About Routing and Remote Access in Server 2008

Components of a Network Access Services Infrastructure

In Windows Server 2008, Network Access Service includes the following:

• VPN Server
• Active Directory Domain services (AD DS)
• IEEE 802.1X Devices – provides port based authentication of users
• Dynamic Host Configuration Protocol (DHCP) Server – Responsible for leasing IP addresses
• NAP Health Policy Server – Provides authentication services for other network access components
• Health Registration Authority – Obtains health certificates for clients passing the health policy verification
• Remediation Servers – A new server for Windows Server 2008 on a limited network, designed to treat machines that do not have the latest antivirus or Windows updates, by pushing the updates down to the NAP client sitting in the restricted network before the client accesses the main network

Network Policy and Access Services

Network Policy and Access Services Role

The Network Policy and Access Services Role in Windows Server 2008 provides these components:

Component	Description
Network Policy Server	Microsoft implementation of the RADIUS Server and proxy
Routing and Remote Access	Provides VPNs, dial-up solutions for users, full-featured software routers, and shares Internet connections across the intranet
Health Registration Authority	Issues health certificates to clients that are using Ipsec NAP enforcement
Host Credential Authorization Protocol	Integrates with Cisco network access control server

RADIUS: Remote Authentication Dial in User Service, is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect to a network. RADIUS is a client/server protocol. The RADIUS server usually runs as a background process on a UNIX or Microsoft Windows server.

The Network Policy and Access Services Role in Windows Server 2008 provides these network connectivity solutions:

• NAP: enforce health policies
• Secure wireless and wired access: with a secure certificate or password-based authentication method
• Remote access solutions: VPN or dial-up
• Central network policy management with RADIUS server and proxy

Windows Server 2008 and Windows Server 2008 R2

What is Routing and Remote Access?

Routing and Remote Access is built into Windows Server 2008 and can be used to:

• Provide remote users access to resources on a private network using Dial-up or VPN services
• Provide Network Address Translation NAT services: when you deploy VPN and NAT, computers on the Internet will not be able to determine the IP address of computers on the private network, even though VPN clients can connect to computers on the private network as if they are on the same network.
• Provide LAN and WAN routing services in order to connect the network segments

Routing and Remote Access Service

How to Install Routing and Remote Access Services

1. Go to Server Manager
2. Select Roles
3. Select Add Roles
4. Click Next
5. On the Select Server Roles page, check Network and Policy Access Services
6. Click Next
7. On the Network Policy Access Services page, read the material and check out the links to Microsoft help, if desired, and click Next
8. On Select Role Services page, check Network Policy Server, Routing and Remote Access Services
9. Click Next
10. Click Install

After the install is completed, click Close to close Server Manager. You will see the Network and Policy and Access Services role in Server Manager. You will see a red arrow underneath to indicate Routing and Remote Access is not yet configured.

Network Authentication and Authorization

To access the Windows Server 2008 network, you must go through the Authentication and Authorization process.

Authentication verifies your credentials (user name and password) and uses an authentication protocol to send the encrypted user name and password from the remote access client to the remote access server.

Authorization verifies the connection attempt is allowed which occurs after a successful authentication.

Authentication vs. Authorization

Authentication Methods

Protocol	Description	Security
PAP (Password Authentication Protocol)	Try to avoid because it passes the password over in plain text.	Least secure protocol.
CHAP (Challenge Handshake Protocol)	A challenge-response authentication protocol that uses the industry-standard MD5 (message digest) hashing scheme to encrypt the response.	An improvement over PAP because the password is not sent over the PPP link. Requires a plain text version of the password to validate the challenge response and does not protect against remote server impersonation.
MS-CHAPv2	An upgrade to MS-CHAP and is known as mutual authentication.	Stronger security than CHAP.
EAP (Extensible Authentication Protocol)	Uses an arbitrary authentication method of a remote access connection using authentication schemes, known as EAP types.	Strongest method of authenticating.
Smart Cards	You must use EAP with the smart card or other certificate (TLS) EAP type, known as EAP-TLS.	Strongest form of authentication in the Windows Server 2008 family.

