I’m sure most network administrators know how useful a VPN can be, although we have probably all run into firewalls that do not let the required traffic through, which stops the VPN from working. For example, PPTP VPNs require your router to pass GRE protocol traffic, and L2TP similarly requires ESP protocol traffic. The whole point of a VPN is to allow access to your network from anywhere, which is why SSTP VPNs are so great.
SSTP (Secure Socket Tunnelling Protocol) transports your VPN traffic by encapsulating it in an SSL connection over the standard HTTPS port (TCP 443), which is rarely blocked (most web browsing wouldn’t work without it!). So not only does SSTP get through 99% of firewalls, it also ensures that your VPN traffic is encrypted.
SSTP is supported on Windows Vista SP1 and later versions of Windows. If you’re also a Mac shop, it isn’t integrated into the OS yet, but there are open source SSTP clients that may help you.
If you’re running Windows 2008/2008R2/2012, you’ve already got everything you need to get started, as it is powered by the Routing and Remote Access Services in Windows server. I’ll be going through setting it up on Windows Server 2012, although the steps on 2008 are essentially the same.
Installing the required roles
Start the ‘Add roles & features’ wizard from Server Manager, and add the ‘Remote Access’ role to the server of your choice. You’ll be prompted to add some other required roles/features, such as IIS – you will need to add these too.
As part of the wizard, we’ll be asked which role services we wish to install; for this, go with the default ‘DirectAccess and VPN (RAS)’. Continue through the wizard, and allow the server to restart if required.
Generating & installing the SSL certificate
Once the server has restarted, we will want to obtain an SSL certificate for use by the VPN. My internal domain uses a .local extension, so I will be generating a certificate signing request (CSR) for my external domain name, then sending it to a certification authority (StartSSL.com in this instance, as they offer free SSL certificates).
From Server Manager, select ‘Internet Information Services (IIS) manager’ from the tools menu. Once the IIS console has started select the server name in the tree on the left. Once selected, click the ‘Server certificates’ icon in the main area, and select the ‘Create new certificate request’ option from the actions pane on the right.
When creating the CSR, it is critical that the common name is set to the hostname that clients will use to connect to the VPN. For instance, your server may be internally called RAS02.4sysops.local – this obviously won’t resolve externally, so we point vpn.4sysops.com at the server for external clients to use. In addition, you may need to set up port-forwarding and firewall rules, so that traffic arriving at this external address on port 443 is directed to your VPN server.
In this example we must enter vpn.4sysops.com as the common name. On the next screen in the CSR wizard, ensure that the bit-length is set to 2048 if you are using StartSSL – they won’t accept 1024 bit CSRs.
Finally save the CSR to a file, then open the file in notepad and copy all of the contents to your clipboard.
We will now need to get a certification authority to sign a certificate for us. Provide your certification authority of choice the CSR we just generated via the wizard. Once they have verified your details, they should provide you with a certificate file that we can load into IIS to complete the SSL steps.
Once you have the certificate file, select ‘complete certificate request’ from the IIS actions pane on the right, and browse to the certificate file. You should now see the certificate listed in IIS.
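The CSR and completion steps above can also be done from the command line with certreq, which makes the 2048-bit key length and the Server Authentication usage explicit and lets you verify the result is paired with its private key. This is an added example, not part of the original article; it assumes the same common name, vpn.4sysops.com, and placeholder paths under C:\certs for the request and the file the CA returns.

```powershell
# Added example, not from the original article. Paths and the CA-issued file name are placeholders.
$workDir = 'C:\certs'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# certreq INF: common name = the public host name clients will connect to, 2048-bit RSA key,
# key stored in the machine store (needed for SSTP/IIS), not exportable, Server Authentication EKU.
@'
[NewRequest]
Subject = "CN=vpn.4sysops.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
HashAlgorithm = sha256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
'@ | Set-Content -Path "$workDir\vpn.inf" -Encoding ASCII

# Generate the CSR; the private key is created in the local machine store at this point.
certreq -new "$workDir\vpn.inf" "$workDir\vpn.csr"
Get-Content "$workDir\vpn.csr"   # paste this into the CA's request form

# After the CA returns the signed certificate, complete the request on the SAME server,
# so the certificate is matched with the private key generated above.
certreq -accept "$workDir\vpn.cer"

# Check the result: the certificate is in LocalMachine\My and has its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=vpn.4sysops.com' }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw 'Certificate missing from LocalMachine\My or not paired with its private key'
}
$cert | Format-List Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint
```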
Setting up the VPN
We now need to configure the RAS service. Select ‘Routing and Remote Access’ from the tools menu of server manager. Once the MMC has loaded, right click the server name on the left, and select the configure option. From the wizard, choose the ‘custom’ option at the end of the list. On the following page, tick the VPN checkbox. The wizard will complete, and start the service.
All being well, clients should now be able to connect to the VPN via SSTP, as long as they can make an HTTPS connection to the server name you specified when creating the certificate. You can double-check that things are OK by testing with a web browser (e.g. https://vpn.4sysops.com) – you’ll probably just see a 404 error, but as long as there are no certificate errors and you can see the padlock icon, then all is well.
The final stage before we make the connection is to make sure that any users requiring access have dial-in/VPN rights. Find your users in ‘Active Directory Users & Computers’ and, on the Dial-in tab, select allow (we’re not using NPS in this basic setup, so that option won’t work).
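The server-side steps above (the role install, the custom RRAS wizard with only VPN ticked, the certificate binding, and the per-user dial-in right) can be scripted as below. This is an added example, not code from the original article; it assumes Windows Server 2012 with the RemoteAccess and ActiveDirectory modules, the vpn.4sysops.com certificate already in LocalMachine\My, a placeholder user name, and that the -Legacy switch of Install-RemoteAccess gives the RRAS-only configuration the wizard produces.

```powershell
# Added example, not from the original article. User name is a placeholder.

# 1. Role install (equivalent of adding 'Remote Access' in the wizard); dependencies such as IIS
#    are pulled in automatically.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# 2. Configure RRAS for remote-access VPN only (the 'custom' wizard path with the VPN box ticked).
#    -Legacy is assumed to select the plain RRAS configuration; with no address range given,
#    clients get their addresses from your DHCP server, as the wizard does.
Install-RemoteAccess -VpnType Vpn -Legacy

# 3. Bind the public certificate to SSTP. Match the subject exactly, not with a wildcard, so a
#    self-signed or internal certificate with a similar name is not picked up by accident.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=vpn.4sysops.com' -and $_.HasPrivateKey }
if (@($cert).Count -ne 1) {
    throw "Expected exactly one SSTP certificate for vpn.4sysops.com, found $(@($cert).Count)"
}
Set-RemoteAccess -SslCertificate $cert

# 4. Grant dial-in rights per user (the Dial-in tab in ADUC). No NPS policy is used in this setup,
#    so this attribute is the only thing that lets the user in.
Set-ADUser -Identity 'jdoe' -Replace @{ msNPAllowDialin = $true }

# 5. Verify: the VPN service is installed and the user attribute really changed.
Get-RemoteAccess
Get-ADUser -Identity 'jdoe' -Properties msNPAllowDialin |
    Select-Object SamAccountName, msNPAllowDialin
```

Only TCP 443 needs to be forwarded to this server; GRE and ESP are not involved with SSTP.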
Connecting a client
From a client system, create a new VPN connection (via the Network & Sharing Center). When creating the connection, ensure that the internet address is the same one as used in the certificate. Once the connection has been created, click the ‘Change adapter settings’ link on the left side of the Network and Sharing Center, and edit the properties of the new VPN connection. On the security tab, change the type to SSTP.
Once this change has been made, we should be able to connect to our SSTP VPN successfully from practically anywhere!
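The browser check from the previous section and the client connection above can both be done from PowerShell on a Windows 8 or later client, with the TLS handshake checked first because SSTP will not connect if the certificate name or chain fails to validate. This is an added example, not code from the original article; it assumes the vpn.4sysops.com name used throughout and a placeholder connection name.

```powershell
# Added example, not from the original article. Connection name is a placeholder.

# 1. Pre-flight: open TCP 443 and complete a TLS handshake against the public name. AuthenticateAsClient
#    throws on a name mismatch or an untrusted chain, which are exactly the errors SSTP would hit.
function Test-SstpCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
        }
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }
}

Test-SstpCertificate -HostName 'vpn.4sysops.com'

# 2. Create the connection with SSTP forced as the tunnel type (the GUI equivalent is the Security
#    tab change above). Forcing Sstp rather than Automatic avoids a PPTP/L2TP attempt that a
#    GRE/ESP-blocking firewall would simply drop. MSChapv2 matches the basic RRAS dial-in setup.
Add-VpnConnection -Name '4sysops VPN' -ServerAddress 'vpn.4sysops.com' `
    -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -PassThru

# 3. Dial it; rasdial prompts for credentials if none are saved.
rasdial '4sysops VPN'
```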
In my next article, we’ll look at how we can deploy our SSTP VPN connection to all of our client systems.