Always On VPN SSTP and 47-Day TLS Certificates

The Secure Socket Tunneling Protocol (SSTP) VPN protocol uses Transport Layer Security (TLS) encryption and HTTP transport over TCP port 443. SSTP is easy to configure and firewall-friendly, making it an excellent choice for the Always On VPN user tunnel. Security best practices dictate using a TLS certificate issued by a public Certification Authority (CA). Today, the maximum lifetime of a public TLS certificate is 398 days (approximately 1 year). Always On VPN administrators using SSTP are familiar with the process of renewing their SSTP certificate annually. However, that’s about to change.

47 Days

In April of this year, the CA/Browser Forum, a voluntary consortium of public CAs, browser vendors, and other industry stakeholders that develop and promote security standards and best practices for digital certificates and Public Key Infrastructure (PKI), adopted a measure reducing the current maximum lifetime of public TLS certificates to 47 days. This means Always On VPN administrators using public TLS certificates must eventually update their TLS certificates monthly.

Automation

Of course, no administrator in their right mind would want to renew SSTP certificates every month. Automating this process will be crucial to ensuring reliability and reducing management overhead. I’ll provide more details later in this post.

Why Is This Happening?

The industry has been trending toward shorter certificate lifetimes for a while now. In the old days, you could purchase a certificate valid for 5 years or more. Today, a one-year certificate is all you can get. Let’s Encrypt, a public CA that issues certificates for free, issues only 90-day lifetime certificates.

Advantages

The advantage of using short-lived certificates for public TLS certificates is that they improve security and provide agility for future changes. Public TLS certificates become less secure and trustworthy over time. The longer a certificate is valid, the less trustworthy it becomes and the longer the opportunity for an attacker to leverage a certificate for which the private key has been compromised.

Why 47 Days?

A 47-day maximum certificate lifetime allows administrators to rotate their certificates monthly (a maximum of 31 days plus some margin to resolve issues).

Not So Fast

The good news for Always On VPN administrators using SSTP with public TLS certificates is that they won’t have to worry about this immediately. The reduction in maximum certificate lifetime to 47 days takes place gradually over a few years.

  • Today, the maximum public TLS certificate lifetime is 398 days
  • On March 15, 2026, the maximum public TLS certificate lifetime will be reduced to 200 days
  • On March 15, 2027, the maximum public TLS certificate lifetime will be reduced to 100 days
  • On March 15, 2029, the maximum public TLS certificate lifetime will be reduced to 47 days

Let’s Encrypt

Over the years, I’ve deployed Always On VPN with SSTP for several customers using Let’s Encrypt TLS certificates. Let’s Encrypt is a pubic CA that issues certificates with a maximum lifetime of 90 days, so automating this task is essential. Let’s Encrypt supports ACME, a standard protocol for automating the issuance and renewal of TLS certificates, which makes automating TLS certificate installation and renewal a breeze.

Sample Script

I’ve published a sample PowerShell script demonstrating how to automate the enrollment process for Let’s Encrypt TLS certificates. It leverages the Posh-ACME PowerShell module and my AOVPNTools module to enroll and automatically install a TLS certificate for SSTP. This script will also work for DirectAccess. You can find the sample script here.

Note: My sample script demonstrates using the Cloudflare DNS plugin for Posh-ACME. Posh-ACME has plugins for many public DNS providers, which can be found here. Feel free to customize my script to meet your specific needs.

Act Now

Always On VPN administrators are advised to consider solutions to automate TLS certificate enrollment and renewal as soon as possible. If your public CA of choice doesn’t support some form of certificate automation like ACME, it’s time to find another provider.

Summary

Starting in March 2026, the maximum lifetime for public TLS certificates will be reduced gradually, reaching just 47 days by March 2029. Automation will no longer be optional for Always On VPN administrators using SSTP—it will be essential. Tools like the Posh-ACME PowerShell module provide a reliable solution to streamline certificate management and ensure uninterrupted connectivity. Now is the time to prepare for this industry shift by implementing automated certificate renewal solutions. If you’d like professional assistance with this task or simply want to learn more about your options, drop me a note via the contact page, and I’ll respond with more information.

Additional Information

TLS Certificate Lifetimes Will Officially Reduce to 47 Days – DigiCert

Posh-ACME PowerShell Module

Posh-ACME Documentation

Always On VPN Tools (AOVPNTools) PowerShell Module

Always On VPN Load Balancing with Loadbalancer.org

Recently, I had the opportunity to deploy the Loadbalancer.org load balancer as part of an enterprise Always On VPN deployment. In the past, I’ve published guidance for using F5 BIG-IP, Citrix ADC (formerly NetScaler), and Kemp LoadMaster, so in this post, I’ll provide guidance for configuring Loadbalancer.org for Always On VPN.

IKEv2

Open the Loadbalancer.org management console and follow the steps below to configure Always On VPN load balancing on the appliance.

Create Virtual Service

Create a layer 4 virtual service for IKEv2.

  1. Click Cluster Configuration.
  2. Click Layer 4 – Virtual Services.
  3. Click Add a new Virtual Service.
  4. Enter a descriptive name for the virtual service in the Label field.
  5. Enter the virtual IP address (VIP) for the service in the IP Address field.
  6. Enter 500,4500 in the Ports field.
  7. Select UDP from the Protocol drop-down list.
  8. Select NAT from the Forwarding Method drop-down list.
  9. Click Update.

Add Real Servers

Add real servers to the virtual service.

  1. Click Layer 4 – Real Servers.
  2. Click Add a new Real Server next to the IKEv2 virtual service.
  3. Enter a descriptive name for the real server in the Label field.
  4. Enter the IP address of the real server in the Real Server IP Address field.
  5. Click Update.
  6. Repeat these steps for each additional VPN server in the cluster.

