Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to configure a Secure Socket Tunneling Protocol (SSTP)-based VPN server behind a NAT device in Windows Server 2008


View products that this article applies to.

Introduction

This article describes how to configure a Secure Socket Tunneling Protocol (SSTP)-based VPN server behind a network address translation (NAT) device in Windows Server 2008.

SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and Remote Access Server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol (PPP) packets to be encapsulated over HTTP. This allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this allows for a VPN connection to be established through an HTTP proxy device.

The information is this article is more likely to apply to a small-sized or medium-sized organization. For these kinds of organizations, it is common to have one public IP address that is assigned to the external interface of a NAT router or of a gateway device. This article describes the following scenario:
  • You have a Windows Server 2008-based Secure Socket Tunneling Protocol (SSTP)-based VPN server.
  • The server is assigned a private IP address.
  • The server is located on an internal network behind a NAT device.

↑ Back to the top


More information

Overview

The information in this article relates to the following networking configuration example:
  • A NAT device has the following IP address assignments:
    • The following public routable IP address is assigned to the external interface: 1.2.3.4
    • The following private non-routable IP address is assigned to the internal interface: 192.168.0.1
  • On a DNS server that can be accessed externally, the public IP address 1.2.3.4 is mapped to the following fully qualified domain name (FQDN): vpn-1.contoso.com.
  • A Windows Server 2008-based Routing and Remote Access server has the following IP address assignments:
    • IP address: 192.168.0.2
    • Subnet mask: 255.255.255.0
    • Default gateway: 192.168.0.1

Configuration information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To configure a SSTP-based VPN server in the scenario that is described in the "Overview" section, follow these steps:
  1. Configure the NAT device to redirect SSTP traffic from the external network to the Windows Server 2008-based computer that will act as the SSTP-based VPN server. Specifically, redirect incoming traffic as follows:
    • Source IP address: 1.2.3.4 (the external interface)
    • Source port: TCP 443
    • Destination IP address: 192.168.0.2 (the IP address of the Routing and Remote Access server)
    • Destination port: TCP 443
    Note By default, the SSTP-based VPN server listens on TCP port 443. However, you can change this to another port, as appropriate for your requirements. For more information about how to do this, see step 5.
  2. Install a computer certificate on the Windows Server 2008-based computer. This certificate must have a subject name (CN) that is the same as the host name to which the VPN clients connect. This is required for SSL negotiation to succeed.

    For example:
    • If a VPN client is configured to connect to the public IP address of the NAT device (1.2.3.4), the subject name of the certificate must be 1.2.3.4.
    • If a VPN client is configured to connect to the FQDN (vpn-1.contoso.com) that can be accessed publicly, the subject name of the certificate must be vpn-1.contoso.com.
  3. Use the Server Manager tool to install the Network Policy and Access Services role together with the Routing and Remote Access Services role service on the Windows Server 2008-based computer.
  4. After the Routing and Remote Access Services role service is installed, configure the Routing and Remote Access service by using the Routing and Remote Access Services Wizard.
  5. If you want to configure the SSTP-based VPN server to listen on a port other than TCP port 443, follow these steps:
    1. Start Registry Editor, and then locate the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters\
    2. In the details pane, right-click ListenerPort, and then click Modify.
    3. Click Decimal, type an alternative port number such as 5000, and then click OK.
    4. Exit Registry Editor, and then restart the Routing and Remote Access service.
    Note If you change the ListenerPort value, you must configure the NAT device to forward TCP port 443 traffic to the new port number that you configured. For example, you must configure the NAT device to forward incoming traffic on TCP port 443 to TCP port 5000 on the SSTP-based VPN server.

↑ Back to the top


References

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
947031 How to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection failures in Windows Server 2008

↑ Back to the top


Keywords: KB947032, kbinfo, kbhowto, kbexpertisebeginner

↑ Back to the top

Article Info
Article ID : 947032
Revision : 5
Created on : 1/19/2008
Published on : 1/19/2008
Exists online : False
Views : 552