Troubleshooting

Authentication Methods for use with IAS

Integrating DHCP Servers with Routing and Remote Access Service

DHCP servers can be integrated into the Routing and Remote Access Service. To provide remote clients with an IP address, you can use either:

• The RRAS (Routing and Remote Access) server starts with the Use DHCP to assign remote TCP/IP addresses option, to obtain a pool of ten IP addresses from the DHCP server. Ten IP addresses will be allocated with the RRAS server taking one of the IP addresses and the remaining nine IP addresses for the remote connections. When these ten IP addresses are used up, the RRAS server will acquire ten more from the DHCP server. The IP addresses are freed when remote clients disconnect, and are subsequently reused. When Routing and Remote Access service stops, all IP addresses are released.
• Use the corporate DHCP server located on the corporate LAN

DHCP servers running Windows Server 2008 have a predefined user class called the Default Routing and Remote Access Class. This is used for assigning options to the Routing and Remote Access clients.

Configure VPN Access

VPNs provide a point-to-point connection between the components of a private network through a public network, using tunneling protocols.

Components of a VPN Connection

VPN Client: the Client Operating System has to be capable of communicating with a VPN, like Microsoft has all the way back to Windows NT and Windows 95.

VPN Tunnel: a secure tunnel is created over the Internet to the VPN server.

VPN Server: the VPN server is then connected to our internal network, and the client has access to the internal network through the VPN Server.

VPN Protocol: VPN Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), or if the client is Windows Vista Svc Pk 1 or later, we can use Secure Socket Tunneling Protocol (SSTP).

Tunneling Protocols

For a tunneling protocol for a VPN connection into our network, we can use:

• PPTP (Point-to-Point Tunneling Protocol): Encrypts and encapsulates in an IP header multi-protocol traffic and sends it across an IP network or public IP network. PPTP can be used for remote access and site-to-site VPN connections. PPTP traffic is sent over port 1723, which may be blocked by default on company firewalls, web proxies, or NAT routers, preventing successful VPN connections.
  • PPTP encapsulates PPP frames in IP datagrams.
  • The PPP payload (IPV4 packet) frame is encrypted with Microsoft Point-to-Point Encryption (MPPE). The encryption keys are generated from the MS-CHAPv2 or EAP-TLS authentication protocol.
• L2TP (Layer 2 Tunneling Protocol): Encrypts multi-protocol traffic and sends over mediums supporting point-to-point-datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP presents the best features of PPTP and Layer2 Forwarding (L2F). L2TP uses Ipsec in Transport Mode for encryption, known as L2TP/IPSEC. L2TP/IPSEC-based VPN connections requires manually opening ports on firewalls to ensure a successful VPN connection. The VPN client and server must support L2TP and Ipsec. L2TP is built into Windows XP, Windows Vista, and Windows 7 remote access clients. VPN server support for L2TP is built into Windows Server 2008 and Windows Server 2003. L2TP traffic is sent over port 1701.
  • Encapsulation for the L2TP/Ipsec packets consists of the two layers.
    • The first layer encapsulates a PPP frame (IP datagram) wrapped with an L2TP header and a User Datagram Protocol (UDP) header.
    • The second layer, the Ipsec encapsulation, wraps the resulting L2TP message with an Ipsec Authentication trailer that provides authentication, and a final IP header. The IP header contains the source and destination IP address corresponding to the VPN client and server.
  • The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple DES (3DES) using encryption keys the IKE negotiation process generates.
• SSTP(Secure Socket Tunneling Protocol): Available if the clients are running at least Windows Vista Svc Pk1 or Windows Server 2008. It uses TCP port 443 to pass the point-to-point (PPP) data frames over the network through firewalls and web proxies that could block PPTP and L2TP/IPSEC traffic. TCP Port 443 is used for all secure websites. SSTP is only suitable for Vista Svc Pk1 or Windows Server 2008.
  • SSTP encapsulates PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.
  • Encryption is performed by the SSL channel of the Secure Hypertext Transfer Protocol (HTTPS) protocol.
  • SSTP VPN connections require a CA computer certificate issued by a CA trusted by the VPN server. The root CA certificate of the VPN server's computer certificate should be installed on the client computers.
  • To ensure clients are able to obtain a certificate over the Internet from the VPN, you should install the AD CS and the IIS roles. After installing AD CS and IIS, you should install the Server Authentication certificate in the VPN server.
• IKEv2 (Internet Key Exchange version 2 (IKEv2): uses the Ipsec Tunnel Mode protocol over UDP port 500. IKEv2 is a good choice for mobile users because of its support for mobility (MOBIKE). IKEv2 is very resilient for changing network connectivity and for users what switch from a wired to a wireless connections and is required for VPN Reconnect. VPN Reconnect is a feature in Windows Server 2008 R2 and Windows 7 that maintains connectivity across the network, seamlessly. It automatically re-establishes VPN connections when connectivity is available, and maintains the connection even if users move between different networks, while making the connection status transparent to users. Public Key Infrastructure (PKI) is required because a computer certificate is required for a remote connection.
  • Datagrams are encapsulated using Ipsec ESP or AH headers.
  • Messages are encrypted with encryption keys generated in the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms.

