In the previous post, we introduced the objectives and architecture of Remote Network Access. Assuming you have prepared your servers, we can get directly into the fun stuff and begin installing and configuring the SSTP server that will terminate our clients' VPN connections. Also be sure to read the third installment of this series, "Remote Network Access: Configuring an SSTP Client."
In this post, our objective is to deploy and configure the services necessary to support SSTP for our Windows 7 and newer client computers. As part of this deployment, we will integrate the SSTP server with a Remote Authentication Dial In User Service (RADIUS) server, so that we can apply access and accounting control to the users who will ultimately connect through this service.
Once all the server work is complete, we will proceed to configure the client and verify that the configuration works as planned.
Before we configure anything on the Routing and Remote Access Server (RRAS), we start on the server we have chosen as our Network Policy Server (NPS/RADIUS) and create an entry there for the RRAS server, which enables it as a RADIUS client. If you do not already have an NPS server deployed, you can use Windows Server Manager to add the role. No special choices are required during installation, but remember to register the NPS server in Active Directory afterwards so that it can read the dial-in properties of user accounts.
Once the role is deployed we can proceed to launch the NPS console and create an entry for our RRAS Server (otherwise known as the RADIUS client).
With an entry now in place for the RRAS server on our Network Policy Server, we can define the network policy that NPS will use to decide whether the connecting user or computer is authorized to establish the connection. In the sample policy I define an Active Directory group that contains the user accounts permitted to connect to the service. The same policy should also constrain the authentication methods, so that only MS-CHAP v2 or EAP are accepted and the weaker PAP and CHAP options stay disabled.
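The NPS side of this procedure, as an added PowerShell example that is not part of the original post: it registers NPS in Active Directory, creates the RADIUS client entry for the RRAS server, and prepares the AD group that the network policy will reference. It assumes Windows Server 2012 or later with the NPS and ActiveDirectory modules available; the client name, address, group name and test user are placeholders.

```powershell
# Added example, not from the original post: register the RRAS server as a RADIUS
# client on the NPS server and prepare the AD group the network policy will reference.
# Assumes Windows Server 2012 or later with the NPS and ActiveDirectory PowerShell
# modules; the name, address, group and user below are placeholders.
Import-Module NPS
Import-Module ActiveDirectory

$RrasName     = 'RRAS01'           # assumed: friendly name for the RADIUS client entry
$RrasAddress  = '10.0.1.20'        # assumed: internal IP the RRAS server uses to reach NPS
$VpnGroup     = 'VPN-SSTP-Users'   # assumed: AD group matched by the network policy
$SharedSecret = Read-Host -Prompt 'RADIUS shared secret (use a long random value)'

# NPS must be registered in AD to read users' dial-in properties; harmless if already done.
netsh nps add registeredserver

# Create the RADIUS client entry for the RRAS server. AuthAttributeRequired makes NPS
# reject Access-Requests from this client that lack the Message-Authenticator attribute,
# so a spoofed request cannot be accepted on the shared secret alone.
if (-not (Get-NpsRadiusClient | Where-Object { $_.Name -eq $RrasName })) {
    New-NpsRadiusClient -Name $RrasName -Address $RrasAddress -SharedSecret $SharedSecret `
        -AuthAttributeRequired $true
}

# The AD security group that the policy's "Windows Groups" condition will match.
if (-not (Get-ADGroup -Filter "Name -eq '$VpnGroup'")) {
    New-ADGroup -Name $VpnGroup -GroupScope Global -GroupCategory Security `
        -Description 'Users permitted to connect to the SSTP VPN'
}
Add-ADGroupMember -Identity $VpnGroup -Members 'jdoe'   # assumed: a test user account

# Verify the client entry and keep a backup of the NPS configuration for rollback.
Get-NpsRadiusClient | Where-Object { $_.Name -eq $RrasName } | Format-List
Export-NpsConfiguration -Path (Join-Path $env:TEMP "nps-$(Get-Date -Format yyyyMMdd).xml")
```

The network policy itself is then created in the NPS console: under Conditions add "Windows Groups" with the group above and "NAS Port Type" set to Virtual (VPN); under Constraints, Authentication Methods, leave MS-CHAP v2 (or PEAP/EAP-MSCHAP v2) enabled and clear PAP and CHAP. The shared secret entered here must be the same value configured on the RRAS server.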
We now move our focus to the server that will host the Routing and Remote Access service. As with the NPS server, if the role is not already deployed, use Windows Server Manager to add the Routing and Remote Access role. Again, nothing special is required during installation.
My RRAS server has only a single NIC and will be tuned to offer SSTP only. On the router/firewall, TCP 443 must be forwarded (NAT) to this server so that it is reachable from the Internet. The server's public name is added to the public DNS service (for example SSTP.DIGINERVE.NET), and I will use an SSL certificate issued for that same FQDN on the RRAS server to secure the connection.
Whether you use a private or a public certificate for the SSL tunnel is your decision. If you choose a private certificate, every client that will connect must already hold the issuing root CA certificate in its Trusted Root Certification Authorities store. Keep in mind that the SSTP client checks the server certificate for revocation by default, so the CRL distribution point named in the certificate must be reachable from the Internet before the tunnel exists; otherwise the connection fails.
With the RRAS role deployed, we tune the configuration so that the server no longer accepts IKEv2, L2TP or PPTP tunnels, leaving SSTP as the only tunnel type, and we raise the number of SSTP ports so that many clients can be connected at the same time.
Our next task is to point the Routing and Remote Access service at our NPS/RADIUS server and bind the SSL certificate to the SSTP listener. Before you begin, make sure the chosen SSL certificate, with its private key, is installed in the Local Computer certificate store, and that the certificate's FQDN matches the name under which you publish the SSTP service on the Internet. If the RRAS server sits in an isolated network, also allow RADIUS traffic between the two servers: RADIUS uses UDP, port 1812 for authentication and 1813 for accounting (older deployments may use 1645/1646). Use a long, random shared secret, since it is what protects the credentials exchanged between RRAS and NPS.
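The RRAS side of the procedure (tunnel types, RADIUS servers, certificate check and host firewall), as an added PowerShell example that is not part of the original post. It assumes Windows Server 2012 or later, that the role has been enabled once through the console wizard (or Install-RemoteAccess -VpnType Vpn) so that the netsh ras context is active, and that the NPS address and shared secret are placeholders; the FQDN is the one used in this post. The certificate binding itself is done in the RRAS console, so the block only selects and reports the certificate to bind.

```powershell
# Added example, not from the original post: make the RRAS server SSTP-only, point it at
# the NPS/RADIUS server, and check the certificate before binding it in the RRAS console.
# Assumes Windows Server 2012 or later with RRAS already enabled; the NPS address and
# secret are placeholders, the FQDN is the one from the post.
$PublicFqdn   = 'sstp.diginerve.net'   # name in public DNS; must appear on the certificate
$NpsServer    = '10.0.1.10'            # assumed: IP of the NPS/RADIUS server
$SharedSecret = Read-Host -Prompt 'RADIUS shared secret (same value entered on NPS)'

# 1. Install the role and management tools (no-op if already present).
Install-WindowsFeature RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# 2. Disable inbound RAS on the PPTP, L2TP and IKEv2 miniports; keep SSTP with 128 ports
#    so many clients can connect simultaneously.
netsh ras set wanports device="WAN Miniport (PPTP)"  rasinonly=disabled ddinonly=disabled
netsh ras set wanports device="WAN Miniport (L2TP)"  rasinonly=disabled ddinonly=disabled
netsh ras set wanports device="WAN Miniport (IKEv2)" rasinonly=disabled ddinonly=disabled
netsh ras set wanports device="WAN Miniport (SSTP)"  rasinonly=enabled maxports=128

# 3. Hand authentication and accounting to NPS over UDP 1812/1813. signature=enabled makes
#    RRAS include the Message-Authenticator attribute, matching the NPS client setting.
netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver "name=$NpsServer" "secret=$SharedSecret" port=1812 timeout=5 init-score=30 signature=enabled
netsh ras aaaa set accounting provider=radius
netsh ras aaaa add acctserver "name=$NpsServer" "secret=$SharedSecret" port=1813 timeout=5 init-score=30

# 4. Select the certificate to bind in the RRAS console (Properties > Security >
#    SSL Certificate Binding). It needs the public FQDN, the Server Authentication EKU
#    (1.3.6.1.5.5.7.3.1) and a private key; the newest matching certificate wins.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.DnsNameList.Unicode -contains $PublicFqdn) -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $PublicFqdn in Cert:\LocalMachine\My" }
"Bind thumbprint $($cert.Thumbprint) in the RRAS console (expires $($cert.NotAfter))"

# 5. Allow SSTP through the host firewall; the edge router must also forward TCP 443 here.
New-NetFirewallRule -DisplayName 'SSTP VPN (TCP 443)' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -Action Allow

# 6. After binding the certificate, restart the service and confirm the RADIUS servers
#    and the HTTP.sys listener on port 443 that SSTP uses.
Restart-Service RemoteAccess
netsh ras aaaa show authserver
netsh http show sslcert
```

Run the block once after the console wizard has enabled RRAS, bind the reported thumbprint in the console, then re-run step 6. The output of `netsh http show sslcert` should list that same thumbprint on port 443; if it shows a different certificate, another service (typically IIS) owns the binding and must be moved off port 443.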
If you have made it this far, you are as good as done. All the work needed to bring up an initial SSTP server with RADIUS authentication is complete, and all that remains is to configure our clients to connect to the SSTP server.