Windows Small Business Server 2011 installation and configuration – Part 16 Configuring “Configure a virtual private network (VPN)”

Go directly to SBS 2011 index file. With links to all articles from this serie.

After we have finished with Part 15 Configuring “Software update settings” we go to the Network page of the SBS console and choose for the connectivity tab.

In this part we are going to setup virtual private network (VPN) so people can connect to your network from a remote location / connection and access the network as if they are connected in the local office. First we are going to configure the server and further on how to configure a connection from a windows 7 workstation.

Server configuration:

On the right connectivity task bar we choose “Configure a virtual private network”.

The configuration of the server is really easy, choose Allow users to connect to the server by using a VPN.

And the server part is ready. Only thing that could happen is the wizard cannot automatic configure your router. If you choose View Warning Details.

You see that the only thing you have to do is open port 1723 on your router and let it through to your SBS server.

Workstation configuration:

How to setup a VPN connection from a windows 7 workstation, go to the Network and Sharing Center.

Choose Set up a new connection or network, a new wizard will start.

Choose Connect to a workplace (set up dial-up or VPN connection to your workplace.)

Now we choose Use my Internet connection (VPN) Connect using a virtual private network (VPN) connection through the internet.

Now we are going to setup the internet address, this is the fqdn or ip address the vpn connection must connect to. At destination name give a logical name for this connection.

The three other options on the screen are really straight forward, choose use a smart card if smart card logon is configured. Allow other people to use this connection if all people who use this computer may use this vpn connection and don’t connect now if you will not connect the vpn connection directly after configuration is finished.

Give in your user name, password and domain name. My opinion is never use the remember this password, because if anyone takes your workstation they can simply connect to your network.

Setup is finished, you can now choose Connect now to connect your vpn connection.

When you connect and haven’t checked the remember the password option you will get this username and password windows and you just have to enter your password.

And the connection is made, you are now able to access your network as if you were connected on the local area network.

Some additional information:

You can see if your VPN connection is connected, by choosing this icon on the right bottom part of your taskbar. You can also right click the connection to disconnect it.

If you got this Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

Probably the user does not have the right to make a vpn connection. Go to the properties of this user.

And go to the Remote Access part, make sure the “User can access virtual private network” option is enabled.

Additional information: Here is a really good article that describes the whole VPN setup (it is for 2008 but this is almost the same in SBS 2011)

Go back to Part 15 Configuring “Software update settings”

Posted in Blog, Howto, SBS 2011 by ronnypot at March 18th, 2011.
Tags: , ,

38 Responses to “Windows Small Business Server 2011 installation and configuration – Part 16 Configuring “Configure a virtual private network (VPN)””

  1. Gwen says:

    It might important to mention that gre packets (protocol 47) needs to be allowed by the router.

    I like your blog, keep up the good work! It’s always nice to see a fellow SBS fan 🙂

    • Shawna says:

      Sorry if this is a stupid question, but how can I check to see if my router allows gre packets? From the router’s configuration page I assume? (asking this because I’m not in the office and not able to look at the router’s config right now)
      And in the event I need to buy a new router that _will_ allow it, how can I be sure I’m buying the right one? Is this going to be written on the box? Or will I need to do my homework before going to the store to purchase the new router?
      Thx in advance.

      • ronnypot says:

        I’m sorry but routers and firewalls are not my speciality. It should be in the documentation, sometimes it is called pptp passthrough or something like that. But if you are not sure contact the supplier.

  2. Glenn says:

    Thank you for sharing….

  3. Charlie says:

    This setup and deployment guide is comprehensive and easy to follow. It highlights the pitfalls and quirks which SBS has always had, allowing them to be overcome without the usual endless searching on Google !

    This guide reduces the amount of time needed to ‘get it right’ first time and is an excellent reference.

  4. BigTeddy says:

    Nice one, Ronny. Keep up the good work!

  5. Tom says:

    Good job, keep going and good luck

  6. R. says:

    Once again a huge thank you is in order!!

    For some reason I am not able to get to the OWA unless I remote to my home computer (on vacation across the pond). This saves me from having to do all of that 🙂

    I have too much sun over here so I will see if I can send some back home so you may enjoy it also!

