Windows Server 2012 Site-to-Site VPN

    Question

  • I've been given the assignment to set up a site-to-site VPN between two sites that don't have any specialised hardware equipment (we usually use Juniper SSG/SRX).

    The only hardware there is are modems provided by ISPs (static IPs are used) and two lower-end servers on which the Hyper-V role is installed. There's plenty of bandwidth.

    I've installed one Windows Server 2012 VM with the Remote Access role on each host. How do I set up a site-to-site VPN so that all other, future VMs will also have full or limited access (depending on the requirements) from one site to the other? In the future one of those Remote Access VMs will also be for DirectAccess.

    In my searching I can't find any step-by-steps, blogs that deal with this, the closest are on-premise to Azure VPNs. Links with plenty of guidance would be great, since the networking side is usually taken care of by another team.

    Saturday, September 14, 2013 8:22 AM

Answers

All replies

  •   That won't be easy, and not a job for someone with not much networking experience.

     Even if the RRAS routers are the default gateways for their networks it is far from simple. Running the RRAS servers on VMs would require some fancy routing. I doubt that you will find a how-to for that!


    Bill

    Monday, September 16, 2013 7:26 AM
  • Thank you Bill.

    What is the normal setup for RRAS in a site-to-site scenario? I'm adaptable and am curious to know in which scenarios the site-to-site functionality is usually used.

    Monday, September 16, 2013 7:40 AM
  •   A site-to-site VPN was developed as a cheaper alternative to a dedicated site-to-site link (such as a leased line). Instead of a dedicated link, the site-to-site traffic uses a tunnel through the Internet. The data is encrypted and encapsulated between the gateway routers of each site. Windows servers with RRAS can be set up to do this job if you don't have third-party hardware for it.

      When it is set up it works just like a leased line. Devices in one site can access devices in the other just as they would if connected by a router. It will of course not be as fast as directly connected network segments.


    Bill

    Monday, September 16, 2013 11:05 PM
  • So the purpose is exactly what I thought it was and what I need to implement. The only problem is the lack of any step-by-steps, tutorials, documentation in general that would assist me in doing so.

    Wednesday, September 18, 2013 7:38 AM
  • Mike, I don't know anyone personally that has done this, and most of my customers use a third party such as Cisco ASA 5505 (reliable and rock solid) at about USD $1000 each with a three-year gold support contract, but here are my notes on it. And despite the Cisco example, I am not a salesman. I was just trying to iterate the importance of max uptime and reliability, especially since getting two of these things is MUCH less expensive considering the cost of two devoted servers, OS licensing and related hardware.

    Plus, I'm not sure if you had this in mind, but you do not want to make the RRAS servers a DC, otherwise you will have numerous AD communications issues.

    And sorry for all the links below. It's an accumulation of info from past discussions.

    -

    Configure VPN Tunnel using RRAS and not using TMG, but with using a demand-dial VPN, Site to Site VPN, LAN to LAN, Router to Router, or whatever you want to call it; by any other name, it's the same - you want to connect two offices together securely.

    It's possible to create a site-to-site VPN using just RRAS but you have to be very careful with setting it up. The static routes which route traffic from one site to the other must bind properly to the demand-dial interfaces when the connection is made. You have to set this up manually. Only when this happens will the routing work between sites. Each site must have a static route to the other site through the VPN connection.

    The following link is an excellent write-up from a poster that had trouble with setting up a Site to Site L2TP VPN with two Windows 2008 servers with a certificate from his own Certificate Authority. He finally got it working. He took the time to document and screenshot every step for anyone else that has problems setting it up.

    Step by Step - Site to Site or Router to Router VPN Server 2008 on SkyDrive:
    https://skydrive.live.com/P.mvc#!/view.aspx/Site%20to%20Site%20or%20Router%20to%20Router%20VPN%20Server%202008.docx?cid=e81114cae704d772&sc=documents

    Step-by-Step Guide for Setting Up a PPTP-based Site-to-Site VPN Connection in a Test Lab
    http://technet.microsoft.com/en-us/library/cc758271(WS.10).aspx

    Windows 2003 L2TP-based router-to-router VPN deployment
    http://technet.microsoft.com/en-us/library/cc778515(WS.10).aspx


    RRAS Demand-Dial Connections (defined)
    http://technet.microsoft.com/en-us/library/dd315852(WS.10).aspx

    How do I... Configure a network to use demand dial routing?
    http://www.techrepublic.com/article/how-do-i-configure-a-network-to-use-demand-dial-routing/6103901

    Technet discussion: VPN site to site tunnel with Windows 2008
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/ed4f7a25-96d0-45bc-9b48-e8d31925f11a/

    Technet discussion: Site to Site VPN using Windows 2008 (also applies to Windows 2003)
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/450d6149-d8fd-497e-959d-ed9fe332456d


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, September 19, 2013 3:16 AM
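The demand-dial setup Ace describes above (a site-to-site interface per site, with the static route to the far LAN bound to that interface so it is only active while the tunnel is up) can be expressed with the RemoteAccess PowerShell module that ships with the Windows Server 2012 Remote Access role. The script below is an added example, not code from the thread or from any of the linked guides; it is written for the Site A RRAS VM and is mirrored on Site B with the values swapped. Every address, interface name and the shared secret are constructed placeholders, and the crypto-policy parameters on Set-VpnS2SInterface are those documented for the cmdlet, so check Get-Help on the installed build before relying on them.

```powershell
# Added example (not from the thread): RRAS site-to-site VPN on Windows Server 2012.
# Run on the Site A RRAS VM; repeat on Site B with local/remote values swapped.
# All values below are constructed placeholders.

$RemoteSubnet  = '10.2.0.0/24'       # Site B LAN, reached only through the tunnel
$RemoteGateway = '203.0.113.20'      # Site B public IP (TEST-NET-3 placeholder)
$RemoteHost    = '10.2.0.10'         # any host inside Site B, used for verification
$IfName        = 'SiteB'             # demand-dial interface name (must match on the far side)
$Psk           = 'REPLACE-WITH-LONG-RANDOM-SECRET'   # placeholder; machine certificates are preferable

# 1. Enable the site-to-site VPN function of RRAS (the role itself is already installed).
Install-RemoteAccess -VpnType VpnS2S

# 2. Create the demand-dial (S2S) interface.
#    -IPv4Subnet attaches the static route to the far LAN to this interface with metric 100;
#    RRAS installs it when the tunnel comes up and removes it when the tunnel drops, which is
#    the "route must bind to the demand-dial interface" requirement from the post.
#    -Persistent keeps the tunnel up instead of dialing on demand.
Add-VpnS2SInterface -Name $IfName `
    -Protocol IKEv2 `
    -Destination $RemoteGateway `
    -AuthenticationMethod PSKOnly `
    -SharedSecret $Psk `
    -IPv4Subnet "${RemoteSubnet}:100" `
    -Persistent

# 3. Pin the IPsec proposal to modern algorithms instead of accepting the defaults.
Set-VpnS2SInterface -Name $IfName -CustomPolicy `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -DHGroup Group14 `
    -PfsGroup PFS2048

# 4. Bring the tunnel up and verify that the route is now bound to the interface.
Connect-VpnS2SInterface -Name $IfName
Get-VpnS2SInterface -Name $IfName | Select-Object Name, Destination, ConnectionState
Get-NetRoute -DestinationPrefix $RemoteSubnet      # should list the route via the S2S interface
Test-Connection -ComputerName $RemoteHost -Count 2  # end-to-end check across the tunnel

# 5. Routing reminder from Bill's reply: other VMs on the host only reach $RemoteSubnet if
#    they use this RRAS VM as their default gateway, or if the site's existing router has a
#    static route for $RemoteSubnet pointing at this VM's LAN address.
```

Site B runs the same script with its own interface named for Site A, Site A's public IP as the destination, Site A's LAN as the subnet and the same shared secret. Once both sides report `ConnectionState : Connected`, the `Get-NetRoute` output on each router should show the far LAN reachable through the S2S interface and nothing else; a missing route there is the symptom Ace's post warns about.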
  • Thank you very much, I'll take a look at the information provided esp. the Step by Step on SkyDrive, but will probably take your suggestion and will just go with a dedicated Cisco, Juniper... device.

    I was under the impression that using Windows Server for S2S, esp. in Windows Server 2012 was a lot more common, better documented.

    Tuesday, October 01, 2013 8:50 AM
  • You could use Windows 2012, but I think price-wise, it's overkill for this function. If you wanted to stick with Windows, you can acquire TMG, which will be better off and has this built in functionality, but that comes with a cost.

    Glad to have helped! :-)


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, October 02, 2013 4:02 AM