How to restrict SSTP connections to specific IP addresses (instead of all IP addresses) on an RRAS server

SSTP by default is configured to listen on all interfaces (i.e. the unspecified address 0.0.0.0 for IPv4 and [::] for IPv6). This means that an RRAS server, by default, accepts VPN connections on every IPv4 and IPv6 address that is assigned to the server machine. RRAS does this by binding the machine certificate to the HTTPS listener (HTTP.sys) at 0.0.0.0:PortNum and [::]:PortNum.

Background of the problem:
If you want to stop SSTP connections from being accepted on a specific IP address (v4 or v6) or on a specific interface, while still accepting them on the others, this post may be useful to you.

Steps to follow:
This can be done in one of two ways:
1) By setting the appropriate packet filters inside RRAS, or on a firewall in front of the RRAS server.

Open the RRAS MMC console, expand the IPv4 node, click General, and select the interface (say "Local Area Connection 2") on which you want to block incoming VPN connections. Double-click the interface and add an inbound filter that drops TCP traffic whose destination is port 443 on the interface's own IPv4 address. Do the same under the IPv6 node for the interface's IPv6 address. Alternatively, the equivalent rule can be configured on a firewall sitting in front of the RRAS server.
In this scenario the HTTPS listener is still bound to all addresses (0.0.0.0:443 and [::]:443); it is the packet filters that restrict HTTPS traffic to the remaining IP address:443 pairs. Note that such a filter blocks all TCP/443 traffic to that address, so any other HTTPS service published on the same address is blocked along with SSTP.
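The same blocking, written as an added example (this is not code from the original post): it uses the Windows Defender Firewall on the RRAS host instead of the RRAS inbound packet filters or an external firewall, which is a named alternative for the filter step above. It assumes the PowerShell NetSecurity and NetTCPIP modules (Windows Server 2012 or later) and uses the post's placeholder interface name "Local Area Connection 2".

```powershell
# Added example, not part of the original post: block inbound SSTP (TCP/443) on one interface's
# own addresses with the host firewall, as an alternative to RRAS inbound packet filters.
# 'Local Area Connection 2' is the placeholder interface name used in the post.
#Requires -RunAsAdministrator

$Interface = 'Local Area Connection 2'
$Port      = 443

# The post's filter matches TCP to destination port 443 *and* the interface's own address,
# so collect that interface's addresses and create one block rule per address family.
foreach ($family in 'IPv4', 'IPv6') {
    $addrs = Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily $family -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty IPAddress
    if (-not $addrs) { Write-Warning "No $family address on '$Interface'; skipping"; continue }

    # Scoped to this interface and its addresses, so SSTP keeps working on every other interface.
    # Caveat: any other HTTPS service on these addresses is blocked as well.
    New-NetFirewallRule -DisplayName "Block SSTP ($family) on $Interface" `
        -Direction Inbound -Action Block -Enabled True -Profile Any `
        -Protocol TCP -LocalPort $Port -LocalAddress $addrs -InterfaceAlias $Interface | Out-Null
}

# Check: the block rules exist, and the HTTPS listener itself is still bound to all addresses.
# With this method the filter, not the listener, decides where SSTP is accepted.
Get-NetFirewallRule -DisplayName "Block SSTP*on $Interface" | Format-Table DisplayName, Enabled, Action
netsh http show sslcert ipport=0.0.0.0:443
```

Run it in an elevated PowerShell on the RRAS server. To undo, remove the rules with Remove-NetFirewallRule -DisplayName "Block SSTP*on Local Area Connection 2".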

OR
2) By configuring the HTTPS listener to listen on a specific IP address and port.

2.1) Find out which machine certificate is configured for SSTP-based VPN connections. This can be done with the netsh http show sslcert command. Look for the entries whose IP:port pair is 0.0.0.0:443 and [::]:443 and note down the Certificate Hash value (the SHA-1 thumbprint, which is what netsh uses). Please look at the references for further info.

2.2) Remove the all-addresses certificate bindings from the HTTPS listener. Caution: if anything else on the server (IIS, for example) serves HTTPS through the same 0.0.0.0:443 or [::]:443 binding, deleting it affects that service too.
netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete sslcert ipport=[::]:443

2.3) Bind the certificate to the HTTPS listener for the specific IP addresses only (assume the certificate's SHA-1 hash is xxx and the addresses are 1.2.3.4 and 3001::1; the appid below is the application ID that RRAS uses for its SSTP bindings):
netsh http add sslcert ipport=1.2.3.4:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
netsh http add sslcert ipport=[3001::1]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

2.4) Configure the certificate hash inside RRAS (so that RRAS does not reset the HTTPS listener back to all IP addresses on the port when it starts). Open regedit and add the following registry value:

Location: HKLM\System\CurrentControlSet\Services\SstpSvc\Parameters

Regkey Name: Sha256CertificateHash

Regkey Type: REG_BINARY

Regkey Value: the SHA-256 hash of the certificate identified in step 2.1. Note that this is not the SHA-1 value that netsh displays; compute the SHA-256 hash of the certificate separately (for example with certutil -hashfile on the exported .cer file, or in PowerShell from the certificate's RawData).

2.5) Restart RRAS from the RRAS MMC console. Because the HTTPS listener is now bound only to the chosen IP address:port pairs, connection attempts to any other address on the server are no longer accepted by SSTP; nothing is listening there, so no packet filter is needed.
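Steps 2.1 through 2.5 carried out end to end, as an added example (this is not code from the original post): it finds the certificate, removes the wildcard bindings, binds the chosen addresses, sets Sha256CertificateHash and restarts RRAS, then checks the result. It assumes the certificate is in the LocalMachine\My store and is found by a placeholder subject name (CN=vpn.example.com), that 1.2.3.4 and 3001::1 are the placeholder addresses from the post, and that the RRAS service name is RemoteAccess (restarting from the MMC, as in step 2.5, does the same).

```powershell
# Added example, not part of the original post: bind the SSTP HTTPS listener to specific
# addresses only. Placeholders: the certificate subject and the two listen addresses.
#Requires -RunAsAdministrator

$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # application ID RRAS uses for its SSTP bindings
$Port      = 443
$ListenOn  = @('1.2.3.4', '[3001::1]')                    # placeholder addresses to keep listening on
$Subject   = 'CN=vpn.example.com'                         # placeholder subject of the RRAS machine certificate

# Step 2.1: locate the certificate and derive both hashes.
# netsh wants the SHA-1 thumbprint; the SstpSvc registry value wants the SHA-256 hash of the DER bytes.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
$sha1Hex     = $cert.Thumbprint
$sha256Bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)

# Helper: the IP:port pairs currently bound in the HTTP.sys SSL configuration.
function Get-SslBindings {
    netsh http show sslcert | ForEach-Object {
        if ($_ -match 'IP:port\s*:\s*(\S+)') { $Matches[1] }
    }
}

$wildcards = @("0.0.0.0:$Port", "[::]:$Port")

# Step 2.2: drop the wildcard bindings (only if present; see the caution about other HTTPS services).
foreach ($wild in $wildcards) {
    if ((Get-SslBindings) -contains $wild) { netsh http delete sslcert "ipport=$wild" | Out-Null }
}

# Step 2.3: bind the certificate to the specific addresses only.
foreach ($addr in $ListenOn) {
    netsh http add sslcert "ipport=${addr}:$Port" "certhash=$sha1Hex" "appid=$SstpAppId" certstorename=MY | Out-Null
}

# Step 2.4: tell SstpSvc which certificate it owns so it does not re-create the wildcard bindings.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
New-ItemProperty -Path $params -Name Sha256CertificateHash -PropertyType Binary -Value $sha256Bytes -Force | Out-Null

# Step 2.5: restart RRAS (service name RemoteAccess; assumption, equivalent to the MMC restart).
Restart-Service RemoteAccess -Force

# Check: the wildcard bindings must stay gone after the restart, and each chosen address must be bound.
$bindings = Get-SslBindings
foreach ($wild in $wildcards) {
    if ($bindings -contains $wild) { Write-Warning "Wildcard binding $wild came back; verify Sha256CertificateHash" }
}
foreach ($addr in $ListenOn) {
    Write-Host ("{0}:{1} bound: {2}" -f $addr, $Port, ($bindings -contains "${addr}:$Port"))
}
```

If the wildcard binding reappears after the restart, the registry value does not match the certificate RRAS selected (a SHA-1 value pasted where the SHA-256 hash belongs is the usual cause); fix the value and restart RRAS again.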

 

References:

How to change the machine certificate of SSTP based RRAS server

Setting up HTTP listener

Verifying VPN server is accepting SSTP connections

SSTP Server FAQ

Debugging SSTP connection failure

Cheers,

Samir Jain
Lead Program Manager (samirj@online.microsoft.com **)
RRAS, Windows Enterprise Networking

** Remove the "online" to actually email me

[This posting is provided "AS IS" with no warranties, and confers no rights.]