This is the fifth part of the Availability Anywhere series. For your convenience you can find other parts in the table of contents in Part 1 – Connecting to SSH tunnel automatically in Windows

Today I include some various notes around remote connectivity which I was fixing over the years. Nothing new here, things you can easily find on the Internet. This is mostly dump of my Evernote.

How to configure VPN in Windows Server 2012 (for Azure)

Based mostly on Stack Overflow answer

Server Role

1. Click on Server Manager -> Manage -> "Add Roles and Features"
2. Add “Remote Access”, include VPN and Routing (needed for NAT) role services and restart
3. Click on Server Manager -> Notifications -> "Open the Getting Started Wizard"
4. Select “Deploy VPN only”

Server Certificate

1. Open an elevated CMD prompt
2. Use SelfSSL (IIS6 Resource Kit, custom install only this component) to generate an SSL certificate for the SSTP:

selfssl.exe /N:cn=CN/V:3650

1	selfssl.exe /N:cn=CN/V:3650

(3650 == 10 years, “CN” represents the fully-qualified domain name, FQDN)
3. Confirm prompt with “y”, ignore metabase error (if it appears)
4. Run mmc.exe, add snap-in for Certificates -> Computer account
5. Click on Personal -> Certificates
6. Right-click on the CN certificate, then on All Tasks -> Export, include private keys and protect with password

Server RRAS

1. Run Routing and Remote Access (RRAS) tool
2. Right-click on the server and then on “Configure and Enable RRAS”
3. Choose “Custom configuration”, select “VPN access” and NAT
4. Right-click on the server and then on Properties -> Security
5. Select the CN certificate
6. Click on the IPv4 tab
7. Enter a “Static address pool” for the number of clients, e.g.: 192.168.1.1 – 192.168.1.20 (otherwise the connection will fail with error 720), then close the dialog
8. Don’t enter a range that is too short. The OS keeps a lock on a used IP address for a while, so reconnecting often or from multiple devices may use up the pool and the connection will fail with error 0x8007274C
9. Expand the IPv4 node, then right-click on NAT, then on “New Interface”, select the external interface (e.g. “Ethernet 2”)
10. Click on “Public interface connected to the Internet” and check “Enable NAT on this interface”

Server User

1. Open “Computer Management” console
2. Click on “Local Users and Groups”, then on Users, double click on your account
3. Click on Dial-in and change “Network Access Permission” to “Allow access”

Client Certificate

1. Install exported server certificate to client’s “Local Machine” store
2. Click on “Place all certificates in the following store”, then on Browse
3. Select “Trusted Root Certificate Authorities”, if you store the certificate in the personal store, the connection will fail with error 0x800B0109

Client Connection

1. Go to Network and Sharing Center, click on “Setup a new connection or network”
2. Select “Connect to a workplace”, then VPN
3. Enter CN, name and create
4. Click on Network tray icon
5. Right-click on new VPN connection, then show properties
6. Click on Security, set VPN type to SSTP and allow only MS-CHAP v2
7. Connect using same credentials used to create the VM and for RDP
8. Test your internet connectivity
9. Use a web site that shows your external IP, it should be an IP from the Azure datacenter

Make sure to unblock ports 1701 (L2TP UDP), 500 (IPsec UDP) and 4500 (IKEv2 UDP).

L2TP over IPsec

1. On the Server, open the “Windows Firewall with Advanced Security”, create a rule called IKEv2 and allow inbound traffic to UDP port 4500 (otherwise the connection will fail with error 809)
2. Using the RRAS tool, right-click on the server and then on Properties -> Security
3. Check “Allow custom IPsec policy for L2TP/IKEv2 connection” and enter a preshared key
4. On the client, right-click on new VPN connection, then show properties
5. Click on Security, then on click on “Advanced settings” and enter the same preshared key

Fix for Windows 7 L2TP

Add to registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule as DWORD with value 2.

Fix for Windows XP L2TP

Add to registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec as DWORD with value 2.

