C7 Solutions Team Blog This blog contains a variety of useful information from the consultants at C7 Solutions.
Monday, June 23, 2008
SSTP (SSL VPN) on SBS 2008 RC0
SSL based VPN's are great. In short it is VPN without firewall or NAT issues (both of which you get with PPTP and IPSec VPN's). But the current release of SBS 2008 (RC0) does not enable SSTP VPN's by default. It uses RRAS, so SSTP is possible, but it is not as easy as it first looks!
Ensure that you have run the connecting to the internet wizard, and that you are using a third party certificate (as there are less steps if you do this).
Enable remote access from the SBS Console > Network > Connectivity page.
Add some SSTP ports to the VPN in the Routing And Remote Access management program. Right-click Ports and choose Properties and enable SSTP for remote access inbound connections. Leave PPTP enabled as Windows XP does not support SSTP VPN tunnels (only Vista SP1 does at this time).
View the properties of your certificate and note down the Thumbprint value.
Ensure that this certificate is associated with 0.0.0.0:443 and [::]:443: certificate bindings on the server. Type "netsh http show ssl" from elevated command prompt to get this information. You typically get four entries with IP:port being the first line of each. Check for IP:port reading "0.0.0.0:443" and [::]:443 as this shows the IPv4 and IPv6 mappings for SSL certificates on the server. Ignore the :8172 and :987 entries (these are for IIS Management Service and companyweb).
Install the "Certificate Authority Web Enrollment" role service to Active Directory Certificate Services snapin within Server Manager. This adds a virtual directory to the default website in IIS called CertEnroll which contains the certificate revocation list for the certificate you are using. Only do this if you are using the built in default issued certificate. If you are using certificates from a third party then you need to ensure you can reach their CRL publishing site without issue - see the certificate details for information on the CRL publishing site location.
Expand the Certificate Authority on your server and right-click Revocated Certificates. Under tasks choose Publish. This updates the CRL with the new publishing location that SSTP needs to connected to. Again, use a third party certificate to make this easy!
On a Vista SP1 client create a new VPN connection and in properties > networking ensure that the Type of VPN is set to SSTP (for normal use set this to Auto, and it will find the best (starting with PPTP), but for testing set it specifically to SSTP). Also ensure that the name of the server you are connecting to is the same name that the certificate uses for the certificate common name.
I got error 0xc00000e9 when attempting to boot into a new guest Hyper-V image, using an ISO image as my boot CD. Using the real CD in the host worked fine.
So I downloaded the ISO again and all was well this time - must have been a dodgy download - now to go play with Windows Small Business Server 2008.
With the correct BIOS settings enabled on a E8500 processor (see http://processorfinder.intel.com/ for the processors that support EM64T, Virtualisation and Execute Disable which is needed for Hyper-V to work), and with them and the Trusted Execution property set to On in the BIOS I got the following errors with Hyper-V RC1 on Windows 2008 Enterprise Server RTM (running Server Core):
Hyper-V launch failed; Either VMX not present or not enabled in BIOS.
Hyper-V launch failed; at least one of the processors in the system does not appear to provide a virtualization platform supported by Hyper-V.
Fixed this by rebooting and pressing F2 to enter the BIOS and disabling the following settings
Security > Execute Disable (set to Off)
Performance > Virtualization (set to Off)
Performance > VT for Direct I/O Access (set to Off)
Performance > Trusted Execution (set to Off)
Press Esc and save settings. When the server reboots do a hard power off. Power on, and then in the BIOS again ensure that the following is set:
Security > Execute Disable (set to On)
Performance > Virtualization (set to On)
Performance > VT for Direct I/O Access (set to On)
Performance > Trusted Execution (set to Off)
Press Esc and save settings. Hard power off again once the server reboots. Turn power on and let computer boot normally.
At this point I got an Hyper-V error in that the entries in the event log above did not appear anymore, but were replaced by an error indicating that Hyper-V was not installed.
So I removed Hyper-V by running:
ocsetup Microsoft-Hyper-V /uninstall
and reboot.
Reinstall Hyper-V by downloading the latest build and install it using:
wusa
or if you have the latest build already installed, then reinstall using:
