VPN

  • Question

  • My client is using native Windows 10 (builtin) technology to create a VPN tunnel from a laptop (running Windows 10) in his house to his three colleagues in the field. They need to remotely access the resources (a running service) on the laptop in his house, which is a license 'server' to run specific petroleum modelling software. In order to do this W10 vpn is used. The problem is they cannot all access the laptop resources at the same time, as W10 builtin VPN technology does not accommodate this. It only allows one connection at a time. My client needs at least three concurrent connections.

    The other problem is that W10 vpn doesn't offer split tunnelling, so a lot of the broadband bandwidth in the house is used by a vpn connection.

    Whether this is technically possible is one consideration, but presumably Windows 10 EULAs would preclude more than one connection at a time in any event? So, I think the only alternative is to roll out Server 2016 Essentials. Presumably with the correct licensing this will allow at least three concurrent VPN connections?

    The server probably doesn't need to be raised to a DC but just to use Workgroup functionality? Presumably setting up VPN on this server is fairly straightforward?

    Just out of interest has Server 2019 Essentials been released, as I cannot find any documentation on the MS website about configuring one of these boxes?

    • Edited by itechnician Saturday, August 24, 2019 11:53 PM
    Saturday, August 24, 2019 11:50 PM

All replies

  • Hi,

    >The problem is they cannot all access the laptop resources at the same time, as W10 builtin VPN technology does not accommodate this. It only allows one connection at a time. My client needs at least three concurrent connections.
    Based on your description, you need at least 3 connections to the system which holds the sources.

    It is not the VPN limitation. Windows client/server systems allow a maximum of two simultaneous sessions/connections. If you want to allow more than two simultaneous sessions/connections, then a Windows Server system with RDS (Remote Desktop Services) is recommended.

    >Whether this is technically possible is one consideration, but presumably Windows 10 EULAs would preclude more than one connection at a time in any event? So, I think the only alternative is to roll out Server 2016 Essentials.
    Windows Server Essentials does not meet your first requirement. Due to license limitation, the Windows Server Essentials system itself only supports two admin sessions/connections. It does not allow more than two connections at the same time even with RDS deployment.

    >Suggestion
    Based on your first requirement, it is recommended to consider Windows Server Standard with the RD Session Host and RD Licensing role services installed; it supports a workgroup environment. Also, purchase appropriate RDS CALs for the users/devices which need to access the remote resources and install them on your RD Licensing server.

    Installing the Remote Desktop Session Host role service on Windows Server without the Connection Broker role service:
    https://support.microsoft.com/en-sg/help/2833839/guidelines-for-installing-the-remote-desktop-session-host-role-service

    Also, you can configure the Standard server as a VPN server (RRAS) to provide the VPN function which you need.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 26, 2019 7:25 AM
    Moderator
  • Hi Eve,

    I am much obliged for your notes.

    Is it not VPN that is required rather than RDP in this case, in order to access the 'resources' (a running service) on the server? Will RDP allow this?

    Many thanks.

    Monday, August 26, 2019 6:25 PM
  • Hi,

    >They need to remotely access the resources (a running service) on the laptop in his house, which is a license 'server' to run specific petroleum modelling software.
    In general, VPN provides the security virtual channel for users to access internal resources, there is no such user number limitation for VPN itself. 

    Based on your description, users will log on the server and use the software/application on the server. If you want three or more users to do the operation at same time, then, RDS is necessary to enable multi simultaneous sessions. 

    >Is it not VPN that is required rather than RDP in this case, in order to access the 'resources' (a running service) on the server? Will RDP allow this?
    RDP is point-to-point remote desktop connection, without RDS deployment, there is still RDP number limitation. For example, we can open Task Manager – Users tab to check log on user/session, without RDS deployment, there should be max of two active user/session. 

    Best Regards,
    Eve Wang


    Tuesday, August 27, 2019 3:06 AM
    Moderator
  • Hi Eve,

    Thank you for your suggestions.

    You mention that "there is no such user number limitation for VPN itself" and VPN also "provides the security virtual channel for users to access internal resources". Would this not be the solution then, rather than RDS? Or do you mean that VPN will not provide three or more simultaneous connections, in which case RDP is the only solution?

    I thought there is a difference between VPN and RDP, in that only VPN will provide the functionality to access a running service on the target server?

    Is it possible to provide a link to Microsoft documentation which may clarify these points?

    Many thanks,

    Mark

    Tuesday, August 27, 2019 9:27 AM
  • Hello Mark,

    Is the following a correct description of your set-up? There is an application ("petroleum modelling software") that runs largely standalone on laptops in the field but needs a connection to a "license 'server'" running in someone's "house"?

    Here are three possible approaches to using the application, along with their drawbacks:

    1) Install the application on the license server (or any other Windows computer) in the house and use Remote Desktop services (RDP). There is a well-known software implemented limit of two concurrent remote sessions on client versions of Windows. All of the computation would take place on the remote system. Access by the application to data on the field laptops might be difficult/slow.

    2) Use a VPN/IPsec. This is what you are currently doing but, for unknown reasons, concurrent VPN connections are "not working" (not known how this problem manifests itself). Split tunnelling is possible by manually configuring/deleting routes. There is some doubt about whether any licensing restrictions on concurrent VPN connections exist - I tend to think that there are none.

    3) Connect directly to the license server. If the protocol used to communicate with the license server is encrypted and authenticated (or could be made so) then just set-up port forwarding on the "home" router (in the house containing the license server) to allow direct (NATed) access to the license server.

    Gary



    Tuesday, August 27, 2019 12:13 PM
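
Approach 2 in the reply above notes that split tunnelling is possible by configuring routes. The following is an added example, not part of the original thread, showing one way to do that on a field laptop with the built-in VPN cmdlets so that only traffic for the license server enters the tunnel. The profile name `HomeLicenseVPN` and the address `192.168.1.50` are constructed placeholders.

```powershell
# Added example: the profile name and address are assumed placeholders.
$ConnectionName = 'HomeLicenseVPN'     # assumed name of the VPN profile on the field laptop
$LicenseServer  = '192.168.1.50/32'    # assumed license server address, as a single-host route

# Fail early if the profile does not exist.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# With SplitTunneling = False every packet from the laptop is sent through
# the tunnel and consumes the home broadband link. Turn it on so that only
# explicitly routed prefixes use the VPN.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Route only the license server through the tunnel (a /32 host route keeps
# the rest of the home LAN unreachable from the field laptops).
if ($vpn.Routes.DestinationPrefix -notcontains $LicenseServer) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $LicenseServer
}

# Report any other routes already attached to the profile so that a broader
# prefix left over from earlier testing is noticed and can be removed with
# Remove-VpnConnectionRoute.
$vpn = Get-VpnConnection -Name $ConnectionName
$vpn.Routes |
    Where-Object { $_.DestinationPrefix -ne $LicenseServer } |
    ForEach-Object { Write-Warning "Additional tunnel route: $($_.DestinationPrefix)" }

# Show the resulting configuration.
$vpn | Select-Object Name, SplitTunneling,
    @{ Name = 'Routes'; Expression = { $_.Routes.DestinationPrefix -join ', ' } }
```

The route takes effect the next time the connection is dialled; `Get-NetRoute -DestinationPrefix 192.168.1.50/32` on the connected laptop confirms that it is bound to the VPN interface.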
  • Hi Gary,

    Thank you for your response.

    Coming to your points:

    At the moment the license server application has been installed on a Windows 10 laptop. Using builtin W10 VPN, my clients connect to the server but it can only handle one connection at a time. Notwithstanding the technical considerations of allowing three concurrent connections, there is a Microsoft Windows 10 limitation, in that the EULA states that:

    on a Windows 10 platform the Microsoft EULA restricts remote connections to just one. So, any further concurrent connections would be in breach of the Agreement. Also, Microsoft stipulates:

    Also, in the Microsoft License Terms:

    Section 2, C, (v):

    "[you may not] use the software [Windows 10] as server software, for commercial hosting, make the software available for simultaneous use by multiple users over a network, install the software on a server and allow users to access it remotely, or install the software on a device for use only by remote users".

    So, as my clients are using 'commercial' software, with the present set up, they are probably in breach of Microsoft W10 EULA.

    All they need is to set up Server 2016 to allow three concurrent VPN connections to the server (the license server is basically a running service on the server). Surely, this should be so straightforward. I cannot understand why RDP was suggested. Perhaps I have missed something along the way.

    Thank you for your patience.

    Tuesday, August 27, 2019 12:57 PM
  • Hello Mark,

    Your postings have two elements: technical (what type of connection do I need?) and licensing.

    My hope is to provide useful advice about the technical elements. Since the number of concurrent VPN connections to a Windows 10 PC is not limited to one by software, there is probably some other problem there. If you just upgrade Windows 10 to a server version of Windows then the technical problem will remain. That is why I suggested trying concurrent SSTP VPN connections - if it works then you know that you have a technically viable solution and just need to resolve the licensing questions.

    I keep debating with myself whether it is worth mentioning my interpretation of the EULA, when I am mainly concerned with the technical aspects of the issue, but I will again offer a counter view.

    In https://www.microsoft.com/en-us/Useterms/Retail/Windows/10/UseTerms_Retail_Windows_10_English.htm, section 2. c. (v), one interpretation is that one can not offer Windows desktop (VDI) as a service. Section 2. d. (iii) says:

    • Device connections. You may allow up to 20 other devices to access the software installed on the licensed device for the purpose of using the following software features: file services, print services, Internet information services, and Internet connection sharing and telephony services on the licensed device.

    If the license "service" is implemented as a "web service" of some sort then "Internet information services" might cover it.

    I doubt that you will get a definitive answer to this question without consulting a lawyer or a Microsoft sales person.

    Gary

    Tuesday, August 27, 2019 2:33 PM
  • Hi Gary,

    I think it will require a legal understanding of the EULA agreement to interpret correctly. But what you seem to be saying is that regardless of the EULA W10 builtin VPN should accept more than one concurrent connection? Is that correct? As I cannot see any documentation on the Technet site to suggest this. Perhaps I have overlooked it.

    Nonetheless, leaving aside Windows 10 at the moment, let's suggest that a Windows Server 2016 is set up. What role would the server need in order to set up multiple VPN connections?

    Many thanks,

    Mark

    Tuesday, August 27, 2019 6:57 PM
  • Hi,

    VPN provides you the option to connect to internal/remote network, not direct connect to specific internal/remote system. If you want to log on specific system and use its installed application, and need more than two simultaneous log on sessions, then, RDS should be considered.

    Welcome to Remote Desktop Services:
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/welcome-to-rds

    Best Regards,
    Eve Wang


    Wednesday, August 28, 2019 6:22 AM
    Moderator
  • Thank you for your suggestions.

    I think a Windows Server 2016 Essentials box is probably the best fit for my client. I have set up a test environment and sstp vpn seems to work well. Presumably, it is possible for 25 clients to simultaneously connect to the server, from a technical and licensing perspective?

    Many thanks.

    Monday, September 2, 2019 9:17 AM
  • Hello itechnician!

    Thank you for posting on forums!

    If your question has been solved, please be sure to write it here and let us know!

    Thank you


    Hamid Sadeghpour Saleh Microsoft MCT Regional Lead

    hamidsadeghpour.net

    Mark it as answer if your question has been solved in order to keep forums updated.

    Wednesday, September 4, 2019 4:15 PM
    Moderator
  • Hi,

    >Presumably, it is possible for 25 clients to simultaneously connect to the server, from a technical and licensing perspective?
    Clients can access resources, such as shared folders & files on the server, simultaneously. But more than 2 simultaneous RDP sessions are not supported.

    Best Regards,
    Eve Wang


    Monday, September 9, 2019 2:17 AM
    Moderator
  • Hi,

    Thank you for all the feedback. I moved ahead with a Windows 2016 Essentials Server which I have just about configured on my premises for my client, which included running the 'Anywhere Access' wizard to set up RDP and VPN. I also elected to use the 'free' xxx.remotewebaccess.com address offered by Microsoft.

    But it occurred to me that the url xxx.remotewebaccess.com is bound to my static ip address and not his. Presumably, when I deliver the Dell server to him, I will have to run the Anywhere Access wizard again to bind everything to his public static ip address. Or is there a way to configure the ip address without running the wizard? Are there any Technet articles on this problem?

    Many thanks.


    Wednesday, September 11, 2019 11:45 PM
  • One other question. Is it better to join my clients' devices to the domain whilst in the LAN or remotely?

    I have tested this remotely and it seems to work reasonably well but it is more fiddly. Although, I have not been able to work out how to login remotely to the domain on the connected device using the domain credentials, I always have to use the local account login credentials, otherwise 'NLA' and 'your domain isn't available' errors are returned.

    Wednesday, September 11, 2019 11:54 PM