How to prevent SSTP based VPN connections to be dialed out from my network

So we are back with a post on SSTP - the tunnelling protocol that can help you traverse through NATs and firewalls.

SSTP is sure a great way to establish VPN connections in cases where PPTP and L2TP will not work due to the presence of NATs and firewalls. However, some network administrators may not want any form of outgoing L3 VPN connections going out of their network due to security reasons.

As the admin of your managed network, if you want to ensure that there are no SSTP VPN connections going out of your network, then this post will help you. Though all other SSL VPNs doesn't provide a mechanism to accomplish this, SSTP does allow a way to do this.

The assumption made here about your network is that you have a web-proxy  deployed in your network through which all HTTP connections go out.  In such cases, the SSTP VPN connection will also go through the proxy as it is over HTTPS. The SSTP VPN client will send a HTTP "CONNECT" request to the proxy which is configured in the settings of the 'Internet Explorer' for the user initiating the connection.

This CONNECT request sent by the SSTP client has a custom HTTP header named "SSTPVERSION" with value "1.0". On the web-proxy, you can add a rule which inspects the CONNECT requests for this particular header. If this header is present, then it signifies that it is an SSTP connection request which is coming from within the managed network. You can choose to drop/block this request if you do not want users to establish SSTP connections from within your network.

 Hope this helps you to manage your networks more effectively!

Janani Vasudevan
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]