Running a Unihomed VPN Server in Windows Server 2008
Someone wrote to me recently about whether it was possible to run a unihomed SSTP VPN server on Windows Server 2008, as the examples I gave in my articles on how to create and configure an SSTP VPN server always had two NICs. Now, while I don't typically recommend unihomed VPN servers from a security point of view, I can see the rationale in terms of wanting to simplify the configuration in the event that there is already a multihomed Internet gateway device in play that doesn't support SSTP. Heck, even the new Forefront TMG (Threat Management Gateway), which runs on Windows Server 2008, doesn't support SSTP.
The problem is that when you run the RRAS wizard and choose the VPN option, it expects you to have multiple interfaces. The question then is how do you get around the limitations of the RRAS Wizard?
After installing the Routing and Remote Access Service from the Server Manager in Windows Server 2008, right-click the Routing and Remote Access node in the left pane of the console. When you get to the Configuration page, select the Custom Configuration option.
On the Custom Configuration page, put a checkmark in the VPN Access checkbox and click Next.
Click Finish on the Completing the Routing and Remote Access Server Setup wizard page. You will be asked to start the service, which is what you want to do.
When you check the RRAS configuration, you'll find that it's set up with PPTP, SSTP and L2TP/IPsec ports and that the default address assignment method is DHCP. If you don't have a DHCP server, you'll have to create a static address pool.
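A read-only check you can run on the server after the wizard finishes, to confirm what it enabled (an added example, not part of the original article). The port-to-protocol mapping is the standard one for these protocols and is not listed in the article; English-language `netstat` output is assumed.

```powershell
# Added example: read-only post-configuration check for a unihomed RRAS VPN server.
# Run from an elevated PowerShell prompt on the RRAS server.

# Standard ports for the VPN protocols the wizard enables (assumption: defaults unchanged).
# PPTP also uses GRE (IP protocol 47), which netstat does not list.
$vpnPorts = @{
    'TCP/443'  = 'SSTP'
    'TCP/1723' = 'PPTP control channel'
    'UDP/1701' = 'L2TP'
    'UDP/500'  = 'IKE (L2TP/IPsec)'
    'UDP/4500' = 'IPsec NAT-T (L2TP/IPsec)'
}

# 1. The RRAS service (service name RemoteAccess) should be running.
$svc = Get-Service -Name RemoteAccess
"RRAS service status: $($svc.Status)"

# 2. List IP-enabled adapters so you can confirm what the server is homed on.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "Adapter: $($_.Description)  IP: $([string]::Join(', ', $_.IPAddress))" }

# 3. Show whether VPN clients get addresses from DHCP or from a static pool.
netsh ras ip show config

# 4. Report which VPN-related ports currently have a listener.
$found = @{}
foreach ($line in (netstat -an)) {
    if ($line -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s*(\S*)') {
        $proto = $matches[1]; $port = $matches[2]; $state = $matches[3]
        # TCP rows count only in the LISTENING state; UDP rows have no state column.
        if ($proto -eq 'TCP' -and $state -ne 'LISTENING') { continue }
        $key = "$proto/$port"
        if ($vpnPorts.ContainsKey($key)) { $found[$key] = $true }
    }
}
foreach ($key in ($vpnPorts.Keys | Sort-Object)) {
    $status = 'not listening'
    if ($found.ContainsKey($key)) { $status = 'LISTENING' }
    "{0,-9} {1,-26} {2}" -f $key, $vpnPorts[$key], $status
}
```

On a unihomed server every listener reported here sits on the same interface as the rest of the host's services, so compare the list against what the upstream gateway actually forwards.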
So, if you're looking at this article http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part1.html make sure to substitute these steps for the ones in the article if you want to run unihomed. Everything else should be the same. Well, almost. In the Enable the RRAS Server and Configure it to be a VPN and NAT Server section you do not want to enable the NAT service. Just the VPN, as described in this blog post.
Thomas W Shinder, M.D.
MVP - Microsoft Firewalls (ISA)