I would recommend that instructions include information about the potential need for the NAT feature if the RRAS server is assigning off-network IPs (rather than DHCP IPs from either the internal or external DMZ networks). The NAT feature is not enabled by default, and without it, VPN clients can get an off-network IP assigned by RRAS but can't reach the internal network. This would be at step 9 under "Install the Remote Access role by using Server Manager".
Hey bryhall,
I am also stuck in the same place, since my client is connected to the VPN but unable to access the internal resources. Could you explain more about this?
I'm the same and am too noob to figure out how to fix this. @dineshazure, did you solve this? @bryhall, any chance of explaining? Thank you!
I'm so sorry @dineshazure / @gabrielmccoll. I never noticed the notifications about these messages. It's probably way too late to be useful to you but to answer your question (based on my experience):
While RRAS is capable of assigning an off-network IP (one that is different than the networks that are physically connected to the RRAS server and is really an additional network attached to RRAS), any client with those IPs won't be able to get anywhere outside of that network without NATing. The NAT feature is needed to allow those clients to reach the other networks attached to RRAS.
Perhaps there's a way to route them, but I did not find a method during my time troubleshooting the issue.
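The condition described in this thread, as an added example that is not part of the original issue or of Microsoft's documentation: a Python check that tells whether an RRAS static address pool lies outside every subnet attached to the server, which is the case where the comments above report that NAT was needed. The function names, subnets and pool ranges are constructed for illustration.

```python
import ipaddress

def classify_pool(pool_start, pool_end, attached_networks):
    """Return 'on-network', 'off-network' or 'partial' for a start/end address pool.

    attached_networks: subnets on the server's NICs, e.g. '10.0.0.5/24' or '10.0.0.0/24'.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start.version != end.version or start > end:
        raise ValueError("pool must be one address family with start <= end")
    # strict=False accepts an interface address with its mask; keep the pool's family only.
    nets = [n for n in (ipaddress.ip_network(a, strict=False) for a in attached_networks)
            if n.version == start.version]
    verdicts = set()
    # A start/end pool rarely matches a single prefix, so split it into CIDR blocks.
    for block in ipaddress.summarize_address_range(start, end):
        if any(block.subnet_of(n) for n in nets):
            verdicts.add("in")
        elif any(block.overlaps(n) for n in nets):
            verdicts.add("mixed")  # block is wider than an attached subnet
        else:
            verdicts.add("out")
    if verdicts == {"in"}:
        return "on-network"
    if verdicts == {"out"}:
        return "off-network"
    return "partial"

def needs_nat(pool_start, pool_end, attached_networks):
    """True when any pool address is off-network, the case this thread says needed NAT."""
    return classify_pool(pool_start, pool_end, attached_networks) != "on-network"

# Constructed sample: one internal NIC and one DMZ NIC on the RRAS server.
ATTACHED = ["10.0.0.5/24", "192.168.50.5/24"]

if __name__ == "__main__":
    for pool in [("10.0.0.100", "10.0.0.150"),
                 ("172.16.50.10", "172.16.50.200"),
                 ("10.0.0.200", "10.0.1.20")]:
        print(pool, classify_pool(*pool, ATTACHED), "NAT needed:", needs_nat(*pool, ATTACHED))
```

A 'partial' result means the pool straddles an attached subnet boundary, so only some VPN clients would be affected, which is harder to spot than a fully off-network pool.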