AWS, Cloud Computing

4 Mins Read

A Guide to Setup Windows Machine as a Customer Gateway Device

Voiced by Amazon Polly


In today’s interconnected digital landscape, the role of a Customer Gateway Device (CGD) is paramount in establishing secure and efficient communication between networks. In this comprehensive guide, we delve into the intricacies of configuring a Windows Server as a CGD. From network segmentation to VPN setup, this blog provides step-by-step instructions and invaluable insights to streamline the process and ensure a reliable gateway solution. Whether you are a seasoned IT professional or a novice administrator, this guide equips you with the knowledge and tools needed to transform your Windows Server into a powerful customer gateway device.


Deploying Windows Server as a customer gateway device within a Virtual Private Cloud (VPC) presents a reliable solution for enterprises aiming for secure and effective network connectivity.

Regardless of whether Windows Server operates on an Amazon EC2 instance or a dedicated server, the setup process entails multiple stages to guarantee smooth integration and peak performance.

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Configuring your Windows instance

  • If you’re setting up Windows Server on an Amazon EC2 instance launched from a Windows AMI, follow these steps:
  • Disable source/destination checking for the instance:
  • Go to the console at
  • Select your Windows instance, navigate to Actions > Networking > Change source/destination check. Choose Stop, then Save.


Update adapter settings to route traffic from other instances:

  • Connect to your Windows instance.
  • Go to the control panel and access the device manager. In the Network adapters section, locate the appropriate adapter (such as Amazon Elastic Network Adapter or Intel 82599 Virtual Function), select it, and navigate to Action>Properties.\
  • Deactivate the settings for IPv4 Checksum Offload, TCP Checksum Offload (IPv4), and UDP Checksum Offload (IPv4) located in the Advanced tab, and then confirm the modifications by clicking OK.


  • Assign an Elastic IP address to your account and link it with the instance. Note this address for customer gateway creation in your VPC.
  • Ensure the instance’s security group rules allow outbound IPsec traffic. Default settings usually allow all outbound traffic, but if modified, ensure rules include IP protocol 50, IP protocol 51, and UDP 500.
  • Take note of the CIDR range about the network where your Windows instance is situated (e.g.,

Step-by-Step Guide

Step 1: Establish a VPN connection and set up your Virtual Private Cloud (VPC) configuration

  • Set up a virtual private gateway and connect it to your VPC.
  • Establish a VPN connection and create a new customer gateway, specifying the public IP address of your Windows Server as the customer gateway. Choose static routing and input the CIDR range for your network where the Windows Server is located (e.g.,

After creating the VPN connection, configure the VPC for communication over it.

  • Create a private subnet in your VPC if not already available for launching instances to communicate with the Windows Server.
  • Update the route tables for the VPN connection by adding a route to your private subnet’s route table with the virtual private gateway as the target and the Windows Server’s network (CIDR range) as the destination, and ensure route propagation is enabled for the virtual private gateway.
  • Create a security group for your instances, allowing communication between your VPC and network.

Step 2:  Get the VPN configuration file

  • Access the Amazon VPC console via
  • Go to Site-to-Site VPN Connections.
  • Choose your VPN connection and click on Download Configuration.
  • Specify Microsoft as the vendor, Windows Server as the platform, and 2012 R2 as the software, then proceed to download the file.


Step 3: Configure the Windows Server

To install Routing and Remote Access Services:

  • Log on to your Windows Server.
  • Access Server Manager from the Start menu.
  • Install Routing and Remote Access Services.
  • Navigate to the “Add Roles and Features” option within the Manage menu, then proceed through the wizard, selecting Network Policy and Access Services, Remote Access, DirectAccess and VPN (RAS), and Routing.

Enable Routing and Remote Access Server:

  • Access the Notifications section on the dashboard, then click on the “Open the Getting Started Wizard” link and select “Deploy VPN only” from the options provided.
  • Choose the server name within the Routing and Remote Access dialog box, then click Action, followed by Configure and Enable Routing and Remote Access.


  • Follow the wizard to complete the configuration.

Step 4: Set up the VPN tunnel

Configure the VPN tunnel using the netsh scripts from the downloaded configuration file.

Copy the netsh script from the configuration file and replace variables.


Step 5: Enable dead gateway detection

Modify the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to enable TCP to detect when a gateway becomes unavailable.

To enable dead gateway detection:

  • Launch Registry Editor from your Windows Server.
  • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
  • Create a new DWORD (32-bit) Value named EnableDeadGWDetect.
  • Set the value data to 1, then reboot the server.

Step 6: Test the VPN connection

Verify the VPN connection’s functionality by deploying an instance into your Amazon VPC to confirm its lack of internet connectivity; subsequently, execute a ping command from your Windows Server to the private IP address, initiating the VPN connection.



Configuring Windows Server as a customer gateway device is pivotal in building a secure and efficient network environment within a Virtual Private Cloud. By following the steps outlined in this guide, administrators can confidently navigate the complexities of setting up Windows Server as a customer gateway device, ensuring reliable connectivity and enhanced data security.

Drop a query if you have any questions regarding Customer Gateway Device and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

  • Accelerated cloud migration
  • End-to-end view of the cloud environment
Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training PartnerAWS Migration PartnerAWS Data and Analytics PartnerAWS DevOps Competency PartnerAmazon QuickSight Service Delivery PartnerAmazon EKS Service Delivery PartnerAWS Microsoft Workload PartnersAmazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.


1. Can I configure Windows Server as a customer gateway device on my server, or must it be on an Amazon EC2 instance?

ANS: – You can configure Windows Server as a customer gateway device on an Amazon EC2 instance within a Virtual Private Cloud (VPC) or your server.

2. How can I verify the configuration of the VPN tunnels?

ANS: – You can verify the configuration of VPN tunnels by checking the properties of connection security rules in Windows Firewall with Advanced Security. Confirm that the settings match the requirements outlined in the configuration file.

WRITTEN BY Rohit Lovanshi

Rohit Lovanshi works as a Research Associate (Infra, Migration, and Security Team) at CloudThat. He is AWS Developer Associate certified. He has a positive attitude and works effectively in a team. He loves learning about new technology and trying out different approaches to problem-solving.



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!