Question
Wednesday, April 11, 2018 5:48 AM
Hi all,
I'm in the process of implementing Always-On VPN and because we no longer have a perimeter network, both VPN and NPS servers will be hosted within our internal network. My question is, is it possible to have both RAS and NPS services installed on a single server, or must they be installed on separate servers?
Thanks in advance.
Isaac
All replies (5)
Thursday, April 12, 2018 3:34 AM ✅Answered
Hi,
Have a nice day! Thanks for your question.
NPS configuration consists of three areas: RADIUS clients, connection request policies (CRPs), and network policies.
For an object to even talk with your NPS server, it must first be in the RADIUS client list. The RAS server with Always-On-VPN has to be a RADIUS client, with the FQDN and IP address set to the Friendly server value on the Always-On-VPN server.
Based on this knowledge, you couldn’t implement the two roles, Always-On-VPN and NPS, on a single server.
Here is a link that refers to the deployment of Always On VPN Remote Access and NPS; it may be helpful.
https://4sysops.com/archives/always-on-vpn-remote-access-and-network-policy-server/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
In addition, based on your specific situation, I’d like to recommend that you deploy a Hyper-V or VMware cluster as a scenario for the resource limitation.
Reference link:
/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server
Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.
Best regards,
Michael
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
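The RADIUS client relationship described in the answer above, as an added example that is not part of the original thread: it registers the VPN (RAS) server as a RADIUS client on a separate NPS server and points RRAS at that NPS server for authentication. The host names, IP address and the use of PowerShell remoting from an admin workstation are assumptions.

```powershell
# Added example. All names and addresses below are hypothetical placeholders.
$VpnServerName = 'vpn01.corp.example'   # RAS/VPN server FQDN (assumption)
$VpnServerIp   = '10.0.10.5'            # RAS/VPN server internal IP (assumption)
$NpsServerName = 'nps01.corp.example'   # NPS server FQDN (assumption)

# Generate one long random shared secret; both sides must use the same value.
$bytes = New-Object byte[] 48
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$SharedSecret = [Convert]::ToBase64String($bytes)

# On the NPS server: add the VPN server to the RADIUS client list.
# NPS ignores requests from any address that is not in this list.
Invoke-Command -ComputerName $NpsServerName -ScriptBlock {
    $existing = Get-NpsRadiusClient | Where-Object { $_.Address -eq $using:VpnServerIp }
    if (-not $existing) {
        New-NpsRadiusClient -Name $using:VpnServerName `
                            -Address $using:VpnServerIp `
                            -SharedSecret $using:SharedSecret | Out-Null
    }
    # Show what NPS now accepts requests from.
    Get-NpsRadiusClient | Select-Object Name, Address, Enabled
}

# On the VPN server: send authentication requests to the NPS server.
Invoke-Command -ComputerName $VpnServerName -ScriptBlock {
    Add-RemoteAccessRadius -ServerName $using:NpsServerName `
                           -SharedSecret $using:SharedSecret `
                           -Purpose Authentication
    # Confirm the RADIUS server entry RRAS will use.
    Get-RemoteAccessRadius
}

# Do not leave the secret in the session once both sides are configured.
Remove-Variable SharedSecret, bytes
```

Connection request policies and network policies on the NPS server still have to be created separately; this only covers the RADIUS client step.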
Thursday, April 12, 2018 12:33 PM
Hi Isaac,
Yes, you can use the native NPS feature that is installed with RRAS. You don't have to install the NPAS role at all, in fact. This isn't really a best practice though, and should only be used in very small deployments (less than 20 users or so, IMO), but if you meet those requirements it should work just fine. I do it all the time for testing and PoC deployments in fact. Works like a charm. :)
Rich
Thursday, April 12, 2018 9:58 PM
Thanks all. I've decided to implement NPS on a separate server. We do have more than 20 VPN users and it does make sense re the RAS server being a RADIUS client.
Friday, April 13, 2018 6:56 AM
Hi,
I am pleased to know that the information is helpful to you. Thanks for sharing in the forum as it would be helpful to anyone who encounters similar issues. If there is anything else we can do for you, please feel free to post in the forum.
Highly appreciate your effort and time.
Have a nice day!
Best regards,
Michael
Tuesday, June 19, 2018 7:37 AM
Thanks all. I've decided to implement NPS on a separate server. We do have more than 20 VPN users and it does make sense re the RAS server being a RADIUS client.
I tested the VPN server first without NPS, and then the certificates were not checked. Only with NPS could I witness that revoking a cert really did prohibit the user from establishing the VPN connection. Without NPS, a user with a revoked cert could still connect.
MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.