Share via


Deploy Remote Access in the Cloud

Updated: August 10, 2012

Applies To: Windows Server 2012, Windows Server 2012 R2

Scenario description

The Remote Access Hosted Cloud Scenario provides a secure way for enterprise to access resources in the private cloud over the Internet. This scenario is designed for enterprise organizations that want to take advantage of the services offered by placing some of their infrastructure in private, hosted clouds, while ensuring high availability.

Cross-premises connectivity to a hosted cloud enables enterprises to connect to private subnets in a hosted cloud network. It also enables connectivity between geographically separate enterprise locations. With cross-premises connectivity, enterprises can use their existing networking infrastructure to connect to hosting providers using the industry standard IKEv2-IPsec protocol.

In this scenario

The Hosted Cloud scenario includes several possible cross-premise configurations from which to choose.

Network and server topology—Decide which cross-premise architecture fits the needs of your organization:

  • Site-to-Site—With this configuration, you can provide both network and site redundancy without the use of a network load balancing device.The Remote Access server is configured with two network adapters that are connected to two separate Internet service provider sites. Each of the ISP sites have two network adapters connected to the on-site Remote Access server. Subnets are hosted outside the customer premises. By creating site-to-site tunnels with the appropriate routes and you can fully optimize all the links and sites (assuming the load across all the subnets is same).

  • Network Load Balancing and Failover—Using this configuration, you can provide both network and site redundancy without the use of a network load balancing device.The Remote Access server is configured with two network adapters that are connected to two separate Internet service provider sites. Each of the ISP sites has two network adapters connected to the on-site Remote Access server adapters. Multiple subnets are hosted outside the customer premises, and mirrored in the ISP’s clouds. By creating site-to-site tunnels with the appropriate routes, you can fully optimize all the links and sites (assuming the load across all the subnets is same).

    The Remote Access server site-to-site gateway can be deployed using Windows Network Load Balancing (NLB), or third party load balancing devices. Network Adapter Teaming (also referred to as NIC teaming) is supported if multiple adapters are available and teaming is supported on the server.

Practical applications

The Remote Access Hosted Cloud Scenarios utilize a private cloud infrastructure using IKEv2 and IPSec to make enterprise resources exclusively available to employees or partners of your company. Authorized users are able to access the services on the internet, and if they are outside the company, via site-to-site Virtual Private Networks (VPN). When your resources are hosted by a third-party service provider (for example, hosters, outsourcers, and increasingly, telecommunications companies), the cloud is referred to as a hosted private cloud. Cloud Bursting and Data Recovery are two practical applications for site-to-site VPNs in the cloud

Cloud Bursting

Cloud bursting, is the function of using virtual private clouds from service providers to meet peak computing demand situations. When resources are stretched during peak times or seasons in the corporate data center, Cloud Bursting allows the excess data to be moved across the cloud to a provider network that can absorb the extra data capacity. The diagram below shows how sit-to-site VPNs are used to facilitate Cloud Bursting.

Disaster Recovery

Disaster Recovery uses virtual private clouds from service providers as backup infrastructure. As the Figure 1 below illustrates, a corporation can use the hoster’s infrastructure with Hyper-V Replica and VPN, to replicate a mission critical application to its hoster. In the event of failure, everything, including the IP address infrastructure fails over to the hosted cloud. In this way clients traffic can seamlessly be routed to the service that’s currently up and running (the hoster’s failover site). Cross-Premises connectivity ensures secure connectivity to resources in the cloud.

Hosted Cloud Disaster Recovery

Figure 1: Disaster Recovery Topology

Roles and features included in this scenario

The following table lists the roles and features required for the scenario:

Role/feature How it supports this scenario

Remote Access role

The role is installed and uninstalled using the Server Manager console. This role encompasses both DirectAccess, which was previously a feature in Windows Server 2008 R2, and Routing and Remote Access Services which was previously a role service under the Network Policy and Access Services (NPAS) server role. The Remote Access role consists of two components:

  1. DirectAccess and Routing and Remote Access Services (RRAS) VPN—DirectAccess and VPN are managed together in the Remote Access Management console.

  2. RRAS Routing—RRAS routing features are managed in the legacy Routing and Remote Access console.

The role depends on the following:

  • Internet Information Services (IIS) Web Server – This feature is required to configure the network location server and default web probe.

  • Windows Internal Database—Used for local accounting on the Remote Access server.

Remote Access Management Tools role

This feature is installed as follows:

  • It is installed by default on a Remote Access server when the Remote Access role is installed, and supports the Remote Management console user interface.

  • It can be optionally installed on a server not running the Remote Access server role. In this case it is used for remote management of a Remote Access computer running DirectAccess and VPN.

The Remote Access Management Tools feature consists of the following:

  1. Remote Access GUI and Command Line Tools

  2. Remote Access module for Windows PowerShell

The role depends on the following:

  1. Group Policy Management Console

  2. RAS Connection Manager Administration Kit (CMAK)

  3. Windows PowerShell 3.0

  4. Graphical Management Tools and Infrastructure

Hardware requirements

The hardware requirements for this scenario will depend on which configuration you choose. Requirements will be specified in detail in the scenario planning guide.

Software requirements

The software requirements for this scenario will depend on which configuration you choose. Requirements will be specified in detail in the scenario planning guide.

See also

The following table provides links to additional information about Remote Access, including DirectAccess and VPN.

Content type References

Product evaluation

Remote Access TechCenter | Remote Access test lab guides, when published

Planning

Links to the other Remote Access deployment scenarios when published.

Deployment

Links to the Remote Access deployment scenarios when published.

Tools and settings

Windows PowerShell cmdlets for Remote Access, when published.

Community resources

RRAS Product Team blog

Related technologies

IKEv2-IPsec