Professional Documents
Culture Documents
For those of you who are interested in the characteristics of the VPN protocol architecture, you can see that in the figure below. Notice that SSTP has an additional header compared to the other two VPN protocols. That because there is HTTPS encapsulation in addition to the SSTP header. L2TP and PPTP dont have application layer headers encapsulating the communication.
We will need to perform the following procedures to get the solution working:
Install IIS on the VPN server Request a machine certificate for the VPN server using the IIS Certificate Request Wizard Install the RRAS server role on the VPN server Enable the RRAS Server and configure it to be a VPN and NAT server Configure the NAT server to publish the CRL Configure the User Account to allow dial-up connections Configure IIS on the Certificate Server to allow HTTP connections for the CRL directory Configure the HOSTS file on the VPN client Use PPTP to connect to the VPN server Obtain a CA Certificate from the Enterprise CA Configure the Client to use SSTP and Connect to the VPN Server using SSTP
about this is that you can still try to get a computer certificate using the Web enrollment site, and it will look like it was installed, but in fact, the certificate is not installed. To solve this problem, we will take advantage of the fact that we are using an enterprise CA. When using an Enterprise CA, you can make a request to an online certificate server. The online request for a computer certificate is allowed when you use the IIS Certificate Request Wizard and request what they now call a Domain Certificate. This only works when the machine requesting the certificate belongs to the same domain as the Enterprise CA. Perform the following steps on the VPN server to install the IIS Web server role: 1. Open the Windows 2008 Server Manager. 2. In the left pane of the console, click the Roles node.
Figure 1 3. Click the Add Roles link on the right side of the right pane. 4. Click Next on the Before You Begin page. 5. Put a checkmark in the Web Server (IIS) checkbox on the Select Server Roles page. Click Next.
Figure 2 6. Read the information on the Web Server (IIS) page if you like. This is good general information about using IIS 7 as a Web server, but since we are not going to use the IIS Web server on the VPN server, this information does not really apply to our scenario. Click Next. 7. On the Select Role Services page, a number of options are already selected. However, if you use the default options, it does not seem that you will get the option of using the Certificate Request Wizard. This was the case when I tested it. There is no Role Service for the Certificate Request Wizard, so I tried putting a checkmark in each of the Security options and that seemed to work. Do the same on yours and click Next.
Figure 3 8. Review the information on the Confirm Installation Selections page and click Install. 9. Click Close on the Installation Results page.
Figure 4
Request a Machine Certificate for the VPN Server using the IIS Certificate Request Wizard
The next step is to request a machine certificate for the VPN server. The VPN server needs a machine certificate to create the SSL VPN connection with the SSL VPN client computer. The common name on the certificate must match the name that the VPN client will use to connect to the SSL VPN gateway computer. This means that you will need to create a public DNS entry for the name on the certificate so that resolves to the external IP address on the VPN server, or the IP address of a NAT device in front of the VPN server that will forward the connection to the SSL VPN server. Perform the following steps to request and install the computer certificate on the SSL VPN server: 1. In the Server Manager, expand the Roles node in the left pane and then expand the Web Server (IIS) node. Click on Internet Information Services (IIS) Manager.
Figure 5 2. In the Internet Information Services (IIS) Manager console that appears in the panes to the right of the left pane, click on the name of the server. In this example, the name of the server is W2008RC0-VPNGW. Click on the Server Certificates icon in the right pane of the IIS console.
Figure 6 3. In the right pane of the console, click the Create Domain Certificate link.
Figure 7 4. Fill out the information on the Distinguished Name Properties page. The most important entry on this page is the Common Name entry. This name is the name that VPN clients will use to connect to the VPN server. You will need a public DNS entry for this name so that it resolves either to the external interface of the VPN server, or the public address of a NAT device in front of the VPN server. In this example we will use the common name sstp.msfirewall.org. Later, we will create HOSTS file entries on the VPN client computer so that it can resolve this name. Click Next.
Figure 8 5. On the Online Certification Authority page, click the Select button. In the Select Certification Authority dialog box, click the name of the Enterprise CA and click OK. Enter a friendly name for the certificate in the Friendly name text box. In this example well use the name SSTP Cert so that we know it is being used for the SSTP VPN gateway.
