Windows Server 2012 Essentials VPN without port 1723?
August 4, 2012 10 Comments
"Ugh, VPNs!" is what a lot of the MVPs said when we were told that VPN was being reintroduced as a feature on the Essentials SKU. No one uses VPNs anymore, right? Too insecure, too difficult to configure, doesn't work in a hotel... or a Starbucks.
Why is it needed when we have the RDP feature of RWA, which lets a user get back to their own desktop over SSL?
Suffice to say, this is one in a series of battles we lost (or, more diplomatically, areas we disagreed on initially), and VPN remains a feature, but on reflection I don't think that is a bad thing.
Like most things, there are good and bad points to any technical decision or implementation. I'm not advocating the use of VPN over any other method, and where possible I would use RWA over VPN, but if you do need a VPN then this is the way to do it. Oh, and by the way: if you are not installing DHCP on your WSE servers, this is one scenario where I can see you probably would want to do that.
So, how is it configured?
Easy. Through the Anywhere Access wizard.
Depending on the options you chose, your path through the wizard will be different. However, assuming this is your first run of the wizard, after you complete the domain name section you will be prompted to choose which Anywhere Access features to enable. You can also return to the wizard at any time via the Server Settings option in the dashboard.
Just tick the VPN box, and that is literally all you need to do. You don't need to open any additional ports on your firewall: ports 80 and 443 should already be open for RWA, and the VPN does not need port 1723 (the PPTP port).
If you are wondering how that is achieved, it is done using Secure Socket Tunneling Protocol (SSTP), which carries the PPP tunnel inside an HTTPS session on TCP 443, so it passes through the same firewalls and proxies that already let RWA traffic out. SSTP has been around for a while now, first introduced into Windows Server in 2008 I believe, and there is a nice article about it here. It is an interesting technology and does seem to solve some potential headaches; however, I personally have not seen it used much in my corner of the SMB world. YMMV.
Currently there is very little tweaking you can do (this may change in the RTM build), but if you are curious you can open the RRAS snap-in from an MMC window and look at the configuration.
You will see that a static address pool is defined for remote clients. If you keep a static pool, make sure those addresses are excluded from whatever DHCP scope serves the LAN, otherwise a VPN client can end up with the same address as a local machine.
Depending on your environment and the competence of your users, this may give you a small challenge.
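The following is an added example, not code from the original post, showing how to check the same things from an elevated PowerShell prompt on the Essentials server instead of the RRAS snap-in: how VPN clients get their addresses, whether the SSTP listener is registered on 443, that nothing is listening on 1723, and how to force a static pool if you want one. The address range 192.168.1.200-192.168.1.220 and the 192.168.1.0/24 LAN are assumptions for illustration.

```powershell
# Added example (not from the original post). Run elevated on the WSE server.
# Assumption: LAN is 192.168.1.0/24 and 192.168.1.200-220 is excluded from the
# DHCP scope so the RRAS pool cannot collide with local machines.

# 1. Address assignment for VPN clients: "Static address pool" or "DHCP", plus the ranges.
netsh ras ip show config

# 2. SSTP rides on HTTP.sys and shares TCP 443 with the RWA web site. The listener URL
#    is the fixed /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ path from MS-SSTP, so if it
#    shows up here no extra inbound port is required.
netsh http show servicestate | Select-String 'sra_'

# 3. SSTP presents the certificate whose hash is stored under SstpSvc; it must be the
#    same certificate bound to the RWA site, otherwise clients fail on certificate checks.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters' |
    Select-Object Sha1CertificateHash, Sha256CertificateHash

# 4. Nothing should be listening on 1723 (PPTP); an empty result is the expected outcome.
Get-NetTCPConnection -State Listen -LocalPort 1723 -ErrorAction SilentlyContinue

# 5. Optional: if RRAS is set to DHCP and the router will not hand it a block of leases,
#    switch to a static pool. Re-running or repairing Anywhere Access may overwrite this.
function Set-RrasStaticPool {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To
    )
    netsh ras ip set addrassign method=pool
    netsh ras ip add range from=$From to=$To
    Restart-Service -Name RemoteAccess          # Routing and Remote Access
    netsh ras ip show config                    # confirm the new pool is listed
}
# Set-RrasStaticPool -From 192.168.1.200 -To 192.168.1.220
```

The check in step 4 is the one to run if you are tempted to open 1723 on the router for this: with SSTP there is no PPTP listener to reach, so opening it only widens the exposed surface for no benefit.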
On a lab system I set up a VPN connection which worked very nicely. I did find I had a problem with name resolution, despite my client being correctly told to use the IP of the WSE server for DNS. This is due to the DNS suffix, and I think is a by-product of not running DHCP on the WSE server and using a static address pool. Fortunately it is easy to work around that problem; however, it may be another pro in favour of installing DHCP on the WSE server.
You can view my video on how to implement the workaround below.
Tim Barrett, of Home Server fame, pointed out that I didn't mention the 'Use default gateway on remote network' check box.
Indeed I did not mention this, as it didn't occur to me at the time. Tim rightly points out that you will suffer web-surfing speed issues if you leave that option checked, because every packet from the client, including ordinary browsing, is routed through the tunnel and back out through the office connection; however, if you have a security concern, I would still leave that option enabled.
Now Tim, you see what I have done is raise a lot more questions that perhaps would be better left to another blog post, or another blog altogether.
Perhaps it is just a hang-up from my ISA Server study that I keep that option checked, because I want anything connected to the company LAN to be controlled by the firewall at the office.
Anyway Tim, i hope you are happy now.
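As an added example (not from the original post, and not the connection the Essentials connector creates for you), here is the same SSTP connection built on a Windows 8 or later client with the VpnClient cmdlets. It sets the connection-specific DNS suffix that the name-resolution problem above hinges on, makes the full-tunnel versus split-tunnel choice explicit, and ends with the checks to confirm the suffix, DNS server and tunnel type took effect. The names remote.example.com, corp.example.local and 'server' are assumptions for illustration.

```powershell
# Added example (not from the original post). Run on the Windows 8+ client.
# Assumptions: public RWA/SSTP name is remote.example.com (must match the server
# certificate), the AD DNS suffix is corp.example.local, and a host called 'server'
# exists in that zone.

$Name   = 'Office VPN'
$Server = 'remote.example.com'
$Suffix = 'corp.example.local'

# SSTP over TCP 443. Required encryption and MS-CHAPv2 mirror what the wizard sets up.
# -DnsSuffix attaches the internal suffix to the tunnel adapter so short names resolve.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -DnsSuffix $Suffix -RememberCredential -Force

# Full tunnel = 'Use default gateway on remote network' ticked: all traffic, browsing
# included, goes through the office firewall. Slower, but policed centrally.
Set-VpnConnection -Name $Name -SplitTunneling $false

# Split tunnel = box unticked: only office subnets cross the VPN, browsing goes
# straight out locally and the office firewall never sees it.
# Set-VpnConnection -Name $Name -SplitTunneling $true

rasdial $Name          # connect; prompts for DOMAIN\user credentials

# Verify what the client actually ended up with.
Get-VpnConnection -Name $Name |
    Select-Object Name, TunnelType, SplitTunneling, DnsSuffix, ConnectionStatus
Get-DnsClient | Where-Object InterfaceAlias -eq $Name |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix
Get-DnsClientServerAddress -InterfaceAlias $Name -AddressFamily IPv4
Resolve-DnsName -Name 'server' -Type A     # should answer from the WSE server's DNS
```

If `Resolve-DnsName` for the short name fails but the FQDN works, the suffix did not apply to the tunnel adapter and the connection needs the `-DnsSuffix` value (or the DHCP-supplied suffix the post mentions); the `Get-DnsClient` line shows which case you are in.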
Remote Domain Join
Did someone say, remote domain join?
Yes i did, thanks for listening.
An exciting... well, perhaps exciting is a little strong... a new feature of WSE makes it possible to join clients to the domain from a remote location over a WAN link.
The process is exactly the same as if you were local to the server, with the addition of one or two new screens in the connect wizard.
I know, I know, I can hear you all saying how painful the connect wizard is to use. You don't have to tell me that; I remember. However, what I can tell you is that the first time I used the connect wizard on a client computer was to do this remote domain join process, and it worked perfectly. Perhaps that is a coincidence, but add to that the fact that the PC in question previously had the WSSE2008 connector application installed, and I think that is a great big win for everyone concerned.
I put together a heavily cropped and poorly narrated video to demonstrate the process, hope you enjoy it.
I hope you found this useful.
I'll be going through the process of setting up DirectAccess in the next few weeks.
Robert,
Great article! Do we NEED RRAS installed on our SE server for Access Anywhere VPN to work properly with our router? I have a Cisco ASA in-front of my SE server; RWA works great. Trying to get VPN configured by the wizard fails. I’ve opened the obvious ports (80,443,1723) but VPN configuration keeps failing. Our Cisco is currently the DHCP server, SE is DNS server. Is this article what I need to do? Am I missing something else? Thanks!
Are you choosing to manually configure the router?
Yes, it does not support UPnP
The Access Anywhere wizard doesn’t say anything about needs to configure RRAS and all the documentation I’ve read online doesn’t mention it either; this article is the only one.
I am not saying you have to configure RRAS, i am saying, if you wanted to, you could load up the RRAS console and look at it.
Great article! Having a bit of an issue with setting up the VPN though. The router and domain name used to access RWA are manually configured and all the proper ports are open. The router is configured as the DHCP server while the Windows Server Essentials box is configured as the DNS server for the client computers. In our second office location I can run the connector software from the remote access website but the VPN connection always fails and the connector software gives an unexpected error. I'm at my wits' end with this! The Windows Server box is running Essentials 2012, not the R2 version. Any suggestions?
Devin, maybe you are encountering the same issue that I have had (though I’m using Essentials 2012 R2): RRAS gets configured to use DHCP (not the static IPs shown in Robert’s article), and for some reason that doesn’t work. Manually assigning a static IP range can fix this, but if you touch it in Anywhere Access again, e.g. to Repair, it will wipe out the static range and break. Blogged here: http://www.mcbsys.com/blog/2015/11/essentials-2012-r2-anywhere-access-vpn-failure/
Robert, any insight on why/how Anywhere Access sets up RRAS with DHCP vs. static? Or why DHCP wouldn't work? In my case, the router is the DHCP server.
It could be down to the implementation of DHCP on the router (or most routers?), preventing the server from grabbing X number of addresses. As to why AA/RRAS does that, I don't know. It could be that my guide was written on the beta product and that the DHCP change came in RTM.
I’ve been running Essentials 2012 R2 on a server for the past year and use a VPN on a desktop and laptop in a remote office. The clients are running Windows 8.1 and 10 Professional and are both joined to the domain.
Anywhere Access is configured to use remote.domain.com and has an SSL installed. Everything works well except that for some reason the VPN connection address keeps changing to domain.com and manually updating it allows the connection to work until the next restart of the PC but then it reverts again.
Is there a setting I’m missing or something I can use to force the correct settings?
Not seen that behaviour before, can you send over some screen shots of the errors or changes it makes?