Lukas Beran

December 2016
How to configure SSTP VPN on Windows Server

Lukas Beran

SSTP VPN is a modern and secure VPN which allows you to connect even through some firewalls, because it uses TCP port 443, which is also used for secure HTTP (HTTPS). Moreover, this VPN is very secure, much more so than the very popular PPTP, which is currently not secure at all.

Configuring an SSTP VPN on Windows Server is very simple and fast. You need only a static public IP address, or at least a forwarded TCP port 443, and a certificate from a public CA (or a self-signed certificate with the root certificate installed in the trusted root authorities on all client computers).

This guide is for Windows Server 2016, but the steps are the same or very similar on other Windows Server versions.

Remote Access installation

The first step is installing the Remote Access role. Open Server Manager, start the role and feature installation wizard, and choose the Remote Access role.

Confirm the installation of the required roles and features, and on the Role Services page choose DirectAccess and VPN (RAS).

Hit Next a few times and start the installation. The Internet Information Services (IIS) role is required for the Remote Access role, but you don't need to use IIS. You can even disable IIS and the VPN will still work.

Configuring Remote Access and SSTP VPN

When the installation has finished, start the configuration wizard by clicking Open the Getting Started Wizard.

In the first step select Deploy VPN only, because we don’t want to deploy DirectAccess.

Now we can start configuring the VPN server. Right-click the server in the left pane and select Configure and Enable Routing and Remote Access.

Because we want to install only a VPN server without any other services, select Custom configuration.

On the next page select only VPN access.

Hit Next, then confirm the installation and the restart of the service.

Now we can select the certificate for the service. You can either import the certificate from IIS or install the certificate directly into the Personal certificates of the local machine store (certlm.msc).

Now we can also set the certificate for the VPN server. Switch back to the Routing and Remote Access console, right-click your server name and select Properties. Go to the Security tab and, in the SSL Certificate Binding section at the bottom, select the certificate you just installed.

If you have a DHCP server enabled on the same network, you don't need to do anything else. You just need to enable dial-in access for the selected VPN users by opening the user profile and selecting Allow access on the Dial-in tab.

Users should now be able to log in and get an IP address from your local DHCP server. If you don't have a DHCP server in your network, or the DHCP server is not assigning IP addresses to the clients, you can set a static address pool for VPN clients. Right-click your VPN server, select Properties, go to the IPv4 tab, switch to Static address pool and choose at least 10 addresses outside of your DHCP server pool.

The last thing I would recommend is disabling the PPTP VPN server, which is not secure. Right-click Ports and select Properties. Select PPTP, click Configure and uncheck both options.

If your server gets its IP address from your DHCP server with a DHCP reservation, you have to switch to a static IP address configuration and turn off the reservation. Otherwise your VPN clients will not be able to get an IP address from your DHCP server.
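
The role installation, certificate binding and PPTP steps above can also be scripted. The following PowerShell is an added example, not part of the original guide; it additionally checks that the certificate is valid, has a private key, allows server authentication and matches the public name before binding it. The host name `vpn.example.com` is a placeholder, and `Install-RemoteAccess -VpnType Vpn` is used here as the rough equivalent of the wizard's VPN-only deployment.

```powershell
# Added example: run in an elevated PowerShell session on the VPN server.
# Assumption: $VpnHost is a placeholder for the public name clients connect to.
$VpnHost = 'vpn.example.com'

# 1. Install the "DirectAccess and VPN (RAS)" role service and deploy VPN only.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# 2. Pick a usable certificate from the local machine Personal store
#    (the same store certlm.msc shows). A candidate must have a private key,
#    be inside its validity period, carry the Server Authentication EKU and
#    list the public host name. Wildcard names such as *.example.com are
#    matched with -like, which is looser than strict single-label matching.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        ($_.DnsNameList.Unicode | Where-Object { $VpnHost -like $_ })
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid server-authentication certificate for $VpnHost in Cert:\LocalMachine\My"
}

# 3. Bind the certificate to SSTP (SSL Certificate Binding) and restart RRAS.
Set-RemoteAccess -SslCertificate $cert
Restart-Service -Name RemoteAccess

# 4. Disable PPTP: the two check boxes in Ports > Properties > PPTP > Configure.
netsh ras set wanports device = "WAN Miniport (PPTP)" rasinonly = disabled ddinout = disabled

# 5. Review the result: bound certificate, VPN status and port settings.
Get-RemoteAccess | Select-Object -Property VpnStatus, SslCertificate
netsh ras show wanports
```

Dial-in permission for users and the optional static address pool are not covered by this script and are still set as described above.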
