All posts tagged transport layer security

Always On VPN SSTP Certificate Renewal

Windows Server Routing and Remote Access Service (RRAS) is popular for Always On VPN deployments because it supports the Secure Socket Tunneling Protocol (SSTP). The SSTP VPN protocol is recommended for use with the Always On VPN user tunnel because it is firewall friendly. Installing a TLS certificate on the VPN server is necessary to support SSTP VPN connections. Administrators should use a TLS certificate signed by a public certification authority (CA) for optimal reliability and performance.

Click here to view a video demonstration of the procedures outlined in this article.

Certificate Expiration

Of course, all certificates expire, and the TLS certificate used for SSTP is no exception. When using a public TLS certificate, the certificate lifetime is typically no more than one year, which means Always On VPN administrators will be renewing this certificate regularly.

Certificate Renewal

The process of “renewing” an SSTP TLS certificate is essentially the same as installing a new one, as it is best to create a new public/private key pair when renewing a certificate. The following outlines the steps required to generate a Certificate Signing Request (CSR), import the certificate, then assign the certificate to the SSTP listener on the VPN server.

Note: The guidance provided here assumes using an ECC certificate, which is best for optimal security and performance. More details here.

Certificate Request

Open the local computer certificate store (certlm.msc) on the VPN server and perform the following steps to generate a new CSR.

  1. Expand Certificates – Local Computer > Personal.
  2. Right-click the Certificates folder and choose All Tasks > Advanced Operations > Create Custom Request.
  3. Click Next.
  4. Highlight Proceed without enrollment policy.
  5. Click Next.
    1. Select (No template) CNG key from the Template drop-down list.
    2. Select PKCS #10 in the Request format section.
    3. Click Next.
  6. Click on the down arrow next to Details.
    Always On VPN ECDSA SSL Certificate Request for SSTP
  7. Click on the Properties button.
  8. Select the General tab.
    1. Enter the public hostname for the certificate in the Friendly name field.
  9. Select the Subject tab.
    1. Select Common name from the Type drop-down list in the Subject name section.
    2. Enter the public hostname for the certificate in the Value field.
    3. Click Add.
    4. In the Alternative name section, select DNS from the Type drop-down list.
    5. Enter the public hostname for the certificate in the Value field.
    6. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  10. Select the Extensions tab.
    1. Expand the Extended Key Usage section.
    2. Select Server Authentication from the Available options section.
    3. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  11. Select the Private Key tab.
    1. Expand the Cryptographic Service Provider section.
      1. Uncheck the box next to RSA,Microsoft Software Key Storage Provider.
      2. Check the box next to ECDSA_P256,Microsoft Software Key Storage Provider.
    2. Expand the Key options section.
      1. Check the box next to Make private key exportable.
        Always On VPN ECDSA SSL Certificate Request for SSTP
  12. Click Ok.
  13. Click Next.
  14. Enter a name for the file in the File Name field.
  15. Select Base 64 in the File format section.
  16. Click Finish.

Import Certificate

Once complete, submit the file created to a public CA for signing. When the CA returns the signed certificate, perform the following steps to import it to the local compute certificate store.

  1. Right-click the Certificates folder and choose All Tasks > Import.
  2. Click Next.
  3. Enter the name of the certificate file returned by the public CA in the File name field.
  4. Click Next.
  5. Select Place all certificates in the following store and ensure that Personal is listed in the Certificate store field.
  6. Click Next.
  7. Click Finish.
  8. Click Ok.

Assign Certificate

After importing the new TLS certificate in the local computer’s certificate store, open the Routing and Remote Access management console (rrasmgmt.msc) and perform the following steps to assign the TLS certificate to the SSTP listener.

  1. Right-click the VPN server and choose Properties.
  2. Select the Security tab.
    1. Select the new TLS certificate from the Certificate drop-down list in the SSL Certificate Binding section. When replacing an existing certificate, you may see a certificate with the same name more than once. Click the View button and ensure the new certificate is selected.
    2. Click Ok.
    3. Click Yes to restart the RemoteAccess service.

Demonstration Video

A recorded video demonstration of this process can be found here. The video recording also includes guidance for making these changes on Windows Server Core servers.

Additional Information

Installing or Renewing an SSL/TLS Certificate on Windows Server for Always On VPN and SSTP.