Figure 10 7. The wizard will run and then disappear. After this point you will see the certificate appear in the IIS console. Double click on the certificate and you can see the common name in the Issued to section and that we have a private key that corresponds to the certificate. Click OK to close the Certificate dialog box.
Figure 11 Now that we have a certificate, we can install the RRAS Server Role. Note that it is critical that you install the certificate first, before you install the RRAS Server Role. If you do not, you will end up being in a world of hurt, because you will have to use a fairly complex command line routine to bind the certificate to the SSL VPN listener.
To install the RRAS Server Role, perform the following steps: 1. 2. 3. 4. In the Server Manager, click the Roles node in the left pane of the console. In the Roles Summary section, click the Add Roles link. Click Next on the Before You Begin page. On the Select Server Roles page, put a checkmark in the Network Policy and Access Services checkbox. Click Next.
Figure 12 5. Read the information on the Network Policy and Access Services page. Most of it is about the new Network Policy Server (which used to be called the Internet Authentication Server [IAS] which was a RADIUS server) and NAP, neither of which apply to our current scenario. Click Next. 6. On the Select Role Services page, put a checkmark in the Routing and Remote Access Services checkbox. This will put checkmarks in the Remote Access Service and Routing checkboxes. Click Next.
Figure 13 7. Click Install on the Confirm Installation Selections page. 8. Click Close on the Installation Results page.
Enable the RRAS Server and Configure it to be a VPN and NAT Server
Now that the RRAS server role is installed, we need to enable the RRAS service, just like how we did it in previous versions of Windows. We need to enable the VPN server feature and the NAT service. While it is clear why we need to enable the VPN server component, you might wonder why we need to enable the NAT server. The reason for enabling the NAT server is so that external clients can gain access to the Certificate Server to connect to the CRL. If the SSTP VPN client cannot download the CRL, the SSTP VPN connection will fail. In order to allow access to the CRL, we will configure the VPN server as a NAT server and publish the CRL using reverse NAT. In a production environment you will be more likely to have a firewall, such as an ISA Firewall, in front of the Certificate Server, so that you would publish the CRL using the firewall. However, in this example the only firewall we will be using is the Windows Firewall on the VPN server, so we will need to configure the VPN server as a NAT server in this example.
Perform the following steps to enable the RRAS service: 1. In the Server Manager, expand the Roles node in the left pane of the console. Expand the Network Policy and Access Services node and click on the Routing and Remote Access node. Right click on the Routing and Remote Access node and click Configure and Enable Routing and Remote Access.
Figure 14 2. Click Next on the Welcome to the Routing and Remote Access Server Setup Wizard page. 3. On the Configuration page, select the Virtual private network (VPN) access and NAT option and click Next.
Figure 15 4. On the VPN Connection page, select the NIC in the Network interfaces section that represents the external interface of the VPN server. Then click Next.
Figure 16 5. On the IP Address Assignment page, select the Automatically option. We can select this option because we have a DHCP server installed on the domain controller behind the VPN server. If you did not have a DHCP server, then you would have to select the From a specified range of addresses option and then provide a list of addresses that VPN clients could use when connecting to the network through the VPN gateway. Click Next.
Figure 17 6. On the Managing Multiple Remote Access Servers page, select the No, use Routing and Remote Access to authenticate connection requests. This is the option we use when there is no NPS or RADIUS server available. Since the VPN server is a member of the domain, you can authenticate users using domain accounts. If the VPN server were not a member of the domain, then only local accounts on the VPN server could be used, unless you decide to use the NPS server. Ill do an article on how to use an NPS server in the future. Click Next.
Figure 18 7. Read the summary information on the Completing the Routing and Remote Access Server Setup Wizard page and click Finish. 8. Click OK in the Routing and Remote Access dialog box informing you that relaying of DHCP messages requires a DHCP relay agent. 9. In the left pane of the console, expand the Routing and Remote Access node and then click on the Ports node. In the middle pane you will see that WAN Miniport connections for SSTP are now available.
