Server 2012 R2 RRAS Multitenant Gateway GUI

"The new RRAS Multitenant Gateway Deployment Guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet."
I have Server 2012 R2 installed on a VM with the Remote Access server role and the Routing and Remote Access Service (RRAS) role installed.
How do I configure this for NAT? (I did find a PowerShell script, but I want to do this through the UI) without SCVMM.
Peplink Balance 210 dual wan router (Bell and Cogeco)
2 ProLiant physical servers
2 Nics per server
5 static ips
2 Virtual Switches
Server 2012 R2 host
Server 2012 R2 Essentials (Domain 1)
Server 2012 R2 Essentials (Domain 2)
Server 2012 R2 (Domain 3)
http://technet.microsoft.com/en-us/library/dn641923.aspx
New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
http://blogs.technet.com/b/wsnetdoc/archive/2014/03/26/new-windows-server-2012-r2-rras-multitenant-gateway-deployment-guide.aspx
Multitenant security and isolation with Hyper 2012
http://blog.marcosnogueira.org/multitenant-security-and-isolation-with-hyper-2012/
Here is the situation: I have a client that operates 3 small companies out of one location. He has a generator plus great physical security and relatively new network cabling. I plan to create a couple of VLANs on the Peplink. I decided to go with Server 2012 Essentials (he wants to use RWA). All of the VMs will be under a very light load on the first server, with 1 server to test backups and 2 IO safe drives.
Diagram
http://i61.tinypic.com/rct0ti.png
Thanks in Advance.

Hi,
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.
Don't hesitate to try your hand at it.
Here are some articles about PowerShell,
Using Windows PowerShell
http://technet.microsoft.com/en-us/library/dn425048.aspx
PowerShell
http://technet.microsoft.com/en-us/library/ff950685.aspx
Hope this helps.
Steven Lee
TechNet Community Support

Similar Messages

  • Just FYI, new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide

    New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
    This new guide is available on the Web at http://technet.microsoft.com/en-us/library/dn641937.aspx. It is also available for download in Word format at TechNet Gallery at
    http://gallery.technet.microsoft.com/Windows-Server-2012-R2-37eb8e17
    If you work for a Cloud Service Provider (CSP) or an organization that's planning on deploying cloud technologies, you might be interested in the new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.
    You may already know that in Windows Server® 2012 R2, the Remote Access server role includes the Routing and Remote Access Service (RRAS) role service. (It also includes DirectAccess and Web Application Proxy, however those role services will not be discussed in this article.)
    The new deployment guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet.
    You can use the gateway with VM networks by using either Hyper-V Network Virtualization or Virtual Local Area Networks (VLANs) - but using Network Virtualization is recommended due to VLAN limitations such as difficult management and a limited number of available VLAN IDs.
    If you're using System Center Virtual Machine Manager (SC VMM), you can use SC VMM to deploy Windows Server Gateway; however even if you are using SC VMM, you can manage the gateway with the same Windows PowerShell commands that are used for the RRAS Multitenant Gateway. (Some Windows Server Gateway features are configurable only with Windows PowerShell.)
    For information on deploying Windows Server Gateway with SCVMM, see the Test Lab Guide: Windows Server 2012 R2 Hyper-V Network Virtualization with System Center 2012 R2 VMM, at
    http://www.microsoft.com/download/details.aspx?id=39284
    With the RRAS Multitenant Gateway, you can create site-to-site VPN connections between your tenants' physical locations and your cloud datacenter. You can also provide tenants with point-to-site VPN connections that allow tenant Administrators to access and manage their VM resources from anywhere. The RRAS Multitenant Gateway also allows you to configure Network Address Translation (NAT), so that tenant VMs can access the Internet, and you can deploy dynamic routing by configuring the gateway and tenant gateways with BGP.
    Thanks -
    James McIllece

    Hi,
    It is very useful, thanks for your sharing.
    Best Regards
    Elton Ji
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.
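The deployment the announcement above describes (one tenant with a site-to-site tunnel, NAT for Internet egress and BGP), and the NAT configuration the opening question asks about, done with the RemoteAccess, NetNat and BGP cmdlets. This is an added example, not code from the thread or from the Microsoft guide it announces; the tenant name, addresses, ASNs, interface names and the shared secret are placeholders.

```powershell
# Added example (not from the thread or from the Microsoft guide it announces):
# deploy RRAS as a multitenant gateway for one tenant with a site-to-site IKEv2
# tunnel, NAT for Internet egress and a BGP peering, then verify it. Tenant name,
# addresses, ASNs and the shared secret are placeholders (assumptions); the
# cmdlet parameters used are the Windows Server 2012 R2 ones. Run elevated.

# 1. Role services and management tools on the gateway VM.
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools

# 2. Multitenant mode, then one routing domain (compartment) per tenant. Each
#    domain has its own routing table, so tenants cannot see each other's routes.
Install-RemoteAccess -MultiTenancy
Enable-RemoteAccessRoutingDomain -Name 'Tenant1' -Type All

# 3. Site-to-site IKEv2 tunnel to the tenant's on-premises edge. A pre-shared key
#    keeps the example short; machine certificates (-AuthenticationMethod
#    MachineCertificates) are the stronger choice in production.
$psk = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'   # placeholder, not a real secret
Add-VpnS2SInterface -RoutingDomain 'Tenant1' -Name 'Tenant1-Site' `
    -Destination '203.0.113.10' -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet '10.10.0.0/16:100' -Persistent

# 4. NAT so tenant VMs reach the Internet through an address on the gateway's
#    external subnet; the port range bounds what one tenant can consume.
New-NetNat -Name 'Tenant1-NAT' -InternalRoutingDomainId 'Tenant1' `
    -ExternalIPInterfaceAddressPrefix '198.51.100.0/24'
Add-NetNatExternalAddress -NatName 'Tenant1-NAT' -IPAddress '198.51.100.20' `
    -PortStart 1024 -PortEnd 65535

# 5. BGP: learn the tenant's on-premises prefixes and advertise the cloud subnet
#    instead of maintaining static routes at both ends. Private ASNs assumed.
Add-BgpRouter -RoutingDomain 'Tenant1' -BgpIdentifier '10.20.0.1' -LocalASN 64512
Add-BgpPeer -RoutingDomain 'Tenant1' -Name 'Tenant1-OnPrem' `
    -LocalIPAddress '10.20.0.1' -PeerIPAddress '10.10.0.1' -PeerASN 64513
Add-BgpCustomRoute -RoutingDomain 'Tenant1' -Network '10.20.0.0/16'

# 6. Verify each piece is up before handing the tenant its connection details.
Get-VpnS2SInterface -RoutingDomain 'Tenant1' | Select-Object Name, ConnectionState
Get-NetNat -Name 'Tenant1-NAT' | Select-Object Name, InternalRoutingDomainId, Active
Get-BgpPeer -RoutingDomain 'Tenant1' | Select-Object PeerName, ConnectivityStatus
```

Every tenant-specific cmdlet carries `-RoutingDomain`; leaving it off puts the object in the gateway's default compartment, where it would be shared across tenants, so treat a missing routing domain as a configuration error when reviewing such scripts.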

  • Just FYI, new blog post "Deploy Border Gateway Protocol (BGP) with the RRAS Multitenant Gateway"

    This is just FYI about the new blog post for Windows Server 2012 R2, "Deploy Border Gateway Protocol (BGP) with the RRAS Multitenant Gateway," at
    http://bit.ly/OfDkty
    James McIllece

    Hi,
    Thanks for sharing and it would be greatly helpful to anyone who has requirements for that.
    Best regards,
    Susie

  • Server 2012 R2 RRAS NAT VPN connectivity issues

    Hello all,
    I'm having trouble making IKEv2 connections to my VPN server from the Internet after changing my home lab network infrastructure to use Server 2012 R2 RRAS NAT routing. Despite all of the appearances of a proper configuration, it appears that NAT-T is not working properly.
    Let me preface my questions/issues with some critical infrastructure disclosures/explanations to help troubleshoot this issue:
    1. This is a home lab environment with no impact to corporate production systems in any way. All information garnered from help in this session is understood to be as-is.
    2. The entire environment is on Server 2012 R2 Hyper-V. I've configured trunking on all of the layer 2 (Cisco Catalyst switch) etherchannels, and I've configured trunking on the Hyper-V vSwitches. I have no issue with internal routing or NAT or with attaching to VPN from an internal VLAN, which indicates that routing (Layer 3) is not at issue here since everything goes where it should.
    3. The NAT server and the VPN server are two separate Windows Server 2012 R2 Std. Hyper-V VMs. The NAT server has 1 NAT uplink to/from my ISP and 5 router interfaces (NICs with no gateways specified). I have a static IP, so it's not an IP changing anywhere. I have all of the port forwarding on the public NAT interface configured properly. Email, web, and application access work fine from out-to-in. The VPN server has 2 NICs: one on a VPN VLAN and the other on an internal VLAN.
    4. I ran Netmon from my corporate office and saw that IKEv2 traffic to my host over UDP 500 was successful (I got a response back), but the connection to UDP 4500 was attempted 3 times and then fails. Since UDP 4500 is the NAT-T port, I'm thinking this is where the fault is occurring. I also ran Netmon from the NAT router itself and found that traffic was flowing from the Internet to the VPN server up the stack to Layer 3.
    5. As a test, I turned off Windows firewall on both the VPN server and the NAT server. This made no difference, so firewall is not at play here.
    6. My certificates are configured properly with my external VPN address and appropriate SANs pointing to the public IP address. These same certificates worked without issue prior to the migration to Server 2012 R2 RRAS as my NAT router.
    The actual error I'm receiving is Error 809 which indicates a problem with the connectivity to the VPN server, presumably through the NAT router. Prior to the change to virtual routing, I was using a Linksys E3000 with L2TP/PPTP passthrough enabled and had no issues connecting to my VPN server remotely.
    Some questions I have specifically regarding Server 2012 R2 RRAS and NAT:
    1. Is NAT-T "turned on" by default? Are there any settings required through netsh or elsewhere that I might have overlooked to enable NAT Traversal?
    2. How can I test if NAT-T is working outside of VPN testing?
    3. Is it Microsoft's recommendation/requirement that VPN and NAT be collocated on the same server? I noticed in the NAT forwarding rules that the pre-defined L2TP forwarder says "L2TP on this server." Does that indicate that L2TP can't pass beyond that server? What are the security implications for running VPN from the router?
    Any help would be appreciated. I've been troubleshooting this issue for 2 weeks and cannot seem to find any documentation or help on this issue. I'm hoping if others have similar issues, this post will help point them in the right direction. I have netmon captures to assist with troubleshooting if it comes to that. I'm certain this is NAT-T at this point, but I just can't prove it beyond a shadow of a doubt, and I have customers who have asked about using Microsoft RRAS for routing. I can't, in good conscience, recommend it if NAT-T is problematic since most companies want some sort of VPN solution for their environment.
    Respectfully yours,
    Ron Arestia

    Hi Ron,
    Please try to create and configure the AssumeUDPEncapsulationContextOnSendRule registry value.
    For detailed information, please refer to the link below:
    http://support.microsoft.com/kb/926179
    Best Regards.
    Steven Lee
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
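The registry value Steven Lee points to, applied and checked from PowerShell, together with a check that both IKE listeners exist on the VPN server. This is an added example, not code from the thread or from KB926179; the value meanings (1 = server behind NAT, 2 = both server and client behind NAT) and the reboot requirement are from that KB, and the KB places the value on the Windows VPN client that connects to a server behind NAT.

```powershell
# Added example (not from the thread or from KB926179): set the NAT-T registry
# value the KB describes and confirm the IKE listeners. Per the KB the value
# belongs on the Windows VPN client; run the listener check on the RRAS VPN
# server. Both need an elevated prompt.

$policyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName   = 'AssumeUDPEncapsulationContextOnSendRule'

function Get-NatTraversalRule {
    # Current DWORD, or 0 when absent (the default: no IPsec SA to a peer behind NAT).
    $item = Get-ItemProperty -Path $policyAgent -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

function Set-NatTraversalRule {
    # 1 = server behind NAT; 2 = server and client may both be behind NAT (KB926179).
    param([ValidateSet(1, 2)] [int] $Value = 2)
    New-ItemProperty -Path $policyAgent -Name $valueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
    # The KB requires a restart before the new value is honoured.
    Write-Warning "Set $valueName=$Value; restart the computer to apply it."
}

function Test-IkeListeners {
    # IKE (UDP 500) and NAT-T (UDP 4500) must both be bound on the VPN server.
    # A missing 4500 listener matches the capture described above: 500 answered,
    # 4500 retried three times and then dropped.
    $ports = Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty LocalPort -Unique
    [pscustomobject]@{
        Ike500Listening   = [bool]($ports -contains 500)
        NatT4500Listening = [bool]($ports -contains 4500)
    }
}

# Usage
"Current $valueName = $(Get-NatTraversalRule)"
Set-NatTraversalRule -Value 2
Test-IkeListeners
```

If both listeners are present on the VPN server, the remaining place to look is the RRAS NAT box in front of it: UDP 500 and UDP 4500 each need their own static mapping to the VPN server, since NAT-T moves the IKE exchange to 4500 as soon as a NAT is detected.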

  • Server 2012 R2 Remote Desktop Gateway. Most Simple and Secure Design For Small Environment?

    We would like users to be able to connect remotely over the Internet from their personal devices to their primary Windows 7 workstation (a physical box on their desk) by using the Microsoft RDP Client for Windows, Mac, iOS and Android. There is no plan to use RDWeb or RemoteApps, or VDI. Just plain remote access to their desktop PC without VPN, plus a third-party 2nd-factor authentication product that can text them back a code to enter with their AD credentials (AuthAnvil or Duo Security).
    We do not have TMG or ISA.
    We would like to get these services all running in a single server and be as simple as possible while still being very secure.
    The recommendations I see seem to suggest putting the RDG in a DMZ with either a domain controller on a new domain with a one-way trust to your internal domain or else a read-only domain controller on your domain, and then RD Session Host and License server located on different servers on your internal LAN.
    http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
    That sounds like a lot of separate servers and cost for not a lot of users in our environment.
    Do we even need a separate session host server if there are no RDP sessions being hosted directly on the servers because the users are only being redirected to connect to their workstations and will never be using terminal sessions on the server?
    Can the RODC or the Domain controller on new domain with the one-way trust be the same server as the Remote Desktop Gateway server and not separate servers?
    What is the most minimalist way to set this up with good security when opening all the ports needed to authenticate with internal DC is not secure enough?

    #2 sounds like we would need 2 Essentials servers and we will not have that.
    We currently have Server 2008 R2 and have 2012 Standard licenses that are not yet used.
    We have much more than 75 users total, but 75 is more than the number of users that will probably take advantage of using RD Gateway any time soon. It will probably take time to catch on.
    If RD Gateway usage was to get super popular and more than 75 users were depending on access to it, then we could financially justify paying to buy all the CALs needed to run RD Gateway without Essentials. Right now, they are skeptical that it will be worth spending much money on this and don't want to invest a lot of money up front.
    My understanding is that if we have 75 or fewer users using RD Gateway then we need to buy no CALs, just apply a Server Standard Edition license to the server, but if we had 76, we would need to turn off Essentials and buy 76 new CALs.
    Or would we need to add 50 CALs to the 25 that automatically come with Essentials?
    Also does "turning off" Essentials mean we would have to reinstall and redeploy the RDG or is it just a matter of enabling the RD license server and adding purchased CALs?
    No, when you buy Essentials you get the right to create 25 users that access the server; when you create the 26th user you will need to have 26 CALs and RDS CALs.

  • Windows server 2012 Essential vs Foundation

    Hi, I am debating if I should obtain Win Server 12 Essentials vs Foundation licensing. Only at most two users will be using this server, and it is critical for me to have remote desktop access to this server. Based on the wiki summary across the different editions, it said Win Server 2012 Essentials only offers "Gateway Only" for Remote Desktop Services; what does "gateway only" here mean? Whereas the Foundation edition allows 50 remote desktop connections.
    Given I don't have many users using this server, and mainly use remote access to control this server, what server licensing would fit best?
    Tks.

    It depends if you mean Remote Desktop for Application usage, or Remote Desktop for Administration.
    Robert Pearman SBS MVP
    itauthority.co.uk

  • Remote Desktop Connection Client 9.3.9600 unable to connect to Server 2012 RDS via Gateway

    Hi,
    I have a Windows Server 2012 R2 RDS environment with two Gateway servers configured in high availability mode (RD Web Access, RD Gateway, RD Connection Broker roles installed) and four Windows Server 2012 R2 RDS Session Hosts. The servers are all running the most recent public server updates. With this configuration, when connecting externally using a Windows 7 computer with the older Remote Desktop Connection client (6.1.7601) I am able to connect without any problems; however, when I try connecting with a newer client from a computer running Windows 8.1 and the 9.3.9600 client I am unable to connect.
    At the moment a NAT rule is configured to pass 80/443 traffic to only one of the RDS gateway servers; I've removed our load balancer from the configuration for the moment to reduce the complexity.
    No error is generated by the client when it tries to connect; it just stops trying to connect after a while.
    On the Gateways servers event logs for 
    Things I have looked into so far.
    - I've double and triple checked the RDS configuration and checked it against one of my other clients' configurations that is working and they are identical.
    - Connecting from an older client version works fine.
    I'm not sure what else can be checked; does anyone have any ideas?

    Hi,
    1. What entries are you seeing in the RD Gateway's log?  Event Viewer\ Applications and Services Logs\ Microsoft\ Windows\ TerminalServices-Gateway
    2. How come you are not forwarding UDP port 3391 in addition to TCP port 443?  It should work without UDP, but you will not have UDP support which is one of the benefits of RDP 8.0/8.1.
    3. Are there any non-default group policy settings being applied to the servers and/or client PCs? To be clear, I'm asking if any changes have been made to the default local and domain security policies, group policy objects, new GPOs that may have been added, etc., that are applicable to the servers and/or client PCs.
    -TP

  • [Forum FAQ]How to upgrade Windows Server 2008 R2 with a GUI to Windows Server 2012 Server Core

    We found that some customers have been willing to upgrade Windows Server 2008 R2 GUI to Windows Server 2012 Server Core recently. This article provides detailed steps to perform the upgrade.
    Analysis
    Upgrading from Windows Server 2008 R2 with a GUI installation to Windows Server 2012 with Server Core directly is not supported. If you do that, you will receive the error message below (Figure 1) in the Compatibility report:
    Figure 1.
    In this scenario, you can upgrade to Windows Server 2012 first. After the upgrade process is completed, you can switch freely between Server Core and Server with a GUI modes.
    Procedures
    You can follow the steps below to perform an upgrade from Windows Server 2008 R2 with a GUI installation to Windows Server 2012 Server Core mode:
    1. Upgrade to Windows Server 2012 with a GUI mode
    1) First, boot into Windows Server 2008 R2 with a Windows Server 2012 installation DVD inserted.
    2) Select the operating system you want to install with a GUI mode.
    We can see 2 options (Server Core Installation or Server with a GUI) for each operating system version. (Figure 2)
    Figure 2.
    Note: Please make sure you have enough disk space on the system partition, or you will get such an error in the Compatibility report. (Figure 3)
    Figure 3.
    After the Compatibility check, the installation will continue. It will take several minutes until the upgrade is done. (Figure 4)
    Figure 4.
    2. Switch the GUI mode to Server Core
    Method 1: Using Server Manager
    1) Open Server Manager, click Manage and select "Remove Roles and Features" to start the Remove Roles and Features Wizard.
    2) In Features, uncheck the box next to the "User Interfaces and Infrastructure" option, and then click "Next". (Figure 5)
    Figure 5.
    Now tick the "Restart the destination server automatically if required" box, then click "Remove". (Figure 6)
    Figure 6.
    Method 2: Using Windows PowerShell
    There are multiple ways to remove the GUI via Windows PowerShell; we introduce the way of using the ServerManager module.
    You can run the following commands in Windows PowerShell as an administrator to remove the GUI feature:
    Import-Module ServerManager
    Uninstall-WindowsFeature Server-Gui-Shell -Restart
    or
    Uninstall-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra -Restart
    It will take a period of time to remove the GUI feature and reboot. When the system boots up, you will get into Windows Server 2012 with Server Core mode. (Figure 7)
    Figure 7.
    More information:
    Switch between Full and Server Core in Windows Server 2012 using PowerShell 3.0
    http://blogs.technet.com/b/puneetvig/archive/2012/10/16/switch-between-full-and-core-in-windows-server-2012-using-powershell-3-0.aspx
    Windows Server Installation and Upgrade
    http://technet.microsoft.com/en-us/windowsserver/dn527667.aspx
    Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

    Hi,
    Brian is right; to manage Server 2008 R2 SP1 we recommend using the Windows 7 or 7.1 platform.
    More information:
    Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
    http://www.microsoft.com/en-us/download/details.aspx?id=7887
    Hope this helps.

  • How to set up the default gateway in a DHCP client. The default gateway will be the IP address of the server that has RRAS installed, hence routing capabilities.

    How to set up the default gateway in a DHCP client. The default gateway will be the IP address of the server that has RRAS installed, hence routing capabilities.

    Hi Bill,
    Thank you for replying back... Yes, I was actually asking how you set the default gateway address on the DHCP server.
    I believe I got the answer below:
    To configure the DHCP default gateway option: click Start, point to Administrative Tools, and then click DHCP. In the console tree, expand the applicable DHCP server, expand IPv4, and then right-click Scope Options. Click Configure Options, check 003 Router, type the applicable server name and IP address, and then click OK.
    Thank you

  • Running Server 2012 R2 as a VM; but no GUI

    Using VMWare Player 5.5. The ISO installs just fine but when I try to add the GUI in PowerShell via:
    Enable-WindowsOptionalFeature -online -Featurename ServerCore-FullServer,Server-Gui-Shell,Server-Gui-Mgmt
    I get an error that the source files could not be downloaded. "Use the "source" option to specify the location of the files that are required to restore the feature." There is a reference to go.microsoft.com/fwlink/?LinkId=243077. I've tried just ServerCore-FullServer but that too had the same error.
    I'm trying to learn Server 2012, so my question may be from ignorance.
    RON

    ServerCore has no GUI, and the OC payload is Disabled + Removed.
    so, you will need to provide PoSH/DISM with access to the source files to install the GUI-Shell.
    This article series gives a few good tips:
    http://yungchou.wordpress.com/2014/01/08/windows-server-2012-r2-installation-options-and-features-on-demand-part-2-of-5/
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable. This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • RRAS - Server 2012 Core - How to enable 'LAN Routing'

    Hi,
    How can I enable 'LAN Routing' on a Server Core with the RRAS role installed via the command line?
    In the GUI it's just 'Enable' -> Custom -> LAN Routing. How can I do the same via the command line (PowerShell or cmd)?
    Thank you!

    OK, solved it myself. (Don't know why I always solve a problem as soon as I make a post in forums ;D)
    Set-NetIPInterface -Forwarding Enabled
    So to enable forwarding on all adapters:
    Get-NetAdapter | Set-NetIPInterface -Forwarding Enabled

  • Having trouble switching from Core to GUI with Server 2012...

    Hello,
    I am currently in the early stages of studying for the MCSA - Windows Server 2012 R2 and I'm playing around with an Eval copy of Windows Server 2012 R2 Datacenter. I have two separate installs where one is the Full - GUI install and the other is Server Core. I've learned in my studies that it is possible to switch back and forth between Core and GUI through PowerShell cmdlets.
    Right now I'm trying to switch from Server Core to GUI and I'm using the following PowerShell command:
    Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell
    It starts off like it's going to work but then after about 68% of the way through, I get this:
         Install-WindowsFeature : The request to add or remove features on the specified server failed.
         Installation of one or more roles, role services, or features failed.
         The source files could not be downloaded.
         Use the "source" option to specify the location of the files that are required to restore the feature. For more
         information on specifying a source location, see XXXXXX. Error: 0x800f0906
         At line:1 char:1
         + Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell
         + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              + CategoryInfo          : InvalidOperation: (@{Vhd=; Credent...Name=localhost}:PSObject) [Install-WindowsFeature],
              Exception
             + FullyQualifiedErrorId :       DISMAPI_Error__Cbs_Download_Failure,Microsoft.Windows.ServerManager.Commands.AddWindowsF
       eatureCommand
    Any ideas?  I installed this Server Core image on a Hyper-V Virtual Machine (using Generation 2), allocating 4GB RAM and 65GB HDD space.  I haven't done anything with .Net Framework and I haven't configured the network at all.
    Any advice would be greatly appreciated.

    Hi SLONER,
    You need to use the -Source option on a machine that is not connected to the Internet.
    Please try the command below:
    Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart -Source c:\mountdir\windows\winsxs
    And follow this thread:
    PowerShell to Add GUI to Server Core (ServerCore-FullServer)
    I hope this helps.
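The reply above gives the one-liner but not where `c:\mountdir\windows\winsxs` comes from; the missing part is mounting the right image from the installation media. This is an added example, not code from the thread: the drive letter, mount directory and image selection are assumptions, and it covers both this thread and the "Running Server 2012 R2 as a VM; but no GUI" thread above, which hits the same download failure.

```powershell
# Added example (not from the thread): restore the GUI on a Server Core install
# that cannot download the feature payload, taking it from the installation
# media instead. Drive letter, mount directory and image selection are
# assumptions; adjust them to your media. Run elevated.

$wim      = 'D:\sources\install.wim'   # Windows Server 2012 R2 DVD/ISO attached as D:
$mountDir = 'C:\mountdir'

# 1. Choose an image index. Only the "Server with a GUI" images carry the GUI
#    payload; the *CORE images do not, so the wrong index reproduces the error.
Get-WindowsImage -ImagePath $wim | Select-Object ImageIndex, ImageName
$index = (Get-WindowsImage -ImagePath $wim |
          Where-Object { $_.ImageName -notmatch 'CORE' } |
          Select-Object -First 1).ImageIndex

# 2. Mount it read-only; its side-by-side store becomes the -Source.
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Index $index -Path $mountDir -ReadOnly

try {
    # 3. Server-Gui-Mgmt-Infra is the minimal server interface, Server-Gui-Shell
    #    the full desktop shell; both are needed for the full GUI. No -Restart
    #    here: rebooting with the image still mounted leaves a stale mount behind.
    $result = Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell `
                  -Source "$mountDir\Windows\WinSxS"
}
finally {
    # 4. Always dismount, even when the install failed.
    Dismount-WindowsImage -Path $mountDir -Discard
}

# 5. Reboot only after a successful install, once the image is dismounted.
if ($result.Success -and $result.RestartNeeded -eq 'Yes') { Restart-Computer }
```

`Install-WindowsFeature` also accepts the image directly as `-Source wim:D:\sources\install.wim:<index>`, which skips the mount and dismount steps; the mounted-store form is shown because it is what the reply above uses, and because a mounted image is the easier one to inspect when the error persists.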

  • Windows 7 64 bit / Server 2012 R2 GUI - Type 4 Print Driver error "Cannot connect to the Printer" 0x00000002

    Hello, we have multiple Server 2003 print servers and are working on testing a Server 2012 print server. We have run into an issue where a PRINTER (type 4, normal) works with our Windows 7 32-bit clients, Windows 8.1 64-bit clients and the 2012 R2 server, but when trying to install to a Windows 7 64-bit client using \\SERVER\PRINTER we are getting the above message. (The printer is not offered currently in the directory.)
    I have been scouring Google and Bing and have yet to find a satisfactory description that matches this issue. Nor have I found other information that resolves this issue, like blaming this on the spooler or DLL fixes or registry hacks (applied on the client side).
    Specifically, we have used the native 2012 R2 drivers "Ricoh Class Driver", "HP LaserJet 4240 PCL6 Class Driver" and "Xerox Phaser 6120 Class Driver".
    If I use a Type 3 driver from Xerox I am able to print from the Windows 7 64-bit client to the print device, but I was hoping to get all of my clients onto 1 driver. I understand that I might be able to use some sort of WMI filtering in our GPO deployments for the Windows 7 64-bit clients when we go live, but this sort of thing is hinky.
    Please provide some knowledge: either a solution to this issue or acknowledgement that a separate driver will be required. Thank you!!!!!

    Hi,
    First, please run this "Fix It" tool (Full mode) to reset the print spooler and driver:
    You experience Print Spooler error messages after installing or upgrading a Third-Party print driver  
    http://support.microsoft.com/kb/2793718
    And then follow this guide:
    http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/A_11509-Windows-2012-server-setup-print-server-for-both-32bit-64bit-OS-clients-how-to.html
    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Karen Hu
    TechNet Community Support

  • Server 2012 Built-In IPSec VPN & RAS & HyperV-Switch & Netgear Pro Safe Router, Tunnel Ok, but no Traffic

    Hello,
    I am trying to set up an IPsec VPN (site-to-site, or if not possible client-to-site) between a Netgear ProSafe router and Windows Server 2012.
    The problem: the tunnel is up and running, but no ping, no traffic at all.
    The Server 2012 uses Hyper-V and has one hardware NIC with a public IP, let's say 123.123.123.1.
    If no site-to-site is possible in my situation with the built-in tools, this server would be only a client site which would "dial up" to the Netgear box.
    The server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two other virtual servers which have 192.168.137.2 and 192.168.137.3.
    The Netgear ProSafe has public IP 122.122.122.1 and LAN subnet 192.168.21.0/24.
    I created the tunnel in the Advanced Firewall options window. Both Windows and the router say the VPN tunnel is okay. Also, I can see ESP packets with Wireshark.
    If I ping (from router to server and in the other direction) I get no response. Some people said the RAS itself could not accept packets, but I tried from one of the virtual clients also (192.168.137.2) and no ping there either.
    I tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway, but that didn't help either.
    Now, after all the time I spent today on this problem, I'm a bit confused.
    As far as I know, for VPN connections there are always virtual devices, and routes for the VPN subnets assigned to this device.
    The Windows firewall does not create any device, and it does not create any route - I suppose this is because "Routing and RAS or the Windows Firewall service" does this work "internally". Is that correct? Do I need any routes?
    I was wondering why the ICMP packet from my ping in Wireshark had the public IP as source (123.123.123.1) and not the "internal" 192.168.137.1 - and I tried to restrict the VPN rule only to the virtual internal NIC, but this isn't possible, as it is not an option inside the GUI.
    It would be great if somebody could explain to me how the config and packets SHOULD look... I've never used the built-in VPN/IPsec/RAS services before, so I don't know how things have to be for a correctly working environment. Also, I need a solution, and any help to solve the problem would be great as well!
    Now I'll try to sleep one night - maybe I'll get some nice idea after some hours of sleep. Good night.
    Addition: After some more tests I found out that if I change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public IP of the server (123.123.123.1) inside the tunnel rule and inside the VPN policy of the router, I can access the Netgear and other devices in the remote network 192.168.21.0 over these IP addresses. Ping is not working, but other things seem to work fine. I want to be able to ping as well of course, and this weird configuration looks wrong to me... can some network professional help out with an explanation?
    Second Addition: I can set the Local Endpoint also to "any" and it does work - but ping still does not work :-(
    Third Addition: The ping does work if I disable the NAT functionality on the physical NIC. ....mhm.....

    I would definitely recommend the usage of a virtual router instead of using the Windows onboard firewall to make the site-to-site tunnel!
    As you can see in my linked thread above (Link), this scenario is not supported by Microsoft! You will run into problems!
    We run a Hyper-V virtual machine and install the wonderful distribution pfSense inside this box. pfSense is a software Linux router with IPsec functionality, which works like a charm!
    And by the way, I recommend not using the products of Netgear! They are expensive, very slow and the service is not good!
    We have good experience with Vigor routers! They are less expensive, the service is very good, and the devices are much faster, AND! ...the VPN connections stay stable!
    This experience was very time-intensive to make! Hope this will help someone else in the future.

  • Enable Lan Routing Windows Server 2012

    Hi!
    I'm trying to set up RRAS on a Windows Server 2012 to route between my two networks. I have a Windows Server 2012 with two NICs and RRAS installed. I installed the "LAN Routing" custom option.
    My configuration is:
    Server nic1 - 192.168.1.254 255.255.255.0 (no default gateway)
    Server nic2 - 192.168.103.54 255.255.255.0 (no default gateway)
    Clients subnet1 - 192.168.1.x 255.255.255.0 192.168.1.254
    Clients subnet2 - 192.168.103.x 255.255.255.0 192.168.103.54
    The problem is that from a client on subnet1 I can ping 192.168.1.254 and 192.168.103.54 but I can't ping clients on subnet2, and the same problem backwards.
    Thanks.

    Your client machines need to know how to find the route to the other subnet.
    1) So on a client on subnet 1, open a Command Prompt and type:
    route add -p 192.168.103.0 mask 255.255.255.0 192.168.1.254
    This adds a permanent route which tells the client to go to 192.168.1.254 to find network 192.168.103.0
    2) On the clients on subnet2 you would type:
    route add -p 192.168.1.0 mask 255.255.255.0 192.168.103.54
    Make sure the clients have the appropriate server NIC address as their default gateway and DNS.
    For example, for clients on subnet1:
    IP: 192.168.1.x
    Gateway: 192.168.1.254
    DNS: 192.168.1.254
    That is misleading at best. The original post is a straightforward example of subnet-to-subnet routing. No additional routes are required because the default routing is quite adequate. If you look at the addresses of the static routes you provide you will see that they are the same as the default addresses already set (so they are redundant).
    Ping is not a reliable test of connectivity any more. Built-in firewalls will block it by default. You will need to temporarily disable the firewalls of the clients to test with ping (unless you enable ICMP echo in both directions on all clients).
    Bill
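The two routing threads above (enabling LAN routing from the command line on Server Core, and the two-NIC subnet-to-subnet setup that Bill says needs no extra routes but cannot be judged by ping) share one verification procedure. This is an added example, not code from either thread: the subnet addresses are the ones posted in the second thread, while the interface aliases and the test host address are assumptions.

```powershell
# Added example (not from either thread): turn on LAN routing from PowerShell on a
# two-NIC Windows Server 2012 RRAS box and verify subnet-to-subnet reachability
# without depending on ping. Subnet addresses are the ones posted above; the
# interface aliases and the test host are assumptions. Run elevated.

$lan1 = 'NIC1'   # 192.168.1.254/24 side
$lan2 = 'NIC2'   # 192.168.103.54/24 side

# 1. Forwarding must be enabled on every interface that should route. This is
#    what the RRAS console's Custom -> LAN Routing option switches on.
Set-NetIPInterface -InterfaceAlias $lan1, $lan2 -AddressFamily IPv4 -Forwarding Enabled

function Get-RoutingState {
    # Forwarding flag per interface plus the directly connected routes. With both
    # subnets present here, clients need only their default gateway, which is why
    # the "route add -p" entries suggested above are redundant.
    [pscustomobject]@{
        Forwarding = Get-NetIPInterface -InterfaceAlias $lan1, $lan2 -AddressFamily IPv4 |
                     Select-Object InterfaceAlias, Forwarding
        Connected  = Get-NetRoute -AddressFamily IPv4 `
                         -DestinationPrefix '192.168.1.0/24', '192.168.103.0/24' |
                     Select-Object DestinationPrefix, InterfaceAlias, NextHop
    }
}

# 2. Host firewalls drop ICMP echo by default. Run this on the test clients (and
#    on the router) if ping is to mean anything; scoped to domain/private profiles.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo Request' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Domain, Private

function Test-CrossSubnet {
    # 3. Better than ping: a TCP probe to a port the target serves. Works on Server
    #    2012, which lacks Test-NetConnection, and tells "no route" apart from
    #    "reachable but closed": a refused connection still proves routing works.
    param([string]$Target, [int]$Port = 445, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result = 'timeout: no route, or filtered in transit'
        } else {
            try   { $client.EndConnect($async); $result = 'connected: routed, port open' }
            catch { $result = 'refused: routed, port closed' }
        }
    } finally { $client.Close() }
    [pscustomobject]@{ Target = $Target; Port = $Port; Result = $result }
}

Get-RoutingState
Test-CrossSubnet -Target '192.168.103.10' -Port 445   # run from a subnet1 client
```

Run `Test-CrossSubnet` from a client on one subnet against a host on the other: a "timeout" with forwarding enabled and both connected routes present points at the target host's firewall or at a client whose default gateway is not the router's NIC on its own subnet, not at missing routes.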
