SSTP FAQ - Part 2: Client Specific

In this FAQ, I will cover client-specific questions about SSTP.

1) How to enable an SSTP-based VPN connection on the client side?

An SSTP-based connection can be enabled in the native RAS client UI (i.e. inside “Network and Sharing Center”). For further details, refer to https://blogs.technet.com/rrasblog/archive/2007/01/16/using-secure-socket-tunneling-protocol-sstp-for-vpn.aspx

The Connection Manager Administration Kit (CMAK) is enhanced to support SSTP, so a CM profile can be used to establish an SSTP-based VPN connection.

2) How does the Automatic VPN tunnel type work with SSTP?

On the client side, if the VPN tunnel type is selected as “Automatic”, the order is PPTP->L2TP->SSTP, i.e. try PPTP first; if that fails, try L2TP; if that fails, try SSTP.

Note: The tunnel type with which the client successfully connects will be used for the next reconnection, and the automatic tunnel selection logic is not retried until it fails. For example, the first connection is tried with PPTP->L2TP->SSTP and, say, SSTP is successful. On the next reconnection, the client will retry SSTP first and, if that fails, try PPTP followed by L2TP.

3) What kind of NAT, web proxy and firewall traversal is supported by the SSTP client?

An outgoing SSTP connection can pass through any kind of NAT and firewall, as long as TCP port 443 is allowed (which is normally the case).

If the VPN client is behind a web proxy, the outgoing SSTP connection can go through a normal web proxy. SSTP does not support “authenticated” web proxies (i.e. proxies which require some form of authentication during the HTTP CONNECT request).

4) How to block SSTP-based VPN connections from traversing out of the corporate network?

If, for any reason, the network administrator wants to block all outgoing SSTP-based VPN connections, this can be done at the web proxy level. If a web proxy (i.e. forward proxy) deployed inside the corporate network can filter on different attributes inside the HTTP CONNECT header, then SSTP-based connections can be blocked, because SSTP adds a fixed field (SSTP_VERSION: *) inside the HTTP CONNECT header.
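
The proxy-side filter described in this answer, as an added example that is not part of the original post or any Microsoft code: it parses a raw HTTP CONNECT request and denies it when the fixed field is present. The field name comes from the answer above; the hosts, the header value and the choice to ignore case and underscores when matching are assumptions.

```python
# Added example: CONNECT-header filter for a forward proxy (not from the post).
FIELD = "SSTP_VERSION"   # field name as given in the answer above

def norm(name):
    # Header names are case-insensitive; dropping "_" is an added assumption
    # so that a variant spelling of the same field is matched as well.
    return name.replace("_", "").lower()

def parse_connect(raw):
    """Parse a raw CONNECT request into (target, {normalised name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        raise ValueError("not a CONNECT request")
    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise ValueError("folded header line")
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers[norm(name)] = value.strip()
    return parts[1], headers

def decide(raw, field=FIELD):
    """Return (verdict, reason) for one CONNECT request seen by the proxy."""
    try:
        target, headers = parse_connect(raw)
    except ValueError as exc:
        return "deny", "malformed: %s" % exc   # fail closed, never guess
    if norm(field) in headers:
        return "deny", "SSTP tunnel to %s" % target
    return "allow", "CONNECT to %s" % target

# Constructed sample requests (hosts and header values are made up).
SAMPLES = {
    "browser": b"CONNECT www.example.com:443 HTTP/1.1\r\n"
               b"Host: www.example.com:443\r\n\r\n",
    "sstp":    b"CONNECT vpn.example.com:443 HTTP/1.1\r\n"
               b"Host: vpn.example.com:443\r\nsstp_version: 1.0\r\n\r\n",
    "folded":  b"CONNECT vpn.example.com:443 HTTP/1.1\r\n"
               b"Host: vpn.example.com:443\r\n SSTP_VERSION: 1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, decide(raw))
```

Because the filter only sees the CONNECT request, it applies to clients that are forced through the forward proxy; the decision is made before any TLS bytes are exchanged.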

5) How to set the proxy address in the SSTP client?

The SSTP client picks up the web proxy settings of the current user’s context from Internet Explorer.

6) Is Winlogon using an SSTP-based VPN connection supported? If yes, how is it enabled?

Yes, Winlogon over an SSTP-based VPN connection is supported. The VPN connection should be created for “all users”.

Additionally, if the VPN connection goes through a web proxy, the web proxy settings need to be picked up from the system store. This is because, in the Winlogon case, the user establishes the VPN connection first and then logs on. The web proxy settings can be configured inside the system store using the “netsh winhttp set proxy” command.

7) What is the authentication protocol used by SSTP? Is it done at the HTTPS layer or the PPP layer?

The client is not authenticated to the server at the HTTPS layer. The SSTP client is authenticated to the server at the PPP layer, so various PPP authentication algorithms (like MSCHAPv2, EAP-MSCHAPv2, EAP-Smart-card, PEAP) can be used with SSTP. For further details, refer to https://blogs.technet.com/rrasblog/archive/2007/01/10/how-sstp-based-vpn-connection-works.aspx

8) Is the encryption done at the MPPE layer or at the HTTPS layer?

MPPE encryption at the PPP layer is turned off when the tunnel is SSTP (this is similar to the L2TP/IPSec scenario). The encryption (or data confidentiality) is achieved at the SSL layer.

9) Which OS release will support SSTP?

The SSTP client will be supported on Vista SP1 and Longhorn Server (i.e. Windows Server 2008). The SSTP server will be supported on Longhorn Server via RRAS and on Vista SP1 via VPN "incoming connections".

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]