Split tunneling

On client machine disable using default gateway in remote network (in connection settings). Or with PS

Set-VpnConnection -Name vpn-connection-name -SplitTunneling $true

1	Set-VpnConnection -Name vpn-connection-name -SplitTunneling $true

Or using rasdial settings — go to c:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk and change IpPrioritizeRemote parameter. If you configured connection as for user only (not for global machine), rasphone.pbk will be somewhere in Appdata.

Port forwarding on server

netsh interface portproxy add v4tov4 listenport=12345 connectport=443 connectaddress=192.168.1.1

1	netsh interface portproxy add v4tov4 listenport=12345 connectport=443 connectaddress=192.168.1.1

Fixing FTP on server

Disable Application Level Gateway service otherwise you won’t be able to connect to FTP with split tunneling enabled.

Fixing error 812 – the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile

Open the routing and remote access management console.
Right-click on “Remote Access Logging and Policies” then click on Launch NPS.
Click on “Network Policies” in the left pane Right click on the “Connections to Microsoft Routing and Remote Access server” policy in the right pane and select properties.
Change from “Deny Access” to “Grant Access” on the radio buttons in the middle.
Hit Apply.

Logs

See in C:\windows\system32\logfiles

Configuring RemoteApp Terminal Services

Use RemoteApp Tool

Just make sure to fix full address:s: and alternate full address:s: in generated RDP file (replace hostname with IP address used over VPN).

Configuring firewall for most useful ports

Open those ports for outgoing connections on the client (I open both UDP and TCP):

22 SSH
47 GRE
53 DNS
67 DHCP
68 DHCP
80 HTTP
443 HTTPS
500 IPSEC
554 AirPlay
1701 L2TP
3389 MSTSC
4500 IKEv2
5289 Bonjour
5353 Bonjour/AirPlay
49159 Bonjour/AirPlay
49163 Bonjour/AirPlay
53319 MSTSC

22 SSH

47 GRE

53 DNS

67 DHCP

68 DHCP

80 HTTP

443 HTTPS

500 IPSEC

554 AirPlay

1701 L2TP

3389 MSTSC

4500 IKEv2

5289 Bonjour

5353 Bonjour/AirPlay

49159 Bonjour/AirPlay

49163 Bonjour/AirPlay

53319 MSTSC

Range rule is:

1-21, 23-46, 48-52, 54-66, 69-79, 81-442, 444-499, 501-553, 555-1700, 1702-3388, 3390-4499, 4501-5288, 5290-5352, 5354-7235, 7237-7249, 7251-49158, 49160-49162, 49164-53318, 53320-65535

1	1-21, 23-46, 48-52, 54-66, 69-79, 81-442, 444-499, 501-553, 555-1700, 1702-3388, 3390-4499, 4501-5288, 5290-5352, 5354-7235, 7237-7249, 7251-49158, 49160-49162, 49164-53318, 53320-65535

Bonjour/AirPlay may be for Miracast as well (I’m not sure which are used exactly).

OpenSSH configuration

Use Win32-OpenSSH.

Changing network profile to private

To change the network type please do the following:
Hit Winkey + R to open Run prompt and type gpedit.msc
Navigate to: Computer Configuration | Windows Settings | Security Setting | Network List Manager Policies
Choose your Network name from the right pane. In my case network name was Network 2
Go to Network Location tab and change the Location type from Not configured to Private.

Or via registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Category 0 means public, 1 means private, 2 means domain. Also add CategoryType and set it to 0.

Multiple RDP sessions

Go to HKLM\System\CurrentControlSet\Control\Terminal Server\ and set

fDenyTSConnections (DWORD) = 0
fSingleSessionPerUser (DWORD) = 0

1 2	fDenyTSConnections (DWORD) = 0 fSingleSessionPerUser (DWORD) = 0

Installing RDP client in CentOS

yumdownloader rdesktop
rpm2cpio rdesktop... | cpio -id

1 2	yumdownloader rdesktop rpm2cpio rdesktop... \| cpio -id