Always On VPN with MikroTik Configuration

Hello,

I want to configure Always On VPN User & Device Tunnel in our small office network. Here is my scenario:

The problem is that all deployment guides assume that every office has multiple servers and the official Microsoft deployment guide assumes that a Windows server will be used as the remote access server. But in my setup, I only have a single MikroTik router and a single Windows Server machine (which is also my certification authority in the network).

I’ve read tons of documentation on both MikroTik and Windows Server, but I’m still confused about certain steps - this must be a very typical setup for many businesses. Is there any definitive guide on how to set this up for reference? I would very much appreciate that :)

Thanks a lot.
Tomas

I don’t know if Windows domain has any special requirements, but can’t you simply split it into two “independent” parts?

  1. VPN for clients that will allow them to access 192.168.0.0/24
  2. domain-joined devices that are either in a different subnet (could be VPN as well as just another subnet connected to the router), or even in the same subnet but without L2 connectivity (using proxy ARP)

And then it would just “click” together. Access to VPN could have either separate credentials, or maybe it could be controlled by domain too, but unfortunately I can’t tell you much about that (IPSec identity has auth-method=eap-radius, so maybe that could be used).

Hello, sorry for my late reply, I wasn’t checking the forum very often.

I tried that - a Mikrotik SSTP server… I almost made it work, I could ping everything within my business network (including hostnames) and I could even connect to the server via remote desktop, but I wasn’t able to access my shared files, the SQL server and so on. It said something about “failing to connect to the domain controller in order to authenticate”. I asked about this on Microsoft forums, without any resolution.

For Active Directory to work, you will need to make sure that your DNS settings for the client needing to access AD resources are pointing at one of the domain controllers.

Thank you for the reply. On the Mikrotik SSTP server, the DNS server record was pointing to the domain controller itself (hence being able to ping hostnames on the corp network), and I still got the error.

You could try a WireGuard VPN tunnel, assuming the RB3011 has a reachable public IP. It’s fast, easy and works…

Yes it does, thanks, I will give it a go and let you know if it worked :)
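To make the two technical points in this thread concrete (the WireGuard suggestion, and the earlier reply that the client's DNS must point at a domain controller), here is an added RouterOS v7 example; it is not from any poster and not MikroTik's or Microsoft's documentation. The LAN 192.168.0.0/24 is from the thread; the DC address 192.168.0.10, the tunnel range 10.99.0.0/24, interface names, port and all keys are placeholders you would replace.

```routeros
# Added example: WireGuard road-warrior setup on a RouterOS v7 MikroTik so that
# a Windows client can reach AD services on the office LAN (192.168.0.0/24).
# Assumed/placeholder values: DC at 192.168.0.10, clients in 10.99.0.0/24,
# WAN interface ether1, UDP port 13231. Nothing here is from the thread itself.

# 1. WireGuard interface (the router's private key is generated on creation;
#    read the matching public key with: /interface/wireguard/print).
/interface/wireguard add name=wg-office listen-port=13231 comment="office VPN"
/ip/address add address=10.99.0.1/24 interface=wg-office

# 2. One peer per laptop. allowed-address is that client's tunnel address;
#    its public key is taken from the WireGuard app on the Windows machine.
/interface/wireguard/peers add interface=wg-office \
    public-key="<LAPTOP-01-PUBLIC-KEY>" allowed-address=10.99.0.2/32 \
    comment="laptop-01"

# 3. Firewall: accept the handshake from the WAN and let tunnel traffic reach
#    the LAN. Place both rules above the default drop rules in their chains
#    (use place-before=<rule number> if your filter already has drops).
/ip/firewall/filter add chain=input in-interface=ether1 protocol=udp \
    dst-port=13231 action=accept comment="WireGuard handshake"
/ip/firewall/filter add chain=forward in-interface=wg-office \
    dst-address=192.168.0.0/24 action=accept comment="VPN -> office LAN"

# 4. No NAT between tunnel and LAN: the DC should see the real 10.99.0.x
#    source, and since the router is already the LAN default gateway it
#    routes replies for 10.99.0.0/24 back into wg-office by itself.

# Client side (Windows WireGuard app, laptop-01). This is where the
# "could not contact a domain controller" symptom is usually decided:
# DNS must be the DC only (not the home router), and the DC's subnet must be
# inside AllowedIPs so SMB, LDAP and Kerberos go through the tunnel.
#
#   [Interface]
#   PrivateKey = <laptop-01 private key>
#   Address    = 10.99.0.2/32
#   DNS        = 192.168.0.10, <AD DNS suffix, e.g. your domain's FQDN>
#
#   [Peer]
#   PublicKey  = <router public key from /interface/wireguard/print>
#   Endpoint   = <router public IP>:13231
#   AllowedIPs = 192.168.0.0/24, 10.99.0.0/24
#   PersistentKeepalive = 25
```

Once the tunnel is up, `nslookup <domain FQDN>` on the laptop should answer from 192.168.0.10 and list the DC; if it answers from the home router instead, the DNS line above is not taking effect and domain authentication will keep failing.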

https://forum.mikrotik.com/viewtopic.php?t=182340