How to Set Up iSCSI Target Server on Windows Server 2025
iSCSI (Internet Small Computer Systems Interface) is a storage networking protocol that allows block-level data storage to be transmitted over standard TCP/IP networks, enabling servers to access remote storage as though it were a locally attached disk. Windows Server 2025 includes a built-in iSCSI Target Server role that lets you provision virtual disks and present them to initiator clients across your network — without any additional SAN hardware. This guide covers the complete configuration of an iSCSI target on Windows Server 2025, from role installation through virtual disk creation, CHAP authentication, firewall configuration, and initiator connection.
Prerequisites
- Windows Server 2025 (Standard or Datacenter edition) for the target server
- Sufficient disk space on the target server for the iSCSI virtual disks
- Network connectivity between target and initiator on TCP port 3260
- The initiator machine must have the iSCSI Initiator service enabled (built into Windows; on Linux, install open-iscsi)
- Static IP addresses recommended for both target and initiator
- Administrator privileges on both target and initiator machines
Step 1: Install the iSCSI Target Server Role
The iSCSI Target Server is part of the File and Storage Services role in Windows Server 2025. Install it using PowerShell or Server Manager. The -IncludeManagementTools parameter installs the iSCSI Target Server snap-in (iscsitgt.msc) and the PowerShell management module.
# Install iSCSI Target Server with management tools
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools
# Verify the installation
Get-WindowsFeature -Name FS-iSCSITarget-Server
# Import the iSCSI management module
Import-Module IscsiTarget
# List available iSCSI cmdlets
Get-Command -Module IscsiTarget
Step 2: Create an iSCSI Virtual Disk
An iSCSI virtual disk is a .vhdx file stored on the target server that appears as a raw block device to the initiator. You can create fixed-size disks (allocated immediately, better performance) or dynamically expanding disks (grow as data is written). For production storage, fixed-size disks on fast storage (NVMe or SSD) are recommended to avoid performance degradation.
# Create a 100 GB fixed-size iSCSI virtual disk (-UseFixed allocates the full size up front)
New-IscsiVirtualDisk -Path "D:\iSCSIDisks\DataDisk01.vhdx" `
    -SizeBytes 100GB `
    -UseFixed `
    -Description "Primary data disk for App Server 01"
# Create a 500 GB dynamically expanding disk (the default when -UseFixed is omitted)
New-IscsiVirtualDisk -Path "D:\iSCSIDisks\BackupDisk01.vhdx" `
    -SizeBytes 500GB `
    -Description "Backup storage for App Server 01"
# Verify the virtual disks were created
Get-IscsiVirtualDisk | Select-Object Path, Size, DiskType, Description
Step 3: Create an iSCSI Target
An iSCSI target is the logical entity that the initiator connects to. Each target has a unique IQN (iSCSI Qualified Name) and a list of allowed initiators. You must specify the initiator IQN, IP address, or DNS name to restrict which clients are permitted to connect. Using the wildcard * allows any initiator to connect, which is only appropriate in isolated lab environments.
# First, get the IQN of your initiator client (run on the client machine)
# On Windows: (Get-InitiatorPort).NodeAddress
# On Linux: cat /etc/iscsi/initiatorname.iscsi
# Create an iSCSI target, specifying the allowed initiator by IQN
New-IscsiServerTarget -TargetName "target-appserver01" `
    -InitiatorIds @("IQN:iqn.1991-05.com.microsoft:appserver01-target")
# Alternatively (instead of the command above), allow by IP address (useful in lab environments)
New-IscsiServerTarget -TargetName "target-appserver01" `
    -InitiatorIds @("IPAddress:10.10.1.100")
# Allow multiple initiators (e.g., a cluster with two nodes)
New-IscsiServerTarget -TargetName "target-cluster-storage" `
    -InitiatorIds @(
        "IQN:iqn.1991-05.com.microsoft:node1-cluster-target",
        "IQN:iqn.1991-05.com.microsoft:node2-cluster-target"
    )
# Verify targets (TargetIqn is the name the initiator connects to)
Get-IscsiServerTarget | Select-Object TargetName, TargetIqn, Status, InitiatorIds
Step 4: Assign Virtual Disks to the Target
A single iSCSI target can present multiple virtual disks (LUNs) to the initiator. After assigning disks to the target, each disk is identified by a LUN number starting at 0. The initiator will see each assigned disk as a separate block device.
# Assign the data disk to the target as LUN 0
Add-IscsiVirtualDiskToServerTarget `
    -Path "D:\iSCSIDisks\DataDisk01.vhdx" `
    -TargetName "target-appserver01"
# Assign the backup disk to the target as LUN 1
Add-IscsiVirtualDiskToServerTarget `
    -Path "D:\iSCSIDisks\BackupDisk01.vhdx" `
    -TargetName "target-appserver01"
# Verify the assignment
Get-IscsiServerTarget -TargetName "target-appserver01" |
    Select-Object -ExpandProperty LunMappings
Step 5: Configure Windows Firewall for iSCSI
The iSCSI protocol uses TCP port 3260. You must create a firewall rule on the target server to permit inbound connections on this port. If your environment uses IPsec or dedicated storage VLANs, apply the rule only to the storage network interface for additional security.
# Create an inbound firewall rule for iSCSI (port 3260)
New-NetFirewallRule -DisplayName "iSCSI Target (TCP-In)" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 3260 `
    -Action Allow `
    -Profile Domain,Private
# Alternatively, scope the rule to the storage NIC only. Use this instead of the rule above:
# with both rules in place, port 3260 stays reachable on every Domain/Private interface.
New-NetFirewallRule -DisplayName "iSCSI Target Storage NIC (TCP-In)" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 3260 `
    -Action Allow `
    -InterfaceAlias "Storage NIC" `
    -Profile Any
# Verify the rule is active
Get-NetFirewallRule -DisplayName "iSCSI*" | Select-Object DisplayName, Enabled, Direction
Step 6: Configure CHAP Authentication
Challenge-Handshake Authentication Protocol (CHAP) secures the iSCSI session by requiring the initiator to provide credentials before connecting. Windows Server 2025 supports both one-way CHAP (target authenticates the initiator) and mutual CHAP (both sides authenticate each other). Use CHAP in environments where the iSCSI network is shared with other traffic.
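# Set CHAP credentials on the iSCSI target (one-way CHAP)
# Set-IscsiServerTarget takes the user name and secret together as a PSCredential (-Chap)
# Replace the sample secret with your own; the Microsoft iSCSI initiator expects
# a CHAP secret of 12 to 16 characters when IPsec is not used
$chapSecret = ConvertTo-SecureString "C0mplexP@ssword123!" -AsPlainText -Force
$chapCred = New-Object System.Management.Automation.PSCredential("iscsi-user01", $chapSecret)
Set-IscsiServerTarget -TargetName "target-appserver01" `
    -EnableChap $true `
    -Chap $chapCred
# Configure mutual CHAP (target also authenticates to initiator)
$reverseSecret = ConvertTo-SecureString "R3verseP@ss456!" -AsPlainText -Force
$reverseCred = New-Object System.Management.Automation.PSCredential("iscsi-reverse-user01", $reverseSecret)
Set-IscsiServerTarget -TargetName "target-appserver01" `
    -EnableReverseChap $true `
    -ReverseChap $reverseCred
# Verify CHAP settings
Get-IscsiServerTarget -TargetName "target-appserver01" |
    Select-Object TargetName, EnableChap, EnableReverseChap, ChapUserName, ReverseChapUserName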
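The checks from Steps 3 and 6, as an added example that is not part of the original guide: a PowerShell function that flags targets with a wildcard initiator ID or without CHAP. The function name Test-IscsiTargetHardening and the sample objects are hypothetical, and it assumes each initiator ID renders as a "Method:Value" string.

```powershell
# Added example: audit iSCSI targets for the weak settings described in Steps 3 and 6.
function Test-IscsiTargetHardening {
    [CmdletBinding()]
    param(
        # Objects from Get-IscsiServerTarget, or look-alikes with the same properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Target
    )
    process {
        foreach ($t in $Target) {
            $issues = @()   # settings that leave the target open
            $notes  = @()   # hardening that is available but not enabled
            # Assumption: each initiator ID renders as "Method:Value", e.g. "IQN:*".
            $ids = @($t.InitiatorIds | ForEach-Object { "$_" })
            if ($ids | Where-Object { $_ -match ':\*$' }) {
                $issues += 'Wildcard initiator ID: any initiator may connect'
            }
            if (-not $t.EnableChap) {
                $issues += 'CHAP disabled: initiators are not authenticated'
            }
            elseif (-not $t.EnableReverseChap) {
                $notes += 'One-way CHAP only: target does not authenticate to the initiator'
            }
            [pscustomobject]@{
                TargetName = $t.TargetName
                Pass       = ($issues.Count -eq 0)
                Issues     = $issues -join '; '
                Notes      = $notes -join '; '
            }
        }
    }
}

# Constructed sample objects so the function can be exercised away from the target server.
$sample = @(
    [pscustomobject]@{ TargetName = 'target-lab'; InitiatorIds = @('IQN:*')
                       EnableChap = $false; EnableReverseChap = $false }
    [pscustomobject]@{ TargetName = 'target-appserver01'
                       InitiatorIds = @('IQN:iqn.1991-05.com.microsoft:appserver01-target')
                       EnableChap = $true; EnableReverseChap = $false }
)
$sample | Test-IscsiTargetHardening | Format-List

# On the target server itself:
# Get-IscsiServerTarget | Test-IscsiTargetHardening | Where-Object { -not $_.Pass }
```

With the constructed input, target-lab fails on both checks and target-appserver01 passes with a note that mutual CHAP is not enabled.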
Step 7: Connect the iSCSI Initiator (Windows Client)
On the initiator machine (the server that will consume the iSCSI storage), use either the iSCSI Initiator control panel (iscsicpl.msc) or PowerShell to connect to the target. The iSCSI Initiator service must be running before attempting the connection.
# Run on the initiator machine (Windows Server or Windows client)
# Start and set the iSCSI Initiator service to auto-start
Start-Service msiscsi
Set-Service msiscsi -StartupType Automatic
# Add the target portal (target server IP or hostname)
New-IscsiTargetPortal -TargetPortalAddress "10.10.1.10" -TargetPortalPortNumber 3260
# Discover available targets
Get-IscsiTarget
# Connect to the target (without CHAP); use the NodeAddress value returned by Get-IscsiTarget
Connect-IscsiTarget -NodeAddress "iqn.1991-05.com.microsoft:iscsiserver-target-appserver01" `
    -TargetPortalAddress "10.10.1.10" `
    -IsPersistent $true
# Connect with CHAP authentication (use this instead of the command above when CHAP is enabled on the target)
# The user name and secret must match the values set on the target in Step 6
Connect-IscsiTarget -NodeAddress "iqn.1991-05.com.microsoft:iscsiserver-target-appserver01" `
    -TargetPortalAddress "10.10.1.10" `
    -IsPersistent $true `
    -AuthenticationType ONEWAYCHAP `
    -ChapUsername "iscsi-user01" `
    -ChapSecret "C0mplexP@ssword123!"
# Verify the active session
Get-IscsiSession | Select-Object InitiatorNodeAddress, TargetNodeAddress, IsConnected
Step 8: Initialize and Format the iSCSI Disk on the Initiator
Once connected, the iSCSI virtual disk appears in Disk Management on the initiator as an offline, uninitialized raw disk. You must initialize, partition, and format it before use. Use GPT partition style for disks larger than 2 TB.
# Run on the initiator machine
# Find the new offline disk presented over iSCSI
# Review the result before continuing: the filter matches every offline iSCSI disk on this machine
$iscsiDisk = Get-Disk | Where-Object { $_.BusType -eq "iSCSI" -and $_.OperationalStatus -eq "Offline" }
# Bring the disk online
$iscsiDisk | Set-Disk -IsOffline $false
# Initialize with GPT (recommended for disks > 2 TB)
$iscsiDisk | Initialize-Disk -PartitionStyle GPT
# Create a partition and format with NTFS
$iscsiDisk | New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "iSCSI_Data" -Confirm:$false
# Verify the disk is accessible
Get-Volume | Where-Object { $_.FileSystemLabel -eq "iSCSI_Data" }
Conclusion
The Windows Server 2025 iSCSI Target Server provides a cost-effective, software-defined block storage solution that can replace dedicated SAN hardware in many scenarios. By completing this guide, you have installed and configured the iSCSI Target role, created virtual disks and assigned them to secured targets with CHAP authentication, opened the appropriate firewall ports, and successfully connected and formatted the storage on a client machine. For production deployments, consider three additions: use Multipath I/O (MPIO) on the initiator to provide redundant paths to the target for both high availability and load balancing; schedule regular snapshots of the virtual disk files using Windows Server Backup; and isolate iSCSI traffic on a dedicated VLAN to avoid contention with production network traffic. When combined with S2D or Storage Spaces, iSCSI Target Server becomes a powerful building block for flexible, scalable storage infrastructure on Windows Server 2025.