Remote Network Access: Configuring an SSTP Client

If you are following the miniseries so far, you are now in a position get your clients connecting to the new SSTP Server. One of the main limitations of Group Policy is its inability to distribute VPN configurations to clients, but with the launch of System Center 2012 R2 Configuration Manager, this shortfall has finally been addressed. In this post, I will guide you through the steps to manually configure an SSTP client. You can, of course, modify these steps for your specific purposes, but the basic concepts will not deviate too much.

Need to catch up? Check out our first article in the series, in which we introduced the objectives and architecture of Remote Network Access. In part two, we began the process of installing and configuring the SSTP servers to support and implement our client’s VPN Connection.

Remote Network Access: Configure the VPN Profile

Only Windows 7 and newer clients support tunnels in SSTP. You will need to repeat the steps on each client computer that will be connecting to the SSTP server

  • Begin by opening the Network and Sharing Center. Select the option Set Up a new Connection or Network, and the wizard will appear.
  • On the Choose a connection option page, select Connect to a Workplace and click Next.
  • On the Connect to a Workplace page, select No, Create a new connection, and
    click Next.
  • On the How do you connect? page, select Use my Internet Connection (VPN).
  • On the Type the Internet address to connect to page, in the filed Internet address enter the FQDN of your SSTP Server (e.g. SSTP.DIGINERVE.NET).
  • In the filed Destination name enter A Friendly Name for the Connection.
  • Check the option Remember my Credentials.
  • Check the option Allow other people use this connection.
  • Click Create.

The wizard will now complete, and your new profile will be generated. However, before we can make good use of the profile, we do need to apply some changes as the default settings are not secure enough for our requirements.

  • Back in the Network and Sharing Center, from the left actions list select Change adapter settings.
  • In the list of presented adapters, locate your newly created profile (which should be named as you typed in the Destination name field of the wizard). Right-click this node, and from the context menu select Properties.
  • In the Properties dialog, select the Security tab. Next, in the Type of VPN area select Secure Socket Tunnelling Protocol (SSTP) from the dropdown list.
  • In the Authentication area select Use Extensible Authentication Protocol (EAP).
  • From the drop-down list, select Microsoft: Protected EAP (PEAP) (encryption enabled).
  • Click Properties to display the Protected EAP Properties dialog.
  • Enable the section Verify the server’s identity by validating the certificate by selecting the checkbox.
  • Select Connect to these Servers.
  • In the Trusted Root Certification Authorities list, locate and select the root certificate for your Certification Authority. (Note: your Private CA will only be listed here if you have its certificate installed in your computers Trusted Root Certificates Store!)
  • In the Notifications before connecting list, select the option Tell user if the server name or root certificate isn’t specified.
  • In the Select Authentication Method section, select Secure Password (EAP-MSCHAP v2) from the drop-down.
  • Click Configure. In the EAP MSCHAPv2 Properties dialog, select the checkbox for Automatically use my Windows Logon name and password. Then click OK to close the pop-up.
  • Check Enable Fast Reconnection.
  • Check Enforce Network Access Protection.
  • Click OK to close the dialog.
  • Select the tab Networking, then click OK to close the Connection Properties dialog.
  • Under This connect uses the following items select the option Internet Protocol Version 4 (TCP/IPv4), and click Properties.
  • On the Internet Protocol Version 4 (TCP/IPv4) Properties dialog, click Advanced.
  • On the Advanced TCP/IP Settings dialog, uncheck the option Use default gateway on remote network, then click OK.
  • Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties dialog.

Validate and Test a VPN Connection

At this stage we should now be able to verify that everything has worked to plan, and test a VPN connection from our clients to the VPN service. If you have problems with the service at this point, take a look back at each step and ensure that we have all the components in place. Also refer to the logs available on the clients’ NPS and RRAS servers to determine where the challenges are sourced from.

Once the solution is online and working we will take the configuration a step further and enable Network Access Protection support, which will allow us to ensure that users are maintaining their computers and that we can safely trust the devices connecting to our network. Looking forward to next time!