Remote Network Access: Deploying an SSTP Server

by Damian Flynn - October 7, 2013

In the previous post, we introduced the objectives and architecture of Remote Network Access. Assuming you have prepared your servers, we can get directly into the fun stuff and begin the process of installing and configuring the SSTP servers to support and implement our client's VPN Connection. Also be sure to read the third installment of this series, "Remote Network Access: Configuring an SSTP Client."


Remote Network Access: How to Deploying SSTP Servers

In this post, our objective is to deploy and configure the services necessary to support SSTP for use with our Windows 7 and newer client computers. As part of this deployment, we will integrate the SSTP server with Remote Authentication Dial-In User Service (RADIUS) server, so that we can assign some access and accounting control for the users whom will ultimately connect via this service.

Once all the server work is complete, we will proceed to configure the client and verify that the configuration works as planned.

NPS: Add the Routing and Remote Access Server As a Client

Prior to beginning any configuration on our Routing and Remote Access Server (RRAS), on the server that we have chosen to use as our Network Policy Server (NPS/RADIUS), we will first create an entry for the RRAS server, to enable it as a client on our RADIUS/NPS server. If you do not already have a NPS server deployed, you can use the Windows Server Manager to deploy this role. No special choices are required to install the role.

Once the role is deployed we can proceed to launch the NPS console and create an entry for our RRAS Server (otherwise known as the RADIUS client).

  • Expand the RADIUS Clients and Servers branch, and select the node RADIUS Clients.
  • Right-click the RAIDUS Clients node and select New from the context Menu.
  • In the New RAIDUS Clients dialog, check the box Enable this RADIUS Client on the Settings tab.
  • In the Friendly Name field provide a name for your RRAS Server.
  • In the address field (IP or DNS), provide the IP address or Internal DNS name for the RRAS Server.
  • In the Shared Secret area, type a secret password in the Shared Secret field, and then Confirm Shared Secret. This will be used your new RRAS server to trust it with this NPS server a little later.
  • In the Advanced tab select RADIUS client is NAP Capable.
  • Click OK to complete adding your RRAS Server as a RADIUS client.

NPS: Configure the Network Policy for SSTP

With an entry now in place for the RRAS Server on our Network Policy Server, we can proceed to now define the Policy, which we will use to determine if the connecting user or computer is indeed Authorized to establish the connection. In the sample policy I will define an Active Directory Group, which will contain a list of user accounts which are permitted to connect to the service.

  • Launch the Network Policy Server console.
  • Expand the Policies branch, then right-click the Connection Request Policies node and select New from the context Menu.
  • On the Specify Connection Request Policy Name and Connection Type page:
    • In the Policy Name field, type SSTP Access.
    • In the Network Connection Method, Type of network access server section, select Remote Access Server (VPN - Dial Up), then click Next.
  • On the Specify Conditions page:
    • In the Conditions area, click the Add… button
      • From the Select condition list, select the option NAS Port Type and click Add…
      • In the new NAS Port Type dialog, from the Common dial-up and VPN tunnel types group, check the option Virtual (VPN), then click OK.
    • In the Conditions area, click the Add… button
      • From the Select condition list, select the option User Groups and click Add…
      • In the new User Groups dialog, click Add Groups and enter the name of the Active Directory group that contains the users you wish to permit access to the SSTP service. Click OK.
    • Click Next.
  • On the Specify Access Permission page, select the option Access Granted and click Next.
  • On the Specify Authentication Methods page, in the EAP Types area, click Add…, then select the option Microsoft: Secured password (EAP-MSCHAP v2) and click OK.
  • Click the button Add…, then select the option Microsoft: Protected EAP (PEAP) and click OK. Then click Next.
  • On the Configure Constraints page, click Next.
  • On the Configure Settings page, click Next.
  • Review the settings, and click Finish.

RRAS: Host Configuration

We now move our focus to the server, which will host the Routing and Remote Access Services. As with the NPS server, if you do not have the role already deployed then using the Windows Server Manager we can add the Routing and Remote access feature. Again, nothing special will be required during the installation of the role.