Figure 19
Figure 20 Because of this, you need to create a public DNS entry for this name so that external VPN clients can resolve this name to an IP address on a device that will perform reverse NAT or reverse proxy to allow access to the Certificate Servers Web site. In this example, we need to have win2008rc0-dc.msfirewall.org resolve to the IP address on the external interface of the VPN server. When the connection reaches the external interface of the VPN server, the VPN server will reverse NAT the connection to the Certificate Server. If you are using an advanced firewall, such as an ISA Firewall, you could make publishing the CRL site more secure, by allowing access only to the CRL, and not the entire site. However, in this article we will limit ourselves to the capabilities of a simple NAT device, such as what the RRAS NAT provides. I should note here that using the default CRL site name might not be the more secure option, since it exposes a private computer name to the Internet. You can create a custom CDP (CRL Distribution Point) to prevent this if you consider exposing the private name of your CA in your public DNS a security issue. You can find some information on how to change these values at How to Change the Policy Settings for a Certification Authority (CA) in Windows 2000.
Perform the following steps to configure RRAS NAT to forward HTTP requests to Certificate Server: 1. In the left pane of the Server Manager, expand the Routing and Remote Access node and then expand the IPv4 node. Click on the NAT node. 2. In the NAT node, right click on the external interface in the middle pane of the console. In this example, the name of the external interface is Local Area Connection. Click Properties.
Figure 21 3. In the Local Area Connection Properties dialog box, click on the Web Server (HTTP) checkbox. That brings up the Edit Service dialog box. In the Private Address text box, enter the IP address of the Certificate Server on the internal network. Click OK.
Figure 23 Now that the NAT server is installed and configured, we can move our attention to configuring the CA server and the SSTP VPN client.
Figure 1
Configure IIS on the Certificate Server to Allow HTTP Connections for the CRL Directory
For some reason, when the installation wizard installs the Certificate Services Web site, it configures the CRL directory to require an SSL connection. While this seems like a good idea from a security point of view, the problem is that the URI on the certificate is not configured to use SSL. I suppose you could create a custom CDP entry for the certificate so that it uses SSL, but you can bet dollars to donuts that Microsoft has not documented this problem anywhere. Since we are using the default settings for the CDP in this article, we need to turn off the SSL requirement on the CAs Web site for the CRL directory path. Perform the following steps to disable the SSL requirement for the CRL directory:
1. From the Administrative Tools menu, open the Internet Information Services (IIS) Manager. 2. In the left pane of the IIS console, expand the server name and then expand the Sites node. Expand the Default Web Site node and click on the CertEnroll node, as seen in the figure below.
Figure 2 3. If you look in the middle pane of the console, you will see that the CRL is located in this virtual directory, as seen in the figure below. In order to see the content of this virtual directory, you will need to click on the Content View button at the bottom of the middle pane.
Figure 3 4. Click on the Features View button on the bottom of the middle pane. At the bottom of the middle pane, double click the SSL Settings icon.
Figure 4 5. The SSL Settings page appears in the middle pane. Remove the checkmark from the Require SSL checkbox. Click the Apply link in the right pane of the console.
Figure 5 6. Close the IIS console after you see the The changes have been successfully saved Alert.
Figure 6
1. Click the Start button and enter c:\windows\system32\drivers\etc\hosts in the search box and press ENTER. 2. In the Open With dialog box, double click on Notepad. 3. Enter the HOSTS file entries using the format as seen in the figure below. Make sure that you press enter after the last line so that the cursor appears under the last line.
Figure 7 4. Close the file and choose the save option when asked.
1. On the VPN client, right click the network icon in the tray and click the Network and Sharing Center. 2. In the Network Sharing Center window, click the Set up a connection or network link on the left side of the window. 3. On the Choose a connection option page, click on the Connect to a workplace entry and click Next.
Figure 8 4. On the How do you want to connect page, select the Use my Internet connection (VPN) entry.
Figure 9 5. On the Type the Internet address to connect to page, enter the name of the SSL VPN server. Make sure that this is the same name as the common name on the certificate used by the SSL VPN server. In this example, the name is sstp.msfirewall.org. Enter a Destination Name. In this example we will name the destination SSL VPN. Click Next.
Figure 10
6. On the Type your user name and password page, enter the User name, Password and Domain. Click Connect.
Figure 12
8. On the Select a location for the SSL VPN network page, select the Work option.
Figure 13 9. Click Continue on the UAC prompt. 10. Click Close on the Successfully set network settings page.
Figure 14 11. In the Network and Sharing Center, click on the View status link in the SSL VPN section, as seen in the figure below. You will see in the SSL VPN Status dialog box that the VPN connection type is PPTP. Click Close in the SSL VPN Status dialog box.