Microsoft Windows Always On VPN SSTP Security Configuration

Microsoft Windows Always On VPN SSL Certificate Requirements for SSTP

Microsoft Windows Always On VPN ECDSA TLS Certificate Request for SSTP

Microsoft Windows Always On VPN SSTP with Let’s Encrypt Certificates

6 Comments
by Richard M. Hicks on February 10, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, Elliptic Curve Cryptography, Encryption, Enterprise, enterprise mobility, Mobility, Operational Support, PKI, PowerShell, public key infrastructure, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSL, SSL and TLS, SSTP, TLS, Transport Layer Security, user tunnel, video, VPN, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 10, 2022

https://directaccess.richardhicks.com/2022/02/10/always-on-vpn-sstp-certificate-renewal/

Always On VPN IKEv2 Features and Limitations

Always On VPN IKEv2 Features and LimitationsThe Internet Key Exchange version 2 (IKEv2) VPN protocol is a popular choice for Windows 10 Always On VPN deployments. IKEv2 is a standards-based IPsec VPN protocol with customizable security parameters that allows administrators to provide the highest level of protection for remote clients. In addition, it provides important interoperability with a variety of VPN devices, including Microsoft Windows Server Routing and Remote Access Service (RRAS) and non-Microsoft platforms such as Cisco, Checkpoint, Palo Alto, and others.

IKEv2 Limitations

IKEv2 is clearly the protocol of choice in terms of security. It supports modern cryptography and is highly resistant to interception. It’s not without some operational challenges, however. Consider the following.

Firewalls

IKEv2 uses UDP ports 500 and 4500 for communication. Unfortunately, these ports are not always open. Often, they are blocked by network administrators to prevent users from bypassing security controls or attackers from exfiltrating data.

Fragmentation

IKEv2 packets can become quite large at times, especially when using client certificate authentication with the Protected Extensible Authentication Protocol (PEAP). This can result in fragmentation occurring at the network layer. Unfortunately, many firewalls and network devices are configured to block IP fragments by default. This can result in failed connection attempts from some locations but not others.

Load Balancing

Load balancing IKEv2 connections is not entirely straightforward. Without special configuration, load balancers can cause intermittent connectivity issues for Always On VPN connections. Guidance for configuring IKEv2 load balancing on the Kemp LoadMaster and the F5 BIG-IP can be found here:

IKEv2 Fragmentation

IKEv2 fragmentation can be enabled to avoid IP fragmentation and restore reliable connectivity. IKEv2 fragmentation is supported in Windows 10 and Windows Server beginning with v1803. Guidance for enabling IKEv2 fragmentation on Windows Server RRAS can be found here. Support for IKEv2 fragmentation on non-Microsoft firewall/VPN devices is vendor-specific. Consult with your device manufacturer for more information.

IKEv2 Security and RRAS

Be advised that the default security settings for IKEv2 on Windows Server RRAS are very poor. The minimum recommended security settings and guidelines for implementing them can be found here.

IKEv2 or TLS?

IKEv2 is recommend for deployments where the highest level of security and protection is required for remote connections. In these scenarios, the sacrifice of ubiquitous availability in favor of ultimate security might be desired.

SSTP or another TLS-based VPN protocol is recommended if reliable operation and connectivity are desired. SSTP and TLS VPNs can be configured to provide very good security by following the security and implementation guidelines found here.

IKEv2 with TLS Fallback

In theory, preferring IKEv2 and falling back to the Secure Socket Tunneling Protocol (SSTP) or another TLS-based VPN protocol when IKEv2 is unavailable would seem like a logical choice. This would ensure the highest level of protection, while still providing reliable connectivity. Unfortunately, the Windows VPN client doesn’t work this way in practice. Details here.

Additional Information

Windows 10 Always On VPN IKEv2 Load Balancing with F5 BIG-IP

Windows 10 Always On VPN IKEv2 Load Balancing with Kemp LoadMaster

Windows 10 Always On VPN IKEv2 Fragmentation

Windows 10 Always On VPN IKEv2 and SSTP Fallback

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN Certificate Requirements for IKEv2

Windows 10 Always On VPN Protocol Recommendations for Windows Server RRAS

35 Comments
by Richard M. Hicks on April 15, 2019  •  Permalink
Posted in Always On VPN, AOVPN, application delivery controller, BIG-IP, certificates, Enterprise, enterprise mobility, F5, IKEv2, Kemp, Load Balancing, LoadMaster, local traffic manager, LTM, Mobility, Remote Access, routing and remote access service, RRAS, Security, SSL, SSL and TLS, SSTP, TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 15, 2019

https://directaccess.richardhicks.com/2019/04/15/always-on-vpn-ikev2-features-and-limitations/

Always On VPN SSL Certificate Requirements for SSTP

Always On VPN Certificate Requirements for SSTPThe Windows Server 2016 Routing and Remote Access Service (RRAS) is commonly deployed as a VPN server for Windows 10 Always On VPN deployments. Using RRAS, Always On VPN administrators can take advantage of Microsoft’s proprietary Secure Socket Tunneling Protocol (SSTP) VPN protocol. SSTP is a Transport Layer Security (TLS) based VPN protocol that uses HTTPS over the standard TCP port 443 to encapsulate and encrypt communication between the Always On VPN client and the RRAS VPN server. SSTP is a firewall-friendly protocol that ensures ubiquitous remote network connectivity. Although IKEv2 is the protocol of choice when the highest level of security is required for VPN connections, SSTP can still provide very good security when implementation best practices are followed.

