Optimize VPN in Windows Server 2012 R2
In my last article here on WindowsNetworking.com I described in detail how to implement a client-based remote access VPN solution using Windows Server 2012 R2. The article covered preparation of the sever and initial configuration of the Routing and Remote Access Server (RRAS) service to support client-based remote access VPN connections. However, the initial configuration is somewhat incomplete and not entirely secure yet.
Remote Access Protocols
RRAS VPN in Windows Server 2012 R2 supports the following remote access protocols.
- PPTP – The Point-to-Point Tunneling Protocol has been around since the beginning of time it seems. It requires no additional configuration and works right out of the box. As it is really simple to deploy and supported by nearly all VPN clients, it is in wide use today. However, PPTP in its default configuration in Windows RRAS is fundamentally insecure. In fact, without additional configuration, communication that takes place over PPTP should be considered to unprotected.
- L2TP – The Layer Two Tunneling Protocol has also been around a long time and is commonly deployed to provide better security and protection than PPTP offers. L2TP is best deployed using certificates for authentication. However, it also supports authentication using pre-shared keys (passwords). This is the most common deployment model and one that works reasonably well for most organizations.
- SSTP – The Secure Sockets Tunneling Protocol is a relatively newcomer to remote access. It uses HTTP as a transport tunnel protected with Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption. SSTP was first introduced in Windows Vista SP1 as is included in all supported Windows operating systems today. SSTP is an excellent choice when supporting Windows remote access clients exclusively. The advantage of using SSTP is that it is simple to configure and is firewall friendly, as outbound TCP port 443 is commonly open to the public Internet.
- IKEv2 – The Internet Key Exchange version 2 protocol is a modern remote access protocol that is secure and resilient. It includes support for Network Address Translation (NAT) traversal, allowing the protocol to pass through an edge device performing NAT. It also includes enhanced mobility support with session resumption, enabling remote connections to drop intermittently without terminating the session and prompting the user to reconnect. This eliminates the need for a user to enter their credentials each time their connection drops off momentarily, which often occurs when using unreliable connections or switching Wi-Fi access points when roaming.
For security reasons it is recommended that the PPTP protocol not be enabled on a Windows Server 2012 R2 VPN server. To disable PPTP, open the Routing and Remote Access management console, expand the VPN server, and then right-click Ports and choose Properties. Highlight WAN Miniport (PPTP) and click Configure.
Uncheck the boxes next to Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound) and click OK and Apply.
To configure the SSTP protocol, right-click the VPN server in the Routing and Remote Access management console and choose Properties. Select the Security tab and choose the SSL certificate from the Certificate drop-down list and click OK.
It is recommended that the SSL certificate be issued by a trusted public certification authority (CA). An SSL certificate can be issued by an internal Public Key Infrastructure (PKI) as long as the Certificate Revocation List (CRL) is available publicly. In addition, the SSL certificate must be installed in the local computer certificates store. Be sure to import the private key, along with any intermediate certificates provided by the CA. Finally, ensure that the subject name on the SSL certificate matches the public hostname that clients will use to connect to the VPN server remotely. Multi-SAN and wildcard certificates are supported.
When configuring SSTP, the changes require that the RRAS service be restarted. Click Yes to continue.
It is recommended to use certificate authentication for L2TP for the highest level of security. However, detailed guidance for configuring certificate authentication with L2TP is outside the scope of this article. More information on configuring certificate authentication can be found here.
To configure the L2TP protocol using a preshared key, right-click the VPN server in the Routing and Remote Access management console and choose Properties. Select the Security tab and check the box next to Allow custom IPsec policy for L2TP/IKEv2 Connections. Enter a preshared key and click OK.
When configuring L2TP, the changes require that the RRAS service be restarted. Click Yes to continue.
IKEv2 requires a certificate to be issued to the VPN server by an internal PKI. The certificate must be installed in the local computer certificates store and must include the Server Authentication (126.96.36.199.188.8.131.52.1) Enhanced Key Usage (EKU). To avoid potential issues related to certificate selection on the client side for IPsec, it is recommended that the certificate also include the IP security IKE intermediate (184.108.40.206.220.127.116.11.2) EKU.
In addition, the subject name on the certificate must match the public hostname used by clients to connect remotely to the VPN server. The subject name must NOT be the VPN server’s hostname. For example, if the server’s hostname is RRAS01, but clients on the public internet use the FQDN vpn.example.com to resolve the public IP address of the VPN server, then vpn.example.com should be configured as the subject name for the certificate.
Additional Security Considerations
After disabling PPTP and enabling support for L2TP, SSTP, and IKEv2, the security of remote VPN connections is improved greatly. However, there are some additional steps that should be taken to ensure the highest levels of security and protection for remote clients.
The SSTP remote access protocol relies on SSL and TLS for authentication and encryption of data from remote clients. The default configuration of SSL and TLS in Windows is not ideal. In addition, SSL and TLS security is a moving target and should be evaluated on a regular basis. It is recommended to test the VPN server’s SSL and TLS configuration using the Qualys SSL Labs Server Test site. Remediate any findings uncovered by the test.
The use of strong user authentication is highly recommended for VPN connections. The configuration of multifactor authentication for VPN is outside the scope of this article. However, integrating a multifactor authentication solution on-premises or cloud-based like Microsoft Azure Multifactor Authentication is an excellent way to improve the overall security posture of the remote access solution.
After performing the initial installation and configuration of the RRAS service on Windows Server 2012 R2, the VPN server was only configured to support PPTP. While functional, this configuration was not desirable for a variety of reasons. First, PPTP is inherently insecure. Second, none of the modern, more robust, and secure remote access protocols were configured. Following the guidance in this article, the VPN server is now much more secure. In addition, it now provides support for a broader range of clients, including Windows PCs, Macs, Linux, iPhone, Android, Windows Phones and tablets, and much more.