One of the strong points of Server Core installations is their ability to run workloads efficiently and without requiring much attention. In much the same way, network devices have been doing this long before Server Core installations were conceived. Many Virtual Private Network (VPN) gateways and routers run Intel processors and chipsets and a dedicated operating system (like Cisco’s IOS) optimized for the task. Today, I’ll show you how to create this functionality without spending tons of money on dedicated devices and their support contracts.
Both Server with a GUI installations and Server Core installations feature the whole Remote Access Services (RAS) Server Role. In both Server with a GUI and Server Core installations, the Server Role comes with the following Role Services:
- DirectAccess and VPN (RAS)
The DirectAccess and VPN (RAS) Role Service gives clients on the Internet access to corporate network resources. The DirectAccess part of this Role Service enables this without the need for traditional VPN connections, but it provides support only for domain-joined Windows 7 Enterprise, Windows 7 Ultimate, and Windows 8 Enterprise clients. The VPN part offers traditional VPN connectivity for legacy clients, non-domain-joined clients, and third-party VPN clients.
The RAS Role Service also provides site-to-site connections between servers. In Windows Server 2012, both DirectAccess and VPN can be deployed and managed on the same Windows Server installation. Also, DirectAccess can now operate behind a Network Address Translation (NAT) router, eliminating the need to place the DirectAccess server directly at the perimeter of the network (as was the case with Windows Server 2008 R2).
The Routing Role Service allows you to transform your Server Core installations into routers with NAT (only applicable to IPv4), routers running the Routing Information Protocol (RIP), and/or multicast capable routers (IGMP proxies).
Note: In contrast to Server with a GUI installations, the Network Protection Services (NPS) Server Role is not available in Server Core installations.
Installing the Remote Access Server Role
Turning a Windows Server 2012–based Server Core installation into a Remote Access Server is pretty easy. To install the Remote Access Services Server Role, use the following PowerShell commands (type PowerShell on the command line first, if you haven’t done so already):
You will be asked to reboot the server. Type Restart-Computer to do so.
After the restart, your Server Core installation will be installed with the Remote Access Services Server Role, along with its DirectAccess and VPN (RAS) Role feature (DirectAccess-VPN).
Now is a good time to install the Remote Access PowerShell Module:
The Routing Role Service is not installed by default with the Server Role. Since a DirectAccess Server no longer needs to be placed at the perimeter of the network, the Routing part of DirectAccess is now optional. You can install it, if you want or need to, using the following PowerShell command:
Note: Although the Routing Role Service sounds like a promising Role Service to create a high-performing, Windows-based router, the Role Service cannot be installed independently of the DirectAccess and VPN (RAS) Role Service, and thus Internet Information Services (IIS).
Configuring a Remote Access Server
VPN Servers were once the successors to dial-in (or dial-up) networking connections. Instead of requiring co-workers to dial in to the corporate network using their PSTN or ISDN connections, they allowed for connecting using their Internet connection. Common advantages are lower costs and higher bandwidth.
Instead of hosting a cupboard of modems, an organization only has to manage one or more Internet connections and make sure only authenticated and authorized personnel are able to set up VPNs over it. For persistent site-to-site VPN connections, VPN Servers were configured with multiple Network Interface Cards (NICs) and routing protocols.
DirectAccess upped the game by creating persistent connections between the organization and Internet-connected, domain-joined clients without the need for their colleagues to manually connect and disconnect. In Windows Server 2008 R2, DirectAccess Servers were routers too—mandatory ones. As a consequence, they were configured as routers.
Configuring the second networking Interface
Managing multiple NICs in Server Core installations sounds like a daunting task, but it’s not. Using sconfig.cmd (Option 8) you can quickly identify networking connections, since these are listed in the order in which they were created.
Of course, to fully take advantage of the two NICs in your Server Core installation, you’ll need to install the Routing Role Service on the Server Core installation. (See above.)
Configuring Remote Access
You can configure incoming VPN connections in two ways:
- On the command line, using PowerShell
- Through the Remote Access Remote Server Administration Tool on a Windows 8 Professional installation, a Windows 8 Enterprise installation, or a Windows Server 2012 Server with a GUI
On the Command Line
To configure Remote Access on the command line of your Server Core installation, simply type the following PowerShell command (type PowerShell on the command line first, if you haven’t done so already):
This command will check for the prerequisites to install both the VPN and DirectAccess Server (the default installation type, which can be altered using -VPNType). For instance, it will check whether the Server Core installation is a domain member and whether you’re logged in as a domain admin, with sufficient rights to create and link Group Policies. When the command returns True, you’re good to go with the next command:
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress demo.ogd.nl
The ConnectToAddress is the public DNS name or public IP address your DirectAccess clients connect to.
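The installation and configuration steps described above, combined into one staged script. This is an added example, not code from the original article. The feature names `Routing` and `RSAT-RemoteAccess-PowerShell` are the Windows Server 2012 feature names and do not appear on the page, `$wantRouting` and `$connectTo` are illustrative variables, and `demo.ogd.nl` is the article's sample address.

```powershell
# Added example: staged install of the Remote Access role on Server Core.
# Run from an elevated PowerShell session on the Server Core installation.
$ErrorActionPreference = 'Stop'
$connectTo   = 'demo.ogd.nl'   # public DNS name or IP your DirectAccess clients connect to
$wantRouting = $false          # the Routing Role Service is optional (assumed switch)

# Server Role, its Role Service, and the Remote Access PowerShell module
$features = @('RemoteAccess', 'DirectAccess-VPN', 'RSAT-RemoteAccess-PowerShell')
if ($wantRouting) { $features += 'Routing' }

# Install only what is missing, and stop cleanly if a reboot is pending
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Install-WindowsFeature -Name $missing.Name
    if (-not $result.Success) {
        throw "Feature installation failed: $($result.ExitCode)"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'Restart required. Run Restart-Computer, then rerun this script.'
        return
    }
}

# Review everything that is now installed, including dependencies such as IIS,
# so the server's exposed surface is known before it faces the Internet
Get-WindowsFeature | Where-Object { $_.Installed } |
    Sort-Object Name | Format-Table Name, DisplayName -AutoSize | Out-Host

# Prerequisite check (domain membership, rights to create and link Group Policies)
Import-Module RemoteAccess
if (-not (Install-RemoteAccess -Prerequisite)) {
    throw 'Prerequisite check did not return True; resolve the reported issue first.'
}

# Default installation type: DirectAccess and VPN
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $connectTo

# Show the resulting Remote Access configuration
Get-RemoteAccess
```

The script is safe to rerun after the reboot: features that are already installed are skipped, and configuration only starts once the prerequisite check passes.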
Remotely with the Remote Server Administration Tools
The DirectAccess and VPN (RAS) Role Service can also be configured remotely, through Remote PowerShell (same commands as above) and through the Remote Server Administration Tools (RSAT) on Windows 8 and Windows Server 2012. When you install the RSAT on Windows 8, all the RSAT tools will be installed by default. On Windows Server 2012, you will need to install the Remote Access GUI and Command-Line Tools.
Open the Remote Access Management application from the Start Menu.
In the left pane, click the Manage a remote server link. On the Manage a remote server screen, enter the name of your Server Core installation and click OK.
To configure the Remote Access Services Server Role on the remote server, click either Run the Getting Started Wizard or Run the Remote Access Setup Wizard.
When done, you can use Dashboard and Operation Status in the left pane to remotely manage the DirectAccess and VPN Remote Access Services on your Server Core installation.
The Remote Access Services Server Role in Server Core installations of Windows Server 2012 is a powerful Server Role. Its PowerShell commands allow you to quickly deploy DirectAccess and VPN tunnels. If you’re looking to deploy a lightweight Windows-based IP router, look somewhere else, because the IIS requirement is a definite no-go area.