SSTP Makes Secure Remote Access Easier
You’ve probably been in this situation: You’re at a hotel or conference and you need to connect to your company’s network through a virtual private network, but your PPTP- or L2TP-based VPN connection doesn’t go through. Argh! Unfortunately, the problem is usually something beyond your control — a network address translator (NAT) is present or a perimeter firewall blocks a needed port. Well, guess what: Windows Vista Service Pack 1 and Windows Server 2008 now include a new VPN technology called Secure Socket Tunneling Protocol (SSTP), which is designed to make secure remote access a heck of a lot easier and significantly reduce VPN-related help-desk calls.
SSTP is designed to enable VPN tunneling for virtually any scenario you can imagine — behind a NAT, across a firewall, through a Web proxy — as long as TCP port 443 is open (which it usually is for HTTPS traffic). And SSTP is more than just another SSL-based VPN that only works with Web clients. It’s fully integrated into the remote access architecture of Windows, which means you can use it with Winlogon authentication or with strong authentication such as smart card or RSA SecurID; or, you can create and manage CMAK profiles, remote access policies, and the like. Plus, it uses only one HTTPS channel between the SSTP client (Windows Vista) and the SSTP server (Windows Server 2008) for each SSTP VPN connection, which makes it straightforward to load-balance SSTP sessions across servers.
SSTP basically works by encapsulating PPP or L2TP traffic over an HTTPS session. And SSTP is secure because it uses SSL 3.0 over HTTP 1.1 and supports Advanced Encryption Standard (AES) encryption. About the only limitation of this release of the feature is that it can’t be used for site-to-site VPNs; it can be used only to provide remote access to users.
Configuration Made Easy
Configuring SSTP on the client is straightforward. First, you use the Connect To A Network wizard to create a VPN connection by selecting the Connect To A Workplace option. Specify the name or IP address of the remote server, your credentials, whether you use a smart card, and so on. The steps for creating a new VPN connection are easy and intuitive in Vista; if you need more detailed information, see Chapter 28, “Connecting Remote Users And Networks,” in the Windows Vista Resource Kit from Microsoft Press.
Once you’ve created your connection, open the Network And Sharing Center, click Manage Network Connections, right-click on the connection and select Properties. Then on the Networking tab, change the Type Of VPN setting from Automatic to Secure Socket Tunneling Protocol (SSTP) and click OK (See Figure 1).
With that, you’re done configuring the client — unless your client computer isn’t part of the same Active Directory domain as the SSTP server, in which case you have to add the server’s certificate to the trusted root certificate authority machine store on the client. If your client belongs to the same domain as the server, the certificate should already be trusted.
But configuring SSTP on the server is a bit more complex. First, you’ll need Active Directory Certificate Services (ADCS) deployed on your network, and you’ll need to install a server certificate on your SSTP server so it can support SSL connections. Then you’ll need to add the Network Policy And Access Services server role to your server with the Routing And Remote Access (RRAS) role service selected (See Figure 2).
Figure 2
Next, open the RRAS console from under Administrative Tools and enable RRAS, which launches the RRAS set-up wizard. Then use this wizard to create a VPN server — the procedure here is almost the same as in Windows Server 2008.
Now you’re ready to test SSTP to see if it works. Make sure your VPN server’s certificate is in your client’s certificate store (use the Certificate Import Wizard if necessary) and then see if you can connect the client to the VPN server using a standard PPTP or L2TP VPN connection, to make sure the server is working properly. Then do something to block PPTP/L2TP VPN connectivity, such as disabling the corresponding RRAS inbound rule in Windows Firewall on your server. Your client shouldn’t be able to connect to your VPN server. Now make SSTP the first choice for your VPN client, as shown in Figure 1; start the connection on your client, and you should be able to connect to the server and access resources on the domain, just as if the client were on the LAN instead of at a remote location.
If you have trouble getting the client to connect to the server, there are a couple of steps you can take. First, run netstat -aon | findstr 443 on the server to see whether TCP port 443 is in the LISTENING state; if it isn’t, the server can’t accept SSTP client connection requests. Next, check the Event log on the server to make sure there were no problems with the configuration of RRAS. Then confirm that the server’s certificate is bound to the listener for SSL traffic (you can do this by typing netsh http show sslcert at a command prompt on the server). And finally, double-check that the client trusts the server’s certificate — use the Certificates snap-in on the client to check the Personal store under Local Computer.
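The troubleshooting checks above (port 443 listening, RRAS event-log errors, the HTTP.SYS SSL binding, the server certificate, and client trust of that certificate), plus the Sstpsvc ListenerPort registry value from the final tip, collected into one PowerShell script. This is an added example, not part of the article; the ExpectedThumbprint parameter and the event-log source names are assumptions you should adjust for your environment.

```powershell
# SstpCheck.ps1 -- added diagnostic script, not from the article or from Windows.
# Run in an elevated PowerShell on the RRAS/SSTP server. $ExpectedThumbprint is an
# assumed parameter: the thumbprint of the server certificate you installed for SSL.
param(
    [string]$ExpectedThumbprint = 'PLACEHOLDER-THUMBPRINT',
    [int]$Port = 443
)

# Client-side check: dot-source this file on the client and call this function with the
# server certificate exported to a .cer file. X509Certificate2.Verify() builds the chain
# against the client's trusted roots, which is what the SSTP client needs to succeed.
function Test-SstpServerCertTrust([string]$CerPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    return $cert.Verify()
}

$results = [ordered]@{}

# 1. Is anything listening on TCP 443? Without a listener the server cannot accept
#    SSTP connection requests (same information as 'netstat -aon | findstr 443').
$tcp = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$results['TCP port listening'] = [bool]($tcp.GetActiveTcpListeners() | Where-Object { $_.Port -eq $Port })

# 2. Does HTTP.SYS have an SSL binding, and is it the certificate we expect?
#    (Same information as 'netsh http show sslcert', parsed for the hash lines.)
$bindings    = netsh http show sslcert | Out-String
$boundHashes = [regex]::Matches($bindings, 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') |
               ForEach-Object { $_.Groups[1].Value }
$results['SSL binding present'] = @($boundHashes).Count -gt 0
$results['Expected cert bound'] = @($boundHashes) -icontains $ExpectedThumbprint

# 3. Is the server certificate in the machine Personal store, with its private key?
$serverCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $ExpectedThumbprint }
$results['Server cert in LocalMachine\My'] = [bool]$serverCert
$results['Server cert has private key']   = [bool]($serverCert -and $serverCert.HasPrivateKey)

# 4. Any RRAS/SSTP errors or warnings in the System log during the last day?
#    Source names are assumed; adjust them if your server logs under different ones.
$sources = 'RemoteAccess', 'RasSstp', 'RasMan'
$recent  = Get-EventLog -LogName System -EntryType Error, Warning -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
           Where-Object { $sources -contains $_.Source }
$results['No recent RRAS/SSTP errors'] = @($recent).Count -eq 0

# 5. Has the port-redirection tweak (Sstpsvc ListenerPort) been set on this server?
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Sstpsvc\Parameters' -ErrorAction SilentlyContinue
$results['ListenerPort override'] = if ($params.ListenerPort) { $params.ListenerPort } else { 'not set (default)' }

$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

Any False in the server report points at the matching troubleshooting step above; a False from Test-SstpServerCertTrust on the client means the server certificate still has to be imported into the client’s trusted root store.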
What’s cool about how SSTP is implemented in Windows Server 2008 is that it uses the HTTP.SYS listener that’s built into the TCP/IP networking stack of Windows Vista. This means that if you wanted to, you could also run an IIS Web server on the same box that’s serving as your SSTP VPN server, or you can leave IIS uninstalled and still enable clients to use SSTP to make SSL connections with the server.
One final tip: SSTP listens on all IP addresses on the VPN server and works out of the box with most NATs, but NATs that redirect ports require a registry tweak (the ListenerPort value under HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters) to work.