Figure 15 12. Open a command prompt and ping the domain controller. In this example, the IP address of the domain controller is 10.0.0.2. If your VPN connection is successful, you will receive a ping reply from the domain controller.
Figure 16
Figure 17 4. Click Allow in the dialog box warning you that A website wants to open web content using this program on your computer. Then click Close on the Did you notice the Information bar dialog box if it appears.
Figure 18 5. Note that the Information bar informs you that the Web site might not work correctly, since the ActiveX control is blocked. This should not be a problem, as we will be downloading the CA certificate and using the Certificates MMC to install the certificate. Click the Download CA certificate link.
Figure 19 6. In the File Download Security Warning dialog box, click the Save button. Save the certificate to the Desktop.
Figure 20 7. Click Close in the Download complete dialog box. 8. Close Internet Explorer. Now we need to install the CA certificate into the VPN client machines Trusted Root Certification Authorities Certificate Store. Perform the following steps to install the certificate: 1. 2. 3. 4. 5. 6. 7. 8. Click Start and then enter mmc in the Search box. Press ENTER. Click Continue in the UAC dialog box. In the Console1 window, click the File menu and then click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, click the Certificates entry in the Available snap-ins list and then click Add. On the Certificates snap-in page, select the Computer account option and click Finish. On the Select Computer page, select the Local computer option and click Finish. Click OK in the Add or Remove Snap-ins dialog box. In the left pane of the console, expand the Certificates (Local Computer) node and then expand the Trusted Root Certification Authorities node. Click on the Certificates node. Right click on the Certificates node, point to All Tasks and click Import.
Figure 21 9. Click Next on the Welcome to the Certificate Import Wizard page. 10. On the File to Import page, use the Browse button to find the certificate, then click Next.
Figure 22 11. On the Certificate Store page, confirm that the Place all certificates in the following store option is selected and that the Trusted Root Certification Authorities store is the one listed. Click Next.
Figure 23 12. Click Finish on the Completing the Certificate Import page. 13. Click OK in the dialog box informing you that the import was successful. 14. The certificate now appears in the console, as seen in the figure below.
Figure 24
Configure the Client to use SSTP and Connect to the VPN Server using SSTP
We are almost there! Now we need to disconnect the VPN connection and configure the VPN client to use SSTP for its VPN protocol. In a production environment, you should not have the users do this step, as you would be using the Connection Manager Administration Kit to create the VPN connectoid for the user, which will set the client to use SSTP, or you would configure only SSTP ports on the VPN server. It depends on your environment, as you want to time things so that users can use PPTP for a while as you are deploying certificates. Of course, you can always deploy the CA certificates out of band, such as via a Web site download or e-mail, in which case you would not need to allow PPTP. But then, if you had some downlevel clients that do not support SSTP, you would need to allow PPTP or L2TP/IPSec, so you would not be able to disable all non-SSTP ports. In that case, you will have to depend on manual configuration or an updated CMAK package. Another option is to bind the SSTP listener to a specific IP address in the RRAS server. In this case, you could create a custom CMAK package that points only to the IP address on the SSL VPN server that is listening for the incoming SSTP connections. Other addresses on the SSTP VPN server would listen for PPTP and/or L2TP/IPSec connections. Perform the following steps to disconnect the PPTP session and configure the VPN client connectoid to use SSTP: 1. At the VPN client computer, open the Network and Sharing Center as you did earlier. 2. In the Network and Sharing Center window, click the Disconnect link, which lies just under the View Status link we used earlier. The SSL VPN section will disappear from the Network and Sharing Center. 3. In the Network and Sharing Center, click the Manage network connections link. 4. Right click the SSL VPN link and click the Properties command.
Figure 25 5. In the SSL VPN Properties dialog box, click the Networking tab. In the Type of VPN drop down box, click the down arrow and select the Secure Socket Tunneling Protocol (SSTP) option and click OK.
Figure 26 6. Double click the SSL VPN connectoid in the Network Connections window. 7. In the Connect SSL VPN dialog box, click the Connect button. 8. When the connection is complete, right click the SSL VPN connectoid in the Network Connections window and click Status.
Figure 27 9. In the SSL VPN Status dialog box, you can see that an SSTP WAN Miniport connection was established.
Figure 28 10. If you go to the VPN server and open the Routing and Remote Access Console, you will confirm that an SSTP connection was established.
Figure 29