Question: Your company has an Activer Direcory domain. All servers in your network run Windows Server 2008. All client computers run Windows7. Some users occaisionally work from a remote location and they are a member of the domain. The network has a firewall to keep out unauthorized users.
You install Routing and Remote Access on one of your servers and name it VPN1. You decide to configure the server as a virtual private networking(VPN) server. You decide to configure the server to use (SSTP) Secure Socket Tunneling Protocol, to prevent any VPN connectivity problems when the users are behind firewalls, proxies. or network translation routers (NAT).

You  install the Internet Information Services (IIS) and Active Directory Certificate Services (AD CS) roles on VPN1 to issue the required computer certificate for an SSTP-based VPN connection. You create and install the Server Authentication certificate on VPN1.

What is the next thing you should do to make sure clients are able to connect to the VPN1 using SSTP-based VPN connections?



Answer: Install the root CA certificate of the VPN Server's computer certificate on the client computers. SSTP VPN connections require a computer certificate issued by a CA trusted by the VPN server. Therefore, install the AD CS role in your network. When you want to ensure clients can obtain a certificate over the Internet from VPN1, you should install the IIS role. IIS is a required role for the Certificate Authority Web Enrollment Web Service. After installing AD CS and IIS, you should create and install the Server Authentication certificate on the VPN server. A VPN client must have the root CA certificate of the VPN server's computer certificate installed in order to use an SSTP connection.

What are the VPN server configuration requirements?

• Two network interfaces (Configure one for the public Internet and one for the private network. Consider naming the network interfaces appropriately so your remote access VPN server will operate correctly.)
• IP Address allocation (use a static pool on the Routing and Remote Access Server or use DHCP. Note: if the DHCP server is not on the same subnet as your internal network, you might need DHCP relay (also called BOOTP forwarding) agents. If your router is running Windows Server 2008 or Windows Server 2008 R2, you can configure the DHCP Relay Agent service on the router to forward DHCPINFORM messages between subnets.). DHCP Relay is defined RFC 1542 and must be enabled on the server running Routing and Remote Access.
• Authentication provide (NPS/Radius or the VPN server)
• Local Admin group membership or equivalent required

How to Configure VPN Access

Configure a VPN Client Connection on a Windows Vista client

1. Start | Connect To
2. Select Set up a connection or network
3. On the Connect to a network page, select Connect to a workplace
4. Click Next
5. Select Use my Internet connection (VPN)
6. On the page that displays, you can either use the IP address or the FQDN of the VPN server. On the same page, you can indicate:
   1. If you want to logon with a smart card
   2. If you want other people to use this connection
   3. Or, if you just want to set it up and connect later (we will choose this option, for now)
7. Click Next
8. Type your user name and password in the space provided
9. Select Create
10. Click Close
11. Start | Connect To
12. You can now see your VPN connection. Highlight and you will see the VPN Properties: the General tab, the Options tab, the Security tab, the Networking and Sharing tabs.
13. Click OK
14. Click Connect or Cancel

