SSTP FAQ - Part 3: Server Specific
I heard a lot of queries related to server side and in this FAQ, I will try to cover most of them. In this article, I will be using "SSTP server" which is RRAS server enabled to accept SSTP based VPN connection.
1) Does SSTP server works on top of IIS or requires IIS to be installed?
No – SSTP based RRAS server listen directly on top of HTTP.SYS (which is the core HTTP server engine). This means you don't need to install IIS separately which means one less role to manage. RRAS server will only respond to specific URI on HTTP.SYS and will ignore rest of them - which means if no other web listener (like IIS) is installed, it will be dropped. This means you don't have any extra security risk.
2) Can SSTP server co-exists with IIS Web Server?
Yes – they both can co-exist. SSTP listen on top of HTTP.SYS for all connections coming into specific URI (i.e. /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/). Rest of the web connections can be terminated at IIS.
Note: Only thing which need administrator need to ensure is the server machine certificate which will remain same for both IIS and SSTP based VPN server.
3) How to deploy SSTP server behind a NAT router?
Yes – the NAT router can be configured in NAT port redirection mode to redirect all TCP port 443 requests coming on its public IP address to the private IP address of RRAS server. The port number after redirection can remain same as 443 or changed to different port number (if SSTP server is running on a different port number).
4) How to change the port number on which SSTP server binds?
By default SSTP based VPN connection listens TCP port 443. If for any reason (like server behind a NAT port redirection router) the network administrator wants SSTP VPN server to listen on different port number, then following registry key should be changed and remote access server should be restarted.
HKLMSystemCurrentControlSetServicesSstpsvcParametersListenerPort
Type: DWORD
Default Value: 443
Note: The VPN client always connect to TCP port 443. Some device sitting in-front of VPN server (like NAT router, SSL load balancer) can change the port number of the TCP connections while doing redirection.
5) How to change the IP address on which SSTP server binds? How to change the SSL certificate?
By default SSTP based VPN connection listens on all IP addresses of VPN server. If for any reason (like server behind a NAT port redirection router), the network administrator wants SSTP VPN server to listen on specific IP address, then it can be changed directly inside HTTP.SYS directly using “netsh http add iplisten” command. You may also need to change the SSL certificate using “netsh http add sslcert” command.
6) Can SSTP server be deployed behind a SSL load balancer or Reverse Web Proxy?
Yes – SSTP based VPN server can be sitting behind a SSL load balancer which can terminate the SSL connections (or HTTPS connection) and then only redirect HTTP connection to RRAS server.
In this scenario, RRAS server need to be configured to listen (or expect) HTTP connection to come in. To accomplish this, following registry key should be changed to zero and remote access server should be restarted.
HKLMSystemCurrentControlSetServicesSstpsvcParametersUseHTTPS
Type: DWORD
Default Value: 1 (i.e. use HTTPS)
This new HTTP connection can be redirected to TCP port 443 or a different port number on RRAS server – following the steps given above.
7) How to do load-balancing of SSTP server?
SSTP server can be load-balanced in one of the following ways:
· NLB: Multiple RRAS servers can be deployed using NLB based load balancing. Please ensure all the servers are having same machine certificate.
· SSL Load balancer: A SSL load balancer can be deployed in-front of RRAS server which can terminate the SSL connection and then re-originate plain HTTP connection back to the client. Please ensure the same certificate is deployed on SSL load balancer and RRAS server.
· DNS Round-robin: RR DNS server can be deployed in-front of pool of RRAS server which then redirects each client request to a different RRAS server. Please ensure all the servers are having same machine certificate.
8) What port number to open on Windows firewall or RRAS static filter when configuring SSTP?
In default configuration mode of RRAS using RRAS MMC configuration wizard, RRAS opens TCP port 443 inside RRAS inbound/outbound static filters as well as Windows firewall. But if the network administrator has changed SSTP to bind on a different port number, then it is expected for administrator to “manually” open that port inside Windows firewall as well as RRAS static filters – depending upon which filter is enabled.
Let me know if you have any queries you want to get added to my FAQ.
Bye for now and take care
Samir Jain
Lead Program Manager (samirj@online.microsoft.com **)
RRAS, Windows Enterprise Networking
** Remove the "online" to actually email me
[This posting is provided "AS IS" with no warranties, and confers no rights.]