The Windows Server 2016 Routing and Remote Access Service (RRAS) is commonly deployed as the VPN server for Windows 10 Always On VPN deployments. With RRAS, Always On VPN administrators can use Microsoft’s proprietary Secure Socket Tunneling Protocol (SSTP). SSTP is a Transport Layer Security (TLS) based VPN protocol: it carries the PPP session inside an HTTPS connection on the standard TCP port 443, so all traffic between the Always On VPN client and the RRAS VPN server is encapsulated and encrypted by TLS. Because it looks like ordinary HTTPS to firewalls and proxies, SSTP is firewall-friendly and connects from almost any network. Although IKEv2 is the protocol of choice when the highest level of security is required for VPN connections, SSTP can still provide very good security when implementation best practices are followed.
SSTP Certificate
Since SSTP uses HTTPS for transport, an ordinary SSL/TLS server certificate must be installed, together with its private key, in the Local Computer\Personal\Certificates store on the RRAS VPN server. At a minimum the certificate must include the Server Authentication Enhanced Key Usage (EKU, OID 1.3.6.1.5.5.7.3.1). SSL certificates often include both the Server Authentication and Client Authentication EKUs, but Client Authentication is not required for SSTP. The subject name on the certificate, or at least one of the Subject Alternative Name (SAN) entries, must match the public hostname that VPN clients use to connect to the VPN server. Multi-SAN (sometimes referred to as UC) certificates and wildcard certificates are supported.
Certification Authority
It is recommended that the SSL certificate used for SSTP be issued by a public Certification Authority (CA). The VPN client checks the revocation status of the server certificate while the tunnel is being established, so the Certificate Revocation List (CRL) must be reachable from whatever network the client happens to be on. Public CAs host their CRLs and OCSP responders on robust, highly available infrastructure, which reduces the chance of failed VPN connection attempts caused by revocation information being offline or unreachable.
Using an SSL certificate issued by an internal, private CA is supported, but only if the CRL (and OCSP responder, if one is used) for the internal PKI is published at a location that is reachable from the Internet. If the client cannot retrieve revocation information, the SSTP connection fails unless server certificate validation has been disabled, which is not recommended.
Key Type
RSA is the most common key type used for SSL certificates. However, Elliptic Curve Cryptography (ECC) keys provide equivalent or better security with much smaller keys (a 256-bit ECDSA key gives roughly 128 bits of security, versus about 112 bits for 2048-bit RSA) and faster signing during the TLS handshake, so it is recommended that the SSTP SSL certificate be created using an ECC key instead.
To use an ECC key, be sure to specify a Cryptographic Next Generation (CNG) key and select the ECDSA_P256 algorithm (or a larger curve) with the Microsoft Software Key Storage Provider when creating the Certificate Signing Request (CSR) for the SSTP SSL certificate. Note that this is a CNG Key Storage Provider (KSP), not a legacy Cryptographic Service Provider (CSP); selecting a smart card or other legacy provider is a common cause of an “invalid parameter” error when generating the request. If the same certificate will be installed on more than one VPN server, mark the private key as exportable in the request; a key that was not exportable when it was generated cannot be exported later.
Most public CAs will accept a CSR containing an ECC public key and issue an Elliptic Curve Digital Signature Algorithm (ECDSA) certificate. If yours does not, find a better CA. 😉
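As an added example (not code from the original post), the PowerShell below generates the certificate request described in the SSTP Certificate and Key Type sections with certreq, then performs the checks a practitioner would want before pointing RRAS at the certificate: it is in the Local Computer store with its private key, uses an ECC key, carries the Server Authentication EKU and a matching SAN, and its CRL/OCSP URLs can actually be fetched. The hostname vpn.example.net, the file paths and the Test-SstpCertificate function name are assumptions; certreq, Export-Certificate and certutil are the standard Windows tools.

```powershell
# Added example, not code from the original post: request an ECDSA P-256 certificate for
# SSTP with certreq and verify that it meets the requirements above. The hostname
# vpn.example.net, the file paths and the function name are assumptions.

$Hostname = 'vpn.example.net'
$Inf = "$env:TEMP\sstp.inf"
$Req = "$env:TEMP\sstp.req"
$Cer = "$env:TEMP\sstp.cer"   # certificate returned by the CA once issued (assumed path)

# certreq INF: CNG key, ECDSA_P256 in the Microsoft Software Key Storage Provider (a KSP,
# not a legacy or smart card CSP), stored in the machine key set and exportable so the same
# certificate can be installed on additional RRAS servers. KeyUsage 0x80 = digitalSignature,
# which is all an ECDSA key can do; the EKU is Server Authentication only.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Hostname"
KeyAlgorithm = ECDSA_P256
KeyLength = 256
HashAlgorithm = SHA256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = TRUE
KeyUsage = 0x80
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: must contain the public hostname clients connect to
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
"@ | Set-Content -Path $Inf -Encoding Ascii

# Generate the key pair in the Local Computer store and write the CSR to submit to the CA.
certreq.exe -new $Inf $Req

# After the CA returns the issued certificate as $Cer, bind it to the pending key:
#   certreq.exe -accept $Cer

function Test-SstpCertificate {
    # Returns a summary of the checks RRAS and the VPN client effectively make.
    param([string]$DnsName)

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $DnsName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $DnsName in Local Computer\Personal." }

    # certutil fetches every CRL/OCSP URL in the CDP/AIA extensions, as the client does during
    # revocation checking. Run this from a host outside the corporate network: a CRL that is
    # only reachable internally is the classic cause of SSTP failing with server validation on.
    $exported = Export-Certificate -Cert $cert -FilePath "$env:TEMP\sstp-issued.cer" -Force
    $verify = certutil.exe -f -urlfetch -verify $exported.FullName 2>&1

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        KeyAlgorithm    = $cert.PublicKey.Oid.FriendlyName      # 'ECC' for an ECDSA key
        HasPrivateKey   = $cert.HasPrivateKey                   # RRAS hides certs without one
        ServerAuthEku   = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        SanMatches      = ($cert.DnsNameList.Unicode -contains $DnsName)
        RevocationCheck = [bool]($verify -match 'revocation check passed')
        NotAfter        = $cert.NotAfter
    }
}

Test-SstpCertificate -DnsName $Hostname
```

Run the request on the server that will hold the key (certreq stores the pending key in the machine store of the machine it runs on). If RevocationCheck comes back false from an external network while it succeeds internally, the CRL distribution point is the problem, not the certificate, and that is exactly the failure mode the Certification Authority section warns about.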
Forward Secrecy
Forward secrecy (sometimes referred to as perfect forward secrecy, or PFS) means that each session’s keys are derived from an ephemeral key exchange rather than from the server’s long-term private key. An attacker who records SSTP traffic today and later obtains the server’s private key still cannot decrypt the recorded sessions. Using forward secrecy for SSTP is crucial to ensuring the highest levels of security for VPN connections.
To enforce forward secrecy, configure the TLS cipher suite order on the VPN server so that cipher suites using Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange are preferred, and remove suites that use static RSA key exchange (the TLS_RSA_WITH_* suites), which provide no forward secrecy at all.
Authenticated Encryption
Authenticated encryption (AE), and its common form authenticated encryption with associated data (AEAD), combines confidentiality and integrity protection in a single cryptographic primitive. It provides better data protection than older cipher suites that use a block cipher in CBC mode with a separate MAC (a construction that has repeatedly been subject to padding-oracle attacks) or the RC4 stream cipher, which is no longer considered secure.
To enforce authenticated encryption, prioritize cipher suites that use AES in Galois/Counter Mode (AES-GCM) in the TLS configuration on the VPN server.
Important Note: In Windows Server 2016, GCM cipher suites can be used with both RSA and ECC certificates. In Windows Server 2012 R2, however, GCM cipher suites are only available when an ECC (ECDSA) certificate is used.
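As an added example (not from the original post), the PowerShell below applies both recommendations from the Forward Secrecy and Authenticated Encryption sections to the Schannel cipher suite order on a Windows Server 2016 RRAS server and then checks the result. Get-TlsCipherSuite, Enable-TlsCipherSuite, Disable-TlsCipherSuite and Enable-TlsEccCurve are the TLS module cmdlets that ship with Windows Server 2016; the function names, the $WeakPattern regex and the decision to disable every non-ECDHE or non-GCM suite are my own choices, not the post’s.

```powershell
# Added example, not code from the original post: configure the Schannel cipher suite order on
# a Windows Server 2016 RRAS server so that the TLS session under SSTP always uses ECDHE key
# exchange (forward secrecy) and AES-GCM (authenticated encryption), then verify. Run elevated.
# Function names and the exact set of suites disabled are assumptions.

# Preferred suites, strongest first. The ECDHE_ECDSA suites are negotiated with the ECDSA
# certificate from the Key Type section; the ECDHE_RSA suites are the equivalent for an RSA
# certificate (GCM with RSA certificates is available on Windows Server 2016, not 2012 R2).
$Preferred = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Suites that violate either requirement: static RSA key exchange (TLS_RSA_*) has no forward
# secrecy; CBC, RC4, 3DES, NULL and EXPORT suites are not authenticated encryption.
$WeakPattern = '^TLS_RSA_|_CBC_|_RC4_|_3DES_|_NULL_|_EXPORT'

function Get-WeakTlsCipherSuite {
    Get-TlsCipherSuite | Where-Object { $_.Name -match $WeakPattern }
}

function Set-SstpCipherSuiteOrder {
    # Put the preferred suites at the top of the list, in order...
    for ($i = 0; $i -lt $Preferred.Count; $i++) {
        Enable-TlsCipherSuite -Name $Preferred[$i] -Position $i
    }
    # ...and remove everything that would let a client end up on a non-PFS or non-AEAD suite.
    Get-WeakTlsCipherSuite | ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }

    # ECDHE needs a curve both sides accept; prefer P-256, then P-384 (Windows 10 supports both).
    Enable-TlsEccCurve -Name NistP256 -Position 0
    Enable-TlsEccCurve -Name NistP384 -Position 1
}

function Test-SstpCipherSuiteOrder {
    # Reports whether the preferred suites are first, in order, and which weak suites remain.
    $enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    $top = @($enabled | Select-Object -First $Preferred.Count)
    [pscustomobject]@{
        PreferredSuitesFirst   = (@(Compare-Object $top $Preferred -SyncWindow 0).Count -eq 0)
        WeakSuitesStillEnabled = @($enabled | Where-Object { $_ -match $WeakPattern })
    }
}

Set-SstpCipherSuiteOrder
Test-SstpCipherSuiteOrder
# Schannel reads the cipher suite order when a process starts, so restart RRAS (or reboot):
#   Restart-Service RemoteAccess
```

The cipher suite order is a system-wide Schannel setting, so it affects every TLS service on the server, not just SSTP; check anything else hosted on the box before disabling suites. If the list is managed by the “SSL Cipher Suite Order” Group Policy setting, that policy takes precedence over the local list these cmdlets maintain, and the change has to be made there instead.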
SSL Offload
Offloading SSL to a load balancer or application delivery controller (ADC) can be enabled to improve scalability and performance for SSTP VPN connections. I will cover SSL offload for SSTP in detail in a future post.
Summary
SSTP can provide good security for VPN connections when implementation and security best practices are followed. For optimum security, use an SSL certificate with an ECC key issued by a public CA, and configure the TLS cipher suite order on the VPN server to prefer ECDHE key exchange (forward secrecy) and AES-GCM (authenticated encryption).
Additional Information
Always On VPN ECDSA SSL Certificate Request for SSTP
Always On VPN and Windows Server Routing and Remote Access Service (RRAS)
Always On VPN Protocol Recommendations for Windows Server RRAS
Always On VPN Certificate Requirements for IKEv2
Max Gianesini / August 8, 2018
Hello Richard
We have deployed SSTP with internal PKI but when the client connects it fails to validate the cert. OCSP is publicly available and I can validate the cert using certutil -URL certname.
Any ideas why VPN will not use OCSP?
Richard M. Hicks / August 14, 2018
Not sure. Typically if you can validate with certutil it should work. However, it is possible that the client performs its validation differently. I’d suggest taking a network trace to see specifically what’s going on with the validation process. Hopefully that will yield some clues.
Al / October 16, 2018
Hi, I set up an SSTP server on Windows 2012 R2 with a cert from a Windows CA on a domain. I issued the certificate with subject name and SAN matching the public address. If I use PEAP I am still getting the error “not have server name specified”; if I use MSCHAPv2 then it works. Any ideas?
Richard M. Hicks / October 20, 2018
PEAP will require that the certificate match the internal hostname of the server, not the public name. Typically I’ll use two different certificates, one for PEAP and one for SSL. You might be able to add the server name to the SAN list and make it work, but it’s not something I’ve tried.
Colin / November 20, 2018
To use the certificate on multiple VPN servers is it required to make the private key exportable in the request? I did not upon my initial request so I am trying to do a new request from a second VPN server using your suggestions for SSTP but every time I submit the request it fails saying invalid parameter. I added CN, DNS, ECDSA_P256, Client and Server EKU, and marked the private key as exportable. I attempted this from both the server with the existing certificate and the new VPN server that has no certificate yet. Both fail with an invalid parameter error.
Richard M. Hicks / November 20, 2018
It is possible to use the same certificate on more than one VPN server. If you’ve already successfully made a request on one server, no harm in exporting the certificate and importing on the other server.
Colin / November 20, 2018
But it seems that the private key needs to be marked as exportable in the request prior to getting the initial cert. I cannot import to the other server through IIS because there is no private key and I can’t export the private key on the original server.
I thought to myself, OK, I will just re-request it and mark it as exportable with new CSR but I for some reason cannot make a new request. It always says invalid parameter. I have tried on 3 servers and a client. Same error.
Colin / November 20, 2018
I figured it out. I was selecting the wrong CSP type. Smart Card vs software. DOH!
Colin / November 20, 2018
BTW: You must mark the private key as exportable in your CSR or you cannot import it to another server in IIS.
I’m good to go now.
Richard M. Hicks / November 21, 2018
😀
Chris / January 4, 2019
Hi Richard
Thanks for another great article!
If we use a public certificate with ECC keys and ECDSA_P256 Microsoft Software Key Storage Provider, is it mandatory to have Forward Secrecy and Authenticated Encryption in place or can we use the certificate now and implement Forward Secrecy and Authenticated Encryption at a later date? I do plan on doing both at the same time, just so I know either way 😊
Thanks
Chris
Richard M. Hicks / January 5, 2019
If you use an ECDSA certificate you’ll get both of those by default. 🙂
Daniel / February 20, 2019
Hi,
We have also setup an SSTP tunnel. It connects and works fine, but only when server validation is removed from the SSTP profile (which is deployed via SCCM). We have tried selecting the correct root certificate to validate with, which I assume will be the public SSL provider as we are connecting to an SSTP session? We have tried our internal CA certificate too but that does not work either; turning off server side validation is the only way we can connect.
Any thoughts would be very much appreciated.
Thanks
Danny
Richard M. Hicks / February 23, 2019
I’d have to suspect there’s still some issue with the CRL then if disabling the revocation check makes it work. FYI, this is one of the reasons we recommend using public SSL certificates. 🙂
Patrick Pinto / December 12, 2019
We are currently using IKE for AOVPN. Can we use SSTP as a backup method on the same AOVPN server but for manual connections? Meaning we would have a second VPN connector on the client and if AOVPN didn’t kick in for whatever reason they can still manually connect using SSTP?
Richard M. Hicks / December 15, 2019
Absolutely. 🙂
Simon Cote / April 30, 2020
Hi Richard, I have a wildcard certificate from Comodo installed in the LM store but the RRAS interface does not list it in the drop-down. What could be missing?
Richard M. Hicks / April 30, 2020
Most likely the private key. Make sure you import the certificate and private key (usually a PFX file) and you should see it in the drop-down list.
krisen123 / September 11, 2020
Hello Rich, I am considering getting a GoDaddy SSL certificate to set up SSTP on my Windows 2016 server. If my VPN connection address is SSTP.Mydomain.com, then am I covered if I go for the cheapest option, which only covers 1 domain or subdomain without wildcards? Many thanks, Krisen
Richard M. Hicks / September 15, 2020
Yes, that should work just fine. 🙂
ZW / April 1, 2021
So am I reading this (and other blog posts) correctly that you can make AOVPN work with SSTP and devices that aren’t domain-joined? We are looking into this with our fleet of Intune laptops.
Richard M. Hicks / April 2, 2021
Absolutely. Always On VPN has no requirements to be domain-joined at all. As long as you are using Active Directory user accounts that are synced to Azure AD, you’ll have seamless SSO to on-premises resources. It really is the way to go!
Chris / July 13, 2021
For my understanding. The IPsec configuration settings are not in context with the SSTP certificate. That means even if I have RSA certificates for user and device tunnel in the IPsec configuration* I can still have an ECDSA public cert for SSTP?
*
AuthenticationTransformConstants : GCMAES128
CipherTransformConstants : GCMAES128
CustomPolicy : True
DHGroup : Group14
EncryptionMethod : AES256
IntegrityCheckMethod : SHA256
PFSgroup : ECP256
I just need on the VPN server an internal published cert for IKEv2 with IP security IKE intermediate and Server Authentication and a public one for SSTP with Server Authentication if I use both protocols.
Richard M. Hicks / July 15, 2021
That’s correct. The custom cryptography settings you referenced are for IPsec/IKEv2 only. SSTP uses TLS and that is negotiated separately from IKEv2. So yes, you can use RSA for IKEv2/IPsec, and ECDSA for SSTP (with an ECDSA TLS certificate installed on the VPN server).
Zack / September 16, 2021
Do you happen to know the full HTTPS URL that SSTP clients connect to? (e.g. https://vpn.domain.com/sttpvpn…?)
Richard M. Hicks / September 16, 2021
https://vpn.example.net/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/