SSTP FAQ – Part 2: Client Specific


In this FAQ, I will cover client specific queries of SSTP 

1)  How to enable SSTP based VPN connection on the client side? 

SSTP based -connection can be enabled on native RAS client UI (i.e. inside “network and sharing center”). For further details, refer to

Connection manager administration kit (CMAK) is enhanced to support SSTP and hence CM profile can be used to establish SSTP based VPN connection. 

2)   How does Automatic VPN Tunnel type WORKS with SSTP?

On the client side, if the VPN tunnel type is selected as “Automatic”, then the order is PPTP->L2TP->SSTP. i.e. try PPTP first, if that fails try L2TP, if that fails try SSTP.

Note: The tunnel type which the client is able to successfully connect will be used for next reconnection and the automatic -tunnel selection logic is not retried till it fails. For example, first connection will be tried with PPTP->L2TP->SSTP and say SSTP is successful. On next re-connection, the client will retry SSTP first and if that fails then tries PPTP followed by L2TP.

3)    What kind of NAT, Web proxy and firewall traversal is supported by SSTP client?

Outgoing SSTP connection can pass through any kind of NAT and firewalls – as long as TCP port 443 is allowed (which is normally the case).

If the VPN client is behind a web proxy, then outgoing SSTP connection can go through in normal web proxy. SSTP does not support “authenticated” web proxies (i.e. proxies which require some form of authentication during HTTP CONNECT request).

4)     How to block SSTP based VPN connections to traverse out of corporate network?

For any reason, if the network administrator wants to block all outgoing SSTP based VPN connection, then it can be done at the web proxy level. If there is a web proxy (i.e. forward proxy) deployed inside the corporate network which can do filtering of different attributes inside HTTP CONNECT header, then SSTP based connections can be blocked as it adds a fixed field (SSTP_VERSION: *) inside the HTTP CONNECT header.

5)     How to set proxy address in SSTP client?

SSTP client picks up the web proxy settings of current user’s context from Internet explorer. 

6)   Is WinLogon using SSTP based VPN connection is supported? If yes, how is it enabled?

Yes – Winlogon over SSTP based VPN connection is supported. The VPN connection should be created for “all users”. 

Additionally if the VPN connection goes through a web proxy, then the web proxy settings need to be picked up from the system store. This is because in case of Winlogon – the user establishes the VPN connection first and then logs on. The web proxy settings can be configured inside the system store using   “netsh winhttp set proxy” command 

7) What is the authentication protocol used by SSTP? Is it done at HTTPS layer or PPP layer?

Client is not authenticated to server at the HTTPS layer. SSTP client is authenticated to server at the PPP layer. So various  PPP authentication algorithm (like MSCHAPv2, EAP-MSCHAPv2, EAP-Smart-card, PEAP) can be used with SSTP. For further details, refer to

8) Is the encryption done at MPPE layer or at HTTPS layer?

MPPE encryption at PPP layer is turned off when tunnel is SSTP (this is similar to L2TP/IPSec scenario). The encryption (or data confidentiality) is achieved at the SSL layer.

 9) Which OS release will support SSTP?

SSTP client will be supported on Vista SP1 and Longhorn server (i.e. Windows server 2008). SSTP server will be supported on Longhorn server via RRAS and Vista SP1 via VPN "incoming connections".

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments (11)
  1. Anonymous says:

    Microsoft is working on a remote access tunneling protocol for Vista and Longhorn Server that lets client

  2. rrasblog says:

    Yes SSTP will provide full network access. Application  specific access can be enabled by enforcing tight filtering on the server side

  3. Anonymous says:

    Microsoft se encuentra trabajando en una nueva tecnología destinada al acceso remoto mediante VPN seguras.

  4. Anonymous says:

    free myspace music video codes for

  5. Anonymous says:

    Now that TMG Beta 3 is released you can enjoy the best of both words for VPN access. In the past I was

  6. rrasblog says:

    Q: Once the SSTP connection is up, is there a new network interface with an IP assigned by the remote server ?

    A: Yes – same like PPTP or L2TP

  7. rrasblog says:

    Yes SSTP will provide full network access.

  8. rrasblog says:

    Q: Will Microsoft put this feature(SSTP client) on Windows XP also ?

    A: Currently SSTP client is only suppor on Vista SP1 and the client plans on XP are being investigated. Stay tuned for more updates

  9. zher says:

    Does SSTP provide full access to the network? In other words, does it work for only limited applications?


  10. Mike Tseng says:

    Once the SSTP connection is up, is there a new network interface with an IP assigned by the remote server ?

  11. tp says:

    Will Microsoft put this feature(SSTP client) on Windows XP also ?

Comments are closed.

Skip to main content