How to configure SSTP VPN on Windows Server
Lukas Beran
SSTP VPN is a modern and secure VPN which allows you to connect even through some firewalls, because it uses TCP port 443, the same port used for secure HTTP (HTTPS). Moreover, this VPN is very secure, much more than the very popular PPTP, which is currently not secure at all.
Configuring SSTP VPN on Windows Server is very simple and fast. You only need a static public IP address (or at least a forwarded TCP port 443) and a certificate from a public CA (or a self-signed certificate whose root certificate is installed in Trusted Root Certification Authorities on all client computers).
This guide is for Windows Server 2016, but the steps are the same or very similar on other Windows Server versions.
Remote Access installation
The first step is installation of the Remote Access role. Open Server Manager, start the role and feature installation wizard and choose the Remote Access role.
Confirm installation of the required roles and features, and on the Role Services page choose DirectAccess and VPN (RAS).
Hit Next a few times and start the installation. The Internet Information Services (IIS) role is required by the Remote Access role, but you don't need to use IIS; you can even disable IIS and the VPN will still work.
Configuring Remote Access and SSTP VPN
When the installation has finished, start the configuration wizard by clicking Open the Getting Started Wizard.
In the first step select Deploy VPN only, because we don't want to deploy DirectAccess.
Now we can start configuring the VPN server. Right-click the server in the left pane and select Configure and Enable Routing and Remote Access.
Because we want to install only the VPN server without any other services, select Custom configuration.
On the next page select only VPN access.
Hit Next and confirm the installation and the restart of the service.
Now we can select a certificate for the service. You can either import the certificate from IIS or install the certificate directly into the Personal store of the local machine certificate store (certlm.msc).
Now we can set the certificate for the VPN server as well. Switch back to the Routing and Remote Access console, right-click your server name and select Properties. Go to the Security tab and, in the SSL Certificate Binding section at the bottom, select the certificate you just installed.
If you have a DHCP server enabled on the same network, you don't need to do anything else. You just need to enable dial-in access for the selected VPN users by opening the user's properties and selecting Allow access on the Dial-in tab.
Users should now be able to log in and get an IP address from your local DHCP server. If you don't have a DHCP server in your network, or the DHCP server is not assigning IP addresses to the clients, you can set a static address pool for VPN clients. Right-click your VPN server, select Properties, go to the IPv4 tab, switch to Static address pool and add at least 10 addresses outside of your DHCP server's pool.
The last thing I would recommend is disabling the PPTP VPN server, which is not secure. Right-click Ports and select Properties. Select PPTP, click Configure and uncheck both options.
If your server gets its IP address from your DHCP server through a DHCP reservation, you have to switch to a static IP address configuration and turn off the reservation. Otherwise your VPN clients will not be able to get an IP address from your DHCP server.
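The same configuration can be scripted. The following PowerShell is an added example and is not part of the original article: it performs the GUI steps above (role installation, certificate binding, VPN-only RRAS setup with a static pool, disabling PPTP, enabling dial-in for a user) and finishes with a few checks. The certificate name vpn.example.com, the address range 192.168.10.200-192.168.10.220 and the user jdoe are placeholders; the script assumes an elevated session on the server, a certificate with a private key already in the local machine Personal store, and, for the dial-in step, a domain-joined server with the ActiveDirectory RSAT module installed. The Install-RemoteAccess, Set-VpnServerConfiguration and Get-VpnServerConfiguration cmdlets are the RemoteAccess module's scripted counterparts of the RRAS console.

```powershell
# Added example, not the article's own steps. Placeholders: vpn.example.com,
# 192.168.10.200-192.168.10.220 and the user 'jdoe'. Run elevated on the server.
$ErrorActionPreference = 'Stop'

# 1. Remote Access role with the "DirectAccess and VPN (RAS)" role service
#    (IIS is pulled in as a dependency, as the article notes).
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# 2. Pick the SSTP certificate from the local machine Personal store (certlm.msc).
#    It must have a private key, be valid, and carry the name clients connect to.
$vpnName = 'vpn.example.com'   # placeholder
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "*CN=$vpnName*" -or $_.DnsNameList.Unicode -contains $vpnName)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $vpnName in Cert:\LocalMachine\My" }

# 3. VPN-only RRAS (Custom configuration > VPN access), certificate bound for
#    SSTP (Security tab > SSL Certificate Binding) and a static address pool
#    that lies outside the DHCP scope, as the article recommends.
Install-RemoteAccess -VpnType Vpn -SslCertificate $cert `
    -IPAddressRange '192.168.10.200', '192.168.10.220'   # placeholder range

# 4. Disable the insecure PPTP listener: zero PPTP ports is the scripted
#    equivalent of unchecking both options under Ports > PPTP > Configure.
Set-VpnServerConfiguration -PptpPorts 0

# 5. Dial-in tab > Allow access for one user. msNPAllowDialin is the AD
#    attribute behind that radio button (requires the ActiveDirectory module).
Set-ADUser -Identity 'jdoe' -Replace @{ msNPAllowDialin = $true }   # placeholder user

# 6. Checks: PPTP should show 0 ports, the bound certificate should be the one
#    we selected, and TCP 443 should answer on the published name.
Get-VpnServerConfiguration | Select-Object PptpPorts, SstpPorts, L2tpPorts, Ikev2Ports
Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
Test-NetConnection -ComputerName $vpnName -Port 443 | Select-Object TcpTestSucceeded
```

The certificate filter deliberately matches on both the subject CN and the subject alternative names, because a certificate issued only with SANs (common with public CAs) would otherwise be skipped; if the checks at the end show PptpPorts other than 0 or a different SslCertificate thumbprint, the console steps in the article can be used to correct them.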
RRAS on Windows Server 2019 does not assign IP addresses from DHCP
As of November 2019, Windows Server 2019 contains a confirmed bug (see the discussion on TechNet) which causes clients not to receive an IP address automatically from a DHCP server, and therefore it is necessary to set up a static address pool. But there is a way to fix the bug manually before an official patch is released. You need to add an entry to the registry and restart the server.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp" /v RequiredPrivileges /t REG_MULTI_SZ /d "SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege" /f
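The reg add command overwrites RequiredPrivileges unconditionally (/f). As an added example that is not part of the original article, the PowerShell below does the same workaround idempotently: it reads the current REG_MULTI_SZ, shows it, appends only the privileges that are missing (so an already patched or differently configured value is left intact), and then offers the restart the article calls for. It assumes an elevated session on the Windows Server 2019 machine and uses only the registry provider cmdlets.

```powershell
# Added example, not the article's own command. Idempotent form of the
# RequiredPrivileges workaround for the DHCP Client service on Server 2019.
$dhcpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp'
$valueName = 'RequiredPrivileges'
# The three privileges the article's reg add command writes.
$required  = @('SeChangeNotifyPrivilege', 'SeCreateGlobalPrivilege', 'SeImpersonatePrivilege')

# Read the current multi-string value; treat an absent value as empty.
$current = @()
try { $current = @(Get-ItemPropertyValue -Path $dhcpKey -Name $valueName) } catch { }
Write-Host "Current $valueName : $($current -join ', ')"

$missing = @($required | Where-Object { $_ -notin $current })
if ($missing.Count -eq 0) {
    Write-Host 'RequiredPrivileges already contains every required privilege; nothing to do.'
} else {
    # Keep whatever is already there and add only what is missing.
    $new = @(($current + $missing) | Select-Object -Unique)
    Set-ItemProperty -Path $dhcpKey -Name $valueName -Value $new -Type MultiString
    Write-Host "Added: $($missing -join ', ')"
    Write-Host "New $valueName : $((Get-ItemPropertyValue -Path $dhcpKey -Name $valueName) -join ', ')"

    # Service privileges are read at service start; the article restarts the
    # whole server so RRAS and the DHCP Client service both pick the change up.
    if ((Read-Host 'Restart the server now? (y/N)') -eq 'y') { Restart-Computer -Force }
}
```

Running the script a second time prints the complete value and makes no change, which is also a quick way to confirm that the workaround is in place after the reboot.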