Oct 12, 2009

How To Set Up an SSTP VPN in Windows 2008

I was given the task at my company to come up with a reliable and, most importantly, secure VPN solution that didn't require third-party agents. Currently they have a couple of VPN solutions in place: the somewhat secure PPTP VPN, and the more secure Cisco VPN with IPsec. We needed something with the same ease of use as PPTP, but with the reliable security of IPsec.
Enter SSTP, the Secure Socket Tunneling Protocol, one of the "new hotness" VPN technologies from Microsoft. Actually, the newest hotness is DirectAccess, but unless you are willing to start setting up for IPv6, you might want to go with the next best thing: SSTP. SSTP is as easy to set up as PPTP, but it wraps the PPP session in an SSL/TLS connection on TCP 443, so it gets the transport security of TLS and passes through the same firewalls and proxies that ordinary HTTPS does.
According to Wikipedia, SSTP is:

…a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.
What you will need:
  1. SSL certificate from a CA your clients already trust (the free StartSSL certificate works; a self-signed or private-CA certificate only works if its root is installed on every client), issued for the public DNS name clients will dial, with a CRL distribution point those clients can reach over plain HTTP
  2. Windows 2008 Server
  3. IIS (only needed to generate the certificate request and install the certificate)
  4. Firewall NAT rule forwarding TCP 443 to your VPN server
  5. Client running Windows Vista SP1 or later
With those in hand, here is what to do:
  1. In Server Manager, go to Roles Summary and click Add Roles.
  2. Select Web Server (IIS) and click Next twice.
  3. On the Role Services page the defaults are enough for requesting and installing a certificate (the Security role services only add IIS authentication modules that SSTP never uses, so there is no reason to enable them all). Click Next, then Install, then Close.
  4. Follow these instructions for generating a certificate request: (SSL CSR). Use the public DNS name clients will dial as the Common Name; the SSTP client refuses a certificate whose name does not match the server name in the connection.
  5. Once you have your valid cert from a trusted CA, follow their instructions for installing it in IIS. Here is a link to GoDaddy's instructions: (GoDaddy SSL Install for IIS7). Create the HTTPS binding on port 443 for All Unassigned IP addresses: RRAS uses the certificate bound in HTTP.sys on 0.0.0.0:443 for SSTP, and a binding tied to one specific address is a common reason it ends up serving a different certificate, or none.
  6. In Server Manager, go to Roles Summary and click Add Roles.
  7. Select Network Policy and Access Services and click Next twice.
  8. Select Routing and Remote Access Services, click Next, then Install, then Close.
  9. Open Routing and Remote Access (Administrative Tools > Routing and Remote Access).
  10. Right-click your computer name and select Configure and Enable Routing and Remote Access.
  11. Click Next, select Custom Configuration (required if the server has only one NIC, since the VPN wizard path insists on two) and click Next.
  12. Select VPN access and LAN routing (step 16 relies on the latter). Dial-up access, demand-dial connections and NAT are not needed for SSTP and only add listeners and attack surface you then have to manage. Click Next.
  13. Click Finish, and start the service when prompted.
  14. Expand IPv4, right-click DHCP Relay Agent, select Properties, and add the IP address of your DHCP server.
  15. Right-click your server name and click Properties.
  16. On the General tab, under IPv4 Router, select Local area network (LAN) routing only, and make sure IPv4 Remote access server is checked. On the Security tab, confirm that SSL Certificate Binding lists the certificate you installed in step 5; if the list is empty, the certificate is missing its private key or the Server Authentication EKU.
  17. Open TCP 443 on your firewall and create a NAT rule to your server (the exact steps depend on your firewall). Nothing else needs to be forwarded; if the goal is to retire PPTP, leave TCP 1723 and GRE closed.
NOTE: If you don't have a DHCP server on your network that RRAS can relay to, RRAS can hand out addresses itself. To do that:

  1. Right-click your server name and select Properties.
  2. Click the IPv4 tab.
  3. Select Static address pool.
  4. Click Add and enter an unused IP address range on your network (clients get addresses from this range, so keep it out of the DHCP scope).
  5. Click OK, then Apply.
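The steps above leave three things that have to agree before a client can connect: a certificate in the machine store with its private key and the Server Authentication EKU, the HTTP.sys binding on 0.0.0.0:443, and the certificate hash RRAS recorded for SSTP. The following script is an added example, not part of the original post: it checks all three on the server and then confirms something is listening on 443 before you go poking at the firewall. It assumes an elevated PowerShell on the RRAS box, English netsh output, and uses the placeholder name vpn.example.com for the DNS name on the certificate.

```powershell
# Added example, not from the original post: verify the server-side SSTP pieces.
# Assumptions: run elevated on the RRAS server; English-language netsh output;
# $PublicName is a placeholder for the DNS name clients will dial.
param([string]$PublicName = "vpn.example.com")

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, required on the SSTP certificate

# 1. Both services SSTP depends on must be running.
Get-Service -Name RemoteAccess, SstpSvc | Format-Table Name, Status -AutoSize

# 2. Machine-store certificates usable for SSTP: private key present, not expired,
#    Server Authentication EKU, and a DNS name (CN or SAN) equal to what clients dial.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$usable = @($store.Certificates | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $_.HasPrivateKey -and ($_.NotAfter -gt (Get-Date)) -and
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) -and
    ($_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -eq $PublicName)
})
$store.Close()
if ($usable.Count -eq 0) {
    Write-Warning "No certificate for $PublicName with a private key and Server Authentication EKU in LocalMachine\My"
    return
}
$usable | Format-Table Thumbprint, Subject, NotAfter -AutoSize

# 3. SSTP answers through HTTP.sys, so the binding on 0.0.0.0:443 must carry one of those thumbprints.
$binding   = netsh http show sslcert ipport=0.0.0.0:443
$boundHash = $binding | Select-String "Certificate Hash\s*:\s*([0-9a-fA-F]+)" |
             ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() }
if ($boundHash) {
    $match = $usable | Where-Object { $_.Thumbprint -eq $boundHash }
    if ($match) { "HTTP.sys 0.0.0.0:443 is bound to $($match.Subject)" }
    else { Write-Warning "HTTP.sys 0.0.0.0:443 is bound to hash $boundHash, which is not one of the usable certificates" }
} else {
    Write-Warning "No HTTP.sys SSL binding on 0.0.0.0:443; SSTP has nothing to answer with"
}

# 4. RRAS records the certificate it chose for SSTP under SstpSvc\Parameters; it must agree with the binding.
$params = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters -ErrorAction SilentlyContinue
if ($params -and $params.SHA1CertificateHash -and $boundHash) {
    $sstpHash = ($params.SHA1CertificateHash | ForEach-Object { $_.ToString("X2") }) -join ""
    if ($sstpHash -eq $boundHash) { "SstpSvc SHA1CertificateHash matches the HTTP.sys binding" }
    else { Write-Warning "SstpSvc expects $sstpHash but HTTP.sys serves $boundHash; fix the binding and restart RemoteAccess" }
}

# 5. Something must actually accept connections on 443 before the NAT rule is worth testing.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect("127.0.0.1", 443); "TCP 443 accepts connections locally" }
catch { Write-Warning "Nothing is listening on TCP 443: $($_.Exception.Message)" }
finally { $tcp.Close() }
```

If step 3 or 4 reports a mismatch, the usual cause is a certificate that was replaced in IIS after RRAS was configured; re-select it under SSL Certificate Binding on the Security tab of the server properties and restart the Routing and Remote Access service so both hashes are rewritten.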

That's about it, people! Now when you want to remote back in on your Windows Vista or, better yet, Windows 7 laptop, you just create a new VPN connection like you used to for PPTP, except this time you select SSTP as the VPN type on the Networking tab. Pick it explicitly: with the type left on Automatic, Vista and 7 try PPTP first, then L2TP, and only fall back to SSTP after both of those fail, which is slow and defeats the point of closing the PPTP ports. Use the same host name that is on the certificate as the server address, not its IP address, or the name check fails.
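Before the SSTP client will bring the tunnel up it completes a TLS handshake with the server, checks that the certificate name matches the name it dialed, builds the chain to a trusted root, and fetches the CRL; when the CRL is unreachable the connection fails with 0x80092013 (CRYPT_E_REVOCATION_OFFLINE), which looks nothing like a certificate problem. The script below is an added example, not part of the original post, that runs those same checks from a client PC and reports each one separately. It assumes PowerShell 2.0 or later (what Vista and 7 ship with) and uses vpn.example.com as a placeholder for your server's public name.

```powershell
# Added example, not from the original post: exercise the TLS side of an SSTP server
# from a client and report the checks the Windows SSTP client performs.
# Assumptions: PowerShell 2.0+; $Server is a placeholder for the public DNS name on the certificate.
param([string]$Server = "vpn.example.com", [int]$Port = 443)

$policyErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    # Record what Windows would object to, but let the handshake finish so the cert can be inspected.
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # The name passed here is what the SSTP client compares against CN/SAN; it must be the dialed name.
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "Negotiated : {0}, {1} {2}-bit" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength
    "Subject    : " + $cert.Subject
    "Issuer     : " + $cert.Issuer
    "Valid      : {0:u} to {1:u}" -f $cert.NotBefore, $cert.NotAfter
    $nameBad  = $policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainBad = $policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    "Name check : " + $(if ($nameBad)  { "FAIL (CN/SAN does not cover $Server)" } else { "ok" })
    "Chain check: " + $(if ($chainBad) { "FAIL (issuer not trusted on this client)" } else { "ok" })

    # CRL distribution points (OID 2.5.29.31): the SSTP client fetches these over plain HTTP.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
    if ($cdp) { "CRL points : " + $cdp.Format($false) } else { "CRL points : none in certificate" }

    # Rebuild the chain with revocation checking forced on, as the VPN client does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if ($chain.Build($cert)) {
        "Revocation : ok ({0} certificates in chain, CRLs fetched)" -f $chain.ChainElements.Count
    } else {
        $chain.ChainStatus | ForEach-Object { "Revocation : FAIL {0} {1}" -f $_.Status, $_.StatusInformation.Trim() }
    }
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Run it from outside the office network, since that is where the NAT rule, the CRL reachability and the client's trust store all get exercised together. On Windows 8 and later the connection itself can also be created without the GUI using Add-VpnConnection with -TunnelType Sstp; on Vista and 7 stick with the connection wizard described above.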
Now, I wrote most of this from memory, so if you get hung up on a step, hit me up in the comments so I can better explain it or update the post. Good luck, and happy remoting!