SSTP Certificate

Since SSTP uses HTTPS for transport, a common SSL certificate must be installed in the Local Computer/Personal/Certificates store on the RRAS VPN server. The certificate must include the Server Authentication Enhanced Key Usage (EKU) at a minimum. Often SSL certificates include both the Server Authentication and Client Authentication EKUs, but the Client Authentication EKU is not strictly required. The subject name on the certificate, or at least one of the Subject Alternative Name entries, must match the public hostname used by VPN clients to connect to the VPN server. Multi-SAN (sometimes referred to as UC certificates) and wildcard certificates are supported.

Always On VPN Certificate Requirements for SSTP

Certification Authority

It is recommended that the SSL certificate used for SSTP be issued by a public Certification Authority (CA). Public CAs typically have their Certificate Revocation Lists (CRLs) hosted on robust, highly available infrastructure. This reduces the chance of failed VPN connection attempts caused by the CRL being offline or unreachable.

Using an SSL certificate issued by an internal, private CA is supported if the CRL for the internal PKI is publicly available.

Key Type

RSA is the most common key type used for SSL certificates. However, Elliptic Curve Cryptography (ECC) keys offer better security and performance, so it is recommended that the SSTP SSL certificate be created using an ECC key instead.

Always On VPN Certificate Requirements for SSTP

To use an ECC key, be sure to specify the use of a Cryptographic Next Generation (CNG) key and select the ECDSA_P256 Microsoft Software Key Storage Provider (CSP) (or greater) when creating the Certificate Signing Request (CSR) for the SSTP SSL certificate.

Always On VPN Certificate Requirements for SSTP

Most public CAs will support certificate signing using ECC and Elliptic Curve Digital Signature Algorithm (ECDSA). If yours does not, find a better CA. 😉

Forward Secrecy

Forward secrecy (sometimes referred to as perfect forward secrecy, or PFS) ensures that session keys can’t be compromised even if the server’s private key is compromised. Using forward secrecy for SSTP is crucial to ensuring the highest levels of security for VPN connections.

To enforce the use of forward secrecy, the TLS configuration on the VPN server should be prioritized to prefer cipher suites with Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.

Authenticated Encryption

Authenticated encryption (AE) and authenticated encryption with associated data (AEAD) is a form of encryption that provides better data protection and integrity compared to older block or stream ciphers such as CBC or RC4.

To enforce the use of authenticated encryption, the TLS configuration on the VPN server should be prioritized to prefer cipher suites that support Galois/Counter Mode (GCM) block ciphers.

Important Note: In Windows Server 2016, GCM ciphers can be used with both RSA and ECC certificates. However, in Windows Server 2012 R2 GCM ciphers can only be used when an ECC certificate is used.

SSL Offload

Offloading SSL to a load balancer or application delivery controller (ADC) can be enabled to improve scalability and performance for SSTP VPN connections. I will cover SSL offload for SSTP in detail in a future post.

Summary

SSTP can provide good security for VPN connections when implementation and security best practices are followed. For optimum security, use an SSL certificate with an EC key and optimize the TLS configuration to use forward secrecy and authenticated cipher suites.

Additional Information

Always On VPN ECDSA SSL Certificate Request for SSTP

Always On VPN and Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN Certificate Requirements for IKEv2

3 Important Advantages of Always On VPN over DirectAccess

Microsoft SSTP Specification on MSDN

36 Comments
by Richard M. Hicks on July 16, 2018  •  Permalink
Posted in Always On VPN, AOVPN, application delivery controller, certificates, ECC, Elliptic Curve Cryptography, encapsulation, Encryption, Enterprise, enterprise mobility, Load Balancing, Mobility, public key infrastructure, Remote Access, Security, SSL, SSL and TLS, TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 16, 2018

https://directaccess.richardhicks.com/2018/07/16/always-on-vpn-ssl-certificate-requirements-for-sstp/

« Older Posts
Newer Posts »