SSTP Remote Access Continued...

So let's start where we left off in the previous post. We succeeded in establishing a PPTP connection, but SSTP failed with a few errors, and we ended that post on error 0x80092013: "The revocation function was unable to check revocation because the revocation server was offline."

(Screenshot: error 3)

Let's explain the revocation check first. When the client connects to vpn.testcompany.nl it receives the server certificate and has to verify that this certificate has not been revoked. To do that it downloads the CRL (certificate revocation list) from one of the CRL distribution points (CDPs) embedded in the certificate. To see them, open mmc, add the Certificates snap-in for the local computer, go to the computer's Personal store, open the vpn.testcompany.nl certificate, select Details and look at the CRL Distribution Points field.

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=testcompany-TEST-CA,CN=Test,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testcompany,DC=nl?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://test.testcompany.nl/CertEnroll/testcompany-TEST-CA.crl

I have included the two distribution points again. The first one is an LDAP distribution point; since our client is not a member of the testcompany.nl domain it cannot authenticate to Active Directory, so this one is not going to work. The second one is the standard HTTP distribution point, which points at the CertEnroll virtual directory that is created automatically when you install the Web Enrollment role service (which we didn't!). The client can resolve that hostname because I added it to the hosts file (normally DNS would handle this, but the client doesn't use our DNS server either).

Now, to check whether adding the certenroll virtual directory fixes this, we are going to add it using IIS Manager.

Use Server Manager, or start IIS Manager from the Administrative Tools menu. Go to the Default Web Site and add a new virtual directory.

(Screenshot: iis)

Right-click the Default Web Site and choose Add Virtual Directory. The alias is certenroll and the physical path is c:\windows\system32\certsrv\certenroll.
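The same step as a script, so it can be repeated on another CA and checked afterwards. This is an added example, not part of the original post; it assumes IIS 7 with the WebAdministration module (on IIS 7.0 load it with Add-PSSnapin WebAdministration instead), an elevated prompt on the CA host, and the hostname and CA name used on this page:

```powershell
# Added example (not from the original post): create the CertEnroll virtual
# directory and confirm the CRL is actually downloadable over HTTP, the way a
# non-domain client would fetch it. Assumes IIS 7 + WebAdministration and the
# test.testcompany.nl / testcompany-TEST-CA names used on this page.
Import-Module WebAdministration

$site     = 'Default Web Site'
$alias    = 'CertEnroll'
$physical = Join-Path $env:SystemRoot 'system32\CertSrv\CertEnroll'
$crlUrl   = 'http://test.testcompany.nl/CertEnroll/testcompany-TEST-CA.crl'

# 1. Virtual directory, created only when missing so the script can be re-run.
if (-not (Test-Path "IIS:\Sites\$site\$alias")) {
    New-WebVirtualDirectory -Site $site -Name $alias -PhysicalPath $physical | Out-Null
}

# 2. Delta CRL file names contain a '+' (testcompany-TEST-CA+.crl). IIS 7 request
#    filtering treats that as a double-escaped URL and returns 404 unless allowed.
& "$env:SystemRoot\system32\inetsrv\appcmd.exe" set config "$site/$alias" `
    /section:requestFiltering /allowDoubleEscaping:true | Out-Null

# 3. Download the CRL exactly like a client and let certutil parse it; a 404 or
#    an HTML error page would fail the -dump and show up here, not at VPN time.
$tmp = Join-Path $env:TEMP 'cdp-check.crl'
$wc  = New-Object System.Net.WebClient
try {
    $wc.DownloadFile($crlUrl, $tmp)
    & certutil.exe -dump $tmp | Select-String 'Issuer|ThisUpdate|NextUpdate|CRL Number'
} catch {
    Write-Error "CDP $crlUrl not reachable: $($_.Exception.Message)"
}
```

Run it on the server first (where the hostname resolves), then from the client; the NextUpdate line tells you how long a client may cache the CRL before it has to come back to this URL.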

Once we have done this, we can actually connect!

(Screenshot: connection)

Here we see the details of our connection: the device name is WAN Miniport (SSTP), the type is VPN, the server type is PPP, the authentication is MS-CHAP v2, and our IP address (192.168.0.212) was assigned by the RRAS server (192.168.0.210).

This works, of course, only because I have fiddled with the hosts file and the client is actually inside the same network.

Now we need to consider that our clients will actually be outside our network, so we need to do several things:

vpn.testcompany.nl needs to resolve via public DNS.
We need to open our firewall to allow traffic on TCP port 443 to the local IP address 192.168.0.200.
We need to enable the client to perform the revocation check.

The first two items on the list are easy; the third needs some additional effort.

We have several options. We could make test.testcompany.nl resolvable by clients on the Internet by adding the host to public DNS and, in addition, open port 80 on our firewall towards 192.168.0.200. Clients outside our network would then be able to reach the second CRL distribution point, and we would be ready for SSTP connections:

URL=http://test.testcompany.nl/CertEnroll/testcompany-TEST-CA.crl

But you might not want to expose internal hostnames to the Internet by adding them to DNS, and you might want to use a different port, because you may already run a web server somewhere (perhaps even on the same host). Remember that I talked about OCSP, or the Online Responder, another new feature in Server 2008. The advantage of OCSP over CRL checking is that the client doesn't need to download the full CRL (which can be a lot of traffic if the CRL is big); it asks the responder about one certificate and gets back a small, signed answer. The Online Responder retrieves the CRLs from the CA's distribution points itself, so only the responder needs to be exposed to the Internet. Note that the responder URL stays plain HTTP: the responses are signed, and an HTTPS responder would itself need a revocation check.

Let's configure this service and expose it to the Internet. We already installed the role service in the previous article; now we need to configure it. The first thing to do is to make an OCSP Response Signing template available on the CA.

(Screenshot: ocsp template)

In Server Manager go to Active Directory Certificate Services, then to the Certificate Templates snap-in, select the OCSP Response Signing template, open the Security tab, add the computer account of our test server (the host running the Online Responder) and grant it Read and Enroll. Then go to the CA snap-in (testcompany-TEST-CA), right-click Certificate Templates, choose New, Certificate Template to Issue, and select the OCSP Response Signing template.

Now we are ready to set up the OCSP service. Go to the Online Responder snap-in, also found under Active Directory Certificate Services, right-click Revocation Configuration and choose Add Revocation Configuration.

A wizard pops up. Press Next, name the configuration (testcompany.nl) on the following screen, and on the next screen select "Select a certificate for an existing enterprise CA" and press Next. Now choose "Browse CA certificates published in Active Directory" and press Browse; the CA certificate should be listed. Select it and press Next once you are back in the previous screen. On the next screen you can manually select an OCSP signing certificate or use the default, auto-enrollment of the signing certificate, which is what we choose here.

(Screenshot: ocsp setup)

Press Next and we end up at the screen where we configure the revocation provider. This is important, as this is where the OCSP responder gets its revocation information from. To get to it, press Provider:

(Screenshot: revocation providers)

Note that our two existing CRL distribution points are already listed here. We could add additional points, but we will just press OK.

After this we press Finish to end the wizard.

Finally we need to make the OCSP responder reachable and tell the CA its location, so that newly issued certificates contain the URL of the responder. This also means we will need to request a new certificate for our VPN server: the old one only contains the two CRL distribution points, not the new OCSP responder URL.

Go to the CA snap-in (testcompany-TEST-CA) inside Server Manager, open Properties, go to the Extensions tab, select the extension Authority Information Access (AIA) and press Add.

Here we enter the URL the clients will use to reach the OCSP responder. Keep in mind that this URL must be reachable by external clients, and think about which port to use. I have chosen the same hostname that we use for the VPN connection, vpn.testcompany.nl, and port