Routing and Remote Access Service

Applies To: Windows Server 2008

The Routing and Remote Access service in the Windows Server® 2008 operating system provides remote users access to resources on your private network over virtual private network (VPN) or dial-up connections. Servers configured with the Routing and Remote Access service can provide local area network (LAN) and wide area network (WAN) routing services used to connect network segments within a small office or to connect two private networks over the Internet.

What does Routing and Remote Access service do?

The Routing and Remote Access service in Windows Server 2008 provides:

  • Remote access

  • Routing

Remote access

By configuring Routing and Remote Access to act as a remote access server, you can connect remote or mobile workers to your organization's networks. Remote users can work as if their computers are physically connected to the network.

All services typically available to a LAN-connected user (including file and printer sharing, Web server access, and messaging) are enabled by means of the remote access connection. For example, on a server running Routing and Remote Access, clients can use Windows Explorer to make drive connections and to connect to printers. Because drive letters and universal naming convention (UNC) names are fully supported by remote access, most commercial and custom applications work without modification.

A server running Routing and Remote Access provides two different types of remote access connectivity:

  • Virtual private networking (VPN)

    VPN is the creation of secured, point-to-point connections across a private network or a public network, such as the Internet. A VPN client uses special TCP/IP-based protocols called tunneling protocols to make a virtual call to a virtual port on a VPN server. The best example of virtual private networking is that of a VPN client that makes a VPN connection to a remote access server that is connected to the Internet. The remote access server answers the virtual call, authenticates the caller, and transfers data between the VPN client and the corporate network.

    In contrast to dial-up networking, VPN is always a logical, indirect connection between the VPN client and the VPN server over a public network, such as the Internet. To ensure privacy, you must encrypt data sent over the connection.

  • Dial-up networking

    In dial-up networking, a remote access client makes a nonpermanent, dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog phone or ISDN. The best example of dial-up networking is that of a dial-up networking client that dials the phone number of one of the ports of a remote access server.

    Dial-up networking over an analog phone or ISDN is a direct physical connection between the dial-up networking client and the dial-up networking server. You can encrypt data sent over the connection, but it is not required.


A router is a device that manages the flow of data between network segments, or subnets. A router directs incoming and outgoing packets based on the information it holds about the state of its own network interfaces and a list of possible sources and destinations for network traffic. By projecting network traffic and routing needs based on the number and types of hardware devices and applications used in your environment, you can better decide whether to use a dedicated hardware router, a software-based router, or a combination of both. Generally, dedicated hardware routers handle heavier routing demands best, and less expensive software-based routers handle lighter routing loads.

A software-based routing solution, such as the Routing and Remote Access service in Windows Server 2008, can be ideal on a small, segmented network with relatively light traffic between subnets. Conversely, enterprise network environments that have a large number of network segments and a wide range of performance requirements might need a variety of hardware-based routers to perform different roles throughout the network.

Who will be interested in this feature?

Routing and Remote Access applies to network and system administrators interested in supporting the following remote access and routing scenarios:

  • Remote Access (VPN) to allow remote access clients to connect to the private network across the Internet.

  • Remote Access (dial-up) to allow remote access clients to connect to the private network by dialing into a modem bank or other dial-up equipment.

  • Network address translation (NAT) to share an Internet connection with computers on the private network and to translate traffic between public and private networks.

  • Secure connection between two private networks to send private data securely across the Internet.

  • Routing between two networks for configuring a simple routing, multiple-router, or demand-dial routing topology.

Are there any special considerations?

NAP enforcement for VPN

Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology that is included in Windows Vista® client operating system and in the Windows Server 2008 operating system. With NAP, system administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, required computer configurations, and other settings.

When making VPN connections, client computers that are not in compliance with health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy. Depending on how you choose to deploy NAP, noncompliant clients can be automatically updated so that users can quickly regain full network access without manually updating or reconfiguring their computers.

VPN enforcement provides strong limited network access for all computers accessing the network through a VPN connection. NAP VPN enforcement is similar in function to Network Access Quarantine Control, a feature in Windows Server 2003, but it is easier to deploy.

For more information, see Network Access Protection.

Remote access policy configuration

Remote access policy configuration is now performed through Network Policy Server (NPS). For more information, see Network Policy Server and the "RADIUS Server for Dial-Up or VPN Connections" topic in NPS product Help.

What new functionality does this feature provide?

SSTP tunneling protocol

Secure Socket Tunneling Protocol (SSTP) is a new form of virtual private networking (VPN) tunnel. SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. The use of HTTPS means traffic will flow through TCP port 443, a port commonly used for Web access. Secure Sockets Layer (SSL) provides transport-level security with enhanced key negotiation, encryption, and integrity checking. Use of SSTP is supported in Windows Server 2008 and Windows Vista with SP1.

Why is this functionality important?

Traffic encapsulated with SSTP can pass through firewalls that block PPTP and L2TP/IPsec traffic.

New cryptographic support

In response to governmental security requirements and trends in the security industry to support stronger cryptography, Windows Server 2008 and Windows Vista support the following encryption algorithms for PPTP and L2TP VPN connections.


  • Only 128-bit RC4 encryption algorithm is supported.

  • 40 and 56-bit RC4 support is removed, but can be added (not recommended) by changing a registry key.


Data Encryption Standard (DES) encryption algorithm with Message Digest 5 (MD5) integrity check support is removed, but can be added (not recommended) by changing a registry key.

IKE Main Mode will support:

  • Advanced Encryption Standard (AES) 256 (new), AES 192 (new), AES 128 (new), and 3DES encryption algorithms.

  • Secure Hash Algorithm 1 (SHA1) integrity check algorithm.

  • Diffie-Hellman (DH) groups 19 (new) and 20 (new) for Main Mode negotiation.

IKE Quick Mode will support:

  • AES 256 (new), AES 192 (new), AES 128 (new), and 3DES encryption algorithms.

  • SHA1 integrity check algorithm.

What existing functionality is changing?

Removed technologies

Support for the following technologies has been removed from Windows Server 2008 and Windows Vista:

  • Bandwidth Allocation Protocol (BAP). Removed from Windows Vista. Disabled in Windows Server 2008.

  • X.25.

  • Serial Line Interface Protocol (SLIP). SLIP-based connections will automatically be updated to PPP-based connections.

  • Asynchronous Transfer Mode (ATM).

  • IP over IEEE 1394.

  • NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.

  • Services for Macintosh.

  • Open Shortest Path First (OSPF) routing protocol component.

Additional references

For information about other Network Policy and Access Services features, see the Network Policy and Access Services Role topic.