Registry entries for Secure Socket Tunneling Protocol
Note: Secure Socket Tunneling Protocol (SSTP) is a new VPN tunneling protocol that was introduced in Windows Server 2008.
ListenerPort
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: ListenerPort
Data type: REG_DWORD
Default value: 0
You can use the ListenerPort registry entry to change the server-side TCP port on which the SSTP server listens. You can set this value to any valid 16-bit port number. If the value is set to 0, the SSTP server listens on the default port number, which depends on the value of the UseHTTPS registry entry: if UseHTTPS is set to 1, the default listener port is 443; if UseHTTPS is set to 0, the default listener port is 80. The ListenerPort registry entry is typically useful in configurations where the VPN server is behind a Network Address Translation (NAT) router or behind a reverse proxy. Notice that SSTP clients always connect to TCP port 443. This behavior cannot be configured from the clients.
UseHTTPS
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: UseHTTPS
Data type: REG_DWORD
Default value: 1
You can use the UseHTTPS registry entry to specify whether the SSTP server should listen on the HTTPS port or on the HTTP port. The SSTP server listens on the HTTP port if the value is set to 0. If the value is set to 1, the SSTP server listens on the HTTPS port. This registry entry is typically helpful in load-balancing scenarios. For example, a reverse Web proxy or an SSL load balancer may be configured to receive an HTTPS connection and open an HTTP connection to a remote access server.
NoCertRevocationCheck
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: NoCertRevocationCheck
Data type: REG_DWORD
You can use this registry entry to enable or to disable the SSL certificate revocation check that the VPN client performs during the SSL negotiation phase. The certificate revocation check is performed if the value is set to 0. If the value is set to 1, the certificate revocation check is skipped. Notice that you should set this value to 1 only for debugging. Do not set this value to 1 in your production environment. By default, the certificate revocation check is performed.
Sha256Enabled
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: Sha256Enabled
Data type: REG_DWORD
You can use the Sha256Enabled registry entry to enable SHA256 support for SSTP crypto binding. If this value is set to 1, SHA256 is enabled. In this case, the Sha256CertificateHash registry entry should contain an appropriate certificate hash. By default, Windows Vista clients support only SHA256. You may want to enable SHA1 on the server side if SSTP is supported on clients that do not support SHA256. If both SHA1 and SHA256 are enabled, SSTP will use the stronger crypto algorithm. By default, this registry setting is enabled.
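As an added example (not part of the original article), the following PowerShell reads the Sstpsvc entries described above and reports the port on which the SSTP server actually listens, together with any settings that deviate from the documented defaults. It assumes administrative rights on a server where Routing and Remote Access is installed; entries that are absent from the registry are treated as their documented defaults (for NoCertRevocationCheck, which lists no default value, the statement that the check is performed by default is taken to mean 0).

```powershell
# Added example (not from the original article): interpret the Sstpsvc parameters
# ListenerPort, UseHTTPS, NoCertRevocationCheck, Sha256Enabled and Sha1Enabled.
# Missing entries are treated as their documented defaults.

$SstpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sstpsvc\Parameters'

function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default)
    # Returns the REG_DWORD value, or $Default when the entry does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-SstpListenerConfig {
    param([string]$Path = $SstpParams)

    $useHttps   = Get-RegDword $Path 'UseHTTPS'              1   # default 1 (HTTPS)
    $listener   = Get-RegDword $Path 'ListenerPort'          0   # 0 = use the scheme default
    $noRevCheck = Get-RegDword $Path 'NoCertRevocationCheck' 0   # default: check performed
    $sha256     = Get-RegDword $Path 'Sha256Enabled'         1   # default enabled
    $sha1       = Get-RegDword $Path 'Sha1Enabled'           0   # default disabled

    # ListenerPort 0 means "use the default for the scheme": 443 for HTTPS, 80 for HTTP.
    $port = if ($listener -ne 0) { $listener } elseif ($useHttps -eq 1) { 443 } else { 80 }

    $findings = @()
    if ($listener -lt 0 -or $listener -gt 65535) {
        $findings += "ListenerPort $listener is not a valid 16-bit port number."
    }
    if ($useHttps -eq 0) {
        $findings += 'UseHTTPS=0: the server accepts plain HTTP; only appropriate behind an SSL load balancer or reverse proxy that terminates HTTPS.'
    }
    if ($port -ne 443) {
        $findings += "Effective port $port differs from 443; clients always connect to TCP 443, so a NAT router or reverse proxy must map it."
    }
    if ($noRevCheck -eq 1) {
        $findings += 'NoCertRevocationCheck=1: certificate revocation is skipped (debug-only setting).'
    }
    if ($sha1 -eq 1 -and $sha256 -eq 0) {
        $findings += 'Only SHA1 crypto binding is enabled; SHA256 is disabled.'
    }
    if ($sha1 -eq 0 -and $sha256 -eq 0) {
        $findings += 'Neither SHA1 nor SHA256 crypto binding is enabled.'
    }

    [pscustomobject]@{
        Scheme            = if ($useHttps -eq 1) { 'https' } else { 'http' }
        EffectivePort     = $port
        ListenerPort      = $listener
        RevocationChecked = ($noRevCheck -eq 0)
        Sha256Enabled     = ($sha256 -eq 1)
        Sha1Enabled       = ($sha1 -eq 1)
        Findings          = $findings
    }
}

Get-SstpListenerConfig | Format-List
```

An empty Findings list means the server is on the documented defaults: HTTPS on port 443, revocation checked, SHA256 binding only. When Sha1Enabled and Sha256Enabled are both 1 no finding is raised, because the text states that SSTP then uses the stronger algorithm.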
Sha256CertificateHash
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: Sha256CertificateHash
Data type: REG_BINARY
The Sha256CertificateHash registry entry contains a certificate hash that is computed by using SHA256. If the UseHTTPS registry entry is set to 1, Routing and Remote Access automatically populates the certificate hash the first time that Routing and Remote Access starts. To do this, Routing and Remote Access finds a computer certificate in the certificate store, and then writes the hash to the Sha256CertificateHash registry entry.
Sha1Enabled
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: Sha1Enabled
Data type: REG_DWORD
You can use the Sha1Enabled registry entry to enable SHA1 support for SSTP crypto binding. If this value is set to 1, SHA1 is enabled. In this case, the Sha1CertificateHash registry entry will contain an appropriate certificate hash. By default, Windows Vista clients support only SHA256. You may have to enable SHA1 on the server side if SSTP is supported on clients that do not support SHA256. If both SHA1 and SHA256 are enabled, SSTP will use the stronger crypto algorithm. By default, this registry setting is disabled.
Sha1CertificateHash
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: Sha1CertificateHash
Data type: REG_BINARY
The Sha1CertificateHash registry entry contains a certificate hash that is computed by using SHA1. If the UseHTTPS registry entry is set to 1, Routing and Remote Access automatically populates the certificate hash the first time that Routing and Remote Access starts. To do this, Routing and Remote Access finds a computer certificate in the certificate store, and then writes the hash to the Sha1CertificateHash registry entry. However, if the UseHTTPS registry entry is set to 0, you must manually deploy the certificate hashes to make sure that the VPN server and the SSL load balancer trust one another.
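To check that the hashes Routing and Remote Access wrote still describe a certificate the server actually holds, here is an added PowerShell example (not from the original article). It reads Sha256CertificateHash and Sha1CertificateHash, hashes the DER encoding of each certificate in the machine's Personal store with the matching algorithm, and reports which entry matches which certificate. The assumption is that the stored value is the hash over the DER-encoded certificate, the same bytes a certificate thumbprint is computed over; running it requires read access to HKLM and to the LocalMachine\My certificate store.

```powershell
# Added example (not from the original article): compare the REG_BINARY hashes in
# Sha256CertificateHash / Sha1CertificateHash with the hashes of the computer
# certificates in Cert:\LocalMachine\My.
# Assumption: the stored value is the hash of the DER-encoded certificate.

$SstpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sstpsvc\Parameters'

function Get-RegBinaryHex {
    param([string]$Path, [string]$Name)
    # Returns the REG_BINARY value as an uppercase hex string, or $null if absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return ([System.BitConverter]::ToString([byte[]]$item.$Name)).Replace('-', '')
}

function Get-CertHashHex {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Algorithm   # 'SHA256' or 'SHA1'
    )
    # Hash the DER bytes of the certificate with the requested algorithm.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        return ([System.BitConverter]::ToString($hasher.ComputeHash($Cert.RawData))).Replace('-', '')
    } finally {
        $hasher.Dispose()
    }
}

function Test-SstpCertificateBinding {
    param([string]$Path = $SstpParams)

    $bindings = @(
        @{ Entry = 'Sha256CertificateHash'; Algorithm = 'SHA256' },
        @{ Entry = 'Sha1CertificateHash';   Algorithm = 'SHA1' }
    )
    # Candidate certificates: those in the machine Personal store that have a private key,
    # since only those can be used to terminate the HTTPS connection.
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

    foreach ($b in $bindings) {
        $stored = Get-RegBinaryHex $Path $b.Entry
        if (-not $stored) {
            [pscustomobject]@{ Entry = $b.Entry; Status = 'NotSet'; Subject = $null; NotAfter = $null }
            continue
        }
        $match = $certs |
            Where-Object { (Get-CertHashHex $_ $b.Algorithm) -eq $stored } |
            Select-Object -First 1
        [pscustomobject]@{
            Entry    = $b.Entry
            Status   = if ($match) { 'Matched' } else { 'NoMatchingCertificate' }
            Subject  = if ($match) { $match.Subject } else { $null }
            NotAfter = if ($match) { $match.NotAfter } else { $null }
        }
    }
}

Test-SstpCertificateBinding | Format-Table -AutoSize
```

Because the hash is written the first time Routing and Remote Access starts, a NoMatchingCertificate result is what you would expect after the computer certificate has been replaced: the stored value then no longer describes the certificate that clients receive. NotSet for Sha1CertificateHash is normal when Sha1Enabled is at its default of 0.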
ServerUri
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: ServerUri
Data type: REG_SZ
The ServerUri registry entry contains the following value:
sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
You must not change this registry entry because it is read-only. This registry entry is typically useful in load-balancing scenarios. The load balancer receives an HTTPS connection that is specific to this URI, and then the load balancer redirects the connection to a remote access server. For example, if the server name is server.contoso.com, the exact HTTPS URI is as follows:
https://server.contoso.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
Registry entries for IPv6 support
Note: IPv6 refers to Internet Protocol version 6.
EnableIn
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6
Registry entry: EnableIn
Data type: REG_DWORD
Default value: 1
IPv6-based remote access and demand-dial routing are enabled if the EnableIn registry value is set to 1. If this value is set to 0, IPv6-based remote access and demand-dial routing are disabled.
AllowNetworkAccess
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6
Registry entry: AllowNetworkAccess
Data type: REG_DWORD
IPv6 forwarding is enabled if the AllowNetworkAccess registry entry value is set to 1. If this value is set to 0, IPv6 forwarding is disabled.
From
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6\StaticPrefixPool\0
Registry entry: From
Data type: REG_DWORD
The From registry entry specifies the starting prefix of the static IPv6 prefix pool.
To
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6\StaticPrefixPool\0
Registry entry: To
Data type: REG_DWORD
The To registry entry specifies the ending prefix of the static IPv6 prefix pool.
Registry entries for VPN tunnel encryption levels
AllowPPTPWeakCrypto
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Registry entry: AllowPPTPWeakCrypto
Data type: REG_DWORD
Default value: 0
You can use the AllowPPTPWeakCrypto registry entry to enable the 40-bit encryption level and the 56-bit encryption level for PPTP tunnels. By default, these weak encryption levels are disabled.
AllowL2TPWeakCrypto
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Registry entry: AllowL2TPWeakCrypto
Data type: REG_DWORD
Default value: 0
You can use the AllowL2TPWeakCrypto registry entry to enable the Message Digest 5 (MD5) encryption level and the Data Encryption Standard (DES) encryption level for Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) tunnels. By default, these weak encryption levels are disabled.
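As an added example that is not from the original article, the following PowerShell reports the state of the two Rasman switches above and, unless run with -WhatIf, resets any that have been set to 1 back to the default of 0. It assumes administrative rights; because the article does not say when Rasman reads these values, the note about restarting the service is an assumption.

```powershell
# Added example (not from the original article): audit and enforce the default
# (disabled) state of AllowPPTPWeakCrypto and AllowL2TPWeakCrypto.
# Assumption: the article does not state when these values are read, so a
# service restart is suggested after a change rather than asserted as required.

$RasmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
$WeakCryptoEntries = 'AllowPPTPWeakCrypto', 'AllowL2TPWeakCrypto'

function Get-RasWeakCryptoState {
    param([string]$Path = $RasmanParams)
    foreach ($name in $WeakCryptoEntries) {
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        # An absent entry behaves as the documented default of 0 (weak levels disabled).
        $value = if ($null -eq $item) { 0 } else { [int]$item.$name }
        [pscustomobject]@{
            Entry       = $name
            Value       = $value
            Present     = ($null -ne $item)
            WeakAllowed = ($value -ne 0)
        }
    }
}

function Disable-RasWeakCrypto {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $RasmanParams)

    $changed = $false
    foreach ($state in Get-RasWeakCryptoState -Path $Path) {
        if (-not $state.WeakAllowed) { continue }
        # ShouldProcess honours -WhatIf and -Confirm, so the change can be previewed first.
        if ($PSCmdlet.ShouldProcess("$Path\$($state.Entry)", "Set to 0 (was $($state.Value))")) {
            Set-ItemProperty -Path $Path -Name $state.Entry -Value 0 -Type DWord
            $changed = $true
        }
    }
    if ($changed) {
        # Assumption: restarting the Remote Access service makes Rasman re-read its parameters.
        Write-Verbose 'Values changed; restart the Remote Access service before relying on the new settings.'
    }
    Get-RasWeakCryptoState -Path $Path   # return the state after the run
}

# Preview what would change; drop -WhatIf to enforce the defaults.
Disable-RasWeakCrypto -WhatIf
```

A row with Present = False and WeakAllowed = False is the clean case: the entry was never created and the documented default applies. Present = True with Value = 0 means someone explicitly set it, which is also fine; only WeakAllowed = True is acted on.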