Module 9: Remote User Connectivity in Windows Server

Goal: Provide secure, reliable, and efficient remote access for users to internal network resources using Windows Server technologies.

Key Remote Access Methods in Windows Server

Method	Purpose	Technology
VPN	Securely connect users to internal network over internet	RRAS (Routing and Remote Access Service)
DirectAccess	Seamless always-on remote access (domain-joined clients)	Requires Windows Server and IPv6
Remote Desktop Services (RDS)	Provide full desktop or app access remotely	RDS role in Windows Server
Web Access / RD Web Access	Use web browser to access desktops/apps	Part of RDS
Always On VPN (Win10/11)	Modern alternative to DirectAccess	Uses IKEv2/IPSec or SSTP protocols

RRAS (Routing and Remote Access Service)

RRAS allows you to:

Set up VPN access
Configure NAT routing
Enable LAN routing

How to Install RRAS:

Open Server Manager → Add Roles and Features
Select Remote Access → Choose DirectAccess and VPN (RAS)
After install, open RRAS Management Console
Right-click server name → Configure and Enable Routing and Remote Access
Choose VPN access, NAT, or LAN routing as needed

VPN Configuration Overview

Supported VPN Protocols:

PPTP (least secure, outdated)
L2TP/IPSec
SSTP (uses HTTPS port 443, firewall-friendly)
IKEv2 (fast and stable, supports mobility)

Steps:

Configure user permissions in AD for dial-in access
Set up IP address assignment (static pool or DHCP)
Enable firewall ports: 1723 (PPTP), 500/4500 (L2TP/IPSec), 443 (SSTP)

DirectAccess vs VPN

Feature	DirectAccess	VPN
Connection Type	Always-on	User-initiated
Protocol	IPv6 / IP-HTTPS	PPTP/L2TP/SSTP/IKEv2
Requirements	Domain-joined devices, PKI	Any client device
Best for	Corporate-managed devices	BYOD or general users

Remote Desktop Services (RDS)

Components:

RD Session Host (actual remote desktop or apps)
RD Web Access (browser-based access)
RD Gateway (secure RDP over HTTPS)
RD Connection Broker (load balancing sessions)

Install using Server Manager > Remote Desktop Services role.

Firewall & Network Considerations

Service	Required Ports
SSTP VPN	443
L2TP/IPSec VPN	500, 1701, 4500
RDP	3389
RD Gateway	443
Web Access	443/80

Introducing Routing and Remote Access

Designing a Functional Remote Access Solution (Windows Server)

A functional remote access solution allows users to securely connect to internal corporate resources from remote locations, ensuring seamless productivity without compromising security.

Objectives of a Remote Access Solution

Enable secure access to internal resources (files, apps, desktops)
Support both domain and non-domain clients (employees, contractors)
Offer flexibility (VPN, RDP, web-based access)
Maintain high availability and performance
Enforce security policies (authentication, encryption)

Core Components

Component	Purpose
RRAS (Routing and Remote Access Service)	Provides VPN connectivity and routing
RADIUS/NPS	Centralized authentication and policy management
Remote Desktop Services (RDS)	Full desktop or app access remotely
Firewall & NAT	Secure internet-to-internal routing
Group Policy (GPO)	Enforce settings on domain-joined remote devices
Certificates (PKI)	Secure communication and user/device trust
DNS & DHCP	IP and name resolution for remote clients

Step-by-Step: Functional Remote Access Design (VPN-Based)

1. Assess Requirements

Number of remote users
Types of clients (Windows, Mac, BYOD)
Bandwidth and performance needs
Security policies (MFA, access restrictions)

2. Prepare Server

Install Windows Server with latest updates
Assign a static IP address
Join to Active Directory Domain (optional but preferred)

3. Install RRAS Role

Open Server Manager
Add Role: Remote Access
Select DirectAccess and VPN (RAS)
Complete installation and open RRAS Management Console

