Lukas Beran

December 2016

How to configure SSTP VPN on Windows Server

Lukas Beran

SSTP (Secure Socket Tunneling Protocol) is a modern VPN protocol that carries PPP traffic inside a TLS session on TCP port 443, the same port used for HTTPS. That is why it gets through most firewalls and proxies that block other VPN protocols. It is also far more secure than the still popular PPTP, whose MS-CHAPv2 authentication and RC4-based MPPE encryption are broken; PPTP should no longer be used at all.

Configuring SSTP VPN on Windows Server is simple and fast. You need a static public IP address (or at least TCP port 443 forwarded to the server) and a TLS certificate from a public CA. A self-signed certificate works too, as long as its root certificate is installed in Trusted Root Certification Authorities on every client computer. In either case the certificate's subject or subject alternative name must match the host name the clients dial, and the CRL distribution point listed in the certificate must be reachable from the Internet: Windows SSTP clients check the server certificate for revocation by default and refuse to connect when they cannot download the CRL.

This guide is for Windows Server 2016, but the steps are the same or very similar on other Windows Server versions.
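Before touching the server, it is worth checking from a client what the SSTP client itself will check: that the certificate on port 443 chains to a trusted root, is still valid, names the host you dial, and can be revocation-checked online. The following is an added example, not code from the original post; the host name `vpn.example.com` and the port are assumptions.

```powershell
# Added example: inspect the certificate an SSTP endpoint presents on TCP 443 and
# report the same conditions the Windows SSTP client enforces.
function Test-SstpServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $VpnHost,   # host name the clients dial (assumption)
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($VpnHost, $Port)
    try {
        # Accept any certificate during the handshake: we want to inspect it ourselves,
        # not let SslStream abort before we can explain why a client would reject it.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($VpnHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate

        # Build the chain the way the SSTP client does: trusted root required and an
        # online revocation check of everything below the root. A CRL that is not
        # reachable from the Internet shows up as RevocationStatusUnknown/OfflineRevocation.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Name check: the dialled host must appear as a DNS entry in the SAN extension (OID 2.5.29.17).
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $nameOk  = [bool]($sanText -match ('DNS Name=' + [regex]::Escape($VpnHost) + '(,|$)'))

        [pscustomobject]@{
            Host              = $VpnHost
            Subject           = $cert.Subject
            Issuer            = $cert.Issuer
            NotAfter          = $cert.NotAfter
            SubjectAltNames   = $sanText
            NameMatches       = $nameOk
            ChainTrusted      = $chainOk
            ChainStatus       = if ($chainStatus) { $chainStatus } else { 'OK' }
            ClientWillConnect = ($chainOk -and $nameOk -and $cert.NotAfter -gt (Get-Date))
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage (host name is an assumption):
Test-SstpServerCertificate -VpnHost 'vpn.example.com' | Format-List
```

If `ChainTrusted` is false with a self-signed certificate, the root is missing from the client's Trusted Root store; if it fails with `RevocationStatusUnknown`, the CRL URL in the certificate is not reachable from the network the client is on, which is the most common reason a freshly built SSTP server refuses connections from the Internet while working fine on the LAN.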

Remote Access installation

The first step is installing the Remote Access role. Open Server Manager, start the Add Roles and Features wizard and choose the Remote Access role.

Confirm the installation of the required roles and features and, on the Role Services page, choose DirectAccess and VPN (RAS).

Click Next a few times and start the installation. The Web Server (IIS) role is installed as a dependency of the Remote Access role, but you don't need to use IIS: SSTP listens through the HTTP.sys kernel driver, so you can even stop and disable the IIS service and the VPN will still work.

Configuring Remote Access and SSTP VPN

When the installation has finished, start the configuration wizard by clicking Open the Getting Started Wizard.

In the first step select Deploy VPN only, because we don’t want to deploy DirectAccess.

Now we can configure the VPN server. Right-click the server in the left pane and select Configure and Enable Routing and Remote Access.

Because we want only a VPN server and no other services, select Custom configuration.

On the next page select only VPN access.

Click Next and confirm the installation and the start of the service.

Now we can select the certificate for the service. Either import the certificate through IIS or install it directly into the Personal store of the local computer (certlm.msc). It must be installed together with its private key, otherwise RRAS will not list it for binding.

Now we can set the certificate for the VPN server as well. Switch back to the Routing and Remote Access console, right-click your server name and select Properties. On the Security tab, in the SSL Certificate Binding section at the bottom, select the certificate you just installed.

If a DHCP server is running on the same network, nothing else is needed on the server side. You only need to enable dial-in access for the chosen VPN users: open the user's properties and select Allow access on the Dial-in tab.

Users should now be able to log in and receive an IP address from your local DHCP server (RRAS requests addresses from DHCP in blocks of ten on behalf of the clients). If there is no DHCP server in your network, or it does not hand out addresses to the VPN clients, configure a static address pool instead: right-click your VPN server, select Properties, go to the IPv4 tab, switch to Static address pool and add at least 10 addresses outside the DHCP scope. Note that RRAS takes the first address of the pool for its own interface.

The last thing I recommend is disabling the PPTP server, which is not secure. Right-click Ports and select Properties, select WAN Miniport (PPTP), click Configure and uncheck both Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound). If you don't use L2TP or IKEv2 either, do the same for those ports so that only SSTP remains exposed.

If your server gets its IP address from the DHCP server through a DHCP reservation, switch the server to a static IP configuration and remove the reservation. Otherwise your VPN clients will not be able to obtain an IP address from the DHCP server.
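The same deployment can be done without the wizards from an elevated PowerShell prompt on the VPN server. The block below is an added example, not part of the original post; the host name, the address pool, the user name and the exact cmdlet parameters used (`Install-RemoteAccess -IPAddressRange`, `Set-RemoteAccess -SslCertificate`, `netsh ras set wanports`) are assumptions to adjust to your environment.

```powershell
# Added example: role installation, VPN-only RRAS, certificate binding, static pool,
# PPTP switched off and dial-in granted to one user. Values below are assumptions.
$VpnFqdn   = 'vpn.example.com'    # name on the certificate and the name clients dial
$PoolStart = '192.168.50.10'      # static pool for VPN clients, outside the DHCP scope
$PoolEnd   = '192.168.50.50'
$VpnUser   = 'alice'              # AD account that is allowed to dial in

# 1. Remote Access role with the DirectAccess and VPN (RAS) role service (IIS comes along as a dependency).
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

# 2. VPN only, no DirectAccess. The range becomes the static IPv4 pool (Properties > IPv4).
#    Leave -IPAddressRange out to let RRAS relay addresses from your DHCP server instead.
Install-RemoteAccess -VpnType Vpn -IPAddressRange $PoolStart, $PoolEnd

# 3. Bind the SSTP listener to the certificate in the computer's Personal store.
#    It must have a private key and carry the dialled name in its subject or SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.Subject -like "CN=$VpnFqdn*" -or $_.DnsNameList.Unicode -contains $VpnFqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $VpnFqdn in Cert:\LocalMachine\My" }
Set-RemoteAccess -SslCertificate $cert

# 4. Ports > WAN Miniport (PPTP) > Configure with both boxes unchecked:
#    no inbound remote-access connections and no demand-dial connections over PPTP.
netsh ras set wanports device="WAN Miniport (PPTP)" rasinonly=disabled ddinout=disabled

# 5. Dial-in tab, "Allow access", for the chosen user (needs the ActiveDirectory module).
Set-ADUser -Identity $VpnUser -Replace @{ msNPAllowDialin = $true }

Restart-Service RemoteAccess

# 6. Sanity checks: which miniports still accept connections, and what RRAS is bound to.
netsh ras show wanports
Get-RemoteAccess | Format-List
```

After the restart, the only tunnel type reachable from the Internet should be SSTP on TCP 443; anything else that `netsh ras show wanports` still reports as enabled for remote access is attack surface you are not using.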

RRAS on Windows Server 2019 does not assign IP addresses from DHCP

As of November 2019, Windows Server 2019 contains a confirmed bug (see the discussion on Technet) that prevents VPN clients from receiving an IP address automatically from a DHCP server, so a static address pool has to be configured. There is a manual workaround until an official patch is released: add an entry to the registry and restart the server.

My primary focus is the security of identities, devices and data in the cloud using Microsoft services, technologies and tools.

Comments 10
  • Kishan

    Hi Lukas,
    I am configuring SSTP VPN on Windows Server 2019 and I'm able to connect using a static address pool, but when I opt for DHCP I'm not able to connect to the VPN server.
    I have configured my AD DS with a static IP address and installed AD CS with a CA.

    Please help me find what I'm missing in the VPN configuration.


    • Lukas Beran

      Hi Kishan. It’s not your fault, it’s a known issue with WS 2019 – VPN integration with external DHCP does not work. I’ve already reported this issue to Microsoft but with no feedback so far. So the only way is to use static pool for VPN clients.


  • Kishan

    Thanks for giving me the update on it.
    May I know if this issue is also found in Windows Server 2016 or 2012?


  • Kishan

    Thank you…


  • Kishan Chaurasia

    Hi Lukas,
    I have configured the same settings to connect via SSTP VPN, but I still have the same issue on Windows Server 2016.
    Could you please help me out?


    • Lukas Beran

      Hi Kishan. What’s the problem exactly?


  • Kishan Chaurasia

    Problem:
    I have to configure SSTP VPN on Windows Server 2016 or 2019.
    These are the steps I followed to configure the VPN:
    1. Changed the server name and time zone according to my country.
    2. Installed AD DS and DNS on the server and configured them.
       a. After installing AD DS, a dialog appears to configure AD DS.
       b. I selected "A new domain forest" and created a domain for that AD DS.
       c. After promoting the server to a domain controller, I configured DNS, where I created a new reverse zone according to the private IP of the server and gave it a pointer (PTR) from the properties of the forward zone for that IP.
    3. After the 2nd step, I installed AD CS, NPS and RRAS on the server and configured them accordingly.
    4. AD CS configuration:
       a. I created a CA certificate and an FQDN certificate from the IIS Manager option of the server called Domain Certificate.
       b. After all this I configured RRAS using static IP address assignment, and here I am able to connect with the client machine, but when I choose the DHCP option for IP assignment, connecting the VPN from the client machine says that you need to change network settings for this.

    I don't know what I'm missing in configuring dynamic access for the VPN so that a client can connect to the server through any network using the VPN credentials with the SSL certificate provided by the VPN admin.

    Requirement:
    I have to configure SSTP VPN on Windows Server in such a way that the client can access the server from any IP address and a private and secure network can be established between client and server.


    • Lukas Beran

      Looks like an issue with DHCP. So please check your DHCP server configuration or consult it with your network admin. Or just use the static IP pool directly on the VPN server.


  • Braaah

    Thank you! That registry fix was it. I’ve been banging my head all afternoon. It’s my first 2019 VPN server.