Configure a VPN Server

1. Start | Administrative Tools | Routing and Remote Access
2. Right click the server name and select Configure and Enable Routing and Remote Access
3. The Wizard appears. Click Next.
4. Select Remote access (dial-up or VPN)
5. Click Next
6. On the Remote Access display, the options are VPN or Dial-up, choose VPN
7. Click Next
8. Now, you can select the network interface adapter (best practice is to reconfigure the name on the adapter to indicate public and the external adapter and reconfigure the name on the internal adapter to indicate private network)
9. You can enable security on the selected interface by marking the check box and click Next
10. On the IP Address Assignment page, indicate How do you want IP addresses to be assigned to remote clients? Select Automatically or From a specified range of addresses.
11. Click Next
12. Indicate whether you want to use RADIUS to authenticate
13. Click Next
14. Click Finish to start the Routing and Remote Access service
15. A message alert displays, “ Routing and Remote Access has created a default connection request policy called Microsoft Routing and Remote Access Service Policy. To ensure that this new policy does not conflict with the existing Network Policy Server (NPS) connection request policies, open the NPS console and verify that it is configured properly.
16. Click OK.
17. Another message alert displays, “To support the relaying of DHCP messages from remote access clients, you must configure the properties of the DHCP Relay Agent with the IP address of your DHCP server. Click Help for more information.”
18. Click OK.
19. The Routing and Remote Access Service starts.
20. If you expand the server node, you will see the following nodes: Network Interfaces, Ports, Remote Access Clients (0), Remote Access Logging & Policies.

Complete Additional Tasks

1. Configure static packet filters to create inbound and outbound rules for traffic, such as a packet filter for ICMP (this can be done through Windows Firewall), to protect your network.
2. Configure services and ports you want to make available for remote access users.
3. Adjust logging levels for routing protocols
4. Configure number of available VPN ports (add or remove VPN ports)
5. Create a Connection Manager profile for users to simply configuration and troubleshooting of client connections.
6. Add Certificate Services for Active Directory. Configure and manage a certification authority (CA) on a server for use in a PKI. Make sure you install the root Certification Authority (CA) certificate of the VPN server's computer certificate on the client computers.
7. Increase remote access security by enforcing use of secure authentication methods.
8. Increase VPN security by requiring the use of secure tunneling protocols, account lockout, etc.
9. Consider VPN Reconnect to provide seamless VPN connections.

SSTP Remote Access Step-by-Step Guide: Deployment

What is a Network Policy?

A network policy is a set of conditions, constraints, and settings. A network policy allows or prevents a user from gaining access to a VPN or a remote access solution. Examples of some of the conditions are:

• Does the user have dial-in permission?
• Is the user accessing with the correct type of protocol?
• Does the user belong to a group and is that group allowed remote access?
• Is the user connecting at the correct time?
• Is there any call back selected for this user?

Note: when you have NAP deployed, health policy is added to the network policy configuration and NPS performs client health checks during authorization.

What is the process for creating and configuring a network policy?

• Determine authorization by user or group
• Determine appropriate settings for the user account’s network access permissions
• Configure the New Network Policy Wizard:
  • Network Policy conditions
  • Network Policy constraints
  • Network Policy settings

How are network policies processed?

• The server is checked to see if there are policies to process.
• If there are network policies, does the connection attempt match the policy conditions? If the answer is no, the next policy is checked.
• If the answer to the above is yes, is the remote access permission for the user account set to Deny Access?
• If the answer to the above is yes, the server rejects the connection attempt.
• 

  If the answer is no, is the remote access permission for the user account set to Allow Access? If yes, does the connection attempt match the user object and profile settings? If yes, the connection attempt is accepted. If no, the connection attempt is rejected.

You can configure network policy in the NPS MMC snap-in or the Routing and Remote Access Service MMC snap-in.

