Setting Up the Test Lab for VPN Reconnect

Applies To: Windows 7, Windows Server 2008 R2

The VPN Reconnect test lab network consists of three computers, which perform the following services:

  • DC1: A computer running Windows Server 2008 R2 that is acting as a domain controller, a Domain Name System (DNS) server, and a file server on a private (intranet) network.


Alternatively, DC1 can run Windows Server 2008 or Windows Server 2003.

  • VPN1: A computer running Windows Server 2008 R2, with two network adapters installed. VPN1 is configured with the Network Policy and Access Services (NPAS) and Active Directory Certificate Services (AD CS) server roles. The RRAS role service is installed to allow VPN1 to acts as a VPN server. In addition, VPN1 is configured with Network Policy Services (NPS) to configure and enable remote access policies required for a VPN connection.

  • CLIENT1: A computer running Windows 7 that acts as a VPN client on a public (Internet) network.

The following diagram shows the configuration of the VPN test lab.


The firewall illustrated in the diagram is not a separate device or computer; instead it is the Windows Firewall that runs as part of Windows on VPN1. In a production environment, the scenario likely does include a separate firewall through which the VPN tunnel must be able to pass. For more information, see the next section.

Windows Firewall with Advanced Security and VPN Reconnect traffic

VPN Reconnect requires that the firewall rules on VPN1 and CLIENT1 allow UDP ports 500 and 4500 for IKE traffic, as well as IP Protocol ID 50 for Encapsulating Security Protocol (ESP) traffic.When you install Routing and Remote Access Services on VPN1, Windows Firewall rules are automatically created to allow this traffic. On CLIENT1, outbound traffic that CLIENT1 initiates is automatically allowed.

Unless you or another service alters the firewall rules, this traffic will not be blocked. However, if the firewall configuration on either VPN1 or CLIENT1 has been modified, you may need to create inbound and outbound firewall rules on these computers to allow this traffic. For more information about creating firewall rules, see Windows Firewall with Advanced Security and IPsec.