On the RRAS server, my configuration contains only a single NIC, and it will be tuned to only implement SSTP services. Additionally, on the router/firewall we must create a NAT configuration on TCP 443 to make this server available on the Internet. The server name on the Internet will be added to the public DNS service (for example SSTP.DIGINERVE.NET), and I will utilize a SSL certificate with the same FQDN on the RRAS server to secure the connection.

It's your decision whether to utilize a private or public certificate for establishing the SSL tunnel. However, if you choose to use a private certificate for the task, you must also ensure that any client that will attempt to connect to the service will already have a copy of the associated Root Certificate in the client's Trusted Root Certificates store.

RRAS: Configuring VPN Ports for SSTP ONLY

With the RRAS role deployed, we will tune the configuration, disabling the RRAS server from supporting tunnels based on IKEv2, L2TP, and PPTP. At the same time, we will also enable support for multiple simultaneous SSTP connections.

  • Right-click the Ports node and select Properties.
  • In Sequence, select WAN Miniport (IKEv2), WAN Miniport (L2TP), and WAN Miniport (PPTP) and configure their respective Configure Device dialogs.
    • Clear the checkbox for Remote Access Connections (Inbound Only).
    • Clear the checkbox for Demand-Dial Routing Connections (Inbound and Outbound).
    • Set Maximum Ports to (or 1 in the case of PPTP)
    • Click OK.
  • Select WAN Miniport (SSTP) and again click Configure to present its Configure Device dialog.
    • Check the box for Remote Access Connections (Inbound Only).
    • Set Maximum Ports to 128 (or a number matching the number of concurrent connections you plan to support).
    • Click OK.
  • Click OK to complete the Ports configuration.

RRAS: Configuring RADIUS and SSL Support

Our next task is to point the Routing and Remote Access Service to our NPS/RADIUS Server and also bind the SSL Certificate for the SSTP tunnel. Before we being this configuration, you must ensure that you have installed your chosen SSL certificate to the Local Computer certificate store. You must also make sure that the FQDN of the certificate matches the name you will be using to publish this SSTP service to the Internet. Also, if the RRAS server is hosted in a isolated network, ensure that you allow RADIUS traffic pass between the servers (TCP 1812/1813).

  • Right-click the Server Name node and select Security.
  • For the Authentication Provider:
    • In the drop-down select Radius Authentication.
    • Click Configure… to launch the Radius Authentication dialog.
      • For each RADIUS server you wish to utilize, Click Add…
        • In the Add Radius Server dialog, provide the following: In the Server Name field, enter the Fully Qualified Domain Name of your RADIUS server.
        • Click OK to add your server.
      • Click OK to complete the Radius Authentication servers list.
    • Click the button Authentication Methods… to display the dialog.
      • Check the box for Extensible Authentication Protocol (EAP).
      • Check the box for Microsoft encrypted authentication version 2 (MS-CHAP v2).
      • Clear all the remaining check boxes, then click OK.
  • For the Accounting Provider, in the drop-down select Radius Accounting.
    • Click the Button Configure… to launch the Radius Accounting dialog. For each RADIUS server you wish to utilize, Click Add…
    • In the Add Radius Server dialog, provide the following: In the Server Name field, enter the Fully Qualified Domain Name of your RADIUS server. Click OK to add your server.
    • Click OK to complete the Radius Accounting servers list.
  • Finally, for the SSL Certificate Binding, clear the check for Use HTTP.
  • In the drop-down select the SSL Certificate you have installed for the public FQDN of your service.
  • Click OK to complete the configuration.

If you have made it to this point, then you are as good as complete! All the work necessary to get your initial SSTP server with RADIUS authentication is now done, and all that really remains is for us to proceed to configure our clients to connect to our SSTP Server.



Join The Petri Insider - Weekly IT Tutorial and Tips, Whitepaper and Webinars