Windows Server 2012 R2 Essentials Anywhere Access

Anywhere Access is the mother of all VPN configurations. After completing a rather simple installation, you have a choice of browser-based access to shared folders, a remote desktop session if you have administrator privileges, or a traditional SSTP VPN connection. While "rather simple installation" may sound pompous to someone unfamiliar with server VPN configuration, comparatively speaking, it really is easy.

No client PC needs to be in a domain to use Anywhere Access.

Implicit is the assumption you are building a private network and will not be offering SSL access to your web server to the world.

Before beginning your Anywhere Access installation, you need to get a few things out of the way.

User profiles must be configured to allow use of Anywhere Access. For best results, use the Windows Server Essentials Dashboard to access the user profiles. The Dashboard is optimized for some aspects of Windows Server 2012 Essentials, especially Anywhere Access. For most day-to-day administration it is too simplistic, but it is the go-to place for a few things.

As always, you need to ensure DDNS is on and ports 80 and 443 on your router are forwarded to your Windows server.

You need to export the Active Directory Certificate Services (AD CS) root certificate from your server and install it on every PC not in the domain, and in every browser that keeps its own certificate store, that will connect using Anywhere Access.

You will use AD CS and not OpenSSL with Anywhere Access. OpenSSL will not work for Anywhere Access and would be rather silly to use even if it did work. AD CS is foundational with respect to Windows Server 2012. It’s installed by default along with many other roles in Windows Server 2012 Essentials. The other versions of Windows Server 2012 come out of the box with no roles installed. You decide what it needs. In that case, you could use OpenSSL to configure an SSTP based VPN or bind an SSL certificate to IIS without installing the AD CS role, if you wanted to.

These are the rest of the steps:

1. Use Internet Information Services (IIS) to create a domain certificate.
2. Export the domain certificate to a file on the desktop. Later, you will import it into the Anywhere Access setup wizard.
3. Run the Anywhere Access wizard.
4. Go connect from a client PC using a browser and HTTPS://your-domain.com/remote. You’re done with that part.
5. If you plan to use the VPN, add a value to the registry of each client PC.
6. Run the Connect to a Workplace wizard on each client PC that will connect using the VPN.

Create the Domain Certificate Using IIS

Start the Internet Information Services Manager and select Server Certificates.


Click Create Domain Certificate.

Fill out the form. Make sure the URL you will use goes into the top line.

Select the root certificate to use. It will probably be the only file available. Type in the friendly name. This is the name you will use to recognize the domain certificate later.


Select the certificate you just created and click Export.


Save your file to the Desktop, type in a password you can remember and click OK.

Done. You don’t even have to worry about binding the certificate to port 443. The Anywhere Access wizard does it all.
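The certificate export above, together with the root-certificate distribution to non-domain clients that the article requires, as an added PowerShell example that is not part of the article. It assumes the friendly name typed in IIS was 'AnywhereAccess', that files go to the current user's Desktop, and that the PKI cmdlets of Windows Server 2012 / Windows 8 are available.

```powershell
# Added example (not from the article): export the domain certificate for the wizard and the
# AD CS root certificate for clients. Run on the Essentials server in an elevated prompt.
$friendlyName = 'AnywhereAccess'                      # assumption: the friendly name typed in IIS
$desktop      = [Environment]::GetFolderPath('Desktop')

# 1. Locate the domain certificate IIS created; it lives in the machine's Personal store.
$domainCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } | Select-Object -First 1
if (-not $domainCert) { throw "No certificate with friendly name '$friendlyName' found." }

# 2. Export it with its private key as a password-protected PFX for the Anywhere Access wizard.
#    The PFX holds the private key: keep it off shared drives and delete it after the import.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $domainCert -FilePath "$desktop\anywhere-access.pfx" `
    -Password $pfxPassword | Out-Null

# 3. Find the AD CS root that issued it by matching the issuer name against the Trusted Root
#    store, and export the public certificate only (DER .cer, no private key).
$rootCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $domainCert.Issuer } | Select-Object -First 1
if (-not $rootCert) { throw "Issuing root CA for '$friendlyName' not found in the Root store." }
Export-Certificate -Cert $rootCert -FilePath "$desktop\adcs-root.cer" | Out-Null
"Root CA thumbprint to verify on clients: $($rootCert.Thumbprint)"

# 4. On each client PC that is not a domain member (elevated prompt, after copying adcs-root.cer
#    there): place the root in the machine's Trusted Root store so Internet Explorer and the
#    SSTP client trust the server certificate. Firefox keeps its own store and needs a separate
#    import through its certificate manager, as the article notes.
# Import-Certificate -FilePath "$desktop\adcs-root.cer" -CertStoreLocation Cert:\LocalMachine\Root

# 5. Client check: the .cer's thumbprint should now appear in the Trusted Root store and match
#    the value printed on the server in step 3.
# $cer = New-Object Security.Cryptography.X509Certificates.X509Certificate2 "$desktop\adcs-root.cer"
# Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cer.Thumbprint }
```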

Run the Anywhere Access Wizard

Click to Configure Anywhere Access. You will see the following screens in more or less the following order. The screens differ a little between R1 and R2. The wizard lets you set up, reconfigure or repair Anywhere Access easily. The screens you see will depend on your objective. You can install the VPN and/or the browser access. If you change your mind, just rerun the wizard.

R1 includes a Media Extensions check box. The BranchCache option on R2 can only be used by clients running Windows 7 Ultimate or Enterprise or the equivalent Windows 8 client. BranchCache provides distributed document synchronization that keeps all the edits among all users organized. Most advanced home servers probably won’t need this feature.


Since you’re using DDNS and your own URL, type it below. If you were Google, you would type google.com.


Set up your domain manually.


If your URL is aaa.bbb.com, type aaa in the box. If your URL is aaa.com, blank out the box. You want to use an existing SSL certificate.


Check the box and keep going.


Import the certificate you saved to the Desktop earlier. Click Next. The wizard will go to work and configure everything.


Done.

Go use Anywhere Access from a Client Browser

If you’ve installed the AD CS root certificate on the local PC in the trusted root certificate store of the local machine or the certificate store in your Firefox browser, then type HTTPS://your-url.com/remote. You will see a screen similar to this.


If you enter a user id with administrative privileges, you will get access to both files and the remote desktop. A standard user will have access only to files.


Done.

Configuring The PC for VPN Use

The only tricky part here is to add a value named NoCertRevocationCheck to the Windows registry. The spelling and capitalization have to be identical. Otherwise, the VPN will not connect.

This change would also be required if you added an SSTP VPN the old fashioned way by duplicating the AD CS IPSec template and installing the Routing and Remote Access role on Windows Server 2012. The Anywhere Access wizard saved you from all that work.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters


Open the Network and Sharing Center and click Set up A New Connection or Network. Then Connect to a Workplace.


Click Use my Internet Connection (VPN).


Fill in the blanks. Don’t connect to the internet just yet.

Type in the designated user and password.


Next, you need to change a tab on the properties of the connection you just created. Find the VPN connection by left clicking on the network icon in the lower right corner of the Desktop. Right click on the new VPN connection and select Properties. Change it to look like this. Then Connect.


If you return to the Network and Sharing Center and find the connection while it is open, the status should look like this. It confirms you are on a secure VPN.


Done.
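The registry value and the Connect to a Workplace steps above, as an added PowerShell example that is not part of the article. It assumes a Windows 8 or later client (for the VpnClient cmdlets), the server name your-domain.com and the connection name 'Anywhere Access'; the authentication method is an assumption, since the article shows the properties tab only as a screenshot.

```powershell
# Added example (not from the article): client-side VPN setup from an elevated PowerShell prompt.
$serverName     = 'your-domain.com'       # assumption: the DDNS name you use for /remote
$connectionName = 'Anywhere Access'       # assumption: any name you like
$sstpKey        = 'HKLM:\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters'

# 1. The registry value from the article, spelled exactly as given; it is a REG_DWORD set to 1.
#    It tells the SSTP client not to check the server certificate against the CA's revocation
#    list, which an internal AD CS CA typically does not publish where an internet client can
#    reach it. Consequence: a revoked server certificate would still be accepted by this
#    client, so apply the value only to PCs you manage and remove it if you later publish a CRL.
if (-not (Test-Path $sstpKey)) { New-Item -Path $sstpKey -Force | Out-Null }
New-ItemProperty -Path $sstpKey -Name 'NoCertRevocationCheck' -PropertyType DWord `
    -Value 1 -Force | Out-Null

# 2. Read the value back before trying to connect; a typo here is the usual reason the VPN
#    never connects.
$check = Get-ItemProperty -Path $sstpKey -Name 'NoCertRevocationCheck'
if ($check.NoCertRevocationCheck -ne 1) { throw 'NoCertRevocationCheck was not written.' }

# 3. The Connect to a Workplace wizard, scripted. SSTP runs TLS over TCP 443, the port the
#    article has you forward to the server. MSChapv2 is an assumption: match it to the
#    settings on the properties tab the article shows.
if (-not (Get-VpnConnection -Name $connectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $connectionName -ServerAddress $serverName `
        -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required
}

# 4. Confirm the tunnel type is Sstp (not Automatic) so the connection is the certificate-
#    protected one the article describes.
Get-VpnConnection -Name $connectionName |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, ConnectionStatus

# 5. Connect with the designated user; afterwards ConnectionStatus should read Connected.
# rasdial $connectionName <username>
```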


13 Comments on “Windows Server 2012 R2 Essentials Anywhere Access”

  1. pjbeeee says:

    I have re-worded and corrected my last comment. Pity I can’t just edit it, but never mind….

    If you just want to access IIS via HTTP (non-secure) from outside of the server, just make sure all Window$ firewalls are turned OFF and set up an alternate port (not 80) in IIS for the site in question with no domain name. You can then access IIS directly through any port you’ve set EXCEPT for port 80. At least this worked for me.

    sorry ’bout that.

    • Carl Rinker says:

      I believe I used port forwarding on my router and opened port 80 for the IP address associated with IIS. I did not have to alter firewall settings within Windows. My system was pretty simple, though. You may have a different situation.

      I removed the duplicate comment. Sorry about the no-edits. It’s the WordPress way of doing things.

  2. Rob says:

    Carl, I work in IT, but not in networking at all. I have the Essentials server and a client installed at home in the US behind a Comcast cable modem/router and then a NetGear FW/Router. A family member, working on the other side of the globe, would like to use that client to work more easily to resources in the US–use the Office suite and the web. I’m assuming Access Anywhere is the way to go. I would like a few clarifications on your above procedure.

    1. Do I need to have an SSL cert? Will it be more secure?
    2. Do I need an internet domain name? I have one hosted by a major provider and was thinking of a subdomain for this.
    3. The Comcast modem/router has a DHCP address. How do I make that work in this scenario?
    4. Does the Essentials server need to host a website?

    • Carl Rinker says:

      The articles answer all your questions. There are several links to other articles in Advanced Home Server in this one. Each contains another puzzle piece. If you’re coming in with no experience, it will be a project to get Anywhere Access up and running.

      Yes, you need an SSL certificate for Anywhere Access and all services that provide secure access. The certificate provides encryption. You need an internet domain name for most remote services, but can get one using a DDNS provider. Some are free. Netgear has been said to offer one free to owners of some router models at one time. Look it up and see if they still do and if you qualify. DHCP provides local network addresses and is not relevant to your concern. Essentials needs to host a website of sorts, but the article describes it all and you build it indirectly.

      Depending on the resources you need access to, any secure method of access might do. WebDAV allows secure file transfer. A VPN that provides access to file server resources, as opposed to secure pass through to the internet over public wifi could also work.

      TeamViewer is a cinch to set up, allows secure file transfers and remote desktop capabilities, and is free for personal use. TeamViewer provides encryption. I assume you use their certificate, but am only guessing. Even Windows has a remote desktop client. Windows Server provides Remote Desktop Services, but that is an extra cost option and not covered in Advanced Home Server.

      In fact, half of Advanced Home Server deals with secure access and information you need to know to perform secure file access.

  3. T-Bone says:

    I can get to the server sign-in screen. Upon entering my credentials it thinks for a while, then times out. I don’t know how to go about fixing this issue.

    • Carl Rinker says:

      I wish I could offer some advice but it’s been a while since I performed an install. I wrote this article to document it if I ever needed to install it again. Lots of people read it daily and nobody has complained so I assume it worked for them, too.

      About all I can offer is go over the details again to see if there was an install or configuration problem. Make sure your security is configured correctly. Make sure your network allows you to get through to the server properly. The fact you got to a sign on screen means you must have done most of it correctly.

  4. runurfund says:

    Your site is so awesome – I think I may have said that before – Microsoft has teams of documentation writers and this page has helped me more than anything I ever found on TechNet on simply connecting to a Server Essentials server with the VPN – I don’t want the connector fanfare. Question: in using your methodology above, is it making the same configuration steps as what is taken by the connector? I just want to make sure there is no delta in terms of what the connector does to add that VPN entry and what you show above. If there is, could you detail what the delta is and any costs and benefits with using your method vs the connector?

    • Carl Rinker says:

      I really don’t know what the connector is. I wrote this article in November, 2013. To me, it was documentation for what I did to make Anywhere Access work in case I needed to set it up again. If you read this article, then you know what I know about the subject. I don’t use Anywhere Access on a regular basis. Today, I use pfSense on a home made router and a TAP connection on OpenVPN to connect remotely and securely to my home network. Once in, I use TeamViewer and WakeOnLan for remote desktop over the local LAN. But, if you’re using Windows Server on a regular basis, Anywhere Access is a major innovation. Conceptually, it’s similar to what I described I do with pfSense, OpenVPN, WakeOnLan, and TeamViewer.

      Agree about Microsoft documentation from Technet and the forum. I found it extremely detailed at times, sparsely detailed at times, and not especially useful most of the time. When I last looked, and perhaps it’s better now, it was written to meet an objective that had nothing in common with being useful. Forum answers often miss the point of the question.

  5. Gabe says:

    On the Anywhere Access home screen (https://advancedhomeserver.files.wordpress.com/2013/11/aa04b1.jpg) why do I only see the ‘Users’ folder in the Shared Folders section? How do I add other folders to this section? We have a ‘Public’ folder that houses all of our company documents and I’d like to see it out there.

    • Gabe says:

      Actually, I just discovered how. From the Dashboard, I went to the Storage tab. There I saw our ‘Public’ share and all users were set to ‘No Access’. Setting this to Read/Write makes it available but WOW did it take a long time for that to complete.

      • Carl Rinker says:

        Thanks for sharing. Please mention anything else that didn’t work as expected.

        After connecting for the first few times, I remember having some problems figuring out how to do things that should have been obvious, but weren’t. It would be nice if everyone who had an experience would share it along with the solution while it’s fresh in their mind.

  6. Papastef says:

    Excellent article, works like a charm. Thanks mate!

  7. Mauricio says:

    Congrats!!! Great article!!!
    I’m looking for a way to deploy an “Essentials Experience Role” on a Windows Server 2012 R2 Standard, without installing “AD Certificate Services”, since we already have both a domain and a certificate authority running. Any idea???

    Thanks.

