This is the fifth part of the Availability Anywhere series. For your convenience, you can find the other parts in the table of contents in Part 1 – Connecting to SSH tunnel automatically in Windows.
Today I include various notes about remote connectivity which I have been fixing over the years. Nothing new here, things you can easily find on the Internet. This is mostly a dump of my Evernote.
How to configure VPN in Windows Server 2012 (for Azure)
Based mostly on a Stack Overflow answer.
1. Click on Server Manager -> Manage -> “Add Roles and Features”
2. Add “Remote Access”, include the VPN and Routing (needed for NAT) role services and restart
3. Click on Server Manager -> Notifications -> “Open the Getting Started Wizard”
4. Select “Deploy VPN only”
1. Open an elevated CMD prompt
2. Use SelfSSL (IIS6 Resource Kit, custom install selecting only this component) to generate an SSL certificate for SSTP:
(3650 == 10 years; “CN” represents the fully-qualified domain name, FQDN)
3. Confirm prompt with “y”, ignore metabase error (if it appears)
4. Run mmc.exe, add snap-in for Certificates -> Computer account
5. Click on Personal -> Certificates
6. Right-click on the CN certificate, then on All Tasks -> Export; include the private key and protect it with a password
1. Run Routing and Remote Access (RRAS) tool
2. Right-click on the server and then on “Configure and Enable RRAS”
3. Choose “Custom configuration”, select “VPN access” and NAT
4. Right-click on the server and then on Properties -> Security
5. Select the CN certificate
6. Click on the IPv4 tab
7. Enter a “Static address pool” for the number of clients, e.g.: 192.168.1.1 – 192.168.1.20 (otherwise the connection will fail with error 720), then close the dialog
8. Don’t enter a range that is too short. The OS keeps a lock on a used IP address for a while, so reconnecting often or from multiple devices may use up the pool and the connection will fail with error 0x8007274C
9. Expand the IPv4 node, then right-click on NAT, then on “New Interface”, select the external interface (e.g. “Ethernet 2”)
10. Click on “Public interface connected to the Internet” and check “Enable NAT on this interface”
1. Open “Computer Management” console
2. Click on “Local Users and Groups”, then on Users, double click on your account
3. Click on Dial-in and change “Network Access Permission” to “Allow access”
1. Install exported server certificate to client’s “Local Machine” store
2. Click on “Place all certificates in the following store”, then on Browse
3. Select “Trusted Root Certificate Authorities”; if you store the certificate in the Personal store instead, the connection will fail with error 0x800B0109
1. Go to Network and Sharing Center, click on “Setup a new connection or network”
2. Select “Connect to a workplace”, then VPN
3. Enter CN, name and create
4. Click on Network tray icon
5. Right-click on new VPN connection, then show properties
6. Click on Security, set VPN type to SSTP and allow only MS-CHAP v2
7. Connect using the same credentials used to create the VM and for RDP
8. Test your internet connectivity
9. Use a web site that shows your external IP, it should be an IP from the Azure datacenter
Make sure to unblock ports 1701 (L2TP UDP), 500 (IPsec UDP) and 4500 (IKEv2 UDP).
L2TP over IPsec
1. On the Server, open the “Windows Firewall with Advanced Security”, create a rule called IKEv2 and allow inbound traffic to UDP port 4500 (otherwise the connection will fail with error 809)
2. Using the RRAS tool, right-click on the server and then on Properties -> Security
3. Check “Allow custom IPsec policy for L2TP/IKEv2 connection” and enter a preshared key
4. On the client, right-click on new VPN connection, then show properties
5. Click on Security, then on “Advanced settings”, and enter the same preshared key
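The server-side firewall step above, done from PowerShell instead of the firewall console. This is an added example, not part of the original notes: the ports are the ones listed above (UDP 500, 1701 and 4500) and the rule display names are my own.

```powershell
# Added example: inbound firewall rules on the RRAS server for L2TP/IPsec.
# Ports are the ones the notes list; display names are arbitrary placeholders.
$L2tpPorts = @{
    'IKE'         = 500    # IPsec key exchange
    'L2TP'        = 1701   # L2TP control channel
    'IKEv2 NAT-T' = 4500   # IPsec NAT traversal; without it the client gets error 809
}
foreach ($entry in $L2tpPorts.GetEnumerator()) {
    $ruleName = "VPN $($entry.Key) UDP $($entry.Value)"
    # Idempotent: only create a rule if one with that display name is missing.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol UDP -LocalPort $entry.Value -Action Allow | Out-Null
    }
}
# Verify: list the rules with their protocol/port filters and enabled state.
Get-NetFirewallRule -DisplayName 'VPN *' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    '{0}: {1}/{2} enabled={3}' -f $_.DisplayName, $filter.Protocol, $filter.LocalPort, $_.Enabled
}
```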
Fix for Windows 7 L2TP
Add to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule as a DWORD with value 2.
Fix for Windows XP L2TP
Add to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec as a DWORD with value 2.
On the client machine, disable using the default gateway on the remote network (in the connection settings), or with PowerShell:
Set-VpnConnection -Name vpn-connection-name -SplitTunneling $true
Or using the rasdial settings: go to c:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk and change the IpPrioritizeRemote parameter. If you configured the connection for the current user only (not for the whole machine), rasphone.pbk will be somewhere in AppData.
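The client-side steps above (the SSTP connection with MS-CHAP v2 only, the L2TP/IPsec variant with the preshared key, the split-tunneling setting and the Windows 7 registry fix), done from PowerShell instead of the wizard. This is an added example, not code from the original post; the server name, connection name and preshared-key prompt are placeholders.

```powershell
# Added example: create the VPN connections described above from PowerShell.
# $Server is the certificate CN (FQDN) and $Name is the connection name;
# both are placeholders to replace with your own values.
$Server = 'vpn.example.com'
$Name   = 'Azure VPN'

# SSTP with MS-CHAP v2 only, as on the Security tab above. -SplitTunneling is
# the same setting as unticking "Use default gateway on remote network".
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling -RememberCredential -Force

# L2TP over IPsec variant using the preshared key entered in RRAS
# (Properties -> Security -> "Allow custom IPsec policy for L2TP/IKEv2").
$Psk = Read-Host -Prompt 'L2TP preshared key'   # prompted, not hard-coded
Add-VpnConnection -Name "$Name (L2TP)" -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling -Force

# The Windows 7 registry fix listed above for a client behind NAT (the same
# value name is used by later Windows versions); a reboot is needed to apply it.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType DWord -Value 2 -Force | Out-Null

# Confirm the result: TunnelType, AuthenticationMethod and SplitTunneling
# should show the values requested above for both entries.
Get-VpnConnection -Name $Name, "$Name (L2TP)" |
    Format-Table Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```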
Port forwarding on server
netsh interface portproxy add v4tov4 listenport=12345 connectport=443 connectaddress=192.168.1.1
Fixing FTP on server
Application Level Gateway service otherwise you won’t be able to connect to FTP with split tunneling enabled.
Fixing error 812 – the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile
Open the Routing and Remote Access management console.
Right-click on “Remote Access Logging and Policies”, then click on “Launch NPS”.
Click on “Network Policies” in the left pane, right-click on the “Connections to Microsoft Routing and Remote Access server” policy in the right pane and select Properties.
Change the radio button in the middle from “Deny access” to “Grant access”.
Configuring RemoteApp Terminal Services
Use RemoteApp Tool
Just make sure to fix “full address:s:” and “alternate full address:s:” in the generated RDP file (replace the hostname with the IP address used over the VPN).
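An added example (not from the original post or from RemoteApp Tool) that rewrites both address lines of a generated .rdp file in one go; the file path and the 192.168.1.1 address are placeholders for your own file and the server's VPN address.

```powershell
# Added example: point a generated .rdp file at the address reachable over the
# VPN by rewriting "full address:s:" and "alternate full address:s:".
function Set-RdpAddress {
    param(
        [Parameter(Mandatory)][string]$Path,      # the .rdp file to fix
        [Parameter(Mandatory)][string]$Address    # IP address used over the VPN
    )
    $keys = 'full address:s:', 'alternate full address:s:'
    $seen = @{}
    $lines = @(Get-Content -Path $Path | ForEach-Object {
        $line = $_
        foreach ($k in $keys) {
            # -like is case-insensitive; the keys contain no wildcard characters.
            if ($line -like "$k*") { $seen[$k] = $true; $line = $k + $Address }
        }
        $line
    })
    # Append any key the file lacked so that both entries point at the VPN address.
    foreach ($k in $keys) { if (-not $seen[$k]) { $lines += $k + $Address } }
    Set-Content -Path $Path -Value $lines
}
# Placeholders: your generated file and the server's VPN address.
Set-RdpAddress -Path 'C:\RemoteApps\MyApp.rdp' -Address '192.168.1.1'
```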
Configuring firewall for most useful ports
Open those ports for outgoing connections on the client (I open both UDP and TCP). The range rule is:
1-21, 23-46, 48-52, 54-66, 69-79, 81-442, 444-499, 501-553, 555-1700, 1702-3388, 3390-4499, 4501-5288, 5290-5352, 5354-7235, 7237-7249, 7251-49158, 49160-49162, 49164-53318, 53320-65535
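To see exactly which ports the range rule above leaves out, here is an added example (not from the original post) that parses the rule string, lists the gaps, and rebuilds the rule from that list so the two forms can be checked against each other. It also accepts single-port entries such as “80”, which the rule above does not use.

```powershell
# Added example: parse the range rule quoted above and list the ports it
# leaves out, then rebuild the rule string from that list (round trip).
$RangeRule = '1-21, 23-46, 48-52, 54-66, 69-79, 81-442, 444-499, 501-553, ' +
             '555-1700, 1702-3388, 3390-4499, 4501-5288, 5290-5352, 5354-7235, ' +
             '7237-7249, 7251-49158, 49160-49162, 49164-53318, 53320-65535'

function Get-PortsOutsideRule {
    # Returns every port in 1-65535 not covered by an "a-b, c-d, e" style rule.
    param([Parameter(Mandatory)][string]$Rule)
    $covered = New-Object 'System.Collections.Generic.HashSet[int]'
    foreach ($part in ($Rule -split ',')) {
        $ends = @($part.Trim() -split '-' | ForEach-Object { [int]$_ })
        $lo = $ends[0]; $hi = if ($ends.Count -gt 1) { $ends[1] } else { $lo }
        foreach ($p in $lo..$hi) { [void]$covered.Add($p) }
    }
    1..65535 | Where-Object { -not $covered.Contains($_) }
}

function ConvertTo-PortRangeRule {
    # Inverse: the rule string covering 1-65535 except the ports in $Exclude.
    param([Parameter(Mandatory)][int[]]$Exclude)
    $skip = New-Object 'System.Collections.Generic.HashSet[int]'
    foreach ($p in $Exclude) { [void]$skip.Add($p) }
    $ranges = @(); $start = $null
    foreach ($p in 1..65536) {                 # 65536 only flushes the last range
        $blocked = ($p -eq 65536) -or $skip.Contains($p)
        if (-not $blocked -and $null -eq $start) { $start = $p }
        elseif ($blocked -and $null -ne $start) {
            $text = if ($start -eq $p - 1) { "$start" } else { "$start-$($p - 1)" }
            $ranges += $text
            $start = $null
        }
    }
    $ranges -join ', '
}

$excluded = Get-PortsOutsideRule -Rule $RangeRule
"Ports outside the rule: $($excluded -join ', ')"
# Among them are 500, 1701 and 4500 from the L2TP section above and 3389 (RDP).
if ((ConvertTo-PortRangeRule -Exclude $excluded) -eq $RangeRule) { 'round trip OK' }
```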
Bonjour/AirPlay may be for Miracast as well (I’m not sure which are used exactly).
Changing network profile to private
To change the network type, do the following:
Hit Winkey + R to open the Run prompt and type gpedit.msc.
Go to Computer Configuration | Windows Settings | Security Settings | Network List Manager Policies.
Choose your network name in the right pane. In my case the network name was Network 2.
Go to the Network Location tab and change the Location type from Not configured to Private.
Or via registry:
Category 0 means public, 1 means private, 2 means domain. Also add CategoryType and set it to 0.
Multiple RDP sessions
In HKLM\System\CurrentControlSet\Control\Terminal Server\ set
fDenyTSConnections (DWORD) = 0
fSingleSessionPerUser (DWORD) = 0
Installing RDP client in CentOS
rpm2cpio rdesktop... | cpio -id