L2TP VPN connection to Windows Server 2016 Essentials

mtallon
I had this question after viewing Server Essentials 2016 L2TP VPN.

I can connect to Windows Server 2016 Essentials via PPTP after running the Anywhere Access wizard mentioned; however, I cannot connect via L2TP.  I checked my Watchguard M400 firewall policy and the ports for L2TP and IPSec are allowing traffic through to the Windows 2016 Server Essentials.  Are there other steps that need to be taken to enable L2TP VPN?  Some users are trying to connect via iPhone tethering or Mac OS and the VPN connection is failing.
Top Expert 2013

Commented:
Running the Anywhere Access Wizard on Essentials 2016 configures an SSTP VPN using port 443 and a certificate.
There are no wizards for PPTP (which is highly insecure) or L2TP.  They must be manually configured using RRAS and NPS.

Author

Commented:
Do you have a link to steps for configuring the RRAS and NPS to enable L2TP?
Top Expert 2013

Commented:
Can you use the SSTP VPN? L2TP is many more steps to configure, and with SBS and Essentials you should always use the wizards.
That being said, there is a detailed L2TP step-by-step guide at the following link. Click on the teal coloured bar and approve the license agreement to download the PDF (28 pages).
https://gallery.technet.microsoft.com/L2TPIPsec-VPN-On-Windows-5cc2c3ae

Author

Commented:
Will the Mac and iPhone OS (via tether) connect to the SSTP VPN?  If yes, do you know of a link to create the client-side connection on the Mac OS using SSTP?

Note: When I use the Essentials 2016 Wizard it produces an error.  It states ports 443 and 80 must be open on the firewall/router (or something of this nature).  I'm pretty sure these ports are already open on the Watchguard M400.
Top Expert 2013

Commented:
I thought SSTP would work with an iPhone or iPad, though I haven't tried it, but Googling suggests not. I have iPhone/iPad users that access files using Anywhere Access and an SSL browser, which is port 443 as well. They do not use a VPN. The default site is https://remote.domain.abc. Anywhere Access is slower to connect but as fast or faster to use once connected. One serious weakness of a VPN is a wide open tunnel between a remote device and your corporate network over which any traffic, including viruses, can travel.

The wizard error is because UPnP is not available on the router, which is a good thing, so it cannot configure the router; you have to do it manually. Even when you do, it will still show the error. You do not need port 80, and I do not recommend enabling it for security reasons.

Alternatively the "modern solution" for file sharing and access would be OneDrive for Business.
Top Expert 2013

Commented:
PS. If you have a WatchGuard router you would be more secure to enable the VPN on it.  You may need a 3rd party client for the phones.

Author

Commented:
Yes, some users use the Web Access, Remote Desktop, or the native Windows Essentials VPN via Windows 7/10 client. We have some users that use a Mac and would like to directly map to the network shares on the file server. Additionally, some Windows 7/10 users connect via the iPhone hotspot as an alternative when a hotel/café/other blocks VPN traffic. From what I have read, L2TP is required to make it work. I was wanting to be cautious as I have heard (and as you mentioned) that making configuration changes outside of the wizards in 2016 Essentials can produce unexpected results.
Top Expert 2013

Commented:
If you enabled the VPN on the WatchGuard they have an iOS VPN client.  That way you don't have to worry about causing problems with the server.  Also it is more secure to have authentication at the network perimeter, the router, than on the server itself.
http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/mvpn/ipsec/mvpn_ipsec_ios_vpn_c.html
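If the RRAS route is taken anyway rather than the WatchGuard's own VPN, the two things that most often leave L2TP/IPsec failing on an Essentials box behind NAT are the server's own host firewall (the WatchGuard policy the poster checked is only the perimeter) and Windows IPsec NAT traversal, which is also what bites the Windows 7/10 users tethered to an iPhone hotspot mentioned above. The PowerShell below is an added example written for this page; it is not from the thread, the expert, or Microsoft's guide. It assumes RRAS was already installed by the Anywhere Access wizard, that it runs elevated on the server, and that `Get-VpnServerConfiguration`/`Set-VpnServerConfiguration` from the RemoteAccess module expose an `L2tpPorts` property (check on your build). The L2TP pre-shared key (RRAS console, server Properties, Security tab) and the NPS network policy still have to be configured by hand and are not touched here.

```powershell
#Requires -RunAsAdministrator
# Added example: L2TP/IPsec readiness checks for RRAS on Windows Server 2016 Essentials.
# Not from the original thread. Assumes RRAS is installed (Anywhere Access wizard) and
# that the server sits behind a NAT firewall (the WatchGuard M400 in the question).

Import-Module RemoteAccess -ErrorAction Stop

# --- 1. Services L2TP/IPsec depends on ------------------------------------------
# RemoteAccess = Routing and Remote Access, PolicyAgent = IPsec Policy Agent,
# IKEEXT = IKE and AuthIP IPsec Keying Modules. All three must be running.
foreach ($name in 'RemoteAccess', 'PolicyAgent', 'IKEEXT') {
    $svc = Get-Service -Name $name
    '{0,-13} {1}' -f $name, $svc.Status
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
}

# --- 2. RRAS must expose L2TP ports ---------------------------------------------
# The wizard sets up SSTP only; with zero L2TP ports every L2TP attempt fails
# before authentication even starts. The L2tpPorts/SstpPorts property names are an
# assumption about the RemoteAccess module; compare with Get-VpnServerConfiguration.
$cfg = Get-VpnServerConfiguration
'L2TP ports: {0}   SSTP ports: {1}' -f $cfg.L2tpPorts, $cfg.SstpPorts
if (-not $cfg.L2tpPorts) {
    Set-VpnServerConfiguration -L2tpPorts 32   # 32 is an arbitrary pool size
}

# --- 3. Host firewall -----------------------------------------------------------
# Windows ships "Routing and Remote Access (L2TP-In)" in this rule group, and it is
# frequently disabled. This is the second firewall the traffic has to pass after
# the WatchGuard.
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
Enable-NetFirewallRule -DisplayGroup 'Routing and Remote Access'

# Explicit rules in case the built-in group is absent. What actually has to reach the
# server is UDP 500 (IKE), UDP 4500 (IKE NAT-T) and ESP (IP protocol 50). UDP 1701 is
# carried inside the IPsec tunnel and only appears in the clear if IPsec is disabled;
# allowing it is harmless but is not what makes the tunnel come up.
$rules = @(
    @{ Name = 'L2TP/IPsec IKE (UDP 500)';    Protocol = 'UDP'; Port = 500  },
    @{ Name = 'L2TP/IPsec NAT-T (UDP 4500)'; Protocol = 'UDP'; Port = 4500 },
    @{ Name = 'L2TP/IPsec L2TP (UDP 1701)';  Protocol = 'UDP'; Port = 1701 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port | Out-Null
    }
}
if (-not (Get-NetFirewallRule -DisplayName 'L2TP/IPsec ESP (proto 50)' -ErrorAction SilentlyContinue)) {
    # ESP has no port; -Protocol accepts the raw IP protocol number.
    New-NetFirewallRule -DisplayName 'L2TP/IPsec ESP (proto 50)' -Direction Inbound `
        -Action Allow -Protocol 50 | Out-Null
}

# --- 4. IPsec NAT traversal -----------------------------------------------------
# By default a Windows IPsec peer will not build an L2TP/IPsec SA to a server that
# is behind NAT (Microsoft KB 926179). Value 1 = server behind NAT, 2 = both ends
# behind NAT. The Essentials server is behind the WatchGuard and tethered/hotel
# clients are behind NAT too, so 2 is the value to use. The same DWORD must be set on
# the Windows 7/10 clients that connect through an iPhone hotspot; it is primarily a
# client-side fix and is set here on the server as well. A reboot is required.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$vname = 'AssumeUDPEncapsulationContextOnSendRule'
$cur   = (Get-ItemProperty -Path $key -Name $vname -ErrorAction SilentlyContinue).$vname
if ($cur -ne 2) {
    Set-ItemProperty -Path $key -Name $vname -Value 2 -Type DWord
    Write-Warning "$vname set to 2 (was '$cur'); reboot for it to take effect."
} else {
    "$vname already 2"
}
```

Run it once on the server, then the NAT-T section alone (step 4) on each Windows client that tethers through a phone. If L2TP still fails afterwards, the remaining suspects are the ones the script deliberately leaves alone: the pre-shared key not matching between RRAS and the client, and an NPS network policy that does not grant access for the L2TP tunnel type.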
