Monday, April 06, 2009


Instructions how to enable SSTP VPN server in Windows 2008 simplified


In this brief 10-minute procedure you'll learn how to create a VPN connection using SSTP (an SSL tunnel) to your work/home location from anywhere HTTPS is allowed.


This guide assumes you don't want to use your VPN server as an Internet router and that some other device does the routing. The steps below will let you VPN into your remote location and route everything (including Internet traffic) through that VPN connection.

Differences from other guides on the Internet:


  • No domain controller or certificate services needed for this to work
  • No need for 2 network adapters on your server
  • No need to publish an SSL CRL (certificate revocation list)

What is needed:


  • Server SSL certificate (self-signed)
  • Windows 2008 on your local network (single NIC)
  • Vista SP1 or later

Steps:  


  1. Create a self-signed certificate and import it into the certificate store on client and server

    • Create a self-signed certificate with the domain name you'll be using for your VPN server. I used this excellent utility (http://www.pluralsight.com/community/blogs/keith/archive/2009/01/22/create-self-signed-x-509-certificates-in-a-flash-with-self-cert.aspx). Put the external name you'll be using for your VPN server (like sstp.mydomain.com) as the CN, and choose to export as a PFX file. This creates a PFX file with your certificate at the designated location. In the steps below it is imported into client and server as a Trusted CA.

      • Import the certificate on the client computer by following these steps: launch MMC and choose Add Snap-in, choose "Certificates", on the next screen choose "Local Computer", then choose "Trusted Root Certification Authorities" and import your certificate into that store.
      • Import the certificate on the server computer exactly the same way it was done on the client.
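The import in step 1 done from PowerShell, as an added example that is not code from this post or from the self-cert utility. It differs from the post in one security-relevant detail: the PFX with the private key is imported only on the VPN server, into the Local Computer Personal store (the store RRAS selects the SSTP listener certificate from) and, as public certificate only, into Trusted Root; clients receive just the exported .cer for their Trusted Root store, so the key that can impersonate the VPN server never leaves the server. The file paths, the PFX password and the host name sstp.mydomain.com (the post's example CN) are assumptions. Uses only the .NET X509 classes that already ship with Windows 2008 / Vista; run from an elevated prompt.

```powershell
# Added example, not code from the post. Assumed values below.
$VpnHostName = 'sstp.mydomain.com'          # must equal the CN chosen in step 1
$PfxPath     = 'C:\certs\sstp-server.pfx'   # assumed: PFX written by the self-cert tool
$PfxPassword = 'CHANGE-ME'                  # assumed: password given when exporting the PFX
$CerPath     = 'C:\certs\sstp-server.cer'   # assumed: public certificate handed to clients

function Add-CertToMachineStore {
    param($Cert, [string]$StoreName)   # 'My' = Personal, 'Root' = Trusted Root Certification Authorities
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
        -ArgumentList ([System.Security.Cryptography.X509Certificates.StoreName]$StoreName),
                      ([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($Cert) }      # no-op if the same thumbprint is already in the store
    finally { $store.Close() }
}

function Assert-CertMatchesHost {
    param($Cert, [string]$HostName)
    # The SSTP client compares the certificate name with the host it dials; catch a
    # mismatch (or an expired certificate) here rather than at the first failed dial.
    $dns = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dns -ne $HostName)          { throw "Certificate is for '$dns' but clients will dial '$HostName'" }
    if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($Cert.NotAfter)" }
}

function Install-SstpServerCert {
    # MachineKeySet: the private key goes into the machine key container so the RRAS
    # service can use it, not only the admin who ran this. PersistKeySet: keep the key.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $PfxPassword, $flags
    if (-not $cert.HasPrivateKey) { throw 'PFX carries no private key; the server cannot terminate TLS with it' }
    Assert-CertMatchesHost $cert $VpnHostName
    Add-CertToMachineStore $cert 'My'           # Personal store: where RRAS picks the SSTP certificate

    # Export the public part only (no key): Trusted Root on the server, and the .cer for clients.
    $publicBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($CerPath, $publicBytes)
    $publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    Add-CertToMachineStore $publicCert 'Root'
    return $cert.Thumbprint
}

function Install-SstpClientTrust {
    # Clients only ever get the .cer. A client that trusts a root whose private key is
    # also on the client could be impersonated by anyone who copies that key.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    if ($cert.HasPrivateKey) { throw 'Refusing to put a private key into Trusted Root on a client' }
    Assert-CertMatchesHost $cert $VpnHostName
    Add-CertToMachineStore $cert 'Root'
    return $cert.Thumbprint
}

# Usage: run Install-SstpServerCert on the VPN server, copy $CerPath to each client,
# then run Install-SstpClientTrust there. Both return the thumbprint for your notes.
```

Each function returns the thumbprint so you can confirm, in the Certificates MMC, that client and server hold the same certificate before touching RRAS.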

  2. Enable the RRAS role on Windows 2008 and configure SSTP.

    • Install the RRAS service on your server

      • Add the Server Role called "Network Policy and Access Services". Choose only "Remote Access Service", since we don't need routing. Go through the installation process.
      • Once the server is set up, launch the Routing and Remote Access MMC and choose "Configure Routing and Remote Access server".
      • Choose "Custom Configuration" and then "VPN access".
      • For your user, go to the user's property pages. Choose the "Dial-in" tab and choose "Allow access" under "Network Access Permission".

    • Configure your external router to port-forward TCP 443 to the internal IP of your VPN server.

  3. Configure your Vista VPN client.

    • Go to Network and Sharing Center / Set up a connection or network / Connect to a workplace. Choose "Use Internet Connection", enter the hostname for the connection and go through the rest of the steps. Use "Skip", since the connection will probably fail until it is configured to use SSTP. Once the connection is created, go to the connection's Properties / Networking, choose SSTP as the type of VPN, and uncheck IPv6 since you don't need it at this point.
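A pre-flight check and the client setup of step 3 from PowerShell, as an added example that is not code from this post. Before dialling, it opens a TLS session to the VPN host on port 443 the way an SSTP client would and lets Windows validate the certificate against the Trusted Root store from step 1, which tells you separately whether the router forward from step 2 works (TCP connect fails) or the certificate is not trusted or named wrongly (AuthenticateAsClient fails). It then creates the SSTP connection with Add-VpnConnection, which exists from Windows 8 / Server 2012 on; on Vista the post's GUI steps do the same. The host name sstp.mydomain.com, the connection name and the user name are assumptions.

```powershell
# Added example, not code from the post. Assumed values: host name, connection name, user name.

function Test-SstpEndpoint {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)       # throws here if the router is not forwarding TCP 443 (step 2)
    try {
        # No custom validation callback on purpose: the default chain check must pass against
        # the Trusted Root store and the name must match $HostName, exactly as SSTP requires.
        # The single-argument overload does not check revocation, consistent with not publishing a CRL.
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false
        $ssl.AuthenticateAsClient($HostName)   # AuthenticationException => untrusted cert or name mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint   # compare with the thumbprint imported in step 1
            Expires    = $cert.NotAfter
            Protocol   = $ssl.SslProtocol
        }
    } finally {
        $tcp.Close()
    }
}

function New-SstpConnection {
    param([string]$Name, [string]$HostName)
    # Without -SplitTunneling the remote network becomes the default gateway, so all traffic,
    # Internet included, goes through the tunnel, which is what the post sets out to do.
    # The IPv6 checkbox from the GUI steps is not exposed by this cmdlet.
    Add-VpnConnection -Name $Name -ServerAddress $HostName -TunnelType Sstp `
        -EncryptionLevel Required -AuthenticationMethod MSChapv2 -RememberCredential -Force
}

# Usage (assumed values):
Test-SstpEndpoint -HostName 'sstp.mydomain.com' | Format-List
New-SstpConnection -Name 'Home-SSTP' -HostName 'sstp.mydomain.com'
rasdial 'Home-SSTP' vpnuser *    # vpnuser = the account given "Allow access" in step 2; * prompts for the password
```

Run Test-SstpEndpoint from outside your network (or through a mobile connection) so it exercises the router's port forward rather than the internal address.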

 

At this point you should be able to VPN into your remote home/office.

 
