SSTP FAQ - Part 2: Client Specific
In this FAQ, I will cover client specific queries of SSTP
1) How to enable SSTP based VPN connection on the client side?
SSTP based -connection can be enabled on native RAS client UI (i.e. inside “network and sharing center”). For further details, refer to https://blogs.technet.com/rrasblog/archive/2007/01/16/using-secure-socket-tunneling-protocol-sstp-for-vpn.aspx
Connection manager administration kit (CMAK) is enhanced to support SSTP and hence CM profile can be used to establish SSTP based VPN connection.
2) How does Automatic VPN Tunnel type WORKS with SSTP?
On the client side, if the VPN tunnel type is selected as “Automatic”, then the order is PPTP->L2TP->SSTP. i.e. try PPTP first, if that fails try L2TP, if that fails try SSTP.
Note: The tunnel type which the client is able to successfully connect will be used for next reconnection and the automatic -tunnel selection logic is not retried till it fails. For example, first connection will be tried with PPTP->L2TP->SSTP and say SSTP is successful. On next re-connection, the client will retry SSTP first and if that fails then tries PPTP followed by L2TP.
3) What kind of NAT, Web proxy and firewall traversal is supported by SSTP client?
Outgoing SSTP connection can pass through any kind of NAT and firewalls – as long as TCP port 443 is allowed (which is normally the case).
If the VPN client is behind a web proxy, then outgoing SSTP connection can go through in normal web proxy. SSTP does not support “authenticated” web proxies (i.e. proxies which require some form of authentication during HTTP CONNECT request).
4) How to block SSTP based VPN connections to traverse out of corporate network?
For any reason, if the network administrator wants to block all outgoing SSTP based VPN connection, then it can be done at the web proxy level. If there is a web proxy (i.e. forward proxy) deployed inside the corporate network which can do filtering of different attributes inside HTTP CONNECT header, then SSTP based connections can be blocked as it adds a fixed field (SSTP_VERSION: *) inside the HTTP CONNECT header.
5) How to set proxy address in SSTP client?
SSTP client picks up the web proxy settings of current user’s context from Internet explorer.
6) Is WinLogon using SSTP based VPN connection is supported? If yes, how is it enabled?
Yes – Winlogon over SSTP based VPN connection is supported. The VPN connection should be created for “all users”.
Additionally if the VPN connection goes through a web proxy, then the web proxy settings need to be picked up from the system store. This is because in case of Winlogon – the user establishes the VPN connection first and then logs on. The web proxy settings can be configured inside the system store using “netsh winhttp set proxy” command
7) What is the authentication protocol used by SSTP? Is it done at HTTPS layer or PPP layer?
Client is not authenticated to server at the HTTPS layer. SSTP client is authenticated to server at the PPP layer. So various PPP authentication algorithm (like MSCHAPv2, EAP-MSCHAPv2, EAP-Smart-card, PEAP) can be used with SSTP. For further details, refer to https://blogs.technet.com/rrasblog/archive/2007/01/10/how-sstp-based-vpn-connection-works.aspx
8) Is the encryption done at MPPE layer or at HTTPS layer?
MPPE encryption at PPP layer is turned off when tunnel is SSTP (this is similar to L2TP/IPSec scenario). The encryption (or data confidentiality) is achieved at the SSL layer.
9) Which OS release will support SSTP?
SSTP client will be supported on Vista SP1 and Longhorn server (i.e. Windows server 2008). SSTP server will be supported on Longhorn server via RRAS and Vista SP1 via VPN "incoming connections".
Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]
Comments
Anonymous
January 01, 2003
Microsoft is working on a remote access tunneling protocol for Vista and Longhorn Server that lets clientAnonymous
January 01, 2003
Yes SSTP will provide full network access. Application specific access can be enabled by enforcing tight filtering on the server sideAnonymous
January 01, 2003
Microsoft se encuentra trabajando en una nueva tecnología destinada al acceso remoto mediante VPN seguras.Anonymous
January 01, 2003
free myspace music video codes forAnonymous
January 01, 2003
Now that TMG Beta 3 is released you can enjoy the best of both words for VPN access. In the past I wasAnonymous
January 01, 2003
Q: Once the SSTP connection is up, is there a new network interface with an IP assigned by the remote server ? A: Yes - same like PPTP or L2TPAnonymous
January 01, 2003
Yes SSTP will provide full network access.Anonymous
January 01, 2003
Q: Will Microsoft put this feature(SSTP client) on Windows XP also ? A: Currently SSTP client is only suppor on Vista SP1 and the client plans on XP are being investigated. Stay tuned for more updatesAnonymous
January 22, 2007
Does SSTP provide full access to the network? In other words, does it work for only limited applications? Thanks.Anonymous
January 26, 2007
Once the SSTP connection is up, is there a new network interface with an IP assigned by the remote server ?Anonymous
February 05, 2007
Will Microsoft put this feature(SSTP client) on Windows XP also ?