Many organizations rely on a virtual private network, particularly those with a large number of remote workers who need access to resources.
While numerous vendors sell VPN products, Windows administrators also have the option of using the built-in VPN that comes with Windows Server. One benefit of using Windows Server 2019 VPN technology is that there is no additional cost to your organization once you purchase the license.
Another perk of a Windows Server 2019 VPN is that its integration with the server operating system reduces the number of infrastructure components that can break. An organization that uses a third-party VPN product will have an additional hoop the IT staff must jump through if remote users can't connect to the VPN and lose access to network resources they need to do their jobs.
One relatively new feature in Windows Server 2019 VPN functionality is Always On VPN. Some users on various message boards and blogs have speculated that it will eventually replace DirectAccess, which remains supported in Windows Server 2019. Microsoft cites several advantages of Always On VPN, including granular app- and traffic-based rules to restrict network access, support for both RSA and elliptic curve cryptography algorithms, and native Extensible Authentication Protocol support to enable the use of a wider variety of advanced authentication methods.
Microsoft documentation recommends that organizations currently using DirectAccess check Always On VPN functionality before migrating their remote access processes.
The following transcript of the video tutorial by contributor Brien Posey explains how to install the Windows Server 2019 VPN role.
In this video, I want to show you how to configure Windows Server 2019 to act as a VPN server.
Right now, I'm logged into a domain-joined Windows Server 2019 machine and I'll get the Server Manager open, so let's go ahead and get started.
The first thing that I'm going to do is click on Manage and then I'll click on Add Roles and Features.
This is going to launch the Add Roles and Features wizard.
I'll go ahead and click Next on the Before you begin screen.
For the installation type, I'm going to choose Role-based or feature-based installation and click Next. From there I'm going to make sure that my local server is selected. I'll click Next.
Now I'm prompted to choose the server role that I want to deploy. You'll notice that right here we have Remote Access. I'll go ahead and select that now. Incidentally, in the past, this was listed as Routing and Remote Access, but now it's just listed as Remote Access. I'll go ahead and click Next.
I don't need to install any additional feature, so I'll click Next again, and I'll click Next [again].
Now I'm prompted to choose the Role Services that I want to install. In this case, my goal is to turn the server into a VPN, so I'm going to choose DirectAccess and VPN (RAS).
There are some additional features that are going to need to be installed to meet the various dependencies, so I'll click Add Features and then I'll click Next. I'll click Next again, and I'll click Next [again].
I'm taken to a confirmation screen where I can make sure that all of the necessary components are listed. Everything seems to be fine here, so I'll click Install and the installation process begins.
So, after a few minutes the installation process completes. I'll go ahead and close this out and then I'll click on the Notifications icon. We can see that some post-deployment configuration is required. I'm going to click on the Open the Getting Started Wizard link.
I'm taken into the Configure Remote Access wizard and you'll notice that we have three choices here: Deploy both DirectAccess and VPN, Deploy DirectAccess Only and Deploy VPN Only. I'm going to opt to Deploy VPN Only, so I'll click on that option.
I'm taken into the Routing and Remote Access console. Here you can see our VPN server. The red icon indicates that it hasn't yet been configured. I'm going to right-click on the VPN server and choose the Configure and Enable Routing and Remote Access option. This is going to open up the Routing and Remote Access Server Setup Wizard. I'll go ahead and click Next.
I'm asked how I want to configure the server. You'll notice that the very first option on the list is Remote access dial-up or VPN. That's the option that I want to use, so I'm just going to click Next since it's already selected.
I'm prompted to choose my connections that I want to use. Rather than using dial-up, I'm just going to use VPN, so I'll select the VPN checkbox and click Next.
The next thing that I have to do is tell Windows which interface connects to the internet. In my case it's this first interface, so I'm going to select that and click Next.
I have to choose how I want IP addresses to be assigned to remote clients. I want those addresses to be assigned automatically, so I'm going to make sure Automatically is selected and click Next.
The next prompt asks me if I want to use a RADIUS server for authentication. I don't have a RADIUS server in my own organization, so I'm going to choose the option No, use Routing and Remote Access to authenticate connection requests instead. That's selected by default, so I can simply click Next.
I'm taken to a summary screen where I have the chance to review all of the settings that I've enabled. If I scroll through this, everything appears to be correct. I'll go ahead and click Finish.
You can see that the Routing and Remote Access service is starting and so now my VPN server has been enabled.
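The wizard steps in the transcript above can also be scripted. The following PowerShell is an added example, not part of the original video or article. It installs the same role service, enables VPN only, and then prints the settings an administrator would want to review before exposing the server to the internet. It assumes an elevated session on the server and that leaving out `-IPAddressRange` and `-RadiusServer` corresponds to the wizard's "Automatically" and "No, use Routing and Remote Access" choices. Selection of the internet-facing interface is not expressed in the script.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted counterpart of the wizard walkthrough, plus a post-install review.

# Add Roles and Features: Remote Access role, "DirectAccess and VPN (RAS)" role service.
$feature = Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
if (-not $feature.Success) {
    throw "Role installation failed (exit code: $($feature.ExitCode))."
}
if ($feature.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server, then run this script again to configure the VPN.'
    return
}

Import-Module RemoteAccess

# "Deploy VPN only". No -IPAddressRange and no -RadiusServer are passed
# (assumed to match the address-assignment and authentication choices in the wizard).
if ((Get-RemoteAccess).VpnStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType Vpn
}

# Review 1: the Routing and Remote Access service should be running.
Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType

# Review 2: overall role state as the server reports it.
Get-RemoteAccess | Format-List VpnStatus, DAStatus

# Review 3: which user authentication protocols the VPN server accepts.
$auth = Get-VpnAuthProtocol
$auth | Format-List UserAuthProtocolAccepted, TunnelAuthProtocolsAdvertised

# PAP sends the password in clear text and CHAP is a legacy challenge protocol;
# flag either one so it can be disabled with Set-VpnAuthProtocol.
$legacy = @($auth.UserAuthProtocolAccepted | Where-Object { $_ -in 'Pap', 'Chap' })
if ($legacy.Count -gt 0) {
    Write-Warning "Legacy authentication protocols accepted: $($legacy -join ', ')"
}
```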