Windows Server 2025 is the latest Microsoft Server Operating system released recently. The OS brings many new features and additions while also improves security. Through the evolution of the product, Microsoft also phasing out certain elements and protocols. Today, we’ll explore what Microsoft has changed in Routing and Remote Access Services (RRAS) compared to previous releases of Windows Server 2025 and we’ll run the process of installation and configuration of the component.
As you know, RRAS has been part of Windows Server family for a very long time. However, two of the protocols used, PPTP and L2TP, are not used by default for VPN connections, but rather the SSTP and IKEv2 connections are privileged. Yhe older PPTP and L2TP protocols can still be used, however, by default they are deactivated and rather the SSTP and IKEv2 connections are pre-configured for remote access.
If you do an in-place upgrade (yes, available for Windows Server 2025), the existing configurations keep its configuration and protocols for connections. For example, if you run Windows Server 2019 with PPTP and L2TP connections configured as VPN, then after upgrade to Windows Server 2025, those connections are still accepted.
As you can see, the number of ports is zero for the L2TP and PPTP types of connections, meanings that the default, the number of ports is set to zero. It means that by default, RRAS setups don’t accept VPN connections based on PPTP and L2TP protocols. You can still use them if you want, but those type of connections aren’t secure and Microsoft is phasing out those two protocols. They are deprecated. Microsoft says that:
“Deprecation refers to the stage in the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases.”
What is RRAS good for?
RRAS with WS 2025 is good for remote administration and secure your remote VPNs, but many users prefer using dedicated hardware VPNs.
There might be use cases for both, hardware or software-based VPNs. Why not using the one provided by Microsoft while you already pay for CALs for your co-workers.
The Routing and Remote Access service (RRAS) supports remote user or site-to-site connectivity by using virtual private network (VPN) or dial-up connections.
When using a RRAS, you can deploy VPN connections and allow end users to connect your co-workers with remote access to your organization’s network. You can also create a site-to-site VPN connection between two servers at different locations.
If you’re using Hyper-V, you can also use RRAS as multitenant gateway where you have VMs Networks deployed with VLANs, then you can deploy RRAS in a VM which will be used as a software gateway and router that allows routing between cloud network traffic and virtual and physical networks.
Lastly, you can configure the RRAS Multitenant Gateway with Border Gateway Protocol used for dynamic routing where you can enable Network Address Translation (NAT) to provide Internet access for VMs on your VM networks.
What are system requirements for RRAS in Windows Server 2025?
The system requirements are similar to what they were in 2022 or 2019:
- You’ll need to mee the hardware requirements (if you’re installing on physical box) first, then install WS 2025.
- You’ll need to use an account with enough privileges (account in the local administrator’s group if the system is outside of a MS domain, or an account with administrative rights on the system).
How to Install and configure RRAS on Windows Server 2025
Open Server manager and start Add Roles and Features wizard. Then go ahead and:
- Select Remote Access > Check Remote access in the roles section
- Check the box DirectAccess and VPN (RAS) and click the Add features button, with then add all the necessary tools the systems ask you for.
- Follow the wizard and reboot the host at the end.
- Open the RRAS console by typing RRAS in the search box. Then right click the node and select Configure and Enable Routing and Remote Access.
- After successful configuration, make sure that your firewall ports accept connections on 443 for SSTP and 500/4500 for IKEv2.
- Make sure that the host has at least 2 Network interface cards (NICs).
- Your host should not be a domain controller
For VPN access, your AD users should be configured with following:
Each user has to be enabled to use Dial-In. (In AD > User properties > Dial-In tab > Allow access under Network Access Permission).
Installation via PowerShell
Within the Microsoft documentation we can find that it is also possible to script the installation and there is a cmdlet.
Enter and run the following cmdlet:
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
You should see the following output:
Now you’re done.
Final Words
By supporting modern VPN protocols like SSTP and IKEv2, RRAS ensures encrypted connections and reliable access to internal resources, making it ideal for hybrid and remote work environments.
When comparing software-based VPNs to hardware-based VPNs, several advantages become evident, such as that software-based solutions are generally cost-effective, easier to deploy and manage, and offer greater scalability. They also provide compatibility across various operating systems and devices. However, you should always proceed with some kind of proof of concept (POC) before implementing in production.
The choice between software and hardware VPNs depends also on the specific needs and resources of an organization. Microsoft RRAS and VPN is fairly popular between IT admins as it allows you to quickly setup a VPN without spending additional funds.
