Overview
In today’s interconnected digital landscape, the role of a Customer Gateway Device (CGD) is paramount in establishing secure and efficient communication between networks. In this comprehensive guide, we delve into the intricacies of configuring a Windows Server as a CGD. From network segmentation to VPN setup, this blog provides step-by-step instructions and invaluable insights to streamline the process and ensure a reliable gateway solution. Whether you are a seasoned IT professional or a novice administrator, this guide equips you with the knowledge and tools needed to transform your Windows Server into a powerful customer gateway device.
Introduction
Deploying Windows Server as a customer gateway device within a Virtual Private Cloud (VPC) presents a reliable solution for enterprises aiming for secure and effective network connectivity.
Configuring your Windows instance
- If you’re setting up Windows Server on an Amazon EC2 instance launched from a Windows AMI, follow these steps:
- Disable source/destination checking for the instance:
- Go to the console at https://console.aws.amazon.com/ec2/.
- Select your Windows instance, navigate to Actions > Networking > Change source/destination check. Choose Stop, then Save.
Update adapter settings to route traffic from other instances:
- Connect to your Windows instance.
- Go to the Control Panel and open Device Manager. In the Network adapters section, locate the appropriate adapter (such as Amazon Elastic Network Adapter or Intel 82599 Virtual Function), select it, and navigate to Action > Properties.
- Deactivate the settings for IPv4 Checksum Offload, TCP Checksum Offload (IPv4), and UDP Checksum Offload (IPv4) located in the Advanced tab, and then confirm the modifications by clicking OK.
- Allocate an Elastic IP address to your account and associate it with the instance. Note this address; it is the customer gateway IP address you will enter when creating the customer gateway in your VPC.
- Ensure the instance’s security group rules allow outbound IPsec traffic. Default settings usually allow all outbound traffic, but if modified, ensure rules include IP protocol 50, IP protocol 51, and UDP 500.
- Take note of the CIDR range of the network where your Windows instance is situated (e.g., 172.31.0.0/16).
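The instance preparation above can be scripted instead of clicked through. The following is an added example (not code from the original post or from AWS) that uses the AWS CLI for the source/destination check and the security group rules, and the built-in NetAdapter cmdlets for the checksum offload settings. The instance ID, security group ID, adapter name and tunnel outside IP are placeholders you replace with your own values; the adapter step has to run in an elevated PowerShell session on the instance itself, and the CLI calls need credentials allowed to modify the instance and security group.

```powershell
# Added example, not part of the original post. All IDs below are placeholders.
$InstanceId       = 'i-0123456789abcdef0'    # placeholder: your Windows instance
$SecurityGroupId  = 'sg-0123456789abcdef0'   # placeholder: the instance's security group
$AdapterName      = 'Ethernet'               # placeholder: check Get-NetAdapter for the real name
$TunnelOutsideIps = @('203.83.222.236')      # placeholder: the tunnel outside IP(s) from your config file

# 1. Disable source/destination checking so the instance may forward packets
#    whose source or destination is not its own address.
aws ec2 modify-instance-attribute --instance-id $InstanceId --no-source-dest-check

# Confirm the change: the returned SourceDestCheck value should now be false.
aws ec2 describe-instance-attribute --instance-id $InstanceId --attribute sourceDestCheck

# 2. Outbound rules for IPsec, only needed if the group's default allow-all egress
#    rule was removed: IP protocol 50 (ESP), IP protocol 51 (AH) and UDP 500 (IKE).
#    Restricting the destination to the tunnel endpoints (/32) rather than 0.0.0.0/0
#    keeps the egress rules as narrow as the VPN actually needs.
$perms = foreach ($ip in $TunnelOutsideIps) {
    @{ IpProtocol = '50';  IpRanges = @(@{ CidrIp = "$ip/32" }) }
    @{ IpProtocol = '51';  IpRanges = @(@{ CidrIp = "$ip/32" }) }
    @{ IpProtocol = 'udp'; FromPort = 500; ToPort = 500; IpRanges = @(@{ CidrIp = "$ip/32" }) }
}
# Writing the permissions to a file avoids the quoting problems of passing JSON
# on the command line from PowerShell; the AWS CLI reads it via file://.
$permFile = Join-Path $env:TEMP 'ipsec-egress.json'
ConvertTo-Json -InputObject @($perms) -Depth 5 | Set-Content -Path $permFile -Encoding ascii
aws ec2 authorize-security-group-egress --group-id $SecurityGroupId --ip-permissions "file://$permFile"
Remove-Item $permFile

# 3. On the instance: turn off IPv4 checksum offload (IP, TCP and UDP) for the adapter,
#    the same three settings the post disables in the adapter's Advanced tab.
Disable-NetAdapterChecksumOffload -Name $AdapterName -IpIPv4 -TcpIPv4 -UdpIPv4
Get-NetAdapterChecksumOffload -Name $AdapterName |
    Format-List Name, IpIPv4Enabled, TcpIPv4Enabled, UdpIPv4Enabled
```

If the server sits behind a NAT device (as an EC2 instance with an Elastic IP does), IKE also uses UDP 4500 for NAT traversal; that port is not in the post's list, so add it only if you find the tunnel stalling in IKE negotiation.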
Step-by-Step Guide
Step 1: Establish a VPN connection and set up your Virtual Private Cloud (VPC) configuration
- Set up a virtual private gateway and connect it to your VPC.
- Establish a VPN connection and create a new customer gateway, specifying the public IP address of your Windows Server as the customer gateway. Choose static routing and input the CIDR range for your network where the Windows Server is located (e.g., 172.31.0.0/16).
After creating the VPN connection, configure the VPC for communication over it.
- Create a private subnet in your VPC if not already available for launching instances to communicate with the Windows Server.
- Update the route tables for the VPN connection by adding a route to your private subnet’s route table with the virtual private gateway as the target and the Windows Server’s network (CIDR range) as the destination, and ensure route propagation is enabled for the virtual private gateway.
- Create a security group for your instances, allowing communication between your VPC and network.
Step 2: Get the VPN configuration file
- Access the Amazon VPC console via https://console.aws.amazon.com/vpc/.
- Go to Site-to-Site VPN Connections.
- Choose your VPN connection and click on Download Configuration.
- Specify Microsoft as the vendor, Windows Server as the platform, and 2012 R2 as the software, then proceed to download the file.
Step 3: Configure the Windows Server
To install Routing and Remote Access Services:
- Log on to your Windows Server.
- Access Server Manager from the Start menu.
- Install Routing and Remote Access Services: open the Manage menu, choose “Add Roles and Features”, then proceed through the wizard, selecting Network Policy and Access Services, Remote Access, DirectAccess and VPN (RAS), and Routing.
Enable Routing and Remote Access Server:
- Access the Notifications section on the dashboard, then click on the “Open the Getting Started Wizard” link and select “Deploy VPN only” from the options provided.
- Choose the server name within the Routing and Remote Access dialog box, then click Action, followed by Configure and Enable Routing and Remote Access.
- Follow the wizard to complete the configuration.
Step 4: Set up the VPN tunnel
Configure the VPN tunnel using the netsh scripts from the downloaded configuration file.
Copy the netsh script from the configuration file and replace the placeholder variables with your own values.
Example:
netsh advfirewall consec add rule Name="vgw-1a2b3c4d Tunnel 1" ^
Enable=Yes Profile=any Type=Static Mode=Tunnel ^
LocalTunnelEndpoint=Windows_Server_Private_IP_address ^
RemoteTunnelEndpoint=203.83.222.236 Endpoint1=Your_Static_Route_IP_Prefix ^
Endpoint2=Your_VPC_CIDR_Block Protocol=Any Action=RequireInClearOut ^
Auth1=ComputerPSK Auth1PSK=xCjNLsLoCmKsakwcdoR9yX6GsEXAMPLE ^
QMSecMethods=ESP:SHA1-AES128+60min+100000kb ^
ExemptIPsecProtectedConnections=No ApplyAuthz=No QMPFS=dhgroup2
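Rather than hand-editing the one-liner, the placeholders can be filled in from variables and the rule applied from PowerShell. This is an added example, not code from the original post or from the AWS configuration file; the rule name, remote endpoint and IPsec settings are the example values shown above, while the private IP, route prefix and VPC CIDR are placeholders you take from your downloaded configuration. The pre-shared key is read at the prompt so that it never sits in the script file. Run it in an elevated PowerShell session on the Windows Server.

```powershell
# Added example, not part of the original post. IP values are placeholders.
$RuleName      = 'vgw-1a2b3c4d Tunnel 1'   # example rule name from the post
$LocalPrivIp   = '172.31.10.20'            # placeholder: the server's private IP
$RemoteOutside = '203.83.222.236'          # tunnel 1 outside IP shown in the post
$LocalPrefix   = '172.31.0.0/16'           # placeholder: your network's static route prefix
$VpcCidr       = '10.0.0.0/16'             # placeholder: the VPC CIDR block

# The PSK is a secret: prompt for it instead of storing it in this file, and
# convert the SecureString only at the moment netsh needs the plaintext.
$secure = Read-Host -Prompt "Pre-shared key for '$RuleName'" -AsSecureString
$Psk    = [System.Net.NetworkCredential]::new('', $secure).Password

# Each token is passed as its own argument, so values containing spaces
# (the rule name) reach netsh intact without manual quoting.
$netshArgs = @(
    'advfirewall', 'consec', 'add', 'rule',
    "Name=$RuleName", 'Enable=Yes', 'Profile=any', 'Type=Static', 'Mode=Tunnel',
    "LocalTunnelEndpoint=$LocalPrivIp", "RemoteTunnelEndpoint=$RemoteOutside",
    "Endpoint1=$LocalPrefix", "Endpoint2=$VpcCidr",
    'Protocol=Any', 'Action=RequireInClearOut',
    'Auth1=ComputerPSK', "Auth1PSK=$Psk",
    'QMSecMethods=ESP:SHA1-AES128+60min+100000kb',
    'ExemptIPsecProtectedConnections=No', 'ApplyAuthz=No', 'QMPFS=dhgroup2'
)
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Drop the plaintext key from memory as soon as the rule exists.
Remove-Variable Psk, netshArgs

# Read the rule back to confirm endpoints and auth settings match the config file.
netsh advfirewall consec show rule name="$RuleName"
```

The downloaded configuration file also contains the key in plaintext, so keep it readable only by administrators and delete it once both tunnels are configured; the AWS configuration supplies two tunnels, so repeat the block with the second tunnel's rule name, outside IP and key.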
Step 5: Enable dead gateway detection
Modify the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to enable TCP to detect when a gateway becomes unavailable.
To enable dead gateway detection:
- Launch Registry Editor from your Windows Server.
- Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
- Create a new DWORD (32-bit) Value named EnableDeadGWDetect.
- Set the value data to 1, then reboot the server.
Step 6: Test the VPN connection
Verify the VPN connection by launching an instance into the private subnet of your Amazon VPC and confirming that it has no internet connectivity; then run a ping from your Windows Server to that instance’s private IP address. The first packets initiate the VPN connection, so allow a few attempts before the replies start arriving.
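Step 5 and Step 6 as two PowerShell functions, added here as an example and not taken from the original post: the first sets the EnableDeadGWDetect value under the registry key named above and verifies it; the second pings the test instance and then checks that IPsec quick-mode security associations exist, which shows the traffic actually went through the tunnel rather than over an unprotected route. The test instance's private IP is a placeholder, and the cmdlets assume the Windows Firewall IPsec stack (NetSecurity module) that Routing and Remote Access uses here.

```powershell
# Added example, not part of the original post.
function Enable-DeadGatewayDetection {
    # Step 5: EnableDeadGWDetect=1 under the TCP/IP parameters key (DWORD).
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    New-ItemProperty -Path $path -Name 'EnableDeadGWDetect' -PropertyType DWord -Value 1 -Force | Out-Null
    $value = (Get-ItemProperty -Path $path -Name 'EnableDeadGWDetect').EnableDeadGWDetect
    if ($value -ne 1) { throw "EnableDeadGWDetect is $value, expected 1" }
    Write-Host 'EnableDeadGWDetect=1 is set; reboot the server for it to take effect.'
}

function Test-CgwTunnel {
    # Step 6: ping the VPC test instance, then inspect the IPsec SAs.
    param([Parameter(Mandatory)][string]$VpcTestIp)   # placeholder value supplied by the caller

    # The first packets trigger IKE negotiation, so send several before judging.
    $pingOk = Test-Connection -ComputerName $VpcTestIp -Count 4 -Quiet

    # Quick-mode SAs are created only once the tunnel is up; none means the ping
    # either failed or, worse, left the host in the clear outside the tunnel.
    $qm = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        TestInstance    = $VpcTestIp
        PingSucceeded   = $pingOk
        QuickModeSAs    = $qm.Count
        RemoteEndpoints = @($qm | ForEach-Object { $_.RemoteEndpoint } | Sort-Object -Unique)
        TunnelUp        = ($pingOk -and $qm.Count -gt 0)
    }
}

# Usage (run as administrator): set the registry value, reboot, then test.
#   Enable-DeadGatewayDetection
#   Restart-Computer
#   Test-CgwTunnel -VpcTestIp '10.0.1.25'    # placeholder: private IP of the VPC test instance
```

A result with PingSucceeded true but QuickModeSAs 0 is the case to investigate: it means the reply came back over some path other than the IPsec tunnel, so check the Endpoint1/Endpoint2 prefixes in the connection security rule before trusting the link.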
Conclusion
Configuring Windows Server as a customer gateway device is pivotal in building a secure and efficient network environment within a Virtual Private Cloud. By following the steps outlined in this guide, administrators can confidently navigate the complexities of setting up Windows Server as a customer gateway device, ensuring reliable connectivity and enhanced data security.
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.
FAQs
1. Can I configure Windows Server as a customer gateway device on my server, or must it be on an Amazon EC2 instance?
ANS: – You can configure Windows Server as a customer gateway device either on an Amazon EC2 instance within a Virtual Private Cloud (VPC) or on your own server outside AWS.
2. How can I verify the configuration of the VPN tunnels?
ANS: – You can verify the configuration of VPN tunnels by checking the properties of connection security rules in Windows Firewall with Advanced Security. Confirm that the settings match the requirements outlined in the configuration file.
WRITTEN BY Rohit Lovanshi
Rohit Lovanshi works as a Research Associate (Infra, Migration, and Security Team) at CloudThat. He is AWS Developer Associate certified. He has a positive attitude and works effectively in a team. He loves learning about new technology and trying out different approaches to problem-solving.