How to Set Up Windows Server 2019 RAS Gateway

The Remote Access Service (RAS) Gateway in Windows Server 2019 is a software-based router and gateway designed for cloud service providers and enterprises that host multi-tenant virtual networks using Hyper-V Network Virtualization. It provides site-to-site VPN, point-to-site VPN, and GRE tunneling capabilities, enabling connectivity between virtual and physical networks. This guide walks through the complete process of deploying and configuring a RAS Gateway in a Windows Server 2019 environment.

Prerequisites

Before deploying the RAS Gateway, ensure your environment meets the following requirements. You need at least two network adapters: one connected to the external network and one connected to the internal Hyper-V virtual switch. The server must be running Windows Server 2019 Standard or Datacenter edition. You should also have administrative credentials and access to Windows Admin Center or PowerShell remoting. Network Virtualization using Generic Routing Encapsulation (NVGRE) or Virtual Extensible LAN (VXLAN) should be planned in advance.

Installing the Remote Access Role

The first step is installing the Remote Access server role along with the RAS Gateway sub-component. Open an elevated PowerShell session and run the following command to install the required components:

Install-WindowsFeature RemoteAccess -IncludeAllSubFeature -IncludeManagementTools

This installs the full Remote Access role including DirectAccess, VPN, Routing, and the Web Application Proxy. After installation completes, verify the role was installed successfully:

Get-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN | Select Name, InstallState

Configuring the RAS Gateway for Multi-Tenant Mode

Windows Server 2019 supports RAS Gateway in multi-tenant mode, which is specifically designed for hosting environments where multiple tenants share the same physical infrastructure. Enable multi-tenancy using the following PowerShell command:

Install-RemoteAccess -MultiTenancy

Once multi-tenancy is enabled, configure the gateway for the specific tenant. Each tenant is identified by its routing domain. Add a site-to-site interface in the routing domain of a tenant named Contoso:

# The secret is single-quoted so PowerShell does not expand $ecure123 as a variable
Add-VpnS2SInterface -Name "Contoso_GW" `
    -RoutingDomain "Contoso" `
    -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly `
    -SharedSecret 'C0nt0so$ecure123' `
    -Destination "203.0.113.10" `
    -IPv4Subnet "192.168.1.0/24:100"

Setting Up Site-to-Site VPN

The RAS Gateway supports IKEv2-based site-to-site VPN connections. This is commonly used to connect on-premises branch offices to datacenter networks. Configure the S2S interface for an IKEv2 connection. First, identify the external IP address of both gateways, then establish the connection configuration:

Add-VpnS2SInterface `
    -Name "Branch_Office_VPN" `
    -Protocol IKEv2 `
    -Destination "198.51.100.5" `
    -AuthenticationMethod PSKOnly `
    -SharedSecret "Br@nchS3cret456" `
    -IPv4Subnet "10.10.0.0/16:10","10.20.0.0/16:10" `
    -PassThru

After adding the interface, bring the connection online:

Connect-VpnS2SInterface -Name "Branch_Office_VPN"

Verify the connection status:

Get-VpnS2SInterface -Name "Branch_Office_VPN" | Select Name, ConnectionState, IPv4Subnet
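
The two Add-VpnS2SInterface commands on this page (Contoso_GW and Branch_Office_VPN) embed the pre-shared key as a literal, which leaves it in scripts and command history. The following is an added example, not part of the original guide, that generates the key from the system CSPRNG and passes it as a variable; New-IkePsk and the $pskFile path are hypothetical names.

```powershell
# Added example. New-IkePsk and $pskFile are hypothetical names.
function New-IkePsk {
    param([ValidateRange(16, 64)][int]$Bytes = 32)
    $buffer = [byte[]]::new($Bytes)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    # Base64 uses only A-Z, a-z, 0-9, +, / and =, so the result contains no
    # '$' or backtick that PowerShell could reinterpret inside a string.
    [Convert]::ToBase64String($buffer)
}

$psk = New-IkePsk                     # 32 random bytes = 256 bits

# Keep a copy for configuring the remote gateway. Export-Clixml stores a
# SecureString encrypted with DPAPI, readable only by this user on this host.
$pskFile = Join-Path $env:USERPROFILE 'Branch_Office_VPN.psk.xml'   # hypothetical path
ConvertTo-SecureString $psk -AsPlainText -Force | Export-Clixml -Path $pskFile

# Same parameters as the Branch_Office_VPN command on this page, with the
# literal secret replaced by the generated value.
Add-VpnS2SInterface `
    -Name "Branch_Office_VPN" `
    -Protocol IKEv2 `
    -Destination "198.51.100.5" `
    -AuthenticationMethod PSKOnly `
    -SharedSecret $psk `
    -IPv4Subnet "10.10.0.0/16:10","10.20.0.0/16:10" `
    -PassThru

Remove-Variable psk                   # drop the plaintext copy from the session

# Later, to read the value back when configuring the peer:
# [System.Net.NetworkCredential]::new('', (Import-Clixml $pskFile)).Password
```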

Configuring BGP on the RAS Gateway

RAS Gateway integrates with Border Gateway Protocol for dynamic route exchange with remote peers. Enable BGP on the gateway and add the router configuration:

Add-BgpRouter `
    -BgpIdentifier "10.0.0.1" `
    -LocalASN 65001 `
    -RoutingDomain "Contoso" `
    -PassThru

Add a BGP peer to exchange routes with the tenant’s remote network:

Add-BgpPeer `
    -Name "Contoso_Peer" `
    -LocalIPAddress "10.0.0.1" `
    -PeerIPAddress "10.0.0.2" `
    -LocalASN 65001 `
    -PeerASN 65002 `
    -RoutingDomain "Contoso"

Configuring NAT on the RAS Gateway

For tenants that require Network Address Translation, the RAS Gateway can act as a NAT device. Configure NAT for the tenant network:

Add-NetNat -Name "ContosoNAT" -InternalIPInterfaceAddressPrefix "192.168.1.0/24"

Add external NAT port mappings as required by the tenant applications:

Add-NetNatStaticMapping `
    -NatName "ContosoNAT" `
    -Protocol TCP `
    -ExternalIPAddress "0.0.0.0" `
    -ExternalPort 443 `
    -InternalIPAddress "192.168.1.50" `
    -InternalPort 443

Monitoring and Verifying the RAS Gateway

After configuration, use the following commands to monitor RAS Gateway status and connected sessions:

Get-RemoteAccessConnectionStatistics
Get-VpnS2SInterface | Select Name, ConnectionState, Destination, Protocol
Get-BgpRouter -RoutingDomain "Contoso"
Get-BgpPeer -RoutingDomain "Contoso"
Get-BgpRouteInformation -RoutingDomain "Contoso"

To view event logs for the Remote Access service and diagnose connection issues:

Get-WinEvent -LogName "Microsoft-Windows-RemoteAccess-MgmtClient/Operational" -MaxEvents 50 | Format-List TimeCreated, Message
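
The checks behind the monitoring commands above, combined into one pass over the objects this guide creates, as an added example that is not part of the original guide. Test-RasGatewayState is a hypothetical helper name; the property names (ConnectionState, ConnectivityStatus, PeerName, ExternalIPAddress) are those returned by the in-box cmdlets, and the Contoso routing domain comes from this page.

```powershell
# Added example. Test-RasGatewayState is a hypothetical helper, not a RemoteAccess cmdlet.
function Test-RasGatewayState {
    param([string]$RoutingDomain = 'Contoso')   # tenant name used on this page

    # Small constructor so every finding has the same shape.
    function New-Finding($Check, $Object, $Detail) {
        [pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail }
    }

    # 1. Site-to-site tunnels that are not established.
    foreach ($s2s in (Get-VpnS2SInterface)) {
        if ("$($s2s.ConnectionState)" -ne 'Connected') {
            New-Finding 'S2S tunnel not connected' $s2s.Name `
                "state=$($s2s.ConnectionState) destination=$($s2s.Destination)"
        }
    }

    # 2. BGP peers of the tenant whose session is not up, so no routes are exchanged.
    foreach ($peer in (Get-BgpPeer -RoutingDomain $RoutingDomain)) {
        if ("$($peer.ConnectivityStatus)" -ne 'Connected') {
            New-Finding 'BGP peer not connected' $peer.PeerName `
                "status=$($peer.ConnectivityStatus) peer=$($peer.PeerIPAddress) asn=$($peer.PeerASN)"
        }
    }

    # 3. Static NAT mappings published on every external address (0.0.0.0),
    #    as in the ContosoNAT mapping on this page; review whether each one
    #    should be bound to a single external IP instead.
    foreach ($map in (Get-NetNatStaticMapping)) {
        if ("$($map.ExternalIPAddress)" -eq '0.0.0.0') {
            New-Finding 'NAT mapping on wildcard external address' $map.NatName `
                "$($map.Protocol) :$($map.ExternalPort) -> $($map.InternalIPAddress):$($map.InternalPort)"
        }
    }
}

# An empty result means none of the three conditions was found.
Test-RasGatewayState -RoutingDomain 'Contoso' | Format-Table -AutoSize -Wrap
```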

High Availability Configuration

For production deployments, configure RAS Gateway in a redundant pool using Windows Server Software Defined Networking (SDN). Add multiple gateway VMs to a pool so that failover occurs automatically when a gateway fails. In an SDN environment managed by System Center Virtual Machine Manager or Windows Admin Center, you can define gateway pools and assign bandwidth policies per tenant. Verify the gateway pool status:

Get-NetworkControllerGatewayPool -ConnectionUri https://nc.contoso.com

The RAS Gateway is a powerful component of the Windows Server 2019 SDN stack. Proper planning of IP addressing, ASN assignments, and tenant isolation ensures a stable and scalable multi-tenant network environment. Regularly review BGP peer states and VPN tunnel statistics to proactively address any connectivity issues before they affect tenant workloads.