
How to set up an SSTP VPN to secure your enterprise network Page 1 of 3

SearchEnterpriseWAN.com
How to set up an SSTP VPN to secure your enterprise network
Learn how to set up an SSTP VPN connection in order to secure the remote users on your enterprise wide
area network (WAN). The instructions below explain step by step what is required to create and configure an
SSTP VPN.

For many years now, Layer Two Tunneling Protocol (L2TP) has been the tunneling protocol of choice for
most Windows-Server-based virtual private networks (VPNs). However, in Windows Server 2008, Microsoft
began providing another tunneling protocol option called Secure Socket Tunneling Protocol, or SSTP as it
has come to be known.

The basic idea behind the SSTP protocol is that it is based on Secure Sockets Layer (SSL) encryption. Since
nearly every firewall allows SSL traffic through Port 443, SSTP isn't as prone to some of the firewall issues
experienced with other types of VPNs. (For more background, read this brief history of VPNs.) Furthermore,
because the protocol uses SSL, traffic is encrypted and checked for integrity. Other reasons why SSL VPNs are
favored over traditional VPNs are described in this article on Web SSL VPN advantages.

Believe it or not, the procedure for setting up an SSTP VPN is pretty simple. The key to making it work is to
have all of the necessary elements in place before you begin the configuration process.

Resources on SSTP VPNs

Windows Server 2008 and its Secure Socket Tunneling Protocol (SSTP).
SSL VPN vs. SSTP VPN: Is there a difference?
Read this Web SSL VPN introduction.
Learn how to configure a Vista VPN connection to use SSL.
Fix your Windows 2008 SSTP VPN trouble.
Understand how to authorize VPN traffic for RADIUS authentication Windows 2008.

Prerequisites before you set up an SSTP VPN

What you first need is a server that can act as the VPN server. This server can run on physical or virtual
hardware. Second, the server must be running Windows Server 2008 or Windows Server 2008 R2. Additionally,
the server requires at least two network interface cards (NICs). It is technically possible to complete the
configuration using a single NIC, but doing so decreases security considerably.

Next, you'll need an SSL certificate for your VPN server. This certificate needs to be properly configured
with your VPN server's fully qualified domain name. If your external domain is different than your internal
domain, be sure your certificate is based on the external domain name.

Another key to making the certificate work is that it must be trusted by the client computers that will connect
to your VPN. Although it is possible to use the Windows Certificate Services to generate a certificate in-
house, those certificates are not automatically trusted by the client computers. Therefore, I would advise you
to use a certificate from a well-known commercial certificate authority. Otherwise, you'll have to configure
each client computer to trust the certificate that you have created in-house. This may not be a problem for
company-owned laptops, but if users connect to the VPN from home machines or from public kiosks, then
the certificate trust issue will present a problem.

Once you have acquired the necessary certificate, you will have to install it on your server. The method for
doing so may differ slightly depending on where you got the certificate. I recommend following the
provider's instructions for installing the certificate onto your server.
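
Once the certificate is installed, the prerequisites above (name based on the external FQDN, a trust chain that
clients can follow) can be checked from PowerShell on the VPN server. This is an added example, not part of the
original article; it assumes PowerShell 2.0 or later, the placeholder name vpn.example.com, and a hypothetical
helper called Test-SstpCertificate.

```powershell
# Added example (not from the article): audit certificates in the machine store
# for use with SSTP. 'vpn.example.com' is a placeholder for your external FQDN.
param([string]$ExternalFqdn = 'vpn.example.com')

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

function Test-SstpCertificate {          # hypothetical helper name
    param($Cert, [string]$Fqdn)

    # Names the certificate asserts: subject CN plus subjectAltName entries.
    # Exact match only; a wildcard certificate will report NameMatches = False.
    $cn      = $Cert.GetNameInfo('SimpleName', $false)
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $pattern = '=' + [regex]::Escape($Fqdn) + '(,|\s|$)'
    $nameOk  = ($cn -eq $Fqdn) -or ($sanText -match $pattern)

    # If an EKU extension is present it must include Server Authentication.
    $eku   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOk = (-not $eku) -or
             (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }).Count -gt 0)

    # Build the chain against THIS server's trust stores. Remote clients must
    # trust the same root, so the root subject is reported for comparison.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only, no CRL fetch
    $chainOk = $chain.Build($Cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $now = Get-Date
    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        NameMatches   = $nameOk
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = $ekuOk
        InValidity    = ($now -ge $Cert.NotBefore) -and ($now -le $Cert.NotAfter)
        ChainBuilds   = $chainOk
        RootSubject   = $root.Subject
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-SstpCertificate -Cert $_ -Fqdn $ExternalFqdn } |
    Format-List
```

A certificate issued by an in-house certificate authority can report ChainBuilds as True here and still be
rejected by home machines, because the check only reflects the server's own trusted roots; compare RootSubject
with what the client computers trust.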

Configuring the SSTP VPN

http://searchenterprisewan.techtarget.com/tip/How-to-set-up-an-SSTP-VPN-to-secure-your-enter... 12/18/2010

As I said earlier, configuring the VPN is pretty simple once you have all of the necessary components in
place.

1. Begin by opening Server Manager on your VPN server, and click the Add Roles link found in the
Roles Summary section.

2. Next, click on the Network Policy and Access Services option.

3. Click Next twice and you will be prompted to select the role services that you want to use with the
Network Policy Server.

4. Select the Routing and Remote Access Services option and click Next.

5. You should now see a screen displaying a summary of the options that you have chosen. Assuming that
everything looks good, click the Install button.

6. When the installation process completes, click the Close button.

7. Now, close the Server Manager and open the Routing and Remote Access console, which you can
find on the Administrative Tools menu.

8. When the console opens, right-click on the listing for your server, and then select the Configure and
Enable Routing and Remote Access option from the shortcut menu.

9. At this point, Windows will launch the Routing and Remote Access Setup wizard. Click Next to
bypass the wizard's Welcome screen, and you will see a screen asking what type of configuration you
would like to perform.

10. Choose the Remote Access (dial up or VPN) option, and click Next.

11. Then choose the VPN option, and click Next.

12. You will now be prompted to select the network adapter that connects the server to the Internet. After
making your selection, click Next.

13. Depending on how many network adapters are installed in the server, you may now see a screen asking
you to select the network adapter that should be used by VPN clients. After making your selection,
click Next.

14. At this point, you should see a screen asking how you want to make IP address assignments to remote
clients. Assuming that you have a DHCP server on your network, choose the Automatically option.

If you do not have a DHCP server, then you can configure the Network Policy Server to act as a DHCP
server by selecting the From a Specified Address Range option. After making your selection, click
Next.

15. You should now see a prompt asking if you want to use a RADIUS server for authentication. Make
your selection, and click Next, followed by Finish.

16. Now that you have completed the wizard, you must tell the server how to handle IP address leases for
the VPN clients. To do so, navigate through the console tree to [your server] | IPv4 | DHCP Relay
Agent. Now, right-click on the DHCP Relay Agent option and select the Properties command from
the shortcut menu. Use the resulting properties sheet to enter the address for your DHCP server.

If you do not have a DHCP server, it is possible to configure the Routing and Remote Access Service
to allocate IP addresses as an alternative to using DHCP (if you have not already done so). To do that,
right-click on your server name, and select the Properties command from the resulting shortcut menu.
When the server's properties sheet appears, go to the IPv4 tab and use the Static Address Pool option
to allocate a pool of IP addresses to the VPN.

17. After you have configured the DHCP server options, you will have to configure the VPN to use the
SSTP protocol. To do so, go back to the console tree and right-click on the listing for your server, and
choose the Properties command from the shortcut menu.

18. When Windows displays the server's properties sheet, go to the Security tab, and select the Use HTTP
check box. You must also select the appropriate certificate from the Certificate drop-down list.

Final tips on how to set up an SSTP VPN connection

In this article, I have shown you how to create a simple SSTP VPN. Keep in mind, though, that the key to
making this SSTP VPN setup work is to configure your certificate correctly. Because certificates can be
expensive, you might consider initially setting up an enterprise certificate authority and generating
certificates in-house. This gives you a way of verifying the required certificate configuration before you
spend money on a commercial certificate.

About the author:


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows
2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once
in charge of IT security for Fort Knox. As a freelance technical writer, he has written for
Microsoft, CNET, TechTarget, ZDNet, MSD2D, Relevant Technologies and other technology
companies. You can visit Brien's personal website at www.brienposey.com.
13 Jul 2010

All Rights Reserved,Copyright 2009 - 2010, TechTarget | Read our Privacy Statement
