Introduction to Routing and Remote Access Service

Routing and Remote Access Service (RRAS) is a built-in Windows Server 2019 feature that provides routing, remote access, and virtual private networking capabilities. RRAS can function as a software router to forward packets between network interfaces, as a dial-up or VPN remote access server, or as a site-to-site VPN gateway. In enterprise environments, RRAS is frequently deployed to enable branch offices to connect to headquarters over the internet using encrypted tunnels, and to provide mobile employees with secure remote access to internal resources. Windows Server 2019 supports IKEv2, SSTP, L2TP/IPsec, and PPTP tunneling protocols through RRAS.

Prerequisites

Before configuring RRAS, prepare the server environment. The server must have at least two network interface cards if functioning as a router between two network segments. If deploying as a remote access server, one NIC connected to the internet or DMZ and another connected to the internal network is the standard architecture. Ensure the server has a static IP address on all interfaces. Install the Remote Access server role and optionally the Routing role service. The RRAS service account will run as Local System by default.

Installing the Remote Access Role

Install the Remote Access role and its role services using PowerShell or Server Manager:

Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature DirectAccess-VPN, Routing -IncludeManagementTools

Verify the installation:

Get-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing | Select-Object Name, InstallState

Configuring RRAS with the Setup Wizard

After installation, launch the Routing and Remote Access console from Server Manager under Tools. Right-click the server name in the left pane and select Configure and Enable Routing and Remote Access. The wizard presents several configuration options:

Remote access (dial-up or VPN) configures the server to accept incoming VPN or dial-up connections from remote clients. Network address translation (NAT) enables the server to share an internet connection with internal clients. VPN access and NAT combines both. LAN routing enables the server to route packets between connected subnets. Custom configuration lets you select individual services to enable manually.

Select Custom configuration to have maximum control, then check the services you need such as VPN access, NAT, LAN routing, and demand-dial connections. Click Finish and then Start Service when prompted.

Configuring LAN Routing

LAN routing allows RRAS to forward packets between multiple directly connected subnets or to act as a router in your network. After enabling RRAS with LAN routing, expand the server in the console, then expand IPv4, and then expand General. Right-click General and select New Routing Protocol to add RIP if dynamic routing is needed (OSPF has been deprecated in this release; see Configuring Routing Protocols below). For static routing, right-click Static Routes and select New Static Route, or add the route from the command line:

route add 10.30.0.0 mask 255.255.0.0 192.168.1.1 metric 1 -p
netsh routing ip add persistentroute dest=10.30.0.0 mask=255.255.0.0 name="Local Area Connection" nhop=192.168.1.1 metric=1

View the current routing table:

route print -4
Get-NetRoute -AddressFamily IPv4 | Format-Table DestinationPrefix, NextHop, RouteMetric, InterfaceAlias

Configuring NAT

Network Address Translation allows multiple internal clients to share a single public IP address. In the RRAS console, expand IPv4, right-click NAT, and select New Interface. Add the public-facing interface and configure it as the public interface connected to the internet with NAT enabled. Add the internal interface and configure it as a private interface connected to the private network.

To configure NAT port mappings for inbound connections such as allowing external access to an internal web server:

netsh routing ip nat add portmapping name="External" proto=tcp publicip=0.0.0.0 publicport=80 privateip=192.168.1.100 privateport=80

Alternatively use PowerShell with the NetNat module:

New-NetNat -Name "CorpNAT" -InternalIPInterfaceAddressPrefix "192.168.1.0/24"
Add-NetNatStaticMapping -NatName "CorpNAT" -Protocol TCP -ExternalIPAddress 0.0.0.0 -ExternalPort 80 -InternalIPAddress 192.168.1.100 -InternalPort 80

Configuring Demand-Dial Routing

Demand-dial interfaces allow RRAS to establish VPN connections to remote sites on demand, creating a site-to-site routing connection. In the RRAS console, right-click Network Interfaces and select New Demand-dial Interface. Provide a name matching the remote RRAS server’s computer name exactly since RRAS uses this for credential matching. Select VPN as the connection type and specify the remote server’s IP address or hostname. Choose the VPN protocol, typically IKEv2 for security. Configure the remote network routes that should be reachable through this interface. Set credentials for the connection under the Security tab.

Allow traffic from connected peers to be forwarded beyond the server itself, and make sure the RRAS configuration is enabled:

netsh ras ip set access mode=all
netsh ras set conf confstate=enabled
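The same demand-dial interface can be built with the RemoteAccess PowerShell module, which also lets you pin the IKEv2/IPsec proposal instead of accepting whatever the two routers negotiate by default. The script below is an added example, not code from the original article: the interface name, peer address, subnet, and the interactive pre-shared-key prompt are assumptions.

```powershell
# Added example (not from the original article). Builds the demand-dial interface
# described above with the RemoteAccess module instead of the console, then pins
# the IKEv2/IPsec proposal so the tunnel cannot negotiate down to weaker defaults.
# The interface name, peer address, subnet and PSK prompt are assumptions.

$ifName    = "BranchOffice"       # must equal the account name the remote router dials in with
$remoteGw  = "203.0.113.10"       # constructed peer address (TEST-NET-3, not a real site)
$remoteNet = "10.30.0.0/16:10"    # subnet reachable through the tunnel, "prefix:metric"

# Prompt for the pre-shared key so it is never stored in the script; where a PKI exists,
# -AuthenticationMethod MachineCertificates with -Certificate is the stronger choice.
$psk = Read-Host -Prompt "Pre-shared key for $ifName"

Add-VpnS2SInterface -Name $ifName -Destination $remoteGw -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $psk -IPv4Subnet $remoteNet `
    -Persistent -PassThru

# One explicit proposal: AES-256 / SHA-256 / DH group 14 with PFS, rekeyed on time and volume.
Set-VpnS2SInterface -Name $ifName -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -SALifeTimeSeconds 3600 -SADataSizeForRenegotiationKilobytes 102400

Connect-VpnS2SInterface -Name $ifName

# Confirm what was configured before routing production traffic over the link
Get-VpnS2SInterface -Name $ifName |
    Format-List Name, Destination, Protocol, AuthenticationMethod, ConnectionState, IPv4Subnet
```

Both ends of the tunnel must be configured with the same custom policy, otherwise IKEv2 negotiation fails rather than silently falling back.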

Configuring IP Address Assignment for Remote Clients

Remote access clients need IP addresses when they connect. Configure RRAS to use a DHCP server or a static address pool. In the RRAS console, right-click the server and select Properties. On the IPv4 tab, select Dynamic Host Configuration Protocol or Static address pool. For a static pool, add address ranges:

netsh ras ip set addrassign method=pool
netsh ras ip add range from=192.168.100.100 to=192.168.100.200

Verify the pool configuration:

netsh ras ip show config

Configuring RRAS Authentication

RRAS can authenticate remote users against Active Directory using Windows Authentication or via RADIUS for centralized policy management. To configure Windows Authentication directly, in the RRAS server Properties on the Security tab, select Windows Authentication. For RADIUS authentication with Network Policy Server, select RADIUS Authentication and add your NPS server IP address and shared secret:

netsh ras aaaa set authentication provider=radius
netsh ras add authtype type=MSCHAPv2

Set the RADIUS server details, and register the RRAS server in Active Directory so it can read users' dial-in properties:

netsh ras aaaa add authserver name=NPS01 secret=<shared-secret>
netsh ras add registeredserver domain=contoso.com server=NPS01
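The following added example (not from the original article) does the same job with the RemoteAccess PowerShell cmdlets and additionally restricts which user authentication protocols RRAS will accept. The NPS host name and the interactive secret prompt are assumptions.

```powershell
# Added example (not from the original article). Limits RRAS to the user
# authentication protocols worth keeping, hands authentication and accounting to
# NPS over RADIUS, and prints the result so the change can be verified. The NPS
# host name and the interactive secret prompt are assumptions.

$npsServer = "NPS01.contoso.com"
$secret    = Read-Host -Prompt "RADIUS shared secret for $npsServer"

# PAP carries the password unprotected inside the tunnel and CHAP requires reversibly
# encrypted passwords in AD, so accept only MS-CHAPv2 and EAP (EAP is what certificate
# and smart-card logons use).
Set-VpnAuthProtocol -UserAuthProtocolAccepted @("MSChapv2", "Eap") -PassThru

# Register NPS for both purposes; use a distinct secret per RRAS server in practice.
Add-RemoteAccessRadius -ServerName $npsServer -SharedSecret $secret -Purpose Authentication -PassThru
Add-RemoteAccessRadius -ServerName $npsServer -SharedSecret $secret -Purpose Accounting -PassThru

# Make the provider choice explicit on the same RRAS host (assumption: run locally)
netsh ras aaaa set authentication provider=radius
netsh ras aaaa set accounting provider=radius

# Verify the resulting configuration
Get-VpnAuthProtocol    | Format-List UserAuthProtocolAccepted, TunnelAuthProtocolsAdvertised
Get-RemoteAccessRadius | Format-Table ServerName, Purpose, Port, Timeout
```

Run the verification block again after any NPS change; if the accepted protocol list on RRAS and the constraints in the NPS network policy disagree, every client is rejected with a generic authentication error.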

Configuring Remote Access Policies

Network Policy Server (NPS) manages the policies that govern who can connect and under what conditions. Install NPS if not already present:

Install-WindowsFeature NPAS -IncludeManagementTools

Open the NPS console from Server Manager Tools. In NPS, create a new Connection Request Policy and a Network Policy. The Connection Request Policy determines whether requests are authenticated locally or forwarded to a RADIUS server. The Network Policy specifies conditions such as group membership, time of day, and machine authentication requirements, and grants or denies access accordingly. Configure logging to track all authentication attempts:

netsh nps set eventlog accepted=enable rejected=enable

Configuring Routing Protocols

RRAS supports RIP version 2 for dynamic routing in smaller environments. To add RIP, in the RRAS console expand IPv4, right-click General, and add the RIP for Internet Protocol routing protocol. Then right-click RIP and add the interfaces that should participate in RIP. Configure the RIP version, authentication, and update mode for each interface. For environments requiring OSPF, a third-party routing module or a dedicated routing platform is recommended since Windows Server 2019 RRAS OSPF support has been deprecated.

netsh routing ip rip add interface name="Local Area Connection" updatemode=periodic announce=rip2 accept=rip2 authmode=authnone

Monitoring RRAS

Monitor active connections and the state of RRAS interfaces using the console and command-line tools:

netsh ras show client
netsh interface show interface
Get-RemoteAccessConnectionStatistics
Get-RemoteAccessHealth

Review RRAS logs in Event Viewer under Windows Logs > System and Application, filtering for source RemoteAccess. Enable detailed logging for troubleshooting:

netsh ras set tracing * enabled
# Logs are written to C:\Windows\Tracing
netsh ras set tracing * disabled
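The event log filter described above becomes useful for detection once failed logons are summarised per source address, which is what the added example below does (it is not code from the original article). Assumptions: RRAS logs failed attempts as event ID 20271 from provider RemoteAccess in the System log with a message beginning "The user <user> connected from <address> but failed an authentication attempt"; the sample messages are constructed, not captured.

```powershell
# Added example (not from the original article). Summarises failed VPN logon
# attempts per source address so that one address cycling through many accounts
# stands out. Event ID 20271 and the message wording are assumptions; the sample
# messages below are constructed.

function Get-FailedVpnLogons {
    param(
        [string[]]$Messages,
        [int]$Threshold = 5      # failures from one address that warrant a look
    )
    $byAddress = @{}
    foreach ($m in $Messages) {
        if ($m -match 'The user (?<user>\S+) connected from (?<addr>\S+) but failed an authentication attempt') {
            $addr = $Matches['addr']
            if (-not $byAddress.ContainsKey($addr)) {
                $byAddress[$addr] = [System.Collections.Generic.List[string]]::new()
            }
            $byAddress[$addr].Add($Matches['user'])
        }
    }
    foreach ($addr in $byAddress.Keys) {
        $attempts = $byAddress[$addr]
        [pscustomobject]@{
            ClientAddress = $addr
            Failures      = $attempts.Count
            DistinctUsers = @($attempts | Sort-Object -Unique).Count
            Suspicious    = ($attempts.Count -ge $Threshold)
        }
    }
}

# Constructed sample: one address trying five different accounts, one genuine typo
$reason = "due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized."
$sample = @(
    "The user CONTOSO\jdoe connected from 198.51.100.7 but failed an authentication attempt $reason",
    "The user CONTOSO\asmith connected from 198.51.100.7 but failed an authentication attempt $reason",
    "The user CONTOSO\admin connected from 198.51.100.7 but failed an authentication attempt $reason",
    "The user CONTOSO\svc-backup connected from 198.51.100.7 but failed an authentication attempt $reason",
    "The user CONTOSO\mlee connected from 198.51.100.7 but failed an authentication attempt $reason",
    "The user CONTOSO\jdoe connected from 203.0.113.42 but failed an authentication attempt $reason"
)
Get-FailedVpnLogons -Messages $sample | Format-Table -AutoSize
# 198.51.100.7 is reported with Failures 5, DistinctUsers 5, Suspicious True

# Live use on the RRAS server: the last 24 hours of failed attempts
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess'; Id = 20271; StartTime = $since } -ErrorAction SilentlyContinue
Get-FailedVpnLogons -Messages @($events | ForEach-Object Message) | Where-Object Suspicious | Format-Table -AutoSize
```

Schedule the live block and forward its output to whatever collects your other authentication telemetry; the threshold is deliberately a parameter because the right value depends on how many legitimate users share an egress address.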

Troubleshooting Common RRAS Issues

If clients cannot connect, verify the RRAS service is running and that the public firewall allows the required ports. PPTP requires TCP 1723 and IP protocol 47 (GRE). L2TP/IPsec requires UDP 500, UDP 1701, UDP 4500, and IP protocol 50 (ESP). IKEv2 requires UDP 500 and UDP 4500. SSTP requires TCP 443.

Get-Service RemoteAccess | Select-Object Status
netsh advfirewall firewall show rule name="Routing and Remote Access (GRE-In)"
Test-NetConnection -ComputerName vpn.contoso.com -Port 443
Test-NetConnection -ComputerName vpn.contoso.com -Port 1723
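The port list above turns into a repeatable check in the added example below (not code from the original article): the TCP-based tunnels are probed from a client, and on the server the built-in "Routing and Remote Access" inbound rule group is listed so that listeners for tunnel types you do not offer can be closed. vpn.contoso.com is the page's own host name; the $offerPptp flag is an assumption.

```powershell
# Added example (not from the original article). Client-side reachability check for
# the TCP tunnel ports, then a server-side review of the RRAS inbound firewall rules.
# vpn.contoso.com comes from the page; the $offerPptp flag is an assumption.

$vpnHost   = "vpn.contoso.com"
$offerPptp = $false       # set $true only if PPTP clients must still be served

function Test-VpnTcpEndpoints {
    param([string]$HostName)
    # Only SSTP and PPTP listen on TCP; IKEv2 and L2TP/IPsec use UDP 500/4500/1701 plus
    # ESP and GRE, which Test-NetConnection cannot probe and must be checked on the firewall.
    $tcp = [ordered]@{ SSTP = 443; PPTP = 1723 }
    foreach ($name in $tcp.Keys) {
        $r = Test-NetConnection -ComputerName $HostName -Port $tcp[$name] -WarningAction SilentlyContinue
        [pscustomobject]@{ Tunnel = $name; Port = $tcp[$name]; Reachable = $r.TcpTestSucceeded }
    }
}

Test-VpnTcpEndpoints -HostName $vpnHost | Format-Table -AutoSize

# Server side: the rule group that carries the PPTP, GRE and L2TP listeners
$rrasRules = Get-NetFirewallRule -DisplayGroup "Routing and Remote Access" -Direction Inbound -ErrorAction SilentlyContinue
$rrasRules | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort }
} | Format-Table -AutoSize

# PPTP's MPPE/MS-CHAPv2 protection is weak; close its listeners unless it is required
if (-not $offerPptp) {
    $rrasRules | Where-Object { $_.DisplayName -match 'PPTP|GRE' } | Disable-NetFirewallRule
}
```

A tunnel that shows Reachable True here but still fails to connect is usually an authentication or certificate problem rather than a firewall one, which points you back to the NPS event log rather than the perimeter.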

Windows Server 2019 RRAS provides a versatile, software-based routing and remote access platform that integrates tightly with Active Directory and NPS, making it a cost-effective choice for organizations that need routing, NAT, and VPN functionality without dedicated hardware appliances.