Setting up Remote Access with VPN on Windows 2016 Server

I have a Windows 2016 server (Domain Controller and Certification Authority). I am running Hyper-V. I have two virtual machines. On the first virtual machine I have installed and configured the Remote Access Server role (set up for VPN only). On the second virtual machine I have installed NPS (RADIUS server). I have the needed certificates enrolled.
My goal is to have the Remote Access Server function as a VPN server. I want to have a BRANCH office have the ability to:
1. Connect to the VPN server
2. Use Remote Desktop Connection to connect to a domain computer at the MAIN office.
Both offices have the Zyxel VMG4325-B10A routers sitting on the edge of the network.
Both offices have access to the Internet through the Zyxel router.
I have the VPN ports (UDP and TCP) on an ACL list and I have port forwarded them.
When I set up the client for VPN I am using the FQDN name of the VPN server. I am unable to connect.
Am I missing something? Asking for assistance.
Van Johnson, Chief Technology Officer, asked:
Van Johnson, Chief Technology Officer (Author), commented:
I need to add: I am getting the following message when I test a VPN connection from a Windows 10 client on an external network:
The network connection between your computer and the VPN server could not be established because the remote server is not responding. I have set up this VPN connection with the server entry being the public IP address, which I have added to the ACL list pointing to the internal address of the VPN (Remote Access) server.
Rob Williams commented:
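Since "the remote server is not responding" can come from the forwarding, the host firewall, or RRAS itself not listening, the checks below split the problem into a server-side pass and a client-side pass. This is an added example, not code from the thread or from Microsoft; it assumes the standard Windows VPN protocol ports (PPTP TCP 1723, SSTP TCP 443, L2TP/IPsec UDP 500/4500/1701) and uses `vpn.example.com` as a placeholder for the public FQDN or IP the client dials.

```powershell
# Added diagnostic (not part of the original thread).
# Run with -Side Server on the RRAS VM, and -Side Client from the external Windows 10 machine.
# Assumptions: standard RRAS VPN ports; $VpnHost is a placeholder for your public FQDN or IP.
param(
    [ValidateSet('Client', 'Server')] [string] $Side = 'Client',
    [string] $VpnHost = 'vpn.example.com'   # placeholder, replace with the address the client dials
)

$tcpPorts = @{ 1723 = 'PPTP'; 443 = 'SSTP' }
$udpPorts = @{ 500 = 'IKE'; 4500 = 'NAT-T'; 1701 = 'L2TP' }

if ($Side -eq 'Server') {
    # 1. Is the RRAS service actually running?
    $svc = Get-Service -Name RemoteAccess
    "RemoteAccess service: $($svc.Status)"

    # 2. Is anything bound to the VPN ports? Port forwarding cannot help if nothing listens.
    foreach ($p in $tcpPorts.Keys) {
        $l = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
        "TCP $p ($($tcpPorts[$p])) listening: $([bool]$l)"
    }
    foreach ($p in $udpPorts.Keys) {
        $l = Get-NetUDPEndpoint -LocalPort $p -ErrorAction SilentlyContinue
        "UDP $p ($($udpPorts[$p])) bound: $([bool]$l)"
    }

    # 3. Are the built-in RRAS firewall rules enabled? A disabled rule drops forwarded
    #    traffic silently, which looks exactly like "remote server is not responding".
    Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
        Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
}
else {
    # From outside: does the public address resolve and answer on the forwarded TCP ports?
    foreach ($p in $tcpPorts.Keys) {
        $r = Test-NetConnection -ComputerName $VpnHost -Port $p -WarningAction SilentlyContinue
        "TCP $p ($($tcpPorts[$p])) reachable: $($r.TcpTestSucceeded)  (resolved $($r.RemoteAddress))"
    }
    # Test-NetConnection has no UDP probe: a forwarded-but-unanswered UDP port looks identical
    # to a blocked one, so verify L2TP/IPsec from the server-side listing instead.
    "UDP ports $($udpPorts.Keys -join ', ') cannot be verified from the client with a connect test."
    # PPTP also needs GRE (IP protocol 47) passed through the edge router; forwarding only
    # TCP 1723 lets the control channel connect while the tunnel itself never comes up.
}
```

If the server pass shows the ports bound and the rules enabled but the client pass reports TCP 1723/443 unreachable, the fault is in the router's ACL or forwarding rather than on the Windows side.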
In my "humble" opinion you would be much better off, and more secure, to set up a site-to-site VPN using the two Zyxel routers. No need for RRAS or NPS, and security is at the perimeter of the network, using full IPsec.
Cliff Galiher commented:
Am I understanding that you are running Hyper-V *on* your domain controller? That alone will cause all sorts of unpredictable network issues.
Rob Williams commented:
I missed that. I hope the DC is a VM and not Hyper-V running on the DC.

Another issue is if you have multiple users connecting as software clients to a Windows VPN server, the Zyxel router at the client end will need to support VPN pass-through. I am sure it does, but all routers have a pass-through limit. Some 1; the most I have seen is 9. I couldn't find specs for Zyxel. A site-to-site VPN does not have these limits. The only limit is performance, based on bandwidth.
Van Johnson, Chief Technology Officer (Author), commented:
Physical server with (3) virtual machines:
1. DC
2. Remote Access
3. NPS
Yes, Rob, I would love to set up a site-to-site with those Zyxel routers. To be honest, on the Zyxel VMG4325-B10A I do not see how to set that up; I do not see a VPN function. The Zyxel routers were provided by the ISP, so maybe my next step is to hit them up about an upgrade.
Rob Williams commented:
Interesting, I haven't looked at Zyxel specs for quite a few years, but they all used to have very high-end VPN capabilities. They were even one of the few that offered VPN fail-over connections. However, I looked at your units, and as you said they do not seem to offer VPN site-to-site capabilities. You can put them in bridge mode and set up a VPN-capable router behind them. Perhaps, as you suggested, you should first talk to the ISP and see what options are available.