Windows Server Essentials is a great product. It is easy to configure, and it uses the existing network infrastructure to save money and resources. There is a situation that I see fairly regularly with the VPN (Virtual Private Network) on Essentials, though. I have seen this issue on all versions of Essentials from 2011 to 2016.
My customer will set up the VPN using the Anywhere Access wizard, and it completes without any errors. He/she will then test the connection with a client. The client connects without a problem, but is unable to access any resources on the Essentials network.
The problem is that RRAS (Routing and Remote Access), the VPN server in Windows, is not able to lease an IP from the DHCP server running on the router. Failing to lease an IP, Windows reverts to using an APIPA (Automatic Private IP Addressing) address. This will be an IP in the 169.254.0.0/16 subnet. More likely than not this is on a different subnet than the rest of the Essentials network. This effectively isolates the VPN client from the Essentials network.
The fix is quite easy on Essentials 2011, 2012, and 2012 R2. Simply add a static pool to the VPN server configuration. Here are the steps:
- Install the RRAS management console, if it is not already installed:
  - Run Windows PowerShell as administrator.
  - Run the following command: Install-WindowsFeature RSAT-RemoteAccess-Mgmt
- Run rrasmgmt.msc to launch the RRAS console
- Right-click on the server name and choose Properties
- Click on the IPv4 tab
- Click the radio button for “Static address pool”
- Click the “Add” button
- Fill in the start and end IP address for the pool. This should be a range that is not included in the router’s DHCP (Dynamic Host Configuration Protocol) range, but that is part of the same subnet.
- Click OK twice.
- Restart the Routing and Remote Access service. PowerShell: Restart-Service RemoteAccess
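The pool range chosen in the steps above can be checked before it is typed into the console. The following is an added example, not part of the original article: the function names are hypothetical, every address in the sample call is a constructed value, and Get-NetIPAddress is only available on Server 2012 and later.

```powershell
# Added example. Function names are hypothetical; sample addresses are constructed.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian (Windows platforms)
    [uint64][BitConverter]::ToUInt32($bytes, 0)
}

# Checks a proposed RRAS static pool against the server's subnet and the router's DHCP scope.
function Test-VpnStaticPool {
    param(
        [string]$ServerAddress, [int]$PrefixLength,
        [string]$DhcpStart, [string]$DhcpEnd,
        [string]$PoolStart, [string]$PoolEnd
    )
    $size    = [uint64][math]::Pow(2, 32 - $PrefixLength)   # addresses in the subnet
    $server  = ConvertTo-IPv4Number $ServerAddress
    $network = $server - ($server % $size)
    $last    = $network + $size - 1                          # broadcast address
    $poolLo  = ConvertTo-IPv4Number $PoolStart
    $poolHi  = ConvertTo-IPv4Number $PoolEnd
    $dhcpLo  = ConvertTo-IPv4Number $DhcpStart
    $dhcpHi  = ConvertTo-IPv4Number $DhcpEnd

    $ordered   = $poolLo -le $poolHi
    $inSubnet  = ($poolLo -gt $network) -and ($poolHi -lt $last)    # usable hosts only
    $overlaps  = ($poolLo -le $dhcpHi) -and ($poolHi -ge $dhcpLo)   # collides with router DHCP
    $hasServer = ($server -ge $poolLo) -and ($server -le $poolHi)   # pool contains the server IP
    [pscustomobject]@{
        Pool           = "$PoolStart - $PoolEnd"
        InServerSubnet = $inSubnet
        OverlapsDhcp   = $overlaps
        ContainsServer = $hasServer
        Usable         = $ordered -and $inSubnet -and -not $overlaps -and -not $hasServer
    }
}

# Lists local IPv4 addresses in the APIPA range, the symptom described in this article.
function Get-ApipaAddress {
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like '169.254.*' } |
        Select-Object InterfaceAlias, IPAddress
}

# Constructed sample: server 192.168.1.10/24, router DHCP scope .100-.200, proposed pool .210-.220
Test-VpnStaticPool -ServerAddress 192.168.1.10 -PrefixLength 24 `
    -DhcpStart 192.168.1.100 -DhcpEnd 192.168.1.200 `
    -PoolStart 192.168.1.210 -PoolEnd 192.168.1.220
```

Run Get-ApipaAddress on the Essentials server before and after the change to see whether any interface still holds a 169.254.x.x address.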
For Essentials 2016, the fix is a bit more involved. Unfortunately, the RRAS configuration cannot be edited to simply add a static pool. The Anywhere Access wizard in 2016 uses PowerShell to configure RRAS and disables the RRAS console. This would be fine, but Microsoft neglected to include a PowerShell command to modify the IP address management. Since the configuration cannot be modified, it must be torn down and re-deployed outside the Anywhere Access wizard. I may add this to this article in the future.
I hope this article has been informative. If you have any comments or suggestions, please post them below.