Set a Static IP Address Pool for Your 2016 VPN

I’m in the process of migrating from Windows Server 2012 R2 Essentials to Windows Server 2016 Standard with the Essentials role. It is astonishing and somewhat concerning how poorly documented the 2016 version is and how difficult it can be to find solutions.

Part of my normal procedure for setting up 2012 R2 Essentials was to add a static IP address pool to Routing and Remote Access so the VPN could get IP addresses even though DHCP is hosted on my router. For 2012 R2, this is well documented under error 720 at https://blogs.technet.microsoft.com/sbs/2014/06/11/troubleshooting-common-vpn-issues-on-windows-server-2012-r2-essentials/.

What Failed

In PowerShell, I ran this command

Add-WindowsFeature -Name RSAT-RemoteAccess-MGMT

then opened the RRAS management UI:

[Screenshot: 2016 Essentials VPN 1]

Huh? “Legacy mode is disabled”? I guess I can’t access RRAS options that way. (I never found a way to enable Legacy Mode.)

The message says to “use RemoteAccess PowerShell cmdlets”, so I started poking around in the RemoteAccess Module reference:

https://technet.microsoft.com/en-us/itpro/powershell/windows/remoteaccess/remoteaccess

Get-RemoteAccessHealth tells me I have a Services error:

[Screenshot: 2016 Essentials VPN 2]

Couldn’t figure out how to get details on that error in PowerShell, but I found that there is a separate console for RemoteAccess administration, which tells me that Rasman is not running:

[Screenshot: 2016 Essentials VPN 3]

Under the Services console, sure enough, the Remote Access Connection Manager is not only stopped, it’s Disabled:

[Screenshot: 2016 Essentials VPN 4]

I enabled the service and tried to start it. Got this error:

Log Name:      System
Source:        Service Control Manager
Date:          8/3/2017 3:35:19 PM
Event ID:      7024
Description:
The Remote Access Connection Manager service terminated with the following service-specific error:
{TDI Event Pending} The TDI indication has entered the pending state.

Good grief. This is going nowhere fast. I’m backing out of this rabbit hole while I still can—and ignoring the RemoteAccess Services error.

Later I realized I might as well uninstall the useless RRAS console:

Remove-WindowsFeature -Name RSAT-RemoteAccess-MGMT

What Worked

Finally I was able to track down the PowerShell command to change from DHCP to Static IP addressing and assign an IP range: Set-VpnIPAddressAssignment. To add an IP range (make sure it’s excluded from DHCP on your router):

Set-VpnIPAddressAssignment -IPAssignmentMethod "StaticPool" -IPAddressRange "30.1.1.10", "30.1.1.30" -PassThru

That command also supports setting an IPv6Prefix, but I left that off and it shows up as empty.

Once I’d done that, a laptop with the Essentials connector installed, running outside my LAN, was able to establish a VPN connection.

For reference, if you ever take DHCP off the router and put it on the server, you’ll probably want to remove the static IP pool and change the assignment method back to DHCP:

Set-VpnIPAddressAssignment -IPAssignmentMethod "Dhcp" -PassThru

To check the IP Assignment Method without changing it:

(Get-RemoteAccess).IPAssignmentMethod

To check the IP range without changing it:

(Get-RemoteAccess).IPAddressRangeList

To see additional info about your Remote Access setup, including the installed certificate:

Get-RemoteAccess

Update November 14, 2017

Glenn at Glennopedia has posted a couple of great articles on this topic:

  • This one covers setting up Remote Access using PowerShell, including updating the certificate.
  • This one describes how to re-deploy the VPN in legacy mode so you can manage it through a GUI.

Update December 26, 2020

RRAS on a DNS server (as is any Essentials server) may register a second IP address in DNS. See this article on how to tell DNS to ignore the second IP.

8 thoughts on “Set a Static IP Address Pool for Your 2016 VPN”

  1. Brian

    You are a genius. Hours of searching and hair pulling. Works perfectly. I needed to share resources on a port of the server only with specific IP addresses and this was a requirement.

    Thanks a million

  2. Uli

    If you already have static IPs, the set command won’t work. You have to add the range. If your new range overlaps with the old range, you have to remove the old range before adding the new range. However, you have to keep at least one range, so you have to add a temporary range before and then remove it later when your actual new range is added :-D

    Example:

    In my case our router DHCP assigns IPs from 192.168.178.20 – 192.168.178.200
    The VPN server was configured with a static pool 192.157.178.104 – 192.168.178.247
    Because the VPN range overlapped with the DHCP range we had to change VPN static pool to 192.168.178.201 – 192.168.178.247:

    Add-VpnIPAddressRange -IPAddressRange "192.168.178.101","192.168.178.103"
    Remove-VpnIPAddressRange -IPAddress "192.168.178.104"
    Add-VpnIPAddressRange -IPAddressRange "192.168.178.201","192.168.178.247"
    Remove-VpnIPAddressRange -IPAddress "192.168.178.101"
    Restart-Service RemoteAccess
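The following script is an added example (not code from the post or its commenters) that ties together the post's Set-VpnIPAddressAssignment/Get-RemoteAccess procedure and the range-overlap problem Uli describes: it checks that a proposed static pool stays outside the router's DHCP scope before applying it. The DHCP scope and pool bounds are constructed sample values, and the "flip to Dhcp first, then set the new StaticPool" step is the author's untested suggestion from comment 4, taken here as an assumption.

```powershell
# Added example, not from the original post. Assumes Windows Server 2016 with the
# RemoteAccess module present. Sample addresses below are constructed.

function ConvertTo-IPv4UInt32 {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

# True when the two inclusive IPv4 ranges share at least one address.
function Test-IPv4RangeOverlap {
    param([string]$Start1, [string]$End1, [string]$Start2, [string]$End2)
    $a1 = ConvertTo-IPv4UInt32 $Start1; $b1 = ConvertTo-IPv4UInt32 $End1
    $a2 = ConvertTo-IPv4UInt32 $Start2; $b2 = ConvertTo-IPv4UInt32 $End2
    if ($a1 -gt $b1 -or $a2 -gt $b2) { throw "Range start must not exceed range end" }
    return ($a1 -le $b2) -and ($a2 -le $b1)
}

# Constructed sample values: the router's DHCP scope and the pool RRAS should hand out.
$DhcpStart = '192.168.178.20';  $DhcpEnd = '192.168.178.200'
$PoolStart = '192.168.178.201'; $PoolEnd = '192.168.178.247'

if (Test-IPv4RangeOverlap $PoolStart $PoolEnd $DhcpStart $DhcpEnd) {
    throw "VPN pool $PoolStart-$PoolEnd overlaps the DHCP scope $DhcpStart-$DhcpEnd; choose a pool outside it"
}

$before = Get-RemoteAccess
Write-Host "Before: $($before.IPAssignmentMethod); ranges: $($before.IPAddressRangeList)"

# Assumption (comment 4, untested by the author): reverting to Dhcp first avoids the
# "cannot add an overlapping range / must keep one range" dance from comment 2.
if ($before.IPAssignmentMethod -eq 'StaticPool') {
    Set-VpnIPAddressAssignment -IPAssignmentMethod 'Dhcp' | Out-Null
}
Set-VpnIPAddressAssignment -IPAssignmentMethod 'StaticPool' -IPAddressRange $PoolStart, $PoolEnd | Out-Null
Restart-Service RemoteAccess

# Verify without changing anything, the same way the post does.
$after = Get-RemoteAccess
if ($after.IPAssignmentMethod -ne 'StaticPool') { throw "Static pool was not applied" }
Write-Host "After: $($after.IPAssignmentMethod); ranges: $($after.IPAddressRangeList)"
```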

  3. Uli

    I set the static ip pool, because I wasn’t able to access remote resources when connected via VPN. However, these steps didn’t solve the problem. I researched for hours without success. Now it turned out, that a simple server reboot was the solution :-D I didn’t reboot, because I already restarted the “RemoteAccess” service.

  4. Mark Berry Post author

    Uli, I don’t quite follow your example. Does the Remove-VpnIPAddressRange command only require that you specify the first IP in the range?

    Since you wanted to change the range, I wonder if it would have been simpler to temporarily revert to DHCP mode with

    Set-VpnIPAddressAssignment -IPAssignmentMethod “Dhcp” -PassThru

    then set the new range.

  5. Uli

    Yes, you’re right. You have to keep at least a single range. You cannot change a range but just add and remove it. You cannot add a range which overlaps with another range. Thus my workaround with multiple add and remove commands.

    However, without validating, I think your approach of temporarily switching to “dhcp” will work and will be simpler. It just didn’t come to my mind ;-)

  6. Jo

    I had to set the manual range, because even though the DHCP Server service is installed and running on the 2016 WSE, it does not assign an IP within the LAN-range in Remoteaccess.

    When setting the manual range, I can connect, and I get an address within that range, but I cannot see any other devices on the network. Nor can I ping the server name; only its IP address replies.

    Is there a powershell command to set what DNS address(es) the remoteaccess clients should be assigned?

  7. Mark Berry Post author

    @JO, I’ve never looked before, but I don’t see a DNS setting in the list of properties when I run Get-RemoteAccess, so I’m guessing there is no way to set that. What you are describing sounds like a kind of device isolation, to keep devices from seeing each other. I don’t have a VPN running right now to test if that’s normal. After connecting, when you run ipconfig /all, what DNS server(s) are shown?

  8. Gary Switzer

    Thanks a million Mark Berry! Took me hours to diagnose my problem and finally land on your page. The PowerShell cmdlet worked perfectly and allowed me to continue using DHCP from my Untangle UTM. An old thread, but still very helpful.
