How to Set Up an Advanced RAS Gateway Configuration on Windows Server 2016

The Remote Access Service (RAS) Gateway in Windows Server 2016 is a software-based, multitenant, Border Gateway Protocol (BGP)-capable router designed for cloud service providers (CSPs) and enterprises hosting multiple tenant virtual networks. The RAS Gateway advanced configuration allows you to go beyond basic VPN connectivity and take advantage of dynamic routing, high availability, and multi-site capabilities that are essential in modern software-defined networking (SDN) environments.

This tutorial walks through the process of setting up an advanced RAS Gateway configuration on Windows Server 2016, including enabling the Remote Access role, configuring multitenant mode, and integrating it with your SDN infrastructure.

Prerequisites

Before beginning, ensure you have the following in place:

A Windows Server 2016 server with at least two network interfaces — one for management and one for external/WAN connectivity. The server must have sufficient RAM (at least 8 GB recommended) and be joined to your domain. You will also need administrative credentials and access to the SDN Network Controller if deploying in a full SDN stack.

Step 1 — Install the Remote Access Role

Open PowerShell as Administrator and run the following command to install the Remote Access role along with the RAS Gateway and BGP components:

Install-WindowsFeature RemoteAccess -IncludeAllSubFeature -IncludeManagementTools

After installation completes, verify the features are installed:

Get-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN

Step 2 — Configure RAS Gateway in Multitenant Mode

In Windows Server 2016, RAS Gateway supports multitenant mode, which allows a single gateway to serve multiple tenant virtual networks simultaneously. Enable multitenant mode using the following command:

Install-RemoteAccess -MultiTenancy

This configures the server to act as a multitenant gateway capable of routing traffic for multiple virtual networks using isolation provided by NVGRE or VXLAN encapsulation.

Step 3 — Add a VPN Interface for a Tenant

Once multitenant mode is active, you can add site-to-site VPN connections for individual tenants. Each tenant gets its own logical interface. Use the following to add a tenant VPN interface:

Add-VpnS2SInterface `
  -Name "Tenant1-VPN" `
  -Destination "203.0.113.10" `
  -Protocol IKEv2 `
  -AuthenticationMethod PSKOnly `
  -SharedSecret "YourSharedSecretHere" `
  -IPv4Subnet "10.1.0.0/24:100" `
  -Persistent

Replace the destination IP, shared secret, and subnet values with those specific to your tenant environment.
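
The Step 3 command with two changes, as an added example that is not part of the original tutorial: the pre-shared key is prompted for instead of being typed into the command, and the IKE/IPsec algorithms are pinned with -CustomPolicy. The interface name, destination and subnet are the tutorial's sample values; the 32-character minimum and the algorithm choices are assumptions to match against what the remote device supports.

```powershell
# Added example, not the tutorial's own code.
$ErrorActionPreference = 'Stop'

# Prompting keeps the key out of the script file and out of command history.
$secure = Read-Host -Prompt 'Pre-shared key for Tenant1-VPN' -AsSecureString
if ($secure.Length -lt 32) {
    throw 'Use a randomly generated pre-shared key of at least 32 characters.'
}

# Add-VpnS2SInterface takes -SharedSecret as a plain string, so the
# SecureString is decrypted only for the duration of the call.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $psk = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    # The cmdlet also accepts -RoutingDomain to scope the interface to one
    # tenant; the tutorial's command omits it, so it is omitted here.
    Add-VpnS2SInterface `
        -Name 'Tenant1-VPN' `
        -Destination '203.0.113.10' `
        -Protocol IKEv2 `
        -AuthenticationMethod PSKOnly `
        -SharedSecret $psk `
        -IPv4Subnet '10.1.0.0/24:100' `
        -Persistent `
        -CustomPolicy `
        -EncryptionMethod AES256 `
        -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 `
        -CipherTransformConstants AES256 `
        -AuthenticationTransformConstants SHA256128 `
        -PfsGroup PFS2048
}
finally {
    # Wipe the unmanaged copy and drop the plain-text variable.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable psk -ErrorAction SilentlyContinue
}

Get-VpnS2SInterface -Name 'Tenant1-VPN' |
    Select-Object Name, Destination, Protocol, ConnectionState
```

The remote endpoint has to offer the same algorithm set, otherwise IKE negotiation fails and the interface stays disconnected.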

Step 4 — Enable BGP on the RAS Gateway

To enable dynamic routing via BGP, configure the BGP router on the gateway. This is essential for exchanging routing information with tenant networks and remote sites:

Add-BgpRouter -BgpIdentifier "192.168.100.1" -LocalASN 65001

Then add a BGP peer for the tenant network:

Add-BgpPeer `
  -Name "Tenant1-Peer" `
  -LocalIPAddress "192.168.100.1" `
  -PeerIPAddress "192.168.100.2" `
  -PeerASN 65002 `
  -OperationMode Mixed `
  -PeeringMode Automatic

Step 5 — Configure High Availability with Gateway Pools

For production deployments, configure multiple RAS Gateway VMs in a pool to provide redundancy. The Network Controller manages the pool and can automatically fail over traffic if a gateway becomes unavailable. Register the gateway with the Network Controller REST endpoint:

$uri = "https://nc.contoso.com"
$credential = Get-Credential
Install-NetworkControllerOnRas -RestUri $uri -Credential $credential

Step 6 — Verify Gateway Status

After configuration, verify the VPN interface and BGP status:

Get-VpnS2SInterface
Get-BgpRouter
Get-BgpPeer

Check that all interfaces are in a Connected state and that BGP peers show as Established.

Step 7 — Monitor and Troubleshoot

Use the following commands to monitor active connections and troubleshoot any issues with the RAS Gateway:

Get-RemoteAccessConnectionStatistics
Get-BgpRouteInformation -Type All

Event logs related to RAS Gateway activity can be found in Event Viewer under Applications and Services Logs > Microsoft > Windows > RemoteAccess. Look for error codes related to IKE negotiation failures or authentication problems if connections are not establishing correctly.

Best Practices

When operating RAS Gateway in advanced configurations, always use dedicated NICs for data plane traffic to avoid contention with management traffic. Ensure firewall rules on perimeter devices allow UDP 500 and UDP 4500 for IKEv2 VPN negotiation. Regularly rotate pre-shared keys for tenant VPN connections and document the ASN allocations for BGP peers to avoid conflicts across tenants.
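
One way to carry out the key rotation recommended above, as an added example that is not part of the original tutorial: it generates a new key from the operating system's random number generator and applies it with Set-VpnS2SInterface. The interface name is the tutorial's sample value; the key length and the handoff file path are assumptions.

```powershell
# Added example, not the tutorial's own code.
$ErrorActionPreference = 'Stop'
$name    = 'Tenant1-VPN'                          # tutorial's sample interface
$handoff = "$env:USERPROFILE\$name-psk.clixml"    # assumed path for the new key

# With ErrorActionPreference = Stop, a missing interface ends the script
# here, before any key is generated or changed.
$null = Get-VpnS2SInterface -Name $name

# 32 bytes from the OS CSPRNG, hex-encoded to a 64-character key that
# contains no characters a peer device might reject.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Keep a DPAPI-protected copy, readable only by this user on this host,
# so the key can be retrieved for whoever configures the remote peer.
ConvertTo-SecureString $psk -AsPlainText -Force |
    Export-Clixml -Path $handoff

Set-VpnS2SInterface -Name $name -SharedSecret $psk
Remove-Variable psk, bytes

# The tunnel authenticates again only once the remote side has the same key.
Get-VpnS2SInterface -Name $name |
    Select-Object Name, Destination, ConnectionState
```

Delete the handoff file once the remote side has been updated and the interface reports Connected again.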

For maximum availability, deploy at least two gateway VMs in each gateway pool and configure the Network Controller to balance connections across them. Monitor gateway memory and CPU usage regularly, as high tenant counts can significantly increase resource consumption.

Conclusion

Setting up an advanced RAS Gateway on Windows Server 2016 provides a robust, multitenant-capable routing and VPN platform suitable for both enterprise and cloud service provider environments. By combining multitenant mode, BGP dynamic routing, and integration with the SDN Network Controller, you can build a flexible and resilient network gateway layer that scales with your organisation’s needs. The steps covered in this tutorial give you the foundation to deploy and manage RAS Gateway in production-grade SDN deployments.