I was given the task at my company to come up with a reliable and, most importantly, secure VPN solution that didn’t require the use of third-party agents. Currently they have a couple of VPN solutions in place: the somewhat secure PPTP VPN, and the more secure Cisco VPN with IPsec. We needed something with the same ease of use as PPTP, but with the reliable security of IPsec.
Enter SSTP, or Secure Socket Tunneling Protocol. It is one of the “new hotness” VPN technologies from Microsoft. Actually, the newest hotness is DirectAccess, but unless you are willing to start setting up for IPv6, you might want to go with the next best thing: SSTP. SSTP has all the ease of setup that PPTP does, but with the warm blanket of security that SSL provides.
According to Wikipedia, SSTP is:
…a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.
What you will need:
- SSL Certificate (Free SSL Cert from StartSSL FTW!)
- Windows 2008 Server
- IIS Services (For SSL Certificate Request/Install)
- Firewall NAT rule opening up port 443 to your VPN server
- Client running Windows Vista SP1 or later
Install IIS and the SSL certificate:
- In Server Manager, go to Roles Summary and click Add Roles
- Click Web Server (IIS) and click Next twice
- On the Role Services page, select all of the Security options, click Next, then Install, then Finish
- Follow these instructions for generating a certificate request: (SSL CSR)
- Once you have your valid cert from a trusted CA, follow their instructions for installing their certificate in IIS. Here is a link to GoDaddy’s instructions: (GoDaddy SSL Install for IIS7)
Install and configure Routing and Remote Access:
- In Server Manager, go to Roles Summary and click Add Roles
- Click Network Policy and Access Services, then click Next twice
- Select Routing and Remote Access Services, then click Next, then Install, then Finish
- Open Routing and Remote Access (Administrative Tools > Routing and Remote Access)
- Right-click your computer name and select Configure and Enable Routing and Remote Access
- Click Next, select Custom Configuration (required if the server has only one NIC), and click Next
- Select all options and click Next
- Click Finish
- Expand IPv4, then right-click DHCP Relay Agent and enter the IP address of your DHCP server
- Right-click your server name and click Properties
- Select the option for Local Area Network Routing Only
- Open up TCP 443 on your firewall and create a NAT rule to your server (Use Google for your particular firewall).
- Right-click your server name and select Properties
- Click the IPv4 tab
- Select the Static address pool radio button
- Enter an unused IP address range for your network
- Click OK, then Apply
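Once the certificate is installed and RRAS is configured, the two things that most often go wrong are the certificate itself (no private key, wrong name, or a CRL the client cannot reach) and the certificate that SSTP actually binds to port 443 not being the one you installed. The following PowerShell script is an added verification example, not part of the original post or of any Microsoft tooling; it assumes PowerShell 2.0 on the RRAS server, an elevated prompt, and that the placeholder `$VpnHostName` is replaced with the public DNS name your clients will use. It checks the certificate in the computer store, builds its chain with online revocation checking (the same check SSTP clients perform by default), compares its thumbprint against the hash SstpSvc stores in the registry and against the HTTP.sys binding on 0.0.0.0:443, confirms the services are running, and flags weak PPP authentication types (PAP and CHAP) that would undermine the SSL tunnel.

```powershell
# Post-setup verification for an SSTP VPN server (added example, not from the original post).
# Assumptions: Windows Server 2008/2008 R2, PowerShell 2.0, run as administrator.
$VpnHostName = "vpn.example.com"   # placeholder: the public name clients connect to

function Get-HexString([byte[]] $bytes) {
    # SstpSvc stores the bound certificate hash as REG_BINARY; render it the same
    # way X509Certificate2.Thumbprint does (uppercase hex, no separators).
    if ($bytes -eq $null) { return "" }
    ($bytes | ForEach-Object { $_.ToString("X2") }) -join ""
}

function Test-CertificateName([System.Security.Cryptography.X509Certificates.X509Certificate2] $c, [string] $name) {
    # Match on the CN or on a DNS entry in the Subject Alternative Name extension.
    if ($c.Subject -match ("CN=" + [regex]::Escape($name) + "(,|$)")) { return $true }
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san -ne $null -and $san.Format($false) -match ("DNS Name=" + [regex]::Escape($name))) { return $true }
    return $false
}

# 1. Locate a usable server certificate for the VPN name in the computer store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-CertificateName $_ $VpnHostName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert -eq $null) { Write-Warning "No certificate with a private key for $VpnHostName in LocalMachine\My"; return }
Write-Host ("Certificate: {0}  expires {1}  thumbprint {2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires within 30 days" }

# 2. Build the chain with online revocation checking, as SSTP clients do by default.
#    A failure here usually means the CRL/AIA URLs in the certificate are not reachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain problem: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim()) }
} else {
    Write-Host "Chain builds to a trusted root and revocation servers are reachable"
}

# 3. Compare the store certificate with the hash SstpSvc has recorded.
$params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters" -ErrorAction SilentlyContinue
$boundSha1 = Get-HexString $params.SHA1CertificateHash
if ($boundSha1 -eq "") {
    Write-Warning "SstpSvc has no SHA1CertificateHash yet (has RRAS been started since the certificate was installed?)"
} elseif ($boundSha1 -ne $cert.Thumbprint) {
    Write-Warning "SstpSvc is bound to $boundSha1, not to the certificate found above"
} else {
    Write-Host "SstpSvc certificate hash matches the store certificate"
}

# 4. Confirm HTTP.sys is serving that certificate on port 443 and the port is listening.
$sslBinding = netsh http show sslcert ipport=0.0.0.0:443 | Out-String
if ($sslBinding -notmatch $cert.Thumbprint) { Write-Warning "HTTP.sys binding on 0.0.0.0:443 does not use this certificate" }
if (-not ((netstat -an | Out-String) -match ":443\s+\S+\s+LISTENING")) { Write-Warning "Nothing is listening on TCP 443" }

# 5. Services that must be running for SSTP connections to succeed.
foreach ($svc in Get-Service RemoteAccess, SstpSvc) {
    if ($svc.Status -ne "Running") { Write-Warning ("Service {0} is {1}" -f $svc.Name, $svc.Status) }
}

# 6. PAP sends the password in clear and CHAP needs reversibly encrypted passwords;
#    neither should be enabled when MS-CHAPv2 or EAP is available.
$authTypes = netsh ras show authtype | Out-String
if ($authTypes -match "\bPAP\b")  { Write-Warning "PAP is enabled; disable it with: netsh ras delete authtype type=PAP" }
if ($authTypes -match "\bCHAP\b") { Write-Warning "CHAP is enabled; disable it with: netsh ras delete authtype type=CHAP" }
```

Run it from an elevated PowerShell prompt after the RRAS service has been restarted at least once with the certificate in place, since SstpSvc records the hash at start-up. The static address pool entered in the last step should not overlap your DHCP scope; the DHCP relay agent only forwards client option requests, it does not coordinate addresses with the pool.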