Create and Configure a Network Policy

1. START | Administrative Tools | Network Policy Server
2. Select the Policies folder
3. Select Network Policies and right-click
4. Select New
5. In the Policy Name: text box, type in a policy name
6. Under the Type of network access server:, we will select Remote Access Server (VPN-Dial up)
7. Under Vendor specific, enter any hardware settings the vendor might have provided
8. Click Next
9. On the Specify Conditions page, select the conditions. The list is huge. We will select User Groups.
10. Click the Add button. On the Select Group page, enter Domain Admins (provides access to the VPN server to Domain Administrators)
11. Click Check Names and OK (now the User Groups belongs to Domain Admins)
12. Click Next
13. On the Specify Access Permission page, we will select Access granted (Grant access if client connection attempts match the conditions of this policy.)
14. Click Next
15. On the Configure Authentication Methods page, we will select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)
16. Click Next
17. On the Configure Constraints page, the first constraint is Idle Timeout. We will specify 5 minutes as the maximum time the server can remain idle before the connection is disconnected.
18. You also have Session Timeout, Called Station ID, Day and time restrictions, and NAS Port Type. Under Nas Port Type, we will check Virtual (VPN)
19. Click Next
20. On the Configure Settings page, under the Routing and Remote Access section, under Encryption, we will deselect No encryption and leave Basic, Strong, and Strongest encryption for our clients.
21. Click Next
22. Click Finish

Connection Manager Administration Kit

How do you control and configure the client network connections?

Built into Windows Server 2008, is CMAK, the Connection Manager Administrative Kit. CMAK configures the client settings and distributes them as an .exe to the client computers and allows them to connect to a remote network, such as an Internet Service Provider (ISP) or a corporate network protected by a VPN server. The client executes the .exe and their computer is automatically configured to establish a network connection that you have designed. This reduces the end user errors and help desk calls.

CMAK is not installed by default.

To install CMAK:

1. Launch Server Manager.
2. CMAK is configured as a Feature. Select Features. Select Add Features.
3. The Add Features Wizard appears. Check off Connection Manager Administration Kit.
4. Click Next.
5. Select Install.
6. Click Close.
7. Click Next
8. Select Features and F5 to refresh and you can see the Connection Manager Administration Kit in the Features Summary.
9. Close Server Manager
10. Go to the START | Administrative Tools | Connection Manager Administration Kit to create a connection profile.

How to Configure a Connection Profile

Run the CMAK Wizard to Create a Connection Profile

CMAK contains the Connection Profile Wizard that will assist us in creating client connection profiles.

1. START | Connection Manager Administrative Kit
2. Click Next
3. In the Select Target Operating System, we are will choose Windows Vista as the operating system on which this Connection Manager profile will run.
4. Click Next
5. Select New Profile
6. Click Next
7. On the Specify the Service Name and the File Name page, Type the name that will appear in Connection Manager and Type the file name that will identify the Connection Manager profile on disk. We will use Company VPN for the Service Name and company for the file name.
8. Click Next
9. On the Specify a Realm Name page, select Do not add a realm name to the user name for this example
10. Click Next
11. We can choose to Merge Information from Other Profiles on the next page.
12. Click Next
13. On the Add Support for VPN Connections page, we choose Phone book from this profile and enter the VPN server name or IP address.
14. Then, we choose to Use the same user name and password for VPN and dial-up connections.
15. Click Next
16. We can Create or Modify a VPN Entry
17. You can click on Edit to review and/or change the settings
18. Click OK
19. Click Next
20. On the Add a Custom Phone Book (a collection of access numbers that users can dial to connect to a remote dial-up network) page, click Next because we are using a single VPN server.
21. On the Configure Dial-up Networking Entries page, click Next
22. On the Specify Routing Table Updates page, Click Next
23. On the Configure Proxy Settings for Internet Explorer page, Click Next
24. We can Add Custom Actions to perform additional configuration tasks on client computers, if desired.
25. Click Next
26. We can display custom graphics on the connection attempt, on the Display a Custom Logon Bitmap page.
27. Click Next
28. On the Display a Custom Phone Book Bitmap page, click Next
29. On the Display Custom Icons page, Click Next
30. You can Include a Custom Help File. Click Next
31. You can Display Custom Support Information by entering a phone number for custom support help. Click Next
32. Display a Custom License Agreement is where you enter the license agreement that is displayed on the client side when the .exe file is run. Click Next
33. Install Additional Files with the Connection Manager profile. Click Next
34. You can select Advanced customization on the Build the Connection Manager Profile and Its Installation Program page. Insert a check mark for this example.
35. On the next page, we can choose the File name, Section name, Key name, and Value. Click Next
36. Click Finish to create the profile. Note the profile path name. Copy it into Windows Explorer or the Run command and open. A text box appears asking “Do you wish to install Company VPN?” You can also browse to the file path to view it.
37. After the .exe is installed on the client side, the user clicks Yes, a display box appears allowing them to connect to the Company VPN.

