How to configure the RRAS based VPN server to accept SSTP connections
By now, all of you would be aware of what SSTP is and would also have got your questions answered in the FAQ column. We also saw in this blog, how to configure a SSTP client connection.
In this post, let's quickly look at the steps required to configure the VPN server as a SSTP server. We will use Routing and Remote Access on Longhorn server for this.
The VPN server will have two interfaces - public interface facing the internet and the private interface facing the intranet.
Step 1: Configuration of server authentication certificate on VPN server to be used for SSL
- The server authentication certificate can be obtained either by auto enrollment if the server is joined to domain or manually using web enrollment from the certification authority's certificate issue website.
- This certificate should have the Extended key usage (EKU) as "Server Authentication" or "All purpose". Certificates with any other EKU cannot be used.
- The certificate should not have expired and should be valid.
- The certificate's subject name should exactly match the hostname used by the client to connect to the server. [For eg. if the certificate is issued to the FQDN name of the server, then the client should use the FQDN name of the server in the VPN connection while connecting]
- This certificate should be installed in the 'Personal store' in the 'Local Computer' store of the VPN server. This certificate should be trusted by the Certification authority (CA) and the root CA certificate should be present in the 'Trusted Roots store' in the 'Local Computer' certificate store. The same root CA certificate should be deployed on the client in the 'Trusted Roots' store in the 'Local Computer' certificate store.
- When the client connects to the server, it will receive this server certificate through SSL and it needs to perform revocation check for that certificate. For this, the CRL distribution point should be published on the internet side so that the client can access it.
Step 2: Configuring the VPN server
The next step is to configure the RRAS server for VPN. Given below are the different steps that need to be done in order.
- Install the RRAS server role on the machine. Goto Start --> Administrative tools --> Server Manager --> Add roles --> Network policy services and install the Routing and Remote Access role.
- Open the Routing and remote Access console from Start --> Administrative tools.
- Right click on the server, Click on Configure Routing and Remote Access. This will open the Routing and Remote access configuration wizard. Click Next.
- Select 'Remote access (VPN or dialup)' from the menu and click Next. Select 'VPN' and click Next. Select the interface which is the public interface facing internet, then click Next. Then select how you want to assign addresses to VPN clients. If you choose static addressing, then you will need to specify the IP address pool. Click Next. Then choose how to perform authentication - either locally (windows authentication) or on another RADIUS server (RADIUS authentication), Then click Next. Click on Finish to complete the configuration.
- Ensure you have set appropriate remote access policies. If you have used windows authentication, click "Remote Access Logging and Policies" inside routing andremote access console. Right click and select "Launch NPS". Select "Network Policies" and double click on "Connections to Microsoft Routing and Remote Access Server" and ensure "Policy Type" is "Grant access". Ensure all the conditions and settings matches your requirements. If you have used Radius authentication, you may be doing the same - but on the radius server (like NPS).
- RRAS is now configured as a VPN server to accept PPTP and SSTP connections.
As you can see - all the steps given above except need of machine certificate remains same for RRAS server configuration that accepts PPTP connection. Infact the exact same steps are required for RRAS server configuration that accepts L2TP connection (because L2TP/IPSec requires machine certificate to be installed on RRAS server).
Additional troubleshooting and configuration points:
- After performing these steps, execute the command "netstat -aon |findstr 443" to see if the TCP 443 port is in LISTENING state to accept SSTP client connection requests.
- Check the event viewer logs after configuration for information about failures in configuration (if any).
- The RRAS server can be joined to domain if required (like for Windows authentication scenario to authenticate the clients against domain controller). If RRAS server is configured for Radius authentication, then it is not required to join it to domain - but can remain in workgroup and instead radius server can be joined to domain.
Soon - we will be publishing a step-by-step guide which will explain the entire setup in detail.
Janani Vasudevan
Software Design Engineer/Test
RRAS, Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]
Comments
Anonymous
January 01, 2003
PingBack from http://www.security-blog.eu/2007/10/01/sstp-vpns-mit-windows-2008-server/Anonymous
January 01, 2003
SSTP requires a machine certificate on the RRAS server which needs to be set inside HTTPS listener (i.e.Anonymous
January 01, 2003
SSTP by default is configured to listen on all the interfaces (i.e. 0.0.0.0 for IPv4 or ::/0 for IPv6).