Windows Server 2012 – Deploying SSTP VPNs

KB ID 0000819

Problem

SSTP gives you the ability to connect to your corporate network from any location that has an internet connection, and is not filtering https. This port is usually open for normal secure web traffic. Traditional VPN connections require ports and protocols to be open for them to work, which makes a solution that runs over TCP port 443 attractive.

Thoughts: While I can see why this is a good idea, Microsoft has basically changed some existing protocols so they work on a port that won't be blocked by most firewalls. This is not a new approach, (Microsoft did it before with RPC over HTTP). I can’t help feeling that the more traffic we push over ports 80 and 443, sooner or later security/firewall vendors are going to statefully inspect/block traffic that isn’t supposed to be on that port. (If you think ‘that would never happen!’ Try running an Exchange Server through a Cisco firewall with SMTP inspection turned on). Anyway, it’s there, I’ve been asked to do a walkthrough, so read on.

Solution

I’ve got a Windows 2012 Server already setup, it’s a domain controller, and is running DNS. You don’t have to have the same server running SSTP/RRAS but in this lab environment that’s what I’m doing. In addition my remote VPN clients will get an IP address from my normal corporate LAN.

1. On the server I have two network cards installed, the first (NIC1) is the normal network connection for the server, the second (NIC2) will be the one that the remote clients get connected to (once they have authenticated to NIC1).

Dual Network Cards

2. Make sure the Internet facing NIC has good comms, and works OK.

Find IP Address

3. NIC2 as you can see, does not even need a default gateway.

NIC Properties

Windows Server 2012 Add Certificate Services

I’m going to use a ‘self signed’ certificate, if you have purchased one, then skip this section.

4. From Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select > Active Directory Certificate Services.

2012 Add Certificate Services.

5. Add Features > Next > Next > Next > Tick ‘Certificate Authority Web Enrolment’.

Certificate server 2012

6. Add Features > Next > Next > Next > Install > Close > From the warning (top right) > Configure Active Directory Certificate Services on this server.

Additional Cert Auth steps

7. Next.

2012 Role Services

8. Select both Certificate Authority and Certificate Authority Web Enrolment > Next.

2012 add certificate Authority

9. Next > Next > Next > Next > Next > Next > Next > Configure > Close > Close Server Manager.

Certificate Authority Web Enrollment

10. Open a Microsoft Management Console.

Microsoft Management Console

11. File > Add Remove Snap-in > Certificate Authority > Add > Local computer > Finish > OK.

MMC Certificates SSTP

12. Drill down to Certificate Templates > Manage.

Manage Certificate Templates

13. From the list that appears locate IPsec > Right Click > Duplicate Template.

Duplicate Template

14. General tab > Change the name to SSTP-VPN.

Certificate Template Name

15. Request Handling tab > Tick ‘Allow private key to be exported’.

Request Handling

16. Subject Name tab > Tick ‘Supply the request’ > Click OK when prompted.

Subject Name

17. Extensions Tab > Select the Application Policies entry > Edit.

Application Policies

18. Add > Locate the ‘Server Authentication’ policy > OK > OK > Apply > OK > Close the Certificate Template console.

Server Authentication Certificate

19. From the Certificate templates Folder > New > Certificate Template Issue.

Cert Template Wizard

20. Locate the SSTP-VPN entry > OK > Close the MMC.

Enable Certificate Template

SSTP Firewall Setup

In this example my server is behind a corporate firewall. If yours is internet facing then you may simply want to add an exception/rule allowing https/TCP 443. My server will ultimately have a public IP address that resolves to its public name (vpn.pnl.com) so I just need to allow the ports in. If your server does not have its own public IP address, then you may need to set up port forwarding instead. You will see later I’m also going to use TCP 80 (normal HTTP) to access my certificate services remotely, so I’ve got that open as well. You may want to access certificate services via HTTPS instead in a corporate environment.

21. On this server I’m simply going to disable the firewall > Start > Run > firewall.cpl {enter} > Turn Windows Firewall on or off > Set as appropriate.

Disable Firewall 2012

Grant users SSTP VPN/Dial-in rights.

22. Make sure that any user who wants to access the SSTP VPN has had their Dial-in set to ‘allow access’.

Allow User SSTP Rights

Windows 2012 Server Install and Configure RRAS for SSTP

23. From Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select > Network Policy and Access Services.

Network Policy and Access Services

24. Add Features > Next > Next> Next > Next > Install > Close.

Complete Wizard

25. Back at Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select ‘Remote Access’.

Add RAS Role 2012

26. Add Features > Next > Next > Next > Tick ‘Routing’ > Next > Install.

RAS Routing

27. Close.

Remote access Role

Note: At this point you may see the warning that there are additional steps to take, (to configure routing and remote access), if so you can launch and then close this wizard because we will do it manually.

28. Close Server Manager > Open a new MMC > File > Add/Remove Snap-in > Certificates > Add > Computer account > Finish > OK.

Add Snap-in

29. Expand Personal > Certificates > All Tasks > Request New Certificate.

Request New Certificate SSTP

30. Locate the SSTP-VPN entry > Click the ‘More information required..’ link.

Enrol Information

31. Change the Type to common name > Enter the public name of the SSTP VPN server > Add > OK.

Note: This will be the common name on the certificate, i.e. vpn.pnl.com, which will need a public A/Host record creating for it in your public DNS, (speak to your ISP or DNS hosting company). That way when your remote clients go to https://vpn.pnl.com they won't get an error, (providing you imported the root cert correctly on THAT machine).

Certificate Common Name SSTP

32. Tick the certificate > Enrol.

SSTP Certificate

33. Finish > Close the MMC.

Enrol Certificate

34. Windows Key+R > rrasmgmt.msc > OK.

rrasmgmt.msc

35. Right click the server > Configure and Enable Routing and Remote Access.

Configure and Enable Routing and Remote Access

36. At the Wizard > Next > Next > Tick VPN > Next.

RRAS VPN

37. Select NIC1. In this case I’m unticking the ‘Enable security’ option, (otherwise it disables RDP and locks the NIC down) > Next.

SSTP NIC configuration

38. I’m going to use this server so select the bottom option > Next.

RRAS DHCP

39. New > Create a range of IP addresses. (Note: You may need to exclude these from your existing DHCP scope) > OK > Next.

VPN Address Scope

40. Next.

No RADIUS

41. Finish > OK > OK > At this point you will see the services restarting.

Configure RRAS

42. Right click the server > Properties.

RRAS 2012 Properties

43. Security tab > Change the certificate to the one we created > Apply > Yes > OK > Close the console.

Change SSTP Certificate
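The same server-side configuration (steps 22 to 43) can be driven from PowerShell on Windows Server 2012. This is an example added to this KB, not Microsoft's or the original article's code; it assumes the certificate was enrolled with the common name vpn.pnl.com from the SSTP-VPN template as above, and that the user account name is a placeholder.

```powershell
# Step 22 equivalent: grant one user dial-in rights (placeholder username).
Import-Module ActiveDirectory
Set-ADUser -Identity 'vpnuser' -Replace @{ msNPAllowDialin = $true }

# Steps 23-27 equivalent: install RRAS with routing and the management tools.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Steps 35-41 equivalent: enable the VPN role (the wizard's address pool and
# NIC selection are left to the GUI, as on the page).
Import-Module RemoteAccess
Install-RemoteAccess -VpnType Vpn

# Step 43 equivalent: bind the SSTP-VPN certificate. Pick it by subject AND by
# the Server Authentication EKU (1.3.6.1.5.5.7.3.1) that step 18 added, so a
# stray certificate with the same name but the wrong usage is never selected.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -eq 'CN=vpn.pnl.com' -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
}
if (-not $cert) { throw 'No Server Authentication certificate for vpn.pnl.com in LocalMachine\My' }
Set-RemoteAccess -SslCertificate $cert

# Checks: the bound certificate, and that RRAS is actually listening on TCP 443.
Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction Stop |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If the last command returns nothing, RRAS has not bound the certificate and SSTP clients will fail before authentication.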

Windows Server 2012 – Connect to SSTP from a Remote Client

At this point I have the correct ports open on the firewall, and I’m on a Windows 7 client outside the corporate network.

44. Because we are using a self signed certificate, we need to get the client to trust it. We can give the user the root certificate, or they can connect and download it, here I’m connecting to the Certificate Services web portal. Note: Remember that’s on the same server.

Certificate Services URL

45. Supply your domain credentials > OK > Download a CA Certificate > Download CA Certificate > Save As.

Domain Credential format

46. Put the certificate somewhere, and call it something sensible.

Save Root Cert CA

47. Now launch an MMC on the client machine, and add the certificate snap-in (for ‘computer account’).

Certificate Console

48. Drill down to Trusted Root Certification authorities > Certificates > All Tasks > Import > Navigate to, and select the certificate you just downloaded.

Note: If you double click the cert and import it manually, then it gets put into the user account NOT the computer account, and this will cause you problems. (Error 0x800b0109).

Import Root Cert

Registry Key Required for SSTP Access

The title is not really true, but as we are using a self signed certificate the client cannot check the CRL for the CA. Even with some purchased certificates you may need to do this.

49. Open the registry editor and navigate to:

HKLM > SYSTEM > CurrentControlSet > services > SstpSvc > Parameters

SSTPSVC

50. Create a new 32 bit DWORD called NoCertRevocationCheck and set its value to 1 (one).

NoCertRevocationCheck

Setup a SSTP VPN Connection

51. Open the Network and sharing Center.

Network connections

52. Setup a new connection or network.

Setup SSTP VPN

53. Connect to a workplace.

Connect to Workplace

54. Use my Internet Connection.

Use ISP for VPN

55. Supply the Internet Address (that matches the common name you used above) > Next.

Configure Client SSTP VPN

56. Supply your domain credentials > Connect.

VPN Credentials

57. Connected successfully.

Note: If it fails at this point, it usually gives you an error code you can Google, or it gives you the option of logging for you to troubleshoot.

SSTP Connected

58. Just to prove I’m connected, this client can ping the SSTP server's private address.

Test SSTP VPN
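The client side (steps 47 to 58) as one script, added to this KB as an example rather than taken from the original article. It assumes a Windows 8 or later client (the page uses the Windows 7 GUI, which has no VpnClient module), the downloaded root certificate saved as C:\Temp\pnl-root.cer, the server name vpn.pnl.com, and placeholder values for the domain user and the server's private address.

```powershell
# Steps 47-48: import the downloaded CA cert into the COMPUTER store. Importing
# by double-click lands in the user store and produces error 0x800b0109.
$root = Import-Certificate -FilePath 'C:\Temp\pnl-root.cer' `
                           -CertStoreLocation Cert:\LocalMachine\Root
if (-not (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")) {
    throw 'Root CA did not land in the computer Trusted Root store'
}
if (Test-Path "Cert:\CurrentUser\Root\$($root.Thumbprint)") {
    Write-Warning 'A copy is also in the user store; the computer store copy is the one SSTP uses'
}

# Steps 49-50: skip the CRL check, because a self-signed CA publishes no
# reachable CRL. This is a workaround; remove the value once the CA's CRL is
# reachable from the client so revocation is checked again.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
New-ItemProperty -Path $key -Name 'NoCertRevocationCheck' `
                 -PropertyType DWord -Value 1 -Force | Out-Null

# Steps 51-55: create the SSTP connection. The server address must match the
# certificate common name from step 31, or the TLS handshake fails.
Add-VpnConnection -Name 'PNL SSTP' -ServerAddress 'vpn.pnl.com' `
                  -TunnelType Sstp -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required -Force

# Step 56: connect; '*' makes rasdial prompt for the password (placeholder user).
rasdial 'PNL SSTP' 'PNL\vpnuser' *
(Get-VpnConnection -Name 'PNL SSTP').ConnectionStatus

# Step 58: reach the server's private address (placeholder) over the tunnel.
Test-Connection -ComputerName '192.0.2.10' -Count 2
```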
