Windows Server 2012 R2 Essentials Anywhere Access
Anywhere Access is the mother of all VPN configurations. After completing a rather simple installation, you have a choice of browser-based access to shared folders, a remote desktop session if you have administrator privileges, or a traditional SSTP VPN connection. While "rather simple installation" may sound pompous to someone unfamiliar with server VPN configuration, comparatively speaking, it really is easy.
No client PC needs to be in a domain to use Anywhere Access.
This guide assumes you are building a private network and will not be offering SSL access to your web server to the world.
Before beginning your Anywhere Access installation, you need to get a few things out of the way.
User profiles must be configured to allow use of Anywhere Access. For best results, use the Windows Server Essentials Dashboard to access the user profiles. This feature is optimized for some aspects of Windows Server 2012 Essentials, especially concerning Anywhere Access. For most day to day uses, the Windows Server Essentials Dashboard is too simplistic for basic administration, but it is the go-to place for a few things.
You will use AD CS and not OpenSSL with Anywhere Access. OpenSSL will not work for Anywhere Access and would be rather silly to use even if it did work. AD CS is foundational with respect to Windows Server 2012. It’s installed by default along with many other roles in Windows Server 2012 Essentials. The other versions of Windows Server 2012 come out of the box with no roles installed. You decide what it needs. In that case, you could use OpenSSL to configure an SSTP based VPN or bind an SSL certificate to IIS without installing the AD CS role, if you wanted to.
These are the rest of the steps:
Use Internet Information Services (IIS) to create a domain certificate.
Export the domain certificate to a file on the desktop. Later, you will import it into the Anywhere Access setup wizard.
Run the Anywhere Access wizard.
Connect from a client PC by browsing to HTTPS://your-domain.com/remote. You’re done with that part.
If you plan to use the VPN, you need to add a line to the registry of each client PC.
Run the Connect to a Workplace wizard on each client PC that will connect using the VPN.
Create the Domain Certificate Using IIS
Start the Internet Information Services Manager and select Server Certificates.
Select the root certificate to use. It will probably be the only file available. Type in the friendly name. This is the name you will use to recognize the domain certificate later.
Select the certificate you just created and click Export.
Done. You don’t even have to worry about binding the certificate to port 443. The Anywhere Access wizard does it all.
Run the Anywhere Access Wizard
Click to Configure Anywhere Access. You will see the following screens in more or less the following order. The screens differ a little between R1 and R2. The wizard allows you to set up or reconfigure or repair Anywhere Access easily. The screens you see will depend on your objective. You can install the VPN and/or the browser access. If you change your mind, just rerun the wizard.
R1 includes a Media Extensions check box. The BranchCache option on R2 can only be used by clients running Windows 7 Ultimate or Enterprise or the equivalent Windows 8 client. BranchCache provides distributed document synchronization that keeps all the edits among all users organized. Most advanced home servers probably won’t need this feature.
Since you’re using DDNS and your own URL, type it below. If you were Google, you would type google.com.
Set up your domain manually.
If your URL is aaa.bbb.com, type aaa in the box. If your URL is aaa.com, blank out the box. You want to use an existing SSL certificate.
Check the box and keep going.
Import the certificate you saved to the Desktop earlier. Click Next. The wizard will go to work and configure everything.
Go use Anywhere Access from a Client Browser
If you’ve installed the AD CS root certificate on the local PC in the trusted root certificate store of the local machine or the certificate store in your Firefox browser, then type HTTPS://your-url.com/remote. You will see a screen similar to this.
If you enter a user id with administrative privileges, you will get access to both files and the remote desktop. A standard user will have access only to files.
Configuring The PC for VPN Use
The only tricky part here is to add a value named NoCertRevocationCheck to the Windows registry. The spelling and capitalization have to be identical. Otherwise, the VPN will not connect.
This change would also be required if you added an SSTP VPN the old fashioned way by duplicating the AD CS IPSec template and installing the Routing and Remote Access role on Windows Server 2012. The Anywhere Access wizard saved you from all that work.
Open the Network and Sharing Center and click Set up A New Connection or Network, then Connect to a Workplace.
Click Use my Internet Connection (VPN).
Type in the designated user and password.
Next, you need to change a tab on the properties of the connection you just created. Find the VPN connection by left clicking on the network icon in the lower right corner of the Desktop. Right click on the new VPN connection and select Properties. Change it to look like this. Then Connect.
If you return to the Network and Sharing Center and find the connection while it is open, the status should look like this. It confirms you are on a secure VPN.
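The client-side steps under "Configuring The PC for VPN Use", scripted in PowerShell as an added example that is not part of the original article. The registry key path and the DWORD value 1 come from Microsoft's SSTP documentation rather than from this page, and setting the value means the client no longer checks whether the server's certificate has been revoked. The file path and connection name are assumptions, and only the SSTP tunnel type is taken from the article; the Properties-tab settings it refers to are left at the cmdlet defaults.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the client PC (Windows 8 or later for the VPN cmdlets).
$ServerAddress  = 'your-domain.com'                        # the article's placeholder URL
$ConnectionName = 'Anywhere Access VPN'                    # assumption: any label you like
$RootCaCerFile  = "$env:USERPROFILE\Desktop\root-ca.cer"   # assumption: exported AD CS root certificate

# 1. The client must trust the AD CS root CA, otherwise the TLS session that
#    carries SSTP is rejected. Import the root only if it is not already there.
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaCerFile
$trusted  = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
if (-not $trusted) {
    Import-Certificate -FilePath $RootCaCerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 2. Add NoCertRevocationCheck = 1 (REG_DWORD) under the SSTP service parameters.
#    This turns off the revocation (CRL) lookup for the VPN server certificate.
$sstpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
if (-not (Test-Path $sstpKey)) { throw "SSTP service key not found: $sstpKey" }
$current = (Get-ItemProperty -Path $sstpKey -Name NoCertRevocationCheck `
            -ErrorAction SilentlyContinue).NoCertRevocationCheck
if ($current -ne 1) {
    New-ItemProperty -Path $sstpKey -Name NoCertRevocationCheck `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Create the connection the "Connect to a Workplace" wizard would create,
#    pinned to SSTP so Windows does not fall back to another tunnel type.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType Sstp
}

# 4. Report the resulting state so it can be reviewed or logged.
$vpn = Get-VpnConnection -Name $ConnectionName
[pscustomobject]@{
    RootCaTrusted         = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                                   Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint })
    NoCertRevocationCheck = (Get-ItemProperty -Path $sstpKey).NoCertRevocationCheck
    ConnectionName        = $vpn.Name
    ServerAddress         = $vpn.ServerAddress
    TunnelType            = $vpn.TunnelType
}
```

Deleting the value restores revocation checking, which is the better long-term setting once the CA's CRL distribution point is reachable from outside the network.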