Enable access to organization resources

With Windows Server 2016 or later and Windows 10 or later clients, there are several ways to access your local network infrastructure when connecting from the outside. The traditional way to reach the internal network from outside is to establish a VPN connection. Windows Server has a Remote Access server role, which can be configured as a server that terminates and routes VPN connections established from the internet or other external networks. In Windows environments, VPN connections were mostly established on demand and based on the PPTP, L2TP, or SSTP protocols. However, you can also choose other ways to access internal resources from the outside, or you can choose to publish internal resources on external networks such as the internet.

In Windows Server 2016 and later, you can find several services that you can use to make internal resources accessible from the outside. You can use Work Folders to synchronize the content of specific folders on Windows machines with file servers, even when the client is located outside the internal network. If you want to publish internal apps and services to the internet by using specific web-based protocols, you can use the Web Application Proxy service in Windows Server.

To create seamless connections between internal servers and clients located outside the network, Microsoft originally introduced the DirectAccess technology. This technology provided the ability not just to access internal resources without manually establishing a VPN connection, but also to manage external clients with management tools such as Microsoft Endpoint Configuration Manager and Group Policy, even when they are not in the internal network. This technology evolved into Always On VPN, available in Windows Server 2016 and later. Most technologies for remote access or for publishing internal resources are based on the Remote Access server role in Windows Server.

The Remote Access server role is a logical grouping of the following related network access technologies: Remote Access Service (RAS), Routing, and Web Application Proxy. These technologies are the role services of the Remote Access server role. When you install the Remote Access server role with the Add Roles and Features Wizard or Windows PowerShell, you can install one or more of these three role services.
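As an added example (not part of the original module), the following PowerShell installs only the role services a given server actually needs and shows the state of all three first, so that an unintended role service such as Routing on a VPN-only server is noticed before the change. The feature names are the documented ServerManager names; the function name `Install-RemoteAccessRoleService` is an assumption introduced here.

```powershell
# Added example, not from the Microsoft Learn module. Install only the Remote Access
# role services an organization needs. Feature names are the ServerManager names:
# DirectAccess-VPN (RAS), Routing, Web-Application-Proxy.
# Run in an elevated PowerShell session on Windows Server 2016 or later.
Import-Module ServerManager

$RemoteAccessRoleServices = @('DirectAccess-VPN', 'Routing', 'Web-Application-Proxy')

function Install-RemoteAccessRoleService {
    param(
        # One or more of the three role-service names above; anything else is rejected
        # so a typo cannot silently pull in an unintended feature.
        [Parameter(Mandatory)][string[]]$RoleService
    )
    $unknown = $RoleService | Where-Object { $_ -notin $RemoteAccessRoleServices }
    if ($unknown) { throw "Not a Remote Access role service: $($unknown -join ', ')" }

    # Show the current state of the role and all three role services before changing
    # anything, so an unexpected role service already present stands out.
    Get-WindowsFeature -Name (@('RemoteAccess') + $RemoteAccessRoleServices) |
        Select-Object Name, InstallState | Format-Table -AutoSize

    # Install only what was requested; the management tools add the Remote Access
    # console and the RemoteAccess PowerShell module used for later configuration.
    $result = Install-WindowsFeature -Name $RoleService -IncludeManagementTools
    if (-not $result.Success) { throw "Installation failed (exit code $($result.ExitCode))" }
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required to finish the installation.' }
    return $result.FeatureResult | Select-Object Name, Success, RestartNeeded
}

# Single-tenant RAS Gateway for client VPN only: no Routing, no Web Application Proxy.
Install-RemoteAccessRoleService -RoleService 'DirectAccess-VPN'
```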

Important

Do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is not supported. You cannot use Remote Access in an Azure VM to deploy VPN, DirectAccess, or any other Remote Access feature in Windows Server 2016 or earlier versions of Windows Server.

When you install the DirectAccess and VPN (RAS) role service, you're deploying the Remote Access Service Gateway (RAS Gateway). You can deploy the RAS Gateway as a single-tenant RAS Gateway virtual private network (VPN) server, as a multitenant RAS Gateway VPN server, or as a DirectAccess server.

  • RAS Gateway - single tenant. By using RAS Gateway, you can deploy VPN connections to provide end users with remote access to your organization's network and resources. If your clients are running Windows 10 or later, you can deploy Always On VPN, which maintains a persistent connection between clients and your organization's network whenever remote computers are connected to the internet. With RAS Gateway, you can also create a site-to-site VPN connection between two servers at different locations, such as between your primary office and a branch office, and use Network Address Translation (NAT) so that users inside the network can access external resources, such as the internet. In addition, RAS Gateway supports Border Gateway Protocol (BGP), which provides dynamic routing services when your remote office locations also have edge gateways that support BGP.
  • RAS Gateway - multitenant. You can deploy RAS Gateway as a multitenant, software-based edge gateway and router when you're using Hyper-V Network Virtualization or you have VM networks deployed with virtual Local Area Networks (VLANs). With the RAS Gateway, Cloud Service Providers (CSPs) and enterprises can enable datacenter and cloud network traffic routing between virtual and physical networks, including the internet. With the RAS Gateway, your tenants can use point-to-site VPN connections to access their VM network resources in the datacenter from anywhere. You can also provide tenants with site-to-site VPN connections between their remote sites and your CSP datacenter. In addition, you can configure the RAS Gateway with BGP for dynamic routing, and you can enable Network Address Translation (NAT) to provide internet access for VMs on VM networks.
  • Always On VPN. Always On VPN enables remote users to securely access shared resources, intranet websites, and applications on an internal network without having to connect to a VPN manually.