How to Configure Windows Server 2016 RAS Gateway

The Remote Access Service (RAS) Gateway in Windows Server 2016 is a software-based, multitenant-capable router and gateway designed for use in Software Defined Networking (SDN) environments. It supports site-to-site VPN, point-to-site VPN, BGP routing, and GRE tunneling. RAS Gateway is particularly important in cloud and datacenter environments where network virtualization using Hyper-V Network Virtualization (HNV) is deployed. It enables tenant virtual networks to communicate with external networks or with other tenant virtual networks through policy-based routing.

Windows Server 2016 introduces significant improvements to RAS Gateway, including multi-site redundancy, enhanced BGP support, and tight integration with the Network Controller component of SDN. This guide walks through setting up a standalone RAS Gateway for site-to-site connectivity.

Prerequisites

Before configuring RAS Gateway, you need: Windows Server 2016 installed with at least two network adapters (one for the internal/private network and one for the external/public-facing network), the Remote Access role available for installation, a valid external IP address for VPN termination, and the necessary firewall ports open (UDP 500 and 4500 for IKEv2, TCP/UDP 1723 for PPTP, or UDP 1194 for OpenVPN-based setups).

Step 1: Install the Remote Access Role

Open PowerShell as an Administrator and install the Remote Access role with the required role services:

Install-WindowsFeature RemoteAccess -IncludeManagementTools

For RAS Gateway functionality including routing and VPN:

Install-WindowsFeature DirectAccess-VPN, Routing -IncludeManagementTools

After installation, restart the server if prompted:

Restart-Computer

Step 2: Configure Remote Access

After the role is installed, open the Routing and Remote Access console by running:

rrasmgmt.msc

Right-click on the server name in the console and select “Configure and Enable Routing and Remote Access”. The setup wizard will launch. Select “Custom configuration” and check “VPN access” and “LAN routing”. Click Next and then Finish to complete the wizard, then start the Routing and Remote Access service when prompted.

Step 3: Configure a Site-to-Site VPN Connection

To create a site-to-site VPN demand-dial interface, right-click “Network Interfaces” in the RRAS console and select “New Demand-dial Interface”. Follow the wizard to specify the remote site IP address, connection type (IKEv2 is recommended for Windows Server 2016), and shared secret or certificate credentials.

Alternatively, use PowerShell to add a VPN connection:

Add-VpnS2SInterface -Name "SiteB" -Destination 203.0.113.50 -Protocol IKEv2 -AuthenticationMethod PSKOnly -SharedSecret "YourSecretKey123!" -IPv4Subnet @("10.20.0.0/24:100")

Step 4: Enable BGP on the RAS Gateway

Windows Server 2016 RAS Gateway supports Border Gateway Protocol for dynamic route exchange. To enable BGP on the RRAS instance:

Add-BgpRouter -BgpIdentifier 10.0.0.1 -LocalASN 65001

Add a BGP peer representing the remote site gateway:

Add-BgpPeer -Name "RemotePeer" -LocalIPAddress 10.0.0.1 -PeerIPAddress 10.20.0.1 -PeerASN 65002 -OperationMode Mixed

Step 5: Verify the Gateway Configuration

Check the status of the VPN interfaces to confirm they are connected:

Get-VpnS2SInterface

Verify BGP peers and their state:

Get-BgpPeer

Check the routing table to confirm routes are being exchanged:

Get-BgpRouteInformation

Step 6: Configure Firewall Rules

Ensure the Windows Firewall allows the necessary traffic for the VPN protocol being used. For IKEv2, the following ports must be open:

netsh advfirewall firewall add rule name="IKEv2 VPN UDP 500" protocol=UDP dir=in localport=500 action=allow
netsh advfirewall firewall add rule name="IKEv2 VPN UDP 4500" protocol=UDP dir=in localport=4500 action=allow
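
The tunnel from Step 3 and the firewall rules from Step 6 can also be set up without writing the pre-shared key into a script and without opening the IKE ports to every source address. The script below is an added example, not part of the original guide; it reuses the guide's sample name, peer address and subnet, while the variable names, the rule display names and the 20-character minimum key length are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Addresses and names mirror the guide's sample values.
$PeerName   = 'SiteB'
$PeerIp     = '203.0.113.50'      # remote gateway from Step 3
$PeerSubnet = '10.20.0.0/24:100'  # remote subnet and route metric from Step 3
$MinPskLen  = 20                  # assumed local policy, not a Windows limit

# Prompt for the key so it is not stored in a script file or command history.
$secure = Read-Host -Prompt "Pre-shared key for $PeerName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    # Add-VpnS2SInterface takes the secret as a plain string, so convert it
    # only for the duration of the call.
    $psk = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    if ($psk.Length -lt $MinPskLen) {
        throw "Pre-shared key is shorter than $MinPskLen characters."
    }
    Add-VpnS2SInterface -Name $PeerName -Destination $PeerIp -Protocol IKEv2 `
        -AuthenticationMethod PSKOnly -SharedSecret $psk `
        -IPv4Subnet @($PeerSubnet)
}
finally {
    # Zero the unmanaged copy and drop the reference to the managed string.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name psk -ErrorAction SilentlyContinue
}

# Allow IKE (UDP 500) and NAT traversal (UDP 4500) from the known peer only.
foreach ($port in 500, 4500) {
    New-NetFirewallRule -DisplayName "IKEv2 from $PeerName UDP $port" `
        -Direction Inbound -Protocol UDP -LocalPort $port `
        -RemoteAddress $PeerIp -Action Allow | Out-Null
}

# Report the tunnel state, as in Step 5.
$tunnel = Get-VpnS2SInterface -Name $PeerName
if ($tunnel.ConnectionState -eq 'Connected') {
    Write-Output "$PeerName tunnel is connected."
} else {
    Write-Warning "$PeerName tunnel state: $($tunnel.ConnectionState)"
}
```

Windows Firewall allow rules are additive, so if the any-source rules shown above already exist, remove them or the peer-scoped rules have no restricting effect.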

Step 7: Enable Multitenant Mode for SDN

In a full SDN deployment, RAS Gateway operates in multitenant mode to support multiple tenants on shared infrastructure. Enable multitenant mode with:

# Multitenancy is selected when the Remote Access role is configured
Install-RemoteAccess -MultiTenancy

This enables the gateway to handle multiple routing domains simultaneously, essential for cloud service provider deployments and enterprise SDN environments. Each tenant is isolated in its own virtual routing and forwarding (VRF) domain.

Troubleshooting

If the VPN tunnel does not establish, review the RRAS event logs in Event Viewer. Common issues include mismatched pre-shared keys, incompatible IKE proposals, or a firewall blocking the required ports. Use the following to check the RRAS service status:

Get-Service RemoteAccess

Review connection statistics for active tunnels:

Get-RemoteAccessConnectionStatistics

Windows Server 2016 RAS Gateway is a flexible and powerful solution for both traditional site-to-site VPN connectivity and modern SDN deployments, offering BGP support, multitenancy, and deep integration with the broader Microsoft networking stack.