4. Configure RRAS for VPN

Right-click server name → Configure and Enable Routing and Remote Access
Select: Custom Configuration → VPN Access
Start the RRAS service
Assign IP address pool for VPN clients (or use DHCP relay)
Enable required VPN protocols: SSTP, L2TP/IPSec, IKEv2

5. Secure the Connection

Measure	Details
Firewall Rules	Allow necessary ports (443 for SSTP, 500/4500 for IKEv2)
Certificates	Install SSL cert for SSTP and/or IPsec certs
Authentication	Use AD credentials or RADIUS (NPS) with MFA
Split Tunneling	Enable if only internal traffic should route over VPN

Securing a Remote Access Solution (Windows Server)

Remote access—such as VPN, RDP, or DirectAccess—exposes your internal network to external users. Therefore, securing it is critical to prevent unauthorized access, data breaches, or service disruption.

Security Objectives

Ensure only authorized users/devices connect
Encrypt data in transit
Enforce security compliance for connecting devices
Monitor and log access activity
Protect against brute-force and phishing attacks

Key Security Measures

1. Use Secure VPN Protocols

Protocol	Security Level	Notes
SSTP (HTTPS-based)	High	Uses port 443; great for firewall traversal
IKEv2/IPSec	High	Secure with strong encryption; best for mobile devices
L2TP/IPSec	Medium	Still secure but slightly outdated
❌ PPTP	Weak	Do not use – outdated and insecure

2. Implement Multi-Factor Authentication (MFA)

Combine passwords with:
- OTP (Google Authenticator, Authy, etc.)
- Smartcards or certificates
- Microsoft Authenticator or other RADIUS-integrated MFA
Configure with Network Policy Server (NPS) + Azure MFA or Duo Security

3. Use Strong Certificates

SSL certificate for SSTP VPN or RD Gateway
Issue client certificates using an internal CA (Active Directory Certificate Services)
Enforce IPSec with certificates for site-to-site and client VPN

4. Restrict Access with Network Policies

Use NPS policies to:
- Allow VPN only to specific AD groups
- Enforce login hours
- Limit access by device MAC or hostname
- Apply quarantine checks for non-compliant systems

5. Enable Connection Logging & Auditing

Enable RRAS logging (Authentication and Accounting)
Use Windows Event Logs to:
- Track successful/failed logins
- Alert on brute-force attempts
Forward logs to SIEM or centralized syslog server

6. Configure the Firewall Properly

Allow only required ports (e.g., 443 for SSTP, 500/4500 for IKEv2)
Use Geo-IP restrictions (optional)
Block unused management ports (RDP, SMB, etc.) on external interfaces

7. Secure RDP (if used)

Use RD Gateway (HTTPS tunnel) instead of open RDP ports
Limit RDP access to a jump server or RDP broker
Enforce Network Level Authentication (NLA)
Use TLS encryption and disable legacy RDP clients

8. Limit Scope of Remote Users

Restrict users to only necessary resources via firewall or routing rules
Disable local admin rights on VPN clients
Apply least privilege principle

9. Endpoint Security on Remote Devices

Enforce that client systems have:
- Updated antivirus/EDR
- OS and software patches
- Encrypted disks (BitLocker)
Use NAP (Network Access Protection) or Intune Compliance Policies (modern approach)

10. Regular Security Review

Review access logs weekly/monthly
Revoke credentials/certificates of former employees
Audit Group Policies and firewall rules

Example Security Stack for Remote Access

Layer	Technology
Authentication	Active Directory + NPS + MFA
Encryption	SSL/TLS certs, IPSec
Access Control	AD Group Policies, NPS Conditions
Device Compliance	Intune, BitLocker, Defender
Monitoring	Event Logs, Syslog, SIEM
Firewall	NAT rules, Port filtering

Enhancing Remote Access Design for High Availability: Best Practices for 2025

Enhancing a Remote Access Design for Availability refers to optimizing remote access infrastructure (VPNs, RDP, DirectAccess, etc.) to ensure continuous, reliable, and redundant connectivity for users, even during network or system failures.

Uncategorized