Windows Server 2012 R2 provides a variety of remote access solutions, assuming that your clients are running Windows 7 or later. Up until the XP EOL date, many organizations didn’t explore these options, simply because the bulk of their fleets were running operating systems that didn’t support the newer technologies.
If you were running Windows Server 2003 as a remote access server, you could accept connections from clients that used PPTP or L2TP/IPsec. If you upgrade to Windows Server 2012 R2 as a remote access server, and you have Windows 7 clients, you can also support SSTP and IKEv2 connections. You also have the further “not really VPN but you can use them for remote access” options of using DirectAccess and Remote Desktop Gateway.
These “new” (some of them have been around a while, but might be new to you if you haven’t had a look for a while) options do the following:
- SSTP: VPN over HTTPS. The advantage of this protocol is that it works through most firewalls.
- IKEv2: This protocol supports automatic VPN reconnection without requiring reauthentication. It tolerates disruptions of up to 8 hours. When you use an IKEv2 VPN, you can switch network connections whilst retaining the VPN connection. For example, switching from an airport lounge Wi-Fi access point to a cellular connection is seamless if you have an IKEv2 connection.
- DirectAccess: This is an “always on computer authenticated IPv6 VPN”. The advantage of DirectAccess is that it grants remote access without requiring people to manually authenticate. The moment the computer detects an internet connection, it establishes a DirectAccess connection. If you’ve only got an IPv4 connection, then it tunnels IPv6 across IPv4.
- Remote Desktop Gateway: This isn’t a traditional remote access connection. Instead, a Remote Desktop Gateway server on the perimeter network is used to make a remote desktop connection to a computer on the internal network.
Still, even with all these options, many organizations are probably going to stick with using dedicated hardware devices to handle VPN connections. If you’re using Windows Server 2003 to handle authentication for an edge hardware device that supports RADIUS, you’ll want to migrate the Internet Authentication Server (IAS) role from the computer running Server 2003 to a computer running the Network Policy Server (NPS) role on Windows Server 2012 R2. Microsoft provides detailed guidance on how to do this in the following TechNet article: https://technet.microsoft.com/en-au/library/hh831652.aspx