RRAS Management Console
After installing the RRAS role, the administrator uses the RRAS management console (rrasmgmt.msc) to perform initial configuration. The RRAS management console can also be used to view client connection status by expanding the server and highlighting Remote Access Clients.
Connection Details
To view connection details for a specific connection, the administrator can right-click a connection and choose Status, or simply double-click the connection.
High level information about the connection including duration, data transfer, errors, and IP address assignment can be obtained here. In addition, the administrator can terminate the VPN connection by clicking the Disconnect button.
RRAS Management Console Limitations
Using the RRAS management console has some serious limitations. It offers only limited visibility into client connectivity status, for example. In addition, the client connection status does not refresh automatically. Also, the RRAS management console offers no historical reporting capability.
Remote Access Management Console
The Remote Access Management console (ramgmtui.exe) will be familiar to DirectAccess administrators and is a better option for viewing VPN client connectivity on the RRAS server. It also offers more detailed information on connectivity status and includes an option to enable historical reporting.
Dashboard
The Dashboard node in the Remote Access Management console provides high-level status for various services associated with the VPN server. It also provides a high-level overview of aggregate VPN client connections.
Operations Status
The Operations Status node in the Remote Access Management console provides more detailed information regarding the status of crucial VPN services. Here the administrator will find current status and information about service uptime.
Remote Client Status
The Remote Client Status node in the Remote Access Management console is where administrators will find detailed information about client connectivity. Selecting a connection will provide data about the connection including remote IP addresses, protocols, and ports accessed by the remote client, in addition to detailed connection information such as authentication type, public IP address (if available), connection start time, and data transferred.
Double-clicking an individual connection brings up a detailed client statistics page for the connection, as shown here.
Custom View
The Remote Access Management console includes the option to customize the data presented to the administrator. To view additional details about client connections, right-click anywhere in the column headings to enable or disable any of the fields as required.
Recommended Columns
From personal experience I recommend adding the following columns in the Remote Access Management console.
- IPv4 Address (this is the IP address assigned to the VPN clients by RRAS)
- Connection Start Time
- Authentication Method
- Total Bytes In
- Total Bytes Out
- Rate
Drawbacks
The only real drawback to using the Remote Access Management console is that it supports viewing connections from just one VPN server at a time. If you have multiple RRAS servers deployed, you must retarget the Remote Access Management console each time to view connections on different VPN servers in the organization.
You can retarget the Remote Access Management console at any time by highlighting the Configuration node in the navigation pane and then clicking the Manage a Remote Server link in the Tasks pane.
Reporting
Remote Access reporting is not enabled by default on the RRAS VPN server. Follow the steps below to enable historical reporting for RRAS VPN connections.
1. Highlight the Reporting node in the Remote Access Management console.
2. Click Configure Accounting.
3. Uncheck Use RADIUS accounting.
4. Check Use inbox accounting.
5. Review the settings for data retention and make changes as required.
6. Click Apply.
Optionally, historical reporting can be enabled using PowerShell by opening and elevated PowerShell command window and running the following command.
Set-RemoteAccessAccounting -EnableAccountingType Inbox -PassThru
Database Management
A Windows Internal Database (WID) is automatically installed and configured for data storage when inbox accounting is enabled. WID is nothing more than a basic instance of Microsoft SQL Server. As such, the database will require periodic maintenance to perform optimally. I have published the InboxAccountingDatabaseManagement PowerShell module to address many of the required and optional administrative tasks associated with inbox accounting. You can learn more about this PowerShell module and its functions here.
https://directaccess.richardhicks.com/2022/03/21/inbox-accounting-database-management/
Important Note! There is a known issue with the inbox accounting database that can result in high CPU utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. To correct this issue, be sure to run the Optimize-InboxAccountingDatabase function included in my InboxAccountingDatabaseManagement PowerShell module.
Additional Information
Always On VPN Inbox Accounting Database Management
Always On VPN Inbox Accounting Database Management PowerShell module on Github
Windows 10 Always On VPN and Windows Routing and Remote Access Service (RRAS)