  7. Justin says:

    Hi Ronny:

    I hope you can guide me in solving this mysterious (to me)problem with my newly (and clean) installed sbs2011. After installation, from a remote computer, I:

    1. CAN access owa by typing http:// rmote . mydomain . com / owa.
    2. CAN rdp into the server.
    3. CAN access my sharepoint main page IF I type in: https: // remote . mydomain . com : 987. However,
    4. If I simply typed in http: // remote . mydomain . com, the server does NOT know how to redirect to the proper port and to https. Instead, it gives me the ‘Internet Explorer cannot display the webpage.’ message. It wasn’t like this on the day sbs 2011 was first installed. It only happed after I updated the system with sharepoint 2010 sp1 and ran the configuration wizard. (before that, when I typed in http: // remote . mydomain . com, it will automatically redirect me to https: // www . mydomain . com / remote to display the valid page).

    Do you know what I need to do to fix this glitch?

    Thanks so much!

  8. karbec says:

    Check that you have Port 80 open on your router and pointing to you server.

  9. Pakomann says:

    Reaky a good installation and configuration manual.

    Cheers Mate.



  10. Erdula says:

    Hello Ronny,
    thank you for such a exhausting SBS 2011 tutorial. Totally awesome for a newbie.

    Just let me know if you drink beer. I’ll buy you one 🙂

  11. Ken says:

    Hi Ronny,

    Thnaks for creating this site…it’s been really helpful.
    I have a problem though…I am currently attempting a server migration form sbs2003 to sbs2011 Std.

    I hit some problems, as reported by the BPA (Best Practice Analyzer) and have cleared them all but one.

    The remaining error that I cannot fix is as follows: (on SBS2003);
    Missing FQDN in service principal name
    The computer account for Exchabge server [SERVERNAME.DOMAINNAME.local] does not not appear to contain
    the fully-qualified domain name of Exchange SMTP virtual server ‘Default SMTP Virtual Server’. This may cause Kerberos authentication to fail when sending messages between servers. The tool expected to find ‘SMTPSVC/DOMAINNAME.co.uk’ in the ‘servicePrincipalName’.

    So I logged into the SBS2003 server and in the Command prompt typed:
    setspn.exe -a SMTPSVC/mail.DOMAINNAME.co.uk SERVERNAME

    I get an error:”Failed to bind to DC of domain DOMAINNAME, erro 0x6d5/1749 -> The security context is invalid”

    I’m really stuck here… can you please help?

    • ronnypot says:


      Thanks for the reply, I am not realy sure what this error is about, but I would suggest to post it on the SBS Technet Forum. There are all kind of it professionals helping people so you will get help from others either.

  12. Marcus says:

    Very good guide. Works a treat!
    No need to configure via my firewall now.

  13. Dick says:

    How long does it take for the remote.xxx.xx and MX records for it to resolve eg just done it 2 hours ago how long before i should be able to access VPN ?

    • ronnypot says:

      you mean how does it take before the dns changes are active? This all depends on the settings of your dns/isp provider but it could take up to 48 hours before all dns changes are replicated worldwide.

  14. Steph says:

    I’m trying to configure a VPN on SBS 2011 server. And I have that famous wizard “cannot automatic configure your router” asking me to open manually the port 1723.

    In the SBS server firewall, I checked that the rules for PPTP (TCP 1723) and RCP are activated for incoming and outgoing.

    But I still have the same wizard when trying to configure VPN.

    Any idea?
    Thank you

    • ronnypot says:

      It is not the SBS firewall you need to open port 1723 but it is on your internet router/firewall. Also as said in a earlier post you need to let gre packets (protocol 47) through.

  15. Sonu says:

    Hi Ronny,

    I really appreciate the effort you had put into make the sbs 2011 , i follwed this step by step and it was really helpful in setting up exchange.
    I feel or may be i have followed few things properly after completing i have come up with set of very valid questions that will be helpful for even future user who want to set up sbs exchange 2011.
    1. Since by default the server is create as test.local the id gets created as test@test.local , i have made the changes as test.com and made it default, but still the id gets create as @test.local. my question is how to create ids a user@test.com rather than user@test.local.

    2. after creating the id and making it as default when i tested with outlook , it resolved the name but gave a error- “unable to create folder …….” from client pc i got error server unavailable.

    3. Is this the right way to configure the test.local as test.com in the accepted domain ?

    4. Regarding outlook anywhere it is not working for outside users?

    5. Where to configure the public ip in sbs 2011 exchane so that outlook owa is available for the outside world, and outlook anywhere also works

    6. is there any dns change to be done locally ?

    7. The testing part and scenario after completing the setup of sbs exchange 2011 .

    • ronnypot says:


      I am not clear about all your questions, but I will try to answer as I think you mean.

