How to restrict SSTP connections to a specific IP address in Windows Server 2008

Secure Socket Tunneling Protocol (SSTP) is a new kind of virtual private network (VPN) tunnel that is available in the Routing and Remote Access Services role in Windows Server 2008. SSTP is also available for use in Windows Vista Service Pack 1 (SP1). SSTP uses the HTTPS protocol over Transmission Control Protocol (TCP) port 443 to pass traffic through firewalls and Web proxies that might block Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP)/IPsec traffic. SSTP allows for Point-to-Point Protocol (PPP) packets to be encapsulated over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. This allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this allows for a VPN connection to be established through an HTTP proxy device. SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol.

By default, SSTP is configured to listen on all interfaces. For example, SSTP is configured to listen on 0.0.0.0 for IPv4 or ::/0 for IPv6. By default, Routing and Remote Access Services allows for VPN connections to travel over all IPv4 and IPv6 addresses that are available on the computer. Also, Routing and Remote Access Services always sets the computer certificate, also known as the machine certificate, to Http.sys. Http.sys is the HTTPS listener component on a Windows Server 2008-based computer that is running Routing and Remote Access Services together with 0.0.0.0:PortNum and [::]:PortNum.

This article describes how an administrator can block SSTP connections from specific IPv4 or IPv6 IP addresses or from specific interfaces.

To block SSTP connections from specific IPv4 or IPv6 IP addresses or from specific interfaces, use one of the following methods.

Method 1: Configure the appropriate packet filter

1. Start the Routing and Remote Access MMC snap-in. To do this, click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Expand IPV4, and then click General. The list of available interfaces appears.
3. Double-click the interface to which VPN clients connect.
4. Click Inbound Filters.
5. Click New, and then click to select the Destination network check box.
6. In the IP address box, type the destination IP address.
7. In the Subnet mask box, type the destination subnet mask.
8. In the Protocol list, click TCP.
9. In the Source port box, type 443. Or, type the SSTP port number if it differs from 443.
10. In the Destination port box, type 443. Or, type the SSTP port number if it differs from 443.

Method 2: Configure the certificate for a specific IP address:port for the HTTP listener

Note To run the following commands, you must open the command prompt by using elevated permissions. To do this, click Start, right-click Command Prompt, and then click Run as administrator.

1. Delete the certificate from Http.sys. To do this, type the following commands at the command prompt, where 443 is the SSTP port number:
   netsh http delete sslcert ipport=0.0.0.0:443
   netsh http delete sslcert ipport=[::]:443
2. Add the new certificate to Http.sys. To do this, type the following commands at the command prompt:
   netsh http add sslcert ipport=IPv4 address for the HTTP listener:443 certhash= xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
   netsh http add sslcert ipport=IPv6 address for the HTTP listener:443 certhash= xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
   
   Note In these commands, xxx is a placeholder for the SHA1 certificate hash of the new certificate.
3. At the command prompt, type the following command, and then press ENTER to configure the Sha256CertificateHash registry subkey value for the SSTP service:
   reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA256CertificateHash /t REG_BINARY /d Sha256 hash value for the IIS Web server certificate /f
   
   Note If you cannot locate the SHA256 certificate hash of the computer certificate, complete steps a through e to configure a value for the Sha256CertificateHash registry subkey.
   1. Restart the Routing and Remote Access service.
   2. Configure any 32-byte binary value as a temporary value for the Sha256CertificateHash registry key at the registry location that is mentioned in step 3. This registry key has to be of type REG_BINARY.
   3. On a different computer, create a VPN connection that is SSTP-based where the VPN destination is the host name of the Routing and Remote Access Server.
   4. Connect to the VPN connection. The connection will fail. Open Event Viewer on the client computer, and then locate the following event:

      Cryptographic binding failed for the client connection. The reason is client and the server have mismatched certificate hashes configured. SHA1 Certificate Hash: HashValue SHA256 Certificate Hash: HashValue

      `
   5. Note the value of SHA256 certificate hash in the event on the client computer, and then use this value for the Sha256CertificateHash registry key on the Routing and Remote Access server.
4. Restart the Routing and Remote Access server. Http.sys is now set to listen on a particular IP address:port. HTTPS connections are dropped from other IP address:ports.