Always On VPN SSTP and HSTS

HTTP Strict Transport Security (HSTS) is a feature commonly used by websites to protect against protocol downgrade attacks, where an attacker forces the use of insecure HTTP instead of HTTPS. If successful, the attacker can intercept unencrypted communication between the client and the web server. This is undesirable for obvious reasons. As such, web server administrators implement an HTTP response header named Strict-Transport-Security with some additional settings that instruct the user agent, in this case, a web browser, to only use secure HTTPS when communicating with the web server. Attempts to use HTTP will not work.

VPN and SSTP

As security is always a top concern when building an Always On VPN infrastructure, careful attention must be paid to VPN protocol configuration to ensure optimal security. Secure Socket Tunneling Protocol (SSTP) is a popular VPN protocol for Always On VPN user tunnel connections. SSTP uses Transport Layer Security (TLS) for encryption, so administrators are encouraged to implement recommended security configurations, such as disabling insecure protocols like TLS 1.0 and TLS 1.1 and optimizing TLS cipher suites as described here.

SSTP with HSTS

It would seem that enabling HSTS on a Windows RRAS VPN server would be ideal for improving SSTP security. However, that’s not the case. HSTS prevents protocol downgrade attacks from HTTPS to HTTP, but SSTP already uses HTTPS exclusively, making the use of HSTS irrelevant. If an attacker attempted a protocol downgrade attack on an SSTP VPN connection, it would fail because the service does not support HTTP between the client and the VPN gateway. Additionally, even if it were possible to configure RRAS to send an HSTS response header, it would be ignored by the client because the user agent is not a web browser.

Additional Information

Always On VPN SSTP Security Configuration

Always On VPN SSTP and TLS 1.3

Always On VPN SSTP Certificate Renewal

Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN SSTP Certificate Binding Error

SSL and TLS Training for Always On VPN Administrators

Always On VPN RRAS Internal Interface Non-Operational

Windows 10 Always On VPN Routing Configuration

Always On VPN administrators troubleshooting connectivity issues may find the Internal network interface in the Routing and Remote Access management console (rrasmgmt.msc) administrative status indicates ‘Unknown’. They will also notice the Operational Status shows Non-operational.

Internal Interface

For clarification, the ‘Internal’ network interface in the Routing and Remote Access management console, as shown above, is not a physical network adapter on the server. Instead, it is a virtual network interface used only for incoming VPN connections.

Non-Operational

The Internal virtual network interface will not be created until the VPN server accepts its first VPN connection. Because of this, the Internal interface will have an operational status of non-operational until the first client attempts to connect. When this occurs, RRAS creates the interface, then assigns it the first IP address from the static IPv4 address pool. Alternatively, if DHCP is configured, it will assign the first IP address returned by the DHCP server.

Interface Names

While discussing network interfaces, I typically recommend renaming them in Windows to identify their function, especially when using two NIC configurations. However, be careful not to name the server’s internal network adapter ‘Internal’, as this can be confusing in the future. In my example above, I use the name ‘LAN’ to identify the internal adapter to distinguish it from the server’s ‘Internal’ virtual interface.

Additional Information

Windows Server RRAS Service Does Not Start

Windows Server RRAS Monitoring and Reporting

Microsoft Always On VPN and RRAS in Azure

Microsoft Always On VPN and RRAS with Signle NIC

SSL and TLS Training for Always On VPN Administrators

Understanding Transport Layer Security (TLS) is essential for Always On VPN administrators. TLS (formerly Security Sockets Layer, or SSL) is used not only for Secure Socket Tunneling Protocol (SSTP), the protocol of choice for the Always On VPN user tunnel in most deployments, but many other technologies such as secure websites and email, Remote Desktop Protocol (RDP), secure LDAP (LDAPS), and many more. High-quality, affordable TLS training is challenging to find, however.

UPDATE! This course has been further discounted for a limited time. Details below!

Practical TLS

Thankfully, Ed Harmoush from Practical Networking has a fantastic training course called Practical TLS that meets these requirements. It is the most comprehensive TLS training course I’ve seen and is surprisingly affordable too!

Course Content

The Practical TLS training course includes the following modules.

  • Module 1 – SSL/TLS Overview (free preview!)
  • Module 2 – Cryptography
  • Module 3 – x509 Certificates and Keys
  • Module 4 – Security through Certificates
  • Module 5 – Cipher Suites
  • Module 6 – SSL/TLS Handshake
  • Module 7 – TLS Defenses

TLS 1.3

The Practical TLS training course does not yet include a module on the newest TLS protocol, TLS 1.3. However, it is due out imminently! Ed is working on the content as we speak, and a preview module is included in the course today. Look for the final TLS 1.3 module soon.

Bonus Content

In addition to excellent TLS training, the course includes free OpenSSL training! Administrators working with certificates in non-Microsoft environments are sure to find this helpful. Understanding OpenSSL will benefit administrators working with network and security appliances such as firewalls and load balancers.

Enroll Now

The cost of the Practical TLS training course is regularly $297.00. It is a perpetual license, so you can view the content whenever you like and as often as you wish. You will also have access to future updates, such as the upcoming TLS 1.3 module. In addition, you can save $100.00 on the course by using promotional code RICHARDHICKS when you sign up. Don’t hesitate. Register for Practical TLS training now!

Special Discount

For a limited time, you can use the code PracticalTLS13 to get this entire course for just $49.00! This won’t last long, so register soon!

Additional Information

Practical Networking Blog

Practical TLS Training Course – $100 Off!

OpenSSL Training Course

Microsoft Always On VPN and TLS 1.3

Microsoft Always On VPN SSTP Security Configuration

Microsoft Always On VPN SSTP Certificate Renewal

Microsoft Always On VPN SSTP with Let’s Encrypt Certificates

%d bloggers like this: