If you enable Anywhere Access VPN in WSE 2016, you will no longer be able to access RRAS admin UI. The message "Legacy mode is disabled" appears. This is because Access Anywhere configures the VPN in WS in a way that cannot be represented in the legacy UI. This makes it nearly impossible to setup other RRAS functionality like NAT or RAS, and there does not appear to be PowerSell cmdlets to address these gaps.
As a workaround, do not use Anywhere Access VPN. Instead, configure VPN manually in the RRAS admin UI. If you need to enable NAT + VPN, you will need to take special care to configure NAT first. For some reason, configuring NAT + VPN in one step leads to the NAT not functioning properly.