SSTP

Follow the steps below to configure SSTP load balancing on the appliance.

Create Virtual Service

Create a layer 4 virtual service for SSTP.

  1. Click Cluster Configuration.
  2. Click Layer 4 – Virtual Services.
  3. Click Add a new Virtual Service.
  4. Enter a descriptive name for the virtual service in the Label field.
  5. Enter the virtual IP address (VIP) for the service in the IP Address field.
  6. Enter 443 in the Ports field.
  7. Select TCP from the Protocol drop-down list.
  8. Select NAT from the Forwarding Method drop-down list.
  9. Click Update.

Configure Virtual Service Health Check

Update the health check method for the SSTP virtual service.

  1. Click Layer 4 – Virtual Services.
  2. Click Modify on the SSTP virtual service.
  3. Select Negotiate from the Check Type drop-down list in the Health Checks section.
  4. Enter 443 in the Check Port field.
  5. Select HTTPS from the Protocol drop-down list.
  6. Enter /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ in the Request to send field.
  7. Enter 401 in the Response expected field.
  8. Click Update.

Note: Using the Negotiate health check type for the SSTP monitor on Loadbalancer.org appliances requires version 8.13.0 or later. Administrators can use the External script option when using earlier releases of Loadbalancer.org appliances. An SSTP health check script for Loadbalancer.org can be found here.

Add Real Servers

Add real servers to the virtual service.

  1. Click Layer 4 – Real Servers.
  2. Click Add a new Real Server next to the SSTP virtual service.
  3. Enter a descriptive name for the real server in the Label field.
  4. Enter the IP address of the real server in the Real Server IP Address field.
  5. Click Update.
  6. Repeat these steps for each additional VPN server in the cluster.

Review

Once complete, click System Overview to view the overall health of your VPN servers.

Summary

The Loadbalancer.org appliance is an efficient, cost-effective, and easy-to-configure load-balancing solution that works well with Always On VPN implementations. It’s available as a physical or virtual appliance. There’s also a cloud-based version. It also includes advanced features such as TLS offload, web application firewall (WAF), global server load balancing (GSLB), and more. If you are looking for a layer 4-7 load balancer for Always On VPN and other workloads, be sure to check them out.

Additional Information

Loadbalancer.org Virtual Appliance

SSTP Health Check Script for Loadbalancer.org

Always On VPN Discord Channel

I’m excited to announce the launch of a brand-new Discord channel dedicated to administrators working with Always On VPN! Whether you’re a seasoned pro or just getting started, this community is designed to be your go-to hub for collaboration, troubleshooting, and staying up to date on all things Always On VPN. The channel was established by my good friend Leo D’Arcy, the creator of the popular Always On VPN Dynamic Profile Generator (DPC) software.

Why Discord?

Always On VPN is a powerful solution for secure, seamless remote connectivity, but managing it comes with its own set of challenges. From configuration quirks to deployment strategies, administrators often need a space to share insights, ask questions, and learn from one another in real time. That’s where our new Discord channel comes in.

Community Forum

Discord offers a dynamic, user-friendly platform for instant communication and community building. Unlike forums or email threads, it’s a place where you can start a conversation, jump into live discussions, share resources, ask questions, share important insights or experiences, and much more.

Channels

Today, the Always On VPN Discord channel is part of the Microsoft Remote Access User Group Discord Server. It consists of multiple channels divided into the following topics.

General – This is a great place to introduce yourself and say hello to everyone!

DPC-Development – Here, you can ask questions about DPC, provide feedback, and suggest new features and functionality.

DPC-Chat – This channel is for administrators to discuss all things DPC, including deployment strategies, operation, support, and more.

Aovpn-Chat – If you’ve deployed Always On VPN but aren’t using DPC, this is your channel! Although DPC is fantastic, not everyone is using it. In this channel, you can submit questions and share general information about Always On VPN.

Gsa-Chat – We’ve also included a Microsoft Entra Global Secure Access channel for the new Microsoft Security Service Edge (SSE) solution, which includes Entra Private Access. This channel is pretty quiet right now. Hopefully, it will grow in the future!

DirectAccess-Chat – Yes, we realize some of you are still running DirectAccess, so there’s also a channel for you! Feel free to drop in and ask questions here, hopefully about migrating soon. 😉

Who Is This For?

This channel is open to anyone managing Microsoft secure remote access products. Whether you’re an IT administrator in a small business, an enterprise network engineer, or a consultant helping clients stay connected. If you’re working with Microsoft remote access technologies, this is the place to be!

Why Not Reddit?

Funny story: I tried to create an Always On VPN subreddit a few years ago. It lasted one day before it was banned! No reason was given, and I couldn’t get anyone from Reddit to respond. I answer questions ad hoc on Reddit all the time, but there’s no dedicated space for Always On VPN or Microsoft remote access in general.

How To Join

Joining our Discord channel is easy.

  1. Click this link.
  2. Set up your Discord account if you don’t already have one. It’s free and only takes a minute!
  3. Optionally, you can download the Discord app here.
  4. Say hello and introduce yourself in the #general channel.
  5. Explore the other channels, ask questions, give feedback, and share your expertise!

See You There!

Leo and I, along with many other experienced Always On VPN administrators, are on the forums daily. We encourage you to share your expertise, ask questions, and help others along the way. The more we contribute, the stronger this resource becomes for everyone. Join us today!

Additional Information

Always On VPN Discord Channel

Always On VPN Dynamic Profile Configurator (DPC)

DPC on GitHub