      1. When you run the Setup your internet address SBS configures your server (exchange) to use the given domain name as deafult domain so during this wizard you need to enter “test.com”.

      2. The only time I see this error is when you try to add an additional mailbox but do not have enough rights to that additional mailbox.

      3. As described under 1. if you ran the setup your internet address wizard and enter test.com as domain, both test.local as test.com are accepted domains. And Test.com is used as default within the email address policy. If you want to use multiple domains please see this blog post: http://blogs.technet.com/b/sbs/archive/2011/04/13/how-to-configure-sbs-2011-standard-to-accept-e-mail-for-multiple-authoritative-domains.aspx

      4. Did you setup a trusted third party certificate? If not you probably need to import the self signed certitifcate on the clients using outlook anywhere. Second you need to make sure there is a dns record for (remote.test.com, or which other domain name you entered during the setup your internet address wizard) and make sure the A record points to your external ip address of your router / firewall and the router transfers port 443 to your SBS server.

      5. you do not have to configure the public ip address in SBS, you need to add an A dns record on your external DNS zone for remote.test.com and point that to your public ip address as described in 4.

      6. No if you setup your SBS server using the predefined wizards you do not need to change any local dns entry.

      7. I have no clue what you mean by this one.

      Hope this helps

  16. Bondi says:

    Hello Ronny,

    I would like to kindly ask You for your help.

    I have set up the SBS 2011, and succesfully created a VPN connection for my colleague, who uses win xp.

    Yesterday I tried to do make a VPN for myself, to be able to reach the server from my laptop (win7), but failed.
    I think the VPN connection is OK, becouse I appear on the server as a “remote access client”, but I cannot add a new network driver in win7.

    If I browse, I see only my laptop in the “network”, and if i tipe in the IP adress, it says it “couldn’t establish a connection”.

    Could You help me and tell me what to do?

    thanks in advance


    • ronnypot says:

      Hi Bondi,

      Sorry to say, but I do not have much experience with the built in vpn solution, most of the time we cisco router/firewalls with vpn built in.

      I would suggest you post your question on the Technet Small business Server forum there are a lot of it professionals helping others.


  17. Dave says:

    Hi Ronny,

    I’m trying to connect a Lenovo think pad android tablet to sbs 2011. I can connect using a xp laptop and an iPhone. I also have the same scenario with a sbs 2003 server. I know subs is your go but have you any ideas?

    By the way I think your stuff is about the best I’ve come across.



    • ronnypot says:

      Hi Dave,

      thanks! Just some questions: You mean you want to configure email sync for the android tablet or you want file access or something? Do you get any error at anytime? Is this an admin account you are trying to connect?

  18. Dave says:

    Just trying to connect to run remote desktop. Account is an admin. In both cases we can connect multiples xp machines from multiple locations (different homes & mobile connections) & an iphone. However when setup std vpn with tablet it just says unsuccesful. Note we tried anyconnect but after being prompted with message regarding certificate the connection fails.

  19. Fantastic – Brilliant – Saved my life!!!
    My vote is you take over microsoft and demistify them.
    I am forever in your debt you have saved me days.

  20. Enchantnet says:

    Nicely done! Easy to follow and setup. Thanks!

  21. Bahabaha says:

    I would like to thanks the owner of the idea to share I.T knowledge.

  22. Abdul Gaffar says:

    Hi, fantastic article. I used this to set up 2 SBS servers in a network and one as a premium add-on with SQL on it.

    I did try configuring VPN and it seems to break the entire network. As soon as I removed it, it was working fine and computers could access server and vice versa.

    I now have a new server to configure. Is simply following the wizard and ensuring port forwarding is correct simply work? Do we need to have 2 NICs on the server to enable VPN to work?

    Please advise

  23. Dylan says:

    Hey all i need some help with a query. With regards to the VPN, i have set it up and all is working. The one thing i need to get right is to allow vpn traffic to resolve to the IP address of the server i.e to Server01 and then all internet traffic to go over the primary conenction on the vpn client and not over the vpn istelf. I have tried changing the setting that makes the vpn client use its default gateway and not the vpn default gateway but that then breaks any name resolution to ip for Server01 and is only accessible via ip

  24. K says:

    Hi Ronny,

    Thanks for your blog, really great stuff! I configured the VPN and it works fine. The only problem is that Internet (both LAN and Wireless) become ‘limited’ after connecting. Mapped drives, file access and RDP access are all ok. Any suggestions?


Leave a Reply

Sharing Buttons by Linksku