
Windows Server 2012 SSTP VPN

If you want to build a VPN to transfer files securely between your server and a remote location, and you want to use Windows Server 2012, then an SSL oriented VPN will be the method of choice. SSL is the same technology your bank, Amazon, and the rest of the world use to keep communication over the internet private, and it relies on encryption. Basic information about SSL is available here.

SSL can be used for other forms of secure file transfer in the Windows world, such as WebDAV, but this article is about building and using a secure type of VPN known commonly as SSTP. Windows Server has technology built in that makes an SSTP VPN relatively simple to build. Windows desktop editions do not include the SSTP VPN server component, but you can make a Windows desktop PC a secure WebDAV server if you want. A Windows desktop can easily be made into an SSTP client that connects to an SSTP server.

You Have Choices

Windows Server 2012 allows you to build an SSTP VPN in three different ways. They range from ridiculously simple to simple but slightly tedious. By ‘simple’, I mean simple assuming you feel comfortable with SSL and certificates. Enough information to ground you firmly can be found here, here, here, here, and here. I wish I could say the entire concept was ‘snap the fingers easy,’ but if it were, you wouldn’t be reading this and everyone would already know how to do it.

Regardless of the choices you make on the server, the client PC will connect the same way. There’s only one way to make a network connection to an SSTP VPN from a Windows PC.

TCP port 443 on your router will also need to be forwarded to your VPN server. Don’t forget to install your root certificate on all clients and on the server.

I’m going to try to describe all three methods here.

Choice 1: Anywhere Access

If you have Windows Server 2012 Essentials, then you can use the Anywhere Access wizard to create a secure SSTP VPN along with remote access. Read Windows Server 2012 R2 Essentials Anywhere Access. The Anywhere Access wizard is ridiculously simple to use, although managing SSL certificates may be a little confusing if you’ve never been exposed to them in the past. You don’t need to read any more of this page unless you’re curious.

Choice 2: Using the SSL Certificate Bound to Your Web Server

IIS and the Certificate Signing Request describes how to link an SSL certificate to your Windows Server Internet Information Services (IIS) web site. Afterward, you need to load the Routing and Remote Access role and associate the web site certificate with a field on the Security tab of the server Properties by selecting it from a drop down box.

Choice 3: Using AD CS to Make Your SSTP Certificate Without Involving IIS In Any Way

This is the traditional way to build an SSTP VPN. If you look for YouTube videos on this subject, this technique will be the one most often illustrated. You’ll need to load the Active Directory Certificate Services (AD CS) role and the Certification Authority Web Enrollment feature. Since you’re most likely managing a small, one-server environment, you’ll configure AD CS as an Enterprise Root CA. If you’re configuring a multi-server environment with many users in an Active Directory domain, then you need more information than I am providing, because AD CS can take on an entirely different scope in that case. After you use AD CS to build your SSTP certificate, you also modify Routing and Remote Access as described above in Choice 2.

How To Do It

Choice 2 & 3: Modify The User Profile

If you are building your own SSTP VPN connection, you need to modify the user profile of every user who will access it. This is the same modification you make for PPTP VPN users.


Choice 3 only: Use AD CS to Create and Install SSTP Certificate Without IIS

In spite of the 29 pictures below, this is not hard, just tedious. Afterward, you configure Routing and Remote Access in the next section.

In summary, you first create an MMC console with the Certificate Templates, Certification Authority, and Certificates snap-ins. When given a choice, you add them for the computer account and / or the local computer. If you understand that, you’ve eliminated about 1/3 of the pictures.

Next you duplicate the IPSec template and give the duplicate specific characteristics by flipping through the tabs.

  • Subject Name: Supply in the request
  • General: Give the template display name a friendly name
  • Request Handling: Allow private key to be exported
  • Extensions: Add Server Authentication to Application Policy

Thirdly, you go back to the MMC, select Certificate Authority / Certificate Template, right click, New / Certificate Template To Issue; then select the friendly name you made up in the step above.

Finally, you go back to the MMC, select the Certificates snap-in / Personal / Certificates / right click / All Tasks / Request New Certificate. Click through until you see your friendly name. Underneath it you’ll see some blue underlined text; click it for additional configuration. Add a common name and type your URL in the box underneath. Apply it.

Now you’re ready to configure Routing and Remote Access and link the certificate to your secure VPN.

MMC Snap-In Selections: [screenshots not reproduced]

Duplicate the IPSec Template

In the right, select Certificate Templates. In the center, select IPSec. Right Click. Duplicate Template.


Fill in the tabs with the settings listed in the summary above. [screenshots of the template tabs not reproduced]

Issue the New Template

Return to the MMC and select Certification Authority. Expand it. Select Certificate Templates / Right click / New / Certificate Template to Issue. Select your new template.

Add the Certificate to the Certificate Store

In these final steps, you go back to the MMC and select the Certificates snap-in. Select Certificates / Personal / Right Click / All Tasks / Request New Certificate. Keep clicking through until you see the screen with your certificate and the blue underlined text. Click on the blue text and configure it as illustrated in the screenshot, except use your own URL and not the one in the picture.
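The same request can be made from PowerShell, which also lets you check the result before binding it to RRAS. This is an added example, not code from the original article; it assumes the duplicated template’s friendly name is “SSTP Server” and that clients will dial vpn.example.com (both are placeholders).

```powershell
# Added example (not from the original article): request the SSTP server
# certificate from the enterprise CA with the PKI module and verify it.
# Assumptions: the duplicated template is named "SSTP Server" and the public
# name clients will dial is vpn.example.com. Run in an elevated session on the server.

$TemplateName = 'SSTP Server'        # friendly name you gave the duplicate
$PublicName   = 'vpn.example.com'    # must match what clients type in

# Equivalent of Certificates snap-in / Personal / Request New Certificate.
# Get-Certificate stores the issued cert in the computer's Personal store.
$req = Get-Certificate -Template $TemplateName `
                       -SubjectName "CN=$PublicName" `
                       -DnsName $PublicName `
                       -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Request status: $($req.Status)" }
$cert = $req.Certificate

# Checks worth doing before binding the cert to RRAS:
# 1. Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what SSTP clients require;
#    the template's Extensions tab is where it came from.
$ekuOk = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
# 2. The name clients connect to must match the subject or a SAN entry.
$nameOk = ($cert.Subject -eq "CN=$PublicName") -or
          ($cert.DnsNameList.Unicode -contains $PublicName)
# 3. A private key must exist in this store for HTTP.sys to terminate TLS.
$keyOk = $cert.HasPrivateKey

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    ServerAuthEKU = $ekuOk
    NameMatches   = $nameOk
    HasPrivateKey = $keyOk
}
if (-not ($ekuOk -and $nameOk -and $keyOk)) {
    throw 'Certificate is not usable for SSTP; fix the template and re-request.'
}
```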


Done. Now for Routing and Remote Access.

Choice 2 and 3: Install and configure Routing and Remote Access

The following images were copied from Windows Server 2012 PPTP VPN since, except for the last image, the installations are identical. Once you’ve loaded the Routing and Remote Access role, you could use the same steps to configure a VPN on Windows Server 2008 R2 if you wanted to.

Install the Routing and Remote Access Role


Configure Routing And Remote Access Services

Right click the selection next to the red mark. Select Configure and Enable Routing and Remote Access. The wizard will nag you about including DirectAccess. Just select VPN only. DirectAccess is an always-on SSTP VPN. The client must be in a domain and running Windows 7 Enterprise or Ultimate or the equivalent Windows 8 version. DirectAccess is more complicated to install than a typical SSTP VPN or a secure WebDAV server.


Click Next.


Select Custom Configuration.


Select VPN Access.

Done.


Start the Service.


Right click the server name and select Properties.


Select the IPv4 tab. Select Static address pool. Click Add.

Type in a range of IP addresses on your local network. The VPN server will give the client PC a local IP address within this range. Make it relatively wide so it won’t conflict with addresses already in use on your local network. Or, better yet, sign on to your router and reserve a range if your router has this feature, and enter that range here.

Select the Security tab. In the SSL Certificate Binding drop down box toward the bottom, select your SSL certificate.
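The wizard steps above (VPN only, static address pool, certificate binding, plus the dial-in permission from the user profile section) can also be done from PowerShell on the server. This is an added example, not code from the original article; the certificate subject, the address range and the user name are placeholders.

```powershell
# Added example (not from the original article): install RRAS as a VPN-only
# server, bind the SSTP certificate and set the static address pool from
# PowerShell instead of the wizard. Assumptions: the certificate subject is
# CN=vpn.example.com, the spare LAN range is 192.168.1.200-192.168.1.220 and
# the VPN user is the domain account "vpnuser".

Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools | Out-Null
Import-Module RemoteAccess

# "Custom configuration / VPN access" from the wizard, without DirectAccess.
# IPAddressRange is the static pool handed to VPN clients (the IPv4 tab).
Install-RemoteAccess -VpnType Vpn -IPAddressRange '192.168.1.200','192.168.1.220'

# Pick the certificate to bind (the Security tab drop-down). Selecting it by
# subject is fine on a one-server setup; the checks below catch a wrong pick.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq 'CN=vpn.example.com' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No SSTP certificate with a private key found' }
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate lacks the Server Authentication EKU'
}
Set-RemoteAccess -SslCertificate $cert

# Authenticate users against Windows accounts with MS-CHAPv2 inside the TLS tunnel.
Set-VpnAuthType -Authentication Windows
Set-VpnAuthProtocol -UserAuthProtocolAccepted MSChapv2

# The "modify the user profile" step: msNPAllowDialin is the attribute behind
# the Dial-in tab's "Allow access" (needs the ActiveDirectory module).
Set-ADUser -Identity 'vpnuser' -Replace @{ msNPAllowDialin = $true }

# Verify: the bound certificate is the intended one and SSTP listens on TCP 443.
Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
Get-NetTCPConnection -LocalPort 443 -State Listen
```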

Done. Now Add A Network Connection to your Client PC.


Configuring The PC for VPN Use

The only tricky part here is to add a value named NoCertRevocationCheck to the Windows registry key below. The spelling and capitalization have to be identical; otherwise, the VPN will not connect.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters


Open the Network and Sharing Center and click Set up A New Connection or Network. Then Connect to a Workplace.


Click Use my Internet Connection (VPN).

Fill in the blanks. Don’t connect to the internet just yet.


Type in the designated user and password.


Next, you need to change a tab on the properties of the connection you just created. Find the VPN connection by left clicking the network icon in the lower right corner of the Desktop. Right click the new VPN connection and select Properties. Change the settings to match the screenshot [not reproduced]. Then Connect.

If you return to the Network and Sharing Center and find the connection while it is open, the status should show the SSTP connection. It confirms you are on a secure VPN. Done.
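The client-side steps (root certificate, the registry value, and the connection itself) can be scripted so every client gets the same settings. This is an added example, not code from the original article; the root certificate path, server name and connection name are placeholders.

```powershell
# Added example (not from the original article): configure a Windows client
# for the SSTP connection from an elevated PowerShell. Assumptions: the root CA
# certificate was exported to C:\Temp\root.cer and the server's public name is
# vpn.example.com.

# 1. Trust the internal root CA (the article's "install your root certificate
#    on all clients"). Without it the client rejects the server certificate.
Import-Certificate -FilePath 'C:\Temp\root.cer' `
                   -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. NoCertRevocationCheck: a REG_DWORD of 1 makes the SSTP client skip the
#    CRL check. It is a workaround for an internal CA whose CRL distribution
#    point is not reachable from the internet. It also means a revoked server
#    certificate would still be accepted, so publish the CRL where clients can
#    reach it and delete this value once that is done.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
New-ItemProperty -Path $key -Name 'NoCertRevocationCheck' `
                 -PropertyType DWord -Value 1 -Force | Out-Null
# Spelling and capitalization must match exactly; read it back to confirm.
(Get-ItemProperty -Path $key).NoCertRevocationCheck

# 3. Create the connection ("Connect to a Workplace") and fix the tunnel type
#    to SSTP so the client never falls back to PPTP. Encryption is required and
#    the user logon uses MS-CHAPv2 inside the TLS tunnel.
Add-VpnConnection -Name 'Office SSTP' -ServerAddress 'vpn.example.com' `
                  -TunnelType Sstp -EncryptionLevel Required `
                  -AuthenticationMethod MSChapv2 -RememberCredential -Force

# 4. Verify the profile, then connect with the designated user (prompts for the password).
Get-VpnConnection -Name 'Office SSTP' |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel
rasdial 'Office SSTP' vpnuser
```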


17 Comments on “Windows Server 2012 SSTP VPN”

  1. StephenF says:

    Excellent guide, set this up on a test server and worked flawlessly. Many thanks.

  2. Kurt Martin says:

    What a great article! I was struggling with the certificate requirement and your article was the only source I found that set forth an easy to follow procedure to create an internal certificate that not only serves the SSTP-vpn function, but Remote Access (Anywhere Access), as well.

    I, mistakenly, created a separate certificate for each. One for the Anywhere Access configuration wizard and a second by the Direct Access wizard for IP-HTTPS. This was because I utilized different “A” words in the public domain address fields: remote.contoso.com for the Anywhere Access wizard and just contoso.com for the Direct Access wizard. They need to be the same for both. This created connection failures with all the VPN security protocols (except PPTP) that rely on a certificate as the base of authentication. The two-certificate installation would result in one certificate being assigned to IIS for the public domain name and the other to the VPN security protocol(s). As VPN authentication cannot accommodate the two separate certificates, the connection and/or login attempts would fail.

    I can’t seem to find a method in which I can print your articles to include with my installation notes in the event I suffer a catastrophic failure and have to perform a bare metal install at some point in the distant future. I’d hate to re-learn this these lessons. Any chance you could email me the files for your articles related to Server 2012?

    Again, thank you!

    • Carl Rinker says:

      Your browser print button should work.

      I’m kicking around the idea of turning the site into an ebook and have started with the effort. It involves a lot of busy work reformatting the material and figuring out how to use an ebook editor. If I’m successful it will be available about March or a little later. I’ll make it available on Google Play and elsewhere for $1 or $2; just a nominal amount since the main blog will always be available and free.

      • Kurt Martin says:

        You would think so... and it does for all other web pages. I tried a number of different things and just couldn’t get it to go. If and when you complete your book, please drop me a note.

      • Carl Rinker says:

        Given the other comment you emailed to me, I wonder if you’re trying to print from within Windows Server 2012 to a printer that does not have a proper driver. Windows Server 2012 uses special print drivers and most (at least a year ago when I last tried) common inexpensive printers do not support Windows Server 2012. This is another reason why I don’t use Essentials 2012 as a desktop OS. As I recall, it sometimes looked like it would print, but nothing came out anywhere.

  3. Kurt Martin says:

    Carl,

    No, that wouldn’t be the case. All our printers are on network nodes (IP addresses) and I was attempting to print from a Windows 7 Pro client. I’ve printed other web pages from the same client/printer combination without issue.

    We have a number of different printers on the network and I’d tried different printer and driver combinations with no success.

    I do utilize Server Essentials as a printer server for one old Windows 98 machine in which I keep for some special DOS applications that we still need to utilize from time to time. I was never able to actually get Windows 98 to join the domain, but I didn’t need a domain account for the DOS apps. I was able to get there via Netbios/WINS. Apparently, Microsoft did have an active directory application for Windows 98 & NT4.0 (DSclient) to join the domain. It was included with the disks for SBS2000 which just happened to be the server we retired. However, according to what I could find on the web, it had problems that Microsoft resolved in a later Hotfix release. Of course, all bulletins and references to Windows 98 were deleted from Microsoft’s web portals years ago. I searched on-line to see if someone had a site in which I could download the hotfix version, but had no joy. I tried the version packaged with the SBS2000 disk, but it would get hung up on the password during login. I had what I needed on the DOS side, so I didn’t spend much time on it. I kind of likened it to painting a rusted out car.

  4. Frank says:

    Hi there,

    I am trying to configure multiple SSTP certificates in the RRAS Server

    Is it possible to use multiple SSTP certificates at a time?

    If yes, then how? Or is any other workaround available for this?

  5. Hm. When doing the last step before starting in on client config – binding the cert to the SSL port – I get the following:

    “The certificate used for Secure Socket Tunneling Protocol (SSTP) is different than the certificate bound to the SSL (web listner, HTTP.sys). Configure SSTP to use the default certificate or the certificate bound to SSL. You can configure web server application to use the same certificate used by SSTP.”

    I thought I’d followed the instructions pretty carefully, but I can’t imagine what it was that I might have missed. Help?

    • Carl Rinker says:

      SSTP is straightforward to set up. It just takes a lot of pictures to illustrate the steps. There are videos on YouTube that also illustrate it. In this case, the videos do a pretty good job. The config hasn’t changed since Server 2008. I don’t use this VPN too much any more but, as I recall, you should be using the SSL certificate bound to the website for your VPN configuration.

  6. Kurt Martin says:

    Daryl,

    I believe I had the same issue. Are you installing DirectAccess also? I’d speculate you are and you probably created a separate certificate for it. You need to use the same certificate for both VPN and DirectAccess. I documented the setup fairly meticulously as I spent quite a bit of time figuring it out, as Microsoft instructions are, as usual, very vague and they leave you to assume. I’m sure you are acquainted with the definition of assume.

    I can scan them, just not sure how to get them to you.

  7. Kurt Martin says:

    OK. I just sent it. The scanned file ended up being 26 MB, so the email may be rejected for too large of an attachment. Let me know if you don’t receive it and we’ll go to plan B.

    • darrylhadfield says:

      Nothing yet – and looks like it’s been ~90 mins.

      Plan B… gonna cut it up and shuffle with multiple emails?

  8. Kurt Martin says:

    OK, sent again utilizing Google Drive.

    • darrylhadfield says:

      Got it, read through it. Shot you a reply back; looks like what you’ve got is actually more in line with DirectAccess, rather than an SSTP VPN.

      I *may* have found out how to resolve my initial issue… more info after I get home and check it out to see if it works as desired…

  9. Stephen Fitzgerald says:

    Great article, helped me so much. Thanks,
