SSTP FAQ - Part 1: Generic

Hi All,

I am sure you have many questions about SSTP. To clarify things further, I am starting a series of frequently asked questions (FAQ) related to SSTP. Please feel free to send your comments on the blog site or to our blog email address if you have further queries.

In this part, I will cover some generic queries related to SSTP.

1) Can SSTP be deployed along with other VPN tunnels?

Yes – absolutely.

The same RRAS-based VPN server can support all flavors of tunnel, or any combination of them, at the same time. In fact, L2TP/IPSec and SSTP can share the same machine certificate on the server side.

2) Can SSTP be used for site-to-site VPN tunnels?

No – SSTP is currently supported for remote access (remote user) scenarios only.

3) What HTTP and SSL versions are supported by SSTP?

HTTP 1.1 with 64-bit content length encoding, and SSL 3.0.

4) What encryption algorithms are supported by SSTP?

The same as those supported by SSL, i.e. AES and RC4.

5) What kind of certificate is required on client and server side?

On the server side, a machine certificate is required for an SSTP-based connection to go through. The client receives this certificate as part of the SSL handshake and validates it. This certificate must carry the Server Authentication EKU.

On the client side, a certificate is required in the trusted root CA machine store that chains to the server certificate (i.e. it is the root of the server certificate's chain). It is used to validate the server certificate, in addition to the checks on certificate validity, expiry, EKU and revocation.
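The two certificate requirements above can be checked from PowerShell with the built-in .NET certificate APIs. The script below is an added example and is not code from the original post or from RRAS itself: the first function finds a server-side machine certificate that carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1, a standard value) and a private key, and the second rebuilds the client-side checks the FAQ lists (chain to a root in the trusted root machine store, validity window, EKU, revocation). Store paths are the standard `Cert:\LocalMachine\My` and `Cert:\LocalMachine\Root`; the function names are illustrative.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell
# running with rights to read the local machine certificate stores.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth: the EKU SSTP requires

# --- Server side: pick a machine certificate that SSTP (and L2TP/IPSec) can use.
function Get-SstpCandidateCert {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid) -and
            $_.NotAfter -gt (Get-Date)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

# --- Client side: reproduce the checks the SSTP client performs on the
#     server certificate during the SSL handshake.
function Test-SstpServerCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation check, online (CRL/OCSP), root excluded as usual
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # Require the Server Authentication EKU along the chain
    [void]$chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid $ServerAuthOid))
    # Validity/expiry are evaluated at this time
    $chain.ChainPolicy.VerificationTime = Get-Date

    $chainOk = $chain.Build($Cert)

    # Is the chain's root present in the trusted root CA machine store?
    $rootSubject = $null
    $rootTrusted = $false
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootSubject = $root.Subject
        $rootTrusted = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    }

    $problems = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    })

    [pscustomobject]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        NotAfter         = $Cert.NotAfter
        ChainOk          = $chainOk
        RootSubject      = $rootSubject
        RootInMachineStore = $rootTrusted
        Problems         = $problems
    }
}

$cert = Get-SstpCandidateCert
if (-not $cert) {
    Write-Warning 'No machine certificate with the Server Authentication EKU in Cert:\LocalMachine\My'
    return
}
Test-SstpServerCert -Cert $cert | Format-List
```

Run it on the VPN server to see which certificate SSTP can bind to, or run `Test-SstpServerCert` on a client against an exported copy of the server certificate to see exactly which of the FAQ's checks (chain, expiry, EKU, revocation) would fail before users report a failed connection; `Problems` lists the chain status flags by name.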

6) Does SSTP support IPv6?

Yes – an SSTP-based VPN connection can be established over an IPv6-based network (such as the Internet).

Also, IPv6 (PPPv6) can be carried inside an SSTP-based VPN tunnel.

7) Will NAP be supported by SSTP? What changes are required to support it?

Yes – NAP VPN support remains the same as for PPTP/L2TP VPN tunnels. This is because NAP VPN support is enabled via PEAP authentication, which is part of the PPP stage and is the same whether the VPN tunnel is PPTP, L2TP or SSTP. This means the same remote access policies inside NPS can be used for all forms of VPN tunnel, with no extra SSTP-specific configuration. In the same way, the same client configuration (PEAP, etc.) can be used for all forms of VPN tunnel.

In the next part of the series, I will try to cover the server-related FAQ. Stay tuned for more information; I look forward to hearing from you too.

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments

  • Anonymous
    January 01, 2003
    PingBack from http://securitytnt.com/microsoft-developing-new-vpn-protocol-called-sstp/

  • Anonymous
    January 01, 2003
    As promised during our presentation session "Global approach to securing remote access"

  • Anonymous
    January 01, 2003
    Yes it is base64. VPN connections are normally long-lived, with large data transfers compared to traditional web connections, and hence we decided to use 64-bit content length encoding.

  • Anonymous
    January 01, 2003
    ISA Server 2004/2006 portal on Microsoft.com http://www.microsoft.com/isaserver/default.mspx Portal

  • Anonymous
    January 01, 2003
    Happy New Year to everyone! There is some exciting news being announced on the RRAS blog around a new

  • Anonymous
    January 22, 2007
    What is "64 bit content length encoding"? Do you mean base64?