Configuring an SSTP VPN on Small Business Server 2008

SSL based VPN’s are great. In short it is VPN without firewall or NAT issues (both of which you get with PPTP and IPSec VPN’s). But SBS 2008 does not enable SSTP VPN’s by default. It uses RRAS, so SSTP is possible, but it is not as easy as it first looks! The following is a brief guide to the steps. Exact step by step instructions are not included, as you should be someone with RRAS and certificates experience before approaching this, and if you are not but have a business need for SSTP VPN (and who doesn’t!) then call C7 Solutions in the UK on 0845 257 1777 for help and assistance. This is not at all easy to configure and get working.

  1. Ensure that you have run the connecting to the internet wizard, and that you are using a third party certificate (as there are less steps if you do this). With the default self signed certificate SSTP will not work as the client on the internet will not be able to reach the certificate revocation location. Using the installed Certificate Services and creating your own issued certificate requires publishing to the internet the certificate revocation information and so adds steps that are not entirely necessary given that certificates are inexpensive and would cost less to buy than the time taken to go through all the extra steps needed with your own issued certificates.
  2. Enable remote access from the SBS Console > Network > Connectivity page and choose Configure a Virtual Private Network link under Connectivity Tasks on the right-hand side of the window.
  3. Add some SSTP ports to the VPN in the Routing And Remote Access management program. Right-click Ports and choose Properties and enable SSTP for remote access inbound connections and set the number of connections to a suitable number for your organization. Leave PPTP enabled as Windows XP does not support SSTP VPN tunnels (only Vista SP1 and later will do so).
  4. Create an MMC and add in the local computers Certificate snap-in. View the properties of your trusted certificate that you are using for Remote Web Workplace and note down the Thumbprint value of this certificate.
  5. Ensure that this certificate is associated with 0.0.0.0:443 and [::]:443 network bindings on the server. Type netsh http show ssl from elevated command prompt to get this information. You typically get four entries with IP:port being the first line of each. Check for IP:port reading “0.0.0.0:443″ and [::]:443 as this shows the IPv4 and IPv6 mappings for SSL certificates on the server. Ignore the :8172 and :987 entries (these are for IIS Management Service and companyweb).
  6. If the certificate hash is not the same for both the remote web workplace certificate and the netsh bindings information in the previous two steps or if you are missing the IPv6 binding then you need to reset the bindings. If they are same then jump to step 7.
    a) Ensure that the certificate bound to the remote web workplace is correct. From the client machine browse to http://remote.your_domain.com. You should be automatically forwarded to https://remote.your_domain.com/remote and the login page. If you get any certificate errors during this in the web browser you must fix them now before continuing.
    b) If the certificate on the remote web workplace site is incorrect then run the Fix My Network wizard and the Set Up Your Internet Address wizard in the SBS Console (both found in the Network > Connectivity > Connectivity Task pane).
    c) Repeat the test in step a and if the certificate that is now associated with the site is incorrect also run the Add A Trusted Certificate wizard which is found in the same place as above. This step should not be needed if a trusted certificate has already been installed on the server and it matches the remote.your_domain.com name and the wizards in step b will associate the correct certificate to the website.
    d) From an elevated command prompt delete the certificate binding for IPv4 by typing netsh http delete sslcert ipport=0.0.0.0:443. The binding should be deleted successfully.
    e) From an elevated command prompt delete the certificate binding for IPv6 by typing netsh http delete sslcert ipport=[::]:443. The binding should be deleted successfully if an IPv6 binding existed, otherwise expect to see an error which can be ignored.
    f) Delete the certificate binding in the RRAS configuration by deleting these registry keys, if they exist, “HKLM\ System\ CurrentControlSet\ Services\ Sstpsvc\ Parameters\ Sha256CertificateHash” and “HKLM\ System\ CurrentControlSet\ Services\ Sstpsvc\ Parameters\ Sha1CertificateHash
    g) Connect the correct certificate to the IPv4 and IPv6 bindings by typing the following entries from an elevated command prompt where xxx is the certificate hash of the trusted certificate used for the Remote Web Workplace. netsh http add sslcert ipport=0.0.0.0:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY and netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY.
    h) Close any open copy of IIS Manager and restart the program. Ensure that the bindings for the SBS Web Applications site is correctly bound to your trusted remote web workplace certificate.
    i) Note that binding SSTP to the IPv4 and IPv6 listeners on port 443 will cause TS Gateway administration to display error messages (specifically that the certificate is not bound and that the IIS web site is not configured). These errors can be ignored on SBS 2008 but if you click the links to fix the errors then all will work fine. The only condition is that this fixing of errors must be done after SSTP is configured correctly (so ensure SSTP connectivity works and then come back to this step to fix). Future changes to the certificate in IIS or TS Gateway might break the SSTP binding.
  7. From a client machine browse to https://remote.your_domain.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ and ensure that no errors occur. Note that you will not see anything in the web browser. View the properties of the certificate, specifically the CRL Distribution Points (CDP) value. Note that you should not have got any certificate errors when browsing to this site and if you did you need to resolve them before continuing further in these steps.
  8. Browse to the CDP URL in the above certificate – you should be able to reach this location on the web without error. The web browser should attempt to download the CDP file.
  9. On a Vista (SP1 or later) or Windows 7 client create a new VPN connection and in properties of the connection object choose the Security tab and ensure that the Type of VPN is set to SSTP. For regular everyday use set this to Auto, and it will find a working protocol (starting with PPTP) and so if PPTP does not work due to NAT or firewall/proxy issues SSTP will be tried and succeed (but for testing set the VPN connection specifically to SSTP). Also ensure that the name of the server you are connecting to is the same name that the certificate uses for the certificate common name.
  10. Connect the VPN and all should work. Errors regards certificate trust will appear if you have used the self issued certificate, even if you have added the certificate to your certificate store and have the certificate working in Internet Explorer. Once you have connected you can confirm from the RRAS management console that you are connected over an SSTP VPN connection. To confirm this click Ports in the RRAS management console and the active connection should be utilizing an SSTP port.
  11. Congratulate yourself on getting this far – this is not easy!

