How to deploy SSTP based VPN server behind a NAT router

Hi All,

As you know, SSTP is a new VPN tunnel added in Routing and remote access server role in Windows 2008 server and Vista SP1. This allows PPP packets to be encapsulated over HTTP, hence allowing VPN connection to be established through firewalls/NAT/web proxies.

For small to medium size organizations, it is common to have only one public IP address which is configured on their NAT router. In this scenario theVPN server (i.e. RRAS) will be having a private IP address and sitting behind NAT router. This post talks about how to deploy SSTP based VPN server that sits behind NAT router.

Sample Deployment topology:
1) NAT router has two interfaces - one with IP address (public) and other with (private). The public IP address is registered to Internet DNS server as

2) RRAS server has IP address with default gateway as

1) Configure NAT router to do port redirection i.e. all request coming to NAT routers (i.e. public IP address) with port number = 443 (i.e. HTTPS) should be redirected to (i.e. RRAS server) with port number=443 (or some other port number say 5000 as given in step 5 below).

2) Install a machine certificate on RRAS server. This certificate should have subject name (i.e.CN) same as the hostname with which VPN client connects - so that SSL negotiation can succeed. If the client will be connecting to the public IP address of NAT router, then suject name = (i.e. public IP address of NAT router). If the client will be connecting using the hostname, then subject (i.e. the name with which NAT router's public IP address is registered to ISP DNS server).

3) Install RRAS server role via Server manager

4) Configure RRAS server by running through RRAS configuration wizard.

5) If you want RRAS server to be listening on some other port number (i.e. NAT router does port redirection from 443 to some other port number - say 5000), follow these steps:
5.1) Open regedit. Go under HKLMSystemCurrentControlSetServicesSstpsvcParametersListenerPort, double click and change the value to that port number (say 5000). Press OK.
5.2) Restart RRAS

With Regards,

Samir Jain
Lead Program Manager ( **)
RRAS, Windows Enterprise Networking

** Remove the "online" to actually email me 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments (0)

Skip to main content