Using Secure Socket Tunneling Protocol (SSTP) from Windows VPN client

By now, you are probably aware of this new VPN tunneling protocol, which can work across NAT, web proxies and firewalls. If you are familiar with the Windows Vista way of configuring and using VPN, go to the connection "Properties" page and change the "Type of VPN" to "Secure Socket Tunneling Protocol (SSTP)" instead of the default "Automatic".

If you are not so familiar with the connection configuration steps, here they are.

  1. Open the Control Panel by clicking Start->Control Panel
  2. Select Network and Internet
  3. Click on "Network and Sharing Center"
  4. On the Tasks pane (on the left-hand side), select Set up a connection or network.
  5. From the resulting set of options, select "Connect to a Work place network". This option will bring up a wizard for configuring the VPN with the default settings.
  6. Configure the VPN server information, user-name, password as required by the wizard.
  7. Once the basic VPN configuration is done, in the "Network and Sharing Center", select the task "Manage Network Connections". This will open the "Network Connections" page.
  8. Here, right-click on the VPN connection and select "Properties". This will open the connection properties page.
  9. Select the "Networking" page.
  10. In the "Type of VPN" drop-down box, select "Secure Socket Tunneling Protocol (SSTP)" as the tunnel type instead of the default "Automatic" tunnel type selection. Click the OK button on the property page to save the change.

This is a one-time operation and subsequently, when the connection is used to connect, the SSTP protocol will be used.

Since SSTP is based on SSL, the VPN server (configured with SSTP) will provide a certificate for the client to trust. You might want to configure the trusted root certificate so that the server's certificate is trusted by the client. SSTP requires the trusted root certificate to be present in the Machine Certificate Store. For domain-joined machines, where the server certificate is from the same domain as the client itself, this certificate is most likely to be there by default.
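
One way to check the certificate requirement described above from PowerShell. This is an added example, not part of the original post; the function name `Test-SstpRootTrust` and the certificate file path are hypothetical, and it assumes you have exported the issuing root CA certificate to a .cer file.

```powershell
# Added example, not from the original post. Function name and path are hypothetical.
function Test-SstpRootTrust {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RootCertPath   # root CA certificate exported as a .cer file
    )

    # Load the exported root CA certificate from disk.
    $fullPath = (Resolve-Path -LiteralPath $RootCertPath).Path
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath

    # Compare thumbprints against both Trusted Root stores.
    $match = { $_.Thumbprint -eq $root.Thumbprint }
    $inMachine = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object $match).Count -gt 0
    $inUser    = @(Get-ChildItem Cert:\CurrentUser\Root  | Where-Object $match).Count -gt 0

    # The per-user view also lists machine-wide roots, so the only case that
    # signals a problem is "visible to the user but absent from the machine store".
    if ($inMachine) {
        $status = 'OK: root is in the Machine Certificate Store'
    } elseif ($inUser) {
        $status = 'FAIL: root is only in the current user store; import it into Local Machine'
    } else {
        $status = 'FAIL: root is not trusted on this machine'
    }

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject        = $root.Subject
        Thumbprint     = $root.Thumbprint
        # Heuristic: a root CA certificate is self-issued (subject equals issuer).
        IsSelfIssued   = ($root.Subject -eq $root.Issuer)
        # An expired or not-yet-valid root fails validation even when present.
        InValidity     = ($now -ge $root.NotBefore -and $now -le $root.NotAfter)
        InMachineStore = $inMachine
        Status         = $status
    }
}

# Usage (constructed path): Test-SstpRootTrust -RootCertPath 'C:\temp\corp-root-ca.cer'
```

A root that was imported by double-clicking the .cer file as a regular user typically lands in the current user store, which is the case the second branch reports.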

As mentioned in this space earlier, this new VPN tunnel type is being added for Vista SP1 and Longhorn Server. If you are interested in the Longhorn Server beta program, do let us know at rrasblog@microsoft.com. We would love to have you try out this new VPN technology and give us feedback.

Keep a watch on this blog space for more information about this new VPN protocol.

Kadirvel C. Vanniarajan

Software Design Engineer

RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]