Distribute Your Connection Profile to Your Users

Troubleshooting Routing and Remote Access

TCP/IP Troubleshooting Tools

Command	Description
Ipconfig	Displays current TCP/IP network configuration, updates and releases; DHCP allocated leases; displays, registers, and flushes DNS names
Ping	Sends ICMP Echo Request msgs to verify TCP/IP is configured correctly and that a host is available
Pathping	Displays the path of a TCP/IP host and packet losses at routers
Tracert	Displays path of a TCP/IP host

Example:

START | CMD

Ipconfig /all

Ipconfig /? For HELP menu for ipconfig (up and down arrow lets you scroll through your previous typed commands)

Ipconfig /flushdns (flushes client machine resolver cache)

Ping computer name (verify the host name is being resolved to its correct IP address. The ping might not be successful due to packet filtering that prevents the delivery of ICMP messages to and from the VPN server)

Ping /?

Ping –t computer name (ping the host until stopped) (terminate the ping by using Control-C)

Cls to clear the screen

Pathping computer name (gives percentage values for packet loss). If you have a huge loss, it could indicate a damaged cable or other device or under-performing server.

Tracert computer name (to trace how many hops on route to a server)

Authentication and Accounting Logging (3 types)

• Event logging for auditing and troubleshooting connection attempts
• Logging authentication and accounting requests to a local file
• Logging authentication and accounting requests to a SQL server database

Note: You should keep the log files on a separate partition from the system partition, in order to prevent loss of hard-drive space. NPS in Windows Server 2008 stops processing connection requests if RADIUS accounting fails dues to a full hard-disk drive or other causes. NPS in Windows Server 2008 R2 can be configured to continue processing connections requests when logging fails.

Best Practices for NPS
The Cable Guy: The New and Improved Network Policy Server

Configure Log File Properties

Applies To: Windows Server 2008 R2

You can configure Network Policy Server (NPS) to perform Remote Authentication Dial-In User Service (RADIUS) accounting for: 

• user authentication requests 

• Access-Accept messages 

• Access-Reject messages 

• accounting requests and responses  

•  periodic status updates

You can use this procedure to configure the log files in which you want to store the accounting data.

To prevent the log files from filling the hard drive, it is strongly recommended that you keep them on a partition that is separate from the system partition. The following provides more information about configuring accounting for NPS:

• To send the log file data for collection by another process, you can configure NPS to write to a named pipe. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. In the Local file properties dialog box, in Create a new log file, select Never (unlimited file size) when you use named pipes.
• The log file directory can be created by using system environment variables (instead of user variables), such as %systemdrive%, %systemroot%, and %windir%. For example, the following path, using the environment variable %windir%, locates the log file at the system directory in the subfolder \System32\Logs (that is, %windir%\System32\Logs\).
• Switching log file formats does not cause a new log to be created. If you change log file formats, the file that is active at the time of the change will contain a mixture of the two formats (records at the start of the log will have the previous format, and records at the end of the log will have the new format).
• If RADIUS accounting fails due to a full hard disk drive or other causes, NPS stops processing connection requests, preventing users from accessing network resources.
• NPS provides the ability to log to a Microsoft® SQL Server™ database in addition to, or instead of, logging to a local file.

Configuring Remote Access Logging

Start | Administrative Tools | Routing and Remote Access

Right-click servername | Properties

Click the Logging tab to view available options for the tracing log:

• Log errors only
• Log errors and warnings
• Log all events
• Not log any events
• Log additional routing and remote access info (enables you to specify whether the events in the PPP connection-establishment process for remote access and demand-dial routing connections are written to the PPP.LOG file stored in systemroot\Tracing folder

How to use command line for configuring Routing and Remote Access Server

The Routing and Remote Access service in Windows Server 2008 R2 has an extensive tracing capability.

