Network configuration ties the Always On VPN servers together. In this part of the series, we will learn about server placement, DNS, and security settings.

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at DeployHappiness.com.

If you have followed this Always On VPN series so far, you are almost completely configured! In the previous two articles, you installed the Routing and Remote Access Service (RRAS) VPN server, a Network Policy Server (NPS) acting as the Remote Authentication Dial-In User Service (RADIUS) server, and a Certificate Authority (CA). These segments are the most difficult portion of the whole guide, as one mistake can break functionality in the other roles. In this article, we will tackle network configuration and several security items.

The network configuration required for an Always On VPN environment is relatively simple. However, exact steps vary. Firewall, router, and switch configurations differ among vendors. As you will see in the next section, you can set up the networking components differently depending on your environment. We will begin with an overview of the final network layout first.

Networking configuration for Always On VPN ^

Your remote access server should have two network interfaces. One should be connected to the public network, and the other should be connected to the internal network. The public-facing interface should sit behind your network edge firewall. The internal interface should sit in front of your internal firewall. The NPS, CA, and domain controllers (DCs) sit inside the internal network. You can see this diagram in the center blue portion of the picture below.

Microsoft's network topology overview for Always On VPN

If you do not have a separate internal firewall, you have a few options. First, many firewalls allow you to create a perimeter (DMZ) network within the external firewall. Connections would come into the external box and would be routed to that perimeter network. The external firewall would then allow certain traffic into the internal network.

The second option is to use an external firewall and route VPN traffic to a dedicated network on your router/core switches. You would then apply access control lists (ACLs) to this network to restrict your traffic. If these options do not work, you can also use the software firewalls in Windows Server. This mode is not recommended for production environments though.

On your VPN server, ensure you have configured the public-facing interface with a dedicated IP, subnet mask, and default gateway. This default gateway will often be the external firewall. The internal interface should also have a static IP and subnet mask, but no default gateway. Two default gateways cause routing problems for VPN connections and often show up as a missing VPN default gateway.

There are many ways to make the Always On VPN network configuration work for your environment. If you have specific questions about HP or Cisco equipment, leave a comment and I can try to help. Once you've correctly placed your servers in your network, continue below to finalize the security aspects.

Always On VPN Server security settings ^

A secure Always On VPN setup uses just a few ports for communication and a proper public/private certificate configuration. Part of this security is ensuring that clients always connect to your trusted RRAS/VPN server.

Start by creating a public DNS entry pointing to your RRAS/VPN server's public IP. This DNS name does not have to match the computer name. Of course, the domain name does have to match your publicly routable domain name. For example, my DNS name would be AlwaysOn.DeployHappiness.com, and the server name might be VPN-01.DeployHappiness.com. Note this DNS name. You will need it in the next article (client configuration).

Creating the type A DNS record for client connections

The certificate issued to the VPN-01 server must contain AlwaysOn.DeployHappiness.com in the Subject Alternative Name (SAN) field, because clients validate the DNS name they connect to rather than the server's computer name. Any client connecting to your network must trust the CA that issued this certificate. If you plan on using non-domain machines, or might use these servers for separate purposes (such as wireless authentication on NPS), plan on purchasing a SAN certificate from a third-party certificate provider. Depending on the size of your environment, you may purchase a single certificate for NPS and RRAS.

Client VPN connections over IKEv2 need only two open ports. On your edge firewall, allow UDP 500 and 4500 inbound to the public-facing interface of your VPN server. Ensure these two ports are also open in the Windows firewall for the public-facing network interface controller (NIC) on the server.

Firewall rule on the public facing interface

On any internal firewall sitting between your VPN server and your NPS box, allow the RADIUS ports UDP 1645, 1646, 1812, and 1813. Ensure these four ports are also open in the Windows firewall on the servers involved. It is always best to enforce configurations like these with Group Policy or Desired State Configuration so that they do not drift over time.
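As an added example (not code from the original article), the following PowerShell script checks the single-default-gateway rule from the networking section and the certificate and firewall requirements from this section on the RRAS/VPN server, then creates the Windows firewall rules. The interface aliases 'External' and 'Internal' and the NPS address 10.0.0.10 are assumptions; the DNS name is the article's example.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article. Run on the RRAS/VPN server.

$PublicNic   = 'External'                      # assumed alias of the public-facing NIC
$InternalNic = 'Internal'                      # assumed alias of the internal NIC
$PublicName  = 'AlwaysOn.DeployHappiness.com'  # public DNS name from the article
$NpsServer   = '10.0.0.10'                     # assumed NPS/RADIUS server address

# 1. Exactly one IPv4 default gateway, and it must belong to the public-facing NIC.
$defaultRoutes = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0')
if ($defaultRoutes.Count -ne 1) {
    Write-Warning "Expected one IPv4 default route, found $($defaultRoutes.Count):"
    $defaultRoutes | Format-Table InterfaceAlias, NextHop -AutoSize | Out-String | Write-Warning
} elseif ($defaultRoutes[0].InterfaceAlias -ne $PublicNic) {
    Write-Warning "Default route is on '$($defaultRoutes[0].InterfaceAlias)', expected '$PublicNic'."
}

# 2. A certificate in the machine store must list the public DNS name in its SAN
#    extension (OID 2.5.29.17). Clients validate this name, so CN alone is not enough.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san -and $san.Format($false) -match [regex]::Escape($PublicName)
}
if (-not $certs) {
    Write-Warning "No certificate in LocalMachine\My carries '$PublicName' in its SAN."
} else {
    $certs | ForEach-Object { "SAN match: $($_.Subject) (thumbprint $($_.Thumbprint))" }
}

# 3. Firewall rules. IKEv2 needs only UDP 500 and 4500, and only on the public NIC;
#    RADIUS leaves through the internal NIC and is scoped to the NPS server alone.
$rules = @(
    @{ DisplayName = 'AOVPN IKEv2 inbound'; Direction = 'Inbound'; Protocol = 'UDP'
       LocalPort = @(500, 4500); InterfaceAlias = $PublicNic; Profile = 'Any' }
    @{ DisplayName = 'AOVPN RADIUS outbound'; Direction = 'Outbound'; Protocol = 'UDP'
       RemotePort = @(1645, 1646, 1812, 1813); RemoteAddress = $NpsServer
       InterfaceAlias = $InternalNic }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
        "Rule '$($r.DisplayName)' already exists, skipping."
    } else {
        New-NetFirewallRule @r -Action Allow | Out-Null
        "Created rule '$($r.DisplayName)'."
    }
}

# 4. Review the result: each AOVPN rule with its direction, protocol and ports.
Get-NetFirewallRule -DisplayName 'AOVPN *' | ForEach-Object {
    $p = $_ | Get-NetFirewallPortFilter
    '{0}: {1} {2} local={3} remote={4}' -f $_.DisplayName, $_.Direction, $p.Protocol,
        ($p.LocalPort -join ','), ($p.RemotePort -join ',')
}
```

The script only adds local rules; when you enforce the same settings through Group Policy, the local rules are merged with or overridden by the policy depending on your firewall profile settings.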

With these changes, your Always On VPN network and server configurations are finished! In the next post, we will set up a client to connect and cover client deployment options.

41 Comments
  1. John717 2 years ago

    Great article, Thank you!

    Can you elaborate on the IP Address Pool or point me in the direction where I can find detailed information and best practices. Microsoft is vague and confusing on this topic as quoted below.
    "The static address pool should contain addresses from the internal perimeter network. These addresses are on the internal-facing network connection on the VPN server, not the corporate network."
     

    0

  2. Author
    Joseph Moody 2 years ago

    Sure - in the RRAS console (on the VPN server), you can create a manual IP address scope that will be used. This is similar to IP pools that you may have used in Hyper-V/SCVMM.

    Personally, I find DHCP to be the better option as it centralizes addressing to a single technology/management pane.

    1+

  3. LukeNie 2 years ago

    Hi, Joseph

    Regarding the 2 NICs configuration on the VPN server, in our environment we always prefer to use a VIP (F5 or A10) in front of any public-facing Windows server, in this case the VPN server.

    If the F5 VIP has a public IP, and also a private IP, can we have a single private NIC on the VPN server? Basically F5 will route UDP ports 500 and 4500 traffic from the internal interface of F5 to the private interface of the VPN server. We can configure the F5's internal interface and VPN's internal interface to be the same VLAN.

    Will this set up work?

    Thanks

    0

    • Author
      Joseph Moody 2 years ago

      You can use that setup but I believe that your internal interfaces should be on separate VLANs.

      0

  4. LukeNie 2 years ago

    Also regarding the certificate on the VPN1 server, if I understand correctly, in the subject field the CN = VPN1.corp.domain.local; in the SAN, DNS = VPN1.mycompany.com.

    On the VPN2 server, it will be CN = VPN2.corp.domain.local; in the SAN, DNS = VPN2.mycompany.com.

    Does it have to be a certificate issued by the internal PKI CA server? If yes, do we need to make the CRL publicly accessible?

    Or, can we use a public trusted CA, like Verisign or Comodo?

    1+

  5. Author
    Joseph Moody 2 years ago

    You can use a public CA.

    0

  6. JD 2 years ago

    Would you be willing to create another article for this series that explains how to configure a cluster using Windows NLB and two server 1709 nodes. The process to create a cluster seems quite different from DirectAccess.

    Thanks!

    0

    • Author
      Joseph Moody 2 years ago

      We can probably put together a walk-through on this. It may be a bit though. 🙂

      5+

  7. Colin 2 years ago

    Great article and a +1 to request the same with an RRAS NLB high availability cluster - documentation is near nonexistent!

    Cheers!

    0

  8. Stefan 2 years ago

    Great Series.

    In the scenario of split tunnel:

    What I didn't understand so far is: how does the client decide what to route via VPN and what via the local internet connection? In DA there were explicit settings on the client side, but not with Always On VPN...

    Could you give me any hint?

    0

    • Author
      Joseph Moody 1 year ago

      It is similar to DA. Of course, traffic in the same subnet as the VPN tunnel is routed via VPN.

      If you want additional traffic to route on the VPN, you could add something like this to your XML profile that is imported. This routes all 10.10.0.0/24 traffic through the VPN client.

      <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
      </NativeProfile>
      <Route>
      <Address>10.10.0.0</Address>
      <PrefixSize>24</PrefixSize>
      </Route>

      2+

  9. Marc 1 year ago

    Hi Joseph,

    Thanks for the great tutorial. I'm still having a small issue. The server is happy when the FW is disabled but it is complaining about "Ports required for VPN connections have been blocked by the firewall" as soon as I enable the FW. I set up a rule allowing incoming traffic on UDP ports 500 and 4500 but it doesn't seem to be enough.
    Any idea as to which other ports need to be opened?

    Thanks a lot in advance,

    0

  10. Marc 1 year ago

    Forget it, I found out by myself. The missing ports were TCP port 1701 and UDP ports 47 and 1723.

    Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd458955(v=ws.10)

    🙂

    0

    • Author
      Joseph Moody 1 year ago

      Glad that you got it figured out! 500 and 4500 are only used for IKEv2. It looks like your connection is using PPTP. You probably don't want to use PPTP.

      To check this, open up the Routing and Remote Access console. Right click on Ports and select properties. Open PPTP and uncheck the options. Do this for the other protocols as well (except IKEv2). The end result should be that the Used By column states None by all protocols except for IKEv2. IKEv2 should state RAS/Routing.

      *Note - for high availability scenarios, you would keep SSTP enabled as a secondary user connection.

      1+

  11. Marc 1 year ago

    I did as you said and was able to restrict the firewall rule accordingly. Thanks for the tip!
    🙂

    0

    • Author
      Joseph Moody 1 year ago

      Awesome! Let me know if you run into any other issues

      0

  12. Michael 1 year ago

    Hi,

    We are currently using Direct Access which is working well. However, we want to switch to AOVPN...

    We have set up everything according to MS and your fantastic guide but it's not working yet.

    We have an external WatchGuard Firewall. External DNS is configured and the WatchGuard passes requests on to the VPN Server in the Perimeter Network.
    UDP 500 and 4500 are open.

    The WatchGuard Firewall also acts as internal Firewall - so the VPN Server is configured with only one NIC.

    Requests towards the internal Network get routed by the Firewall to the NPS.
    Ports 1645, 1646, 1812, and 1813 are open.

    … Can't get it to work after manually configuring a Connection on a Win 10 Machine.

    Always get the 809 error - but the ports are def. open. Also disabled all Windows Firewalls - no good.

    Are there any other ports / traffic necessary for the Clients and the internal Servers to be able to communicate?

    Thanks for your help!

    0

    • Author
      Joseph Moody 1 year ago

      First, make sure that your RRAS is setup to only use IKEv2. To check this, open up the Routing and Remote Access console. Right click on Ports and select properties. Open PPTP and uncheck the options. Do this for the other protocols as well (except IKEv2). The end result should be that the Used By column states None by all protocols except for IKEv2. IKEv2 should state RAS/Routing.

      Second, can you try connecting a client within your network? To do this, make sure that your VPN server name is internally resolvable. You may also need to remove the TRUSTEDNETWORKDETECTION line from your VPN profile.

      1+

      • Michael 1 year ago

        All protocols state None except IKEv2.

        Will try the other suggestion and get back with you.

        Thanks!

        0

      • Michael 1 year ago

        OK, got it working. It was a misconfiguration on the WatchGuard.

        It is connecting… But 🙂

        • When I set the VPN up on a Laptop with the external Name xvpn.xxx.com, it connects, but I don't get any response from internal Servers from pings.
        • When I set the VPN up on a Laptop with the external IP, it connects and I get a response from internal Servers from pings. I can also access Shares, etc.

         

        0

        • Author
          Joseph Moody 1 year ago

          Sounds like you are almost there! On both configurations (name and IP), run route print from a command prompt on the client. Do you see any differences in the output between a connected VPN based on the name and a connected VPN based on the IP?

          1+

          • Michael 1 year ago

            Thanks. Will try tomorrow and post update.

             

            0

          • Michael 1 year ago

            Well... after I got everything working on my Surface (pre last Cumulative Update).... I encountered this:

            On another Windows 10 Enterprise Laptop (post last Cumulative Update) I logged on with the same User I used on my Surface to configure the initial Connection / Template.

            The Settings I do on the Template VPN Connection disappear after closing out everything with OK.

            Even after assigning local and Domain Admin Rights to this user and trying 3 different, all completely up to date Windows 10 Enterprise Laptops (post last Cumulative Update) - no luck.

            On every Laptop after creating the VPN Template and changing all the Settings - it forgets them.

            Properties -> Security -> Looks ok.

            Properties on PEAP -> all blank

            When trying to connect with this VPN, a User / PW box pops up - since it forgot all the Settings.

            WOW

            0

  13. Szilard 1 year ago

    You should never run a second interface on your public facing DMZ server and bypass your firewall. That's suicide. If that DMZ server gets compromised (which is the whole reason it's in a DMZ - it's only partially protected as it's public facing) the attacker then has unfiltered access to the LAN.

    The firewall should allow traffic from the internet to the DMZ server, and then from the DMZ server to the internal LAN. It should also be inspecting the traffic from the server to the LAN with application filtering, even if you do allow all ports.

    0

  14. Stuart Hawkins 1 year ago

    I'm running my AOVPN server in a VM. I've given it two NICs, but am unsure as to how I should set them up. I am very limited as to what I can do with my firewall. Port forwarding is about it! My internal IP range is all 10.161.x.x. Obviously the internal NIC will have an IP in this range, but what do I do with the external NIC please, and forwarding. My network currently doesn't have any VLANs, but I'm hoping to get some sorted over the summer.

    Thank you

    Stuart

    0

  15. Ian Burnell 1 year ago

    Hi Joseph. I am connecting fine but getting message "Server cannot contact a Domain Controller to service the authentication request" if I click on a network drive. I can ping the DC and also if I put in my credentials it does authenticate and I can see the drive - boot only in that subnet. We have another site with another DC but I cannot resolve to that server. What am I doing wrong?

    0

  16. Ian Burnell 1 year ago

    From above I traced this down to an expired certificate on my DC. It would not allow Smartcard login. I deleted and manually added from my CA and it works fine - haven't seen any documentation about having to add a Cert on the DC??

    Only remaining issue I now have is tunneling/routing. VPN_Profile.xml by default has "SplitTunnel" policy so I can't see other subnets. Seen articles saying to add in route entries but what is the option for ForceTunnel? - MS documentation poor. If that is selected can you avoid putting the routes into the xml file?

    0

  17. Steve 1 year ago

    It looks like we have the device tunnel partly working as we see the vpn connected on the client, as well as a connection on the vpn server. Our problem looks to be the client can't seem to ping the servers I have put in the profile? When we ping them, we get the same IP resolved (92.x.x.x)? Is this a failing on the profile side of things or the DMZ rule settings?

    We set it up using the various articles, but they look to be written around the user profile and not the device? Do we need rule specified to allow a device tunnel to the specific servers I've put in the profile

    0

    • Author
      Joseph Moody 1 year ago

      First, what version of Windows 10 are you on? There have been some changes in the more recent versions (1803 and 1809).

      Second, are you using route statements in your VPN profile? For example, this routes 10.10.0.0/24 traffic through the VPN interface.

      <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
      </NativeProfile>
      <Route>
      <Address>10.10.0.0</Address>
      <PrefixSize>24</PrefixSize>
      </Route>

      0

      • Steve 1 year ago

        Hi Joseph, thanks for replying.

        I'm using 1709, and have added a few IPs like below

        <Route>
        <Address>10.75.34.205</Address>
        <PrefixSize>32</PrefixSize>
        </Route>

        I've also added the trafficfilter, as without it I can't ping anything

        <TrafficFilter>
        <RemoteAddressRanges>10.75.34.205</RemoteAddressRanges>
        </TrafficFilter>

        Cheers

        0

        • Author
          Joseph Moody 1 year ago

          If you can, try this on an 1803 or 1809 client. Lots of fixes with the VPN provider on those versions. Let me know what you find out!

          0

  18. Phil 10 months ago

    Hi Joseph,

    I am having a little bit of difficulty and was hoping you may be able to help,

    I have set up the VPN and am able to connect into the VPN but cannot ping any of our internal servers. I have tried removing the default gateway from my internal NIC but it still doesn't seem to be working.

    I am running it with getting IP's from the static pool

    Thanks for any help

    0

    • Author
      Joseph Moody 10 months ago

      Hi Phil - can you ping the VPN server?

      0

      • Phil 10 months ago

        Hi Joseph,

        I managed to sort this thanks,

        My issue was because I had installed the role with both NICs having a default gateway and regardless of me removing one it still wouldn't work. I uninstalled the role and set only one to have a default gateway and hey presto, it started working.

        Thanks and awesome guide

        0

  19. Author
    Joseph Moody 10 months ago

    Awesome news! Thanks for posting your solution as well!

    0

  20. Cedric 9 months ago

    Hello,
    Thanks for your very helpful article.
    We have a RRAS server for the VPN connections and another server for PKI / NPS, both Windows 2019 Standard, and it seems that this second server's Windows firewall blocks the connection.
    When the firewall is on, the client has an 812 error, but it manages to connect when the firewall is deactivated. I checked that the ports 1645, 1646, 1812, 1813 are configured by default for the NPS server and allowed on the firewall.
    Is there something else to open on the NPS server?
    Thanks for your help!

    0

  21. Author
    Joseph Moody 9 months ago

    Did you double check that the NPS rules apply for the network profile that the server is under (which should be domain)?

    You can use group policy to enable firewall logging. See what data is being dropped in that log file. Let me know what you find out!

    0

  22. Syed 9 months ago

    Hello Joseph,

    Thanks for the Nice Article,

    I am working on a RRAS setup with dual NIC cards (External and Internal) separated by edge and perimeter firewalls. Appreciate if you could help me with clarifying below queries pertaining to the network and firewall requirements, as I am unclear.

    1. Internal NIC - As there is NO default gateway set on this adapter, do I need to set a default static route for the internal routing to work?
    2. From which NIC interface (ext OR int) of VPN server should I open required udp ports for radius communication?
    3. Also to allow intranet application access to the remote users. What should be my IP source? Again should this be ext interface IP OR the internal OR the internal interface entire IP range etc..?

    Thanks for your response.

    0

  23. Anthony 8 months ago

    I'm having a weird issue where I cannot get it to use DHCP. It has errors 20167 and 20255. The DMZ card has static IP / subnet / gateway and the internal card has static IP / subnet. However, if I set the internal card to DHCP instead of static then the DHCP will reserve the 10 address for the VPN. Obviously each card then has a default gateway, breaking the VPN.
    The static pool is being used as a workaround, but this is not what we want as part of the long term solution. It doesn't appear to be a firewall issue as the problem persists when we tested it with the server firewall disabled. We have added persistent routes with the internal gateway and also tried using the DHCP relay (even though the internal card is on the same subnet as the DHCP).

    Thank you for any help.

    0

  24. Phil 8 months ago

    Hi All,

    I am running into an issue with Captive Portals and Force Tunneling. Has anyone come across this, and any idea on a fix?

    Thanks

    0

© 4sysops 2006 - 2019