Comments & Responses

6 Responses so far.

  1. Loralon says:

    Hello Brian,
    I have enjoyed your post on the SSTP VPN setup, and have successfully configured my server. The only problem that I have now is how to connect while outside of the office? I have tried to configure a client PC running Windows 7 x64 without success. I keep getting error 800 from the VPN connection.
    Basically, what I did was to update the client hosts with the external IP of the NAT router, which is being used to connect to the Internet. Created the connection using as hostname: myserver.office.com. I am not sure this is the proper way to go about this issue.
    I am using GoDaddy’s SSL Certificate, internally everything is working fine.
    I must say that my domain name is local; the server has no public IP. It is behind a NAT router, which I have no control over, so I cannot configure any port forwarding for SSTP (443).
    Is it possible to connect to the server when outside of the office in this scenario? Please give me some advice on this.

  2. Brian Reid says:

    @Loralon, you need to get control over the NAT device as SSTP requires that TCP port 443 is sent to the server. It will not work any other way.

    Im assuming that you have no inbound internet access for port 443 at all to the server then? That you cannot read email’s via Outlook/OWA when outside the office either then. If you can, the TCP port 443 forwarding is already in place.

  3. Loralon says:

    Thanks Brian for your quick reply,

    I just tried accessing OWA from outside but could not. Are there resources regarding configuring access to OWA or Remote Web Workplace out there that I can follow, and see what happens?

    I am new to SBS and still finding my way out.
    I can confirm that internally I was able to access Remote Web Workplace.

    Thank you very much.

  4. Brian Reid says:

    @Loralon. Yes, there are loads of resources on this – but not this blog – this is all for more advanced stuff. Start with the product documentation online, but you need to get access to the router – thats a prerequisite!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>