To enable and disable tracing for a specific component:

Netsh ras set tracing component enabled | disabled

Where component is a component in the list of Routing and Remote Access service components found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

To enable tracing for all components:

Netsh ras set tracing * enabled

• Netsh
  • Netsh ras diagnostics set rastracing * enabled (enables tracing on all components in RAS)
• Registry
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

You can enable and disable tracing for components while the Routing and Remote Access service is running. Each component is capable of tracing and appears as a subkey under the preceding Registry key.

Troubleshooting Remote Access

Note: Tracing consumes resources, so you should disable it when finished troubleshooting

Configure NPS Log File Properties

1. Open the NPS (Network Policy Server) MMC snap-in
2. Click Accounting
3. In the details pane, right-click Local File Logging, then click Configure Local File Logging
4. In the dialog box, on the Log File tab, in Directory, type where you want to store NPS log files. The default location is systemroot\System32\LogFiles folder
5. In Format, click Database-compatible. If you would like to keep your log files in IAS format, click IAS.
6. To configure NPS to start new log files at specified intervals, click the interval you want to use:
   1. Daily: Heavy transaction volume and logging activity
   2. Weekly or Monthly: Less transaction volume and logging activity
   3. Never (unlimited file size): All transactions in one log file
   4. When log file reaches this size: To limit the size of each log file, type the file size. The default is 10 MB
7. To delete log files automatically when the disk is full, click When disk is full delete older log files

Note: You must be a member of the Domain Admins, Enterprise Admins, or Administrators group on the local computer.

Check Logging in Event Viewer

1. Start | Administrative Tools | Event Viewer
2. Expand Windows Log
3. Select System
4. Review the entries in the detail pane for the source RemoteAccess to see the logged data
5. Close Event Viewer 

Common Troubleshooting Solutions

• Error 800: VPN unreachable
  • Cause: PPTP/L2TP/SSTP packets cannot reach the VPN server.
  • Solution: Could be the firewall on the client computer
    • PPTP: Open TCP port 1723 forward IP protocol 47 for GRE traffic. Generic Route Encapsulation (GRE) protocol is used in conjunction with Point-to-Point Tunneling Protocol (PPTP) to create virtual private networks (VPNs) between clients or between clients and servers.
    • L2TP: Open UDP port 1701 and allow IPsec ESP formatted packets (IP protocol 50)
    • SSTP: enable TCP 443
• Error 721: Remote computer not responding
  • Cause: Firewall does not permit GRE traffic (IP protocol 47). PPTP uses GRE for tunneled data.
  • Solution: Configure network firewall to permit GRE and permit TCP traffic on port 1723.
• Error 741/742: Encryption mismatch
  • Cause: VPN client requests an invalid encryption level or the VPN server does not support this type of encryption
  • Solution: Check the Security tab properties of the VPN connection on the VPN client. If Require data encryption is selected, clear the selection and retry connection. If using NPS, check the encryption level in the network policy in the NPS console or policies on other RADIUS servers.
• L2TP/IPsec Authentication Issues
  • No certificate: Check the Local computer certificate stores of the remote access client and remote access server to ensure a suitable certificate exists (required for L2TP/IPsec connections)
  • Incorrect certificate:
  • A NAT device exists between the remote access client and remote access server: Client and server must both support IPsec NAT-T, if NAT is present.
  • A firewall exists between the remote access client and remote access server: verify the firewall allows forwarding of L2TP/IPsec traffic.
• EAP-TLS Authentication Issues
  • Current date must be within the certificate validity dates.
  • Certificate has been revoked.
  • Certificate must have valid digital signature, with the exception of the root CA certificate.

Question: Your network is having intermittent problems. Some segments are lost during peak periods. It seems this problem occurs because of router congestion during these peak periods. What can you do about this?

Answer: You should enabled Explicit Congestion Notification (ECN) in your network. ECN was designed for just this type of problem. Routers that are having congestion  problems will flag packets passing through the router. Hosts receiving these packets lower their transmission rate to the router's transmission rate. This lowers the congestion and helps to stop the packet loss in the network segment. This has minimal impact on network performance.