Manage Learn to apply best practices and optimize your operations.

How to set up an SSTP VPN to secure your enterprise network

Learn how to set up an SSTP VPN (Secure Socket Tunneling Protocol Virtual Private Network) connection in order to secure the remote users on your enterprise wide area network (WAN). These instructions explain step-by-step what is required to create and configure an SSTP VPN.

Learn how to set up an SSTP VPN connection in order to secure the remote users on your enterprise wide area network...

(WAN). The instructions below explain step by step what is required to create and configure an SSTP VPN.

For many years now, Layer Two Tunneling Protocol (L2TP) has been the tunneling protocol of choice for most Windows-Server-based virtual private networks (VPNs). However, in Windows Server 2008, Microsoft began providing another tunneling protocol option called Secure Socket Tunneling Protocol, or SSTP as it has come to be known.

The basic idea behind the SSTP protocol is that it is based on Secure Sockets Layer (SSL) encryption. Since nearly every firewall allows SSL traffic through Port 443, SSTP isn't as prone to some of the firewall issues experienced with other types of VPNs. (For more background, read this brief history of VPNs.) Furthermore, because the protocol uses SSL, traffic is encrypted and checked for integrity. Other reasons why SSL VPNs are favored over traditional VPNs are described in this article on Web SSL VPN advantages.

Believe it or not, the procedure for setting up an SSTP VPN is pretty simple. The key to making it work is to have all of the necessary elements in place before you begin the configuration process.

Prerequisites before you set up an SSTP VPN

What you first need is a server that can act as the VPN server. This server can run on physical or virtual hardware. Second, the server must be running Windows Server 2008 or Windows Server 2008 R2. Additionally, the server requires at least two network interface cards (NICs). It is technically possible to complete the configuration using a single NIC, but doing so decreases security considerably.

Next, you'll need an SSL certificate for your VPN server. This certificate needs to be properly configured with your VPN server's fully qualified domain name. If your external domain is different than your internal domain, be sure your certificate is based on the external domain name.

Another key to making the certificate work is that it must be trusted by the client computers that will connect to your VPN. Although it is possible to use the Windows Certificate Services to generate a certificate in-house, those certificates are not automatically trusted by the client computers. Therefore, I would advise you to use a certificate from a well-known commercial certificate authority. Otherwise, you'll have to configure each client computer to trust the certificate that you have created in-house. This may not be a problem for company-owned laptops, but if users connect to the VPN from home machines or from public kiosks, then the certificate trust issue will present a problem.

Once you have acquired the necessary certificate, you will have to install it on your server. The method for doing so may differ slightly depending on where you got the certificate. I recommend following the provider's instructions for installing the certificate onto your server.

Configuring the SSTP VPN

As I said earlier, configuring the VPN is pretty simple once you have all of the necessary components in place.

  1. Begin by opening Server Manager on your VPN server, and click the Add Roles link found in the Roles Summary section.
  2. Next, click on the Network Policy and Access Services option.
  3. Click Next twice and you will be prompted to select the role services that you want to use with the Network Policy Server.
  4. Select the Routing and Remote Access Services option and click Next.
  5. You should now see a screen displaying a summary of the options that you have chosen. Assuming that everything looks good, click the Install button.
  6. When the installation process completes, click the Close button.
  7. Now, close the Server Manager and open the Routing and Remote Access console, which you can find on the Administrative Tools menu.
  8. When the console opens, right-click on the listing for your server, and then select the Configure and Enable Routing and Remote Access option from the shortcut menu.
  9. At this point, Windows will launch the Routing and Remote Access Setup wizard. Click Next to bypass the wizard's Welcome screen, and you will see a screen asking what type of configuration you would like to perform.
  10. Choose the Remote Access (dial up or VPN) option, and click Next.
  11. Then choose the VPN option, and click Next.
  12. You will now be prompted to select the network adapter that connects the server to the Internet. After making your selection, click Next.
  13. Depending on how many network adapters are installed in the server, you may now see a screen asking you to select the network adapter that should be used by VPN clients. After making your selection, click Next.
  14. At this point, you should see a screen asking how you want to make IP address assignments to remote clients. Assuming that you have a DHCP server on your network, choose the Automatically option.

    If you do not have a DHCP server, then you can configure the Network Policy Server to act as a DHCP server by selecting the From a Specified Address Range option. After making your selection, click Next.
  15. You should now see a prompt asking if you want to use a RADIUS server for authentication. Make your selection, and click Next, followed by Finish.
  16. Now that you have completed the wizard, you must tell the server how to handle IP address leases for the VPN clients. To do so, navigate through the console tree to [your server] | IPv4 | DHCP Relay Agent. Now, right-click on the DHCP Relay Agent option and select the Properties command from the shortcut menu. Use the resulting properties sheet to enter the address for your DHCP server.

    If you do not have a DHCP server, it is possible to configure the Routing and Remote Access Service to allocate IP addresses as an alternative to using DHCP (if you have not already done so). To do that, right-click on your server name, and select the Properties command from the resulting shortcut menu. When the server's properties sheet appears, go to the IPv4 tab and use the Static Address Pool option to allocate a pool of IP addresses to the VPN.
  17. After you have configured the DHCP server options, you will have to configure the VPN to use the SSTP protocol. To do so, go back to the console tree and right-click on the listing for your server, and choose the Properties command from the shortcut menu.
  18. When Windows displays the server's properties sheet, go to the Security tab, and select the Use HTTP check box. You must also select the appropriate certificate from the Certificate drop-down list.

Final tips on how to set up an SSTP VPN connection

In this article, I have shown you how to create a simple SSTP VPN. Keep in mind, though, that the key to making this SSTP VPN setup work is to configure your certificate correctly. Because certificates can be expensive, you might consider initially setting up an enterprise certificate authority and generating certificates in-house. This gives you a way of verifying the required certificate configuration before you spend money on a commercial certificate.

About the author:
Brien M. PoseyBrien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, TechTarget, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at

This was last published in July 2010

Dig Deeper on Network Security