How to deploy SSTP based VPN server behind a SSL terminator

By now, from all the other posts you might be aware of steps required to configure SSTP server to accept HTTPS connections. SSTP also supports being configured behind a SSL terminator (HTTP Reverse Proxy scenario). With this setup, a SSL terminator can be configured to terminate the SSL session and direct the plain HTTP request to a server behind (in this scenario the SSTP server or the RRAS server accepting SSTP based VPN connections).

So the setup will look like this:

                                                

 [Clients] ==========[Internet]===========[SSL Terminator]----[SSTP Server]---[Intranet]

Before you begin, you will need the following information:

  1. The certificate that has been configured on the SSL terminator (which will be sent to the client during SSL hand-shake phase).
  2. The IP address of the SSTP Server (to which redirect the SSTP sessions)

For this configuration, some changes will have to be made on the SSL terminator as well as the SSTP server.

On the SSL terminator:

1) Configure the SSL terminator to redirect requests coming for URI /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ to the SSTP server. This is the URI for which SSTP will be listening on the SSTP server.

2) The HTTP method to look for will be SSTP_DUPLEX_POST. This is the verb that SSTP uses (which is similar to GET/PUT/POST).

These two conditions will ensure only SSTP traffic is being redirected to SSTP server and rest all traffic can be redirected to something else - say to a farm of web servers (i.e. single SSL load balancer for web hosting as well as VPN connections). This should be the rule that will be used to redirect the traffic to the SSTP server. The traffic should be redirected as HTTP behind the SSL terminator.

On the SSTP server: 

Once the SSL terminator is configured, you need to configure the SSTP server to accept HTTP connections instead of the default HTTPS connections. For this, go to the registry HKLMSystemCurrentControlSetServicesSstpSvcParameters. Change the value of ‘UseHttps’ from 1 to 0.

This change will cause the SSTP to listen on port 80 instead of the default port 443 for accepting HTTP connections instead of the HTTP connections.

As an added security measure, in order to ensure that the SSTP connections coming to server are from the configured SSL terminator, SSTP will validate through the protocol that the hash of the certificate received by the client during SSL phase (and passed as a part of SSTP protocol) is the same as the hash of the certificate configured on the SSL terminator. For this, the SSTP should be manually configured with the hash of the certificate that is configured on the SSL terminator. The hashes supported can be either SHA1 hash or the SHA256 hash.

The steps to get the certificate hash will be handled as a part of separate blog. The corresponding registry keys to be used are as follows. All the values are under the HKLMSystemCurrentControlSetServicesSstpSvcParameters.

The values supported are:

· SHA1Enabled REG_DWORD 1 – SHA1 based certificate hash validation is supported

                                                             0 – SHA1 based certificate hash validation is NOT supported. SHA1CertificateHash registry value will not be required

· SHA1CertificateHash REG_BINARY This is 20-bytes in length and will indicate the SHA1 hash of the certificate configured on the SSL terminator.

· SHA256Enabled REG_DWORD Same as SHA1Enabled – this will indicate whether SHA256 based certificate validation is allowed or not.

· SHA256CertificateHash REG_BINARY This is 32-bytes in length and it indicates the SHA256 hash of the certificate configured on the SSL terminator.

SHA256 is the preferred hash algorithm. By default, if SHA256Enabled value is not explicitly specified in the registry, SSTP will assume it to be 1. SHA1Enabled value on the contrary will be assumed to be 0 if it is not explicitly defined in the registry.

Note that if SHA1 or SHA256 is implicitly assumed to be 1, their corresponding hash values must be specified for SSTP to function. The client side also honors SHA1Enabled and SHA256Enabled (including the implicit assumption as stated above) and based on these values, will send the appropriate certificate hash to the server for validation. On the client side, the SHA1CertificateHash and SHA256CertificateHash will be ignored since the hashes will be computed directly from the certificate received from the server.

Once the certificate hash and UseHttps flag is also configured correctly for the SSTP, restart RemoteAccess service. The server should now be capable of accepting SSTP connections behind a SSL terminator.

Kadirvel C. Vanniarajan

Software Design Engineer

RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm]