Tutorial: Setting up SSTP on Windows Server 2012
Tutorial: Setting up SSTP on Windows Server 2012 (part 1) – prereqs
In this tutorial I’ll write about how to setup SSTP on Windows Server 2012 in a limited lab environment. It’s not a tough job, although you need some basic RRAS, DNS and Certificate knowledge. Before we start the prereqs: In my lab I use a domain controller which also is my enterprise root CA. My RRAS server is also my Online Responder. I’m going to assume you already installed these roles.
First you need to determine a host record you wish to use for your setup. eg. sstp.mylab.com. If you run this (like me) in a home setup configure the record to your public IP address and forward port 443 to your RRAS server. I also forwarded port 444 to my RRAS server for the online responder service. Do not forget to open up the ports on your windows firewall. If you’re already lost at this point don’t bother reading any further.
Tutorial: Setting up SSTP on Windows Server 2012 (part 2) – Certificates
Part 2 of this tutorial coveres the certificates. We need 3 different types of certificates:
- A website certificate with common name sstp.mylab.com
- A copy of the Root CA certificate
- An Online Responder Signing certificate
Now before we begin requesting the different certs we first need to modify the config of our Certificate Authority. You need to open up the Certificate Authority console and open the properties of the server.
Then select the Extensions tab and in the Select Extension dropdown select AIA. Add the external address of the responder service. In this example eg. https://sstp.mylab.com:444/ocsp – I use port 444 cause we’re going to use 443 for our SSTP connections and I have only 1 public IP available. Make sure you check the Include checkbox else the AIA info will not be available on your certs.
Since we’re in the CA console we’re going to setup the Online Responder template as well. Rightclick Certificate Templates and click manage. Make a Duplicate of the OSCP Signing Template. On the security tab assign the machine account of the Online Responder server the read and enroll permission. Now click OK to save your template and close the templates console.
Back in the CA console rightclick Certificate Templates > New > Certificate Template to issue and select your OSCP Response Signing duplicate.
Now the easy part is the website certificate. I covered requesting certificates a lot on my blog. But since we have the online responder role installed (and therefore also IIS, just use IIS to create a domain based certificate).
- Open up IIS
- Click your server
- Double-Click Server Certificates
- Select Create domain certificate
- Common name: sstp.mylab.com
- Fill in the rest
- Select an online CA. If your CA is up and running you can request the certificate there.
- That’s that for the webserver cert.
Now when you click your cert and select view you can browse the certificate chain to save a copy of the root ca cert. In the view of your certificate you should also see the AIA information. It’s good habit to export your cert to a .pfx file which contains your private key and public key. Export the cert without private key as well, in a test later on we need it to test our Online Responder.
So job done. 1 webserver cert, 1 root ca cert and the template is ready! Let’s proceed with part 3.
Tutorial: Setting up SSTP on Windows Server 2012 (part 3) – The Online Responder
So now the fun part. Setting up your Online Responder. Fire up the Online Responder console. I did not change the Online Responder properties but went straight away to Revocation Configuration where you can add a configuration.
- Next in the welcome screen
- Give it a name > next
- Now I chose select cert from an Enterprise CA (cause mine is one, but you can chose different if you like 😉 )
- Browse for the CA, if setup correct it will find it.
- Now I chose to Automatically Select the Signing Certificate and also chose to auto-enroll. When you setup your OCSP Signing Certificate Template like you should the template should be visible.
At the end of your wizard you should get an OK
Now the last part is to setup IIS. When you have installed the Online Responder a virtual directory should exist under the default website /ocsp. The folder is empty and browsing it will result in a HTTP500, so don’t bother. Click the bindings of your default website. Add https on port 444 and remove the other bindings. If you’re using your default website for other purposes find a way around them, or move the OSCP virt.dir. (don’t know how – but it should be possible). Your seeing the internal IP address of my machine here, cause I use NAT to translate.
Now how to check if your online responder is functioning. Open an Administrative Command Prompt. If you exported your certificate to a .cer file (like I mentioned in part 2) you can type in the following command: certutil -url CertFile.cer
The URL retrieval tool will open. Select OCSP (from AIA) and click retrieve. When you get a verified your setup is working.
Tutorial: Setting up SSTP on Windows Server 2012 (part 4) – Routing and Remote Access
Ok, were finishing up. We got a working CA. The necessary certs. A working Online Responder. Now to setup Routing and Remote Access. Open up the RRAS console. Right-click the server and select configure and enable Routing and Remote Access.
- Select Remote Acces
- Check VPN
- Select your NIC – Disable the Enable Security checkbox
- I had some issues with DHCP so I just chose a range
- I chose not to use Radius
Your RRAS service will now start. Now first thing to do is clean up a little. Clean op all the L2TP, IKE and PPTP ports if you don’t want to use them. Limit the number of SSTP ports.
Now open the properties of your server. On the security tab you need to bind your certificate. Certificates that are visible in this section are bound to the personal certificate store of the machine account. So if you don’t see your certificate you know what to do.
Next you need to launch NPS
I already created a group called VPN users and added my account. In NPS we need to authorize that group.
Right-click Network Policies and select New Policy
- Type in a name – select Remote Access Server
- Click Add and Click Windows groups, Click Add
- Click Add Groups and type in the name of the group, click next
- Select Access Granted > Next
- Only Select MS-CHAPv2 > Next
- You can configure some timeouts if you require. Click next
- Some other options > next
- And finally finish to save your Network Access Policy
So if all is well then you should have a working RRAS Setup now.
Tutorial: Setting up SSTP on Windows Server 2012 (part 5) – The VPN client
I’m not going to dedicate much time writing how to configure a VPN connection. But to make sure you don’t forget, your machine needs to trust your root certificate authority. So if you use a self signed cert like me make sure to fire up an mmc. Add the certificates snap-in for the computer account and import your root ca cert.
When configuring your vpn connection type in the common name of your cert (sstp.mylab.com). In the properties of the connection on the security tab you can select SSTP.
Enjoy configuring RRAS with an Online Responder.
Thanks a lot, worked 100%
Everything worked up until I got to testing the url for the ocsp with certutil; I get win32: 1460 ERROR_TIMEOUT. Any ideas? Thanks for the rest of this guide, SSTP is complicated to do right!
Nevermind, figured it out was missing the s in https, you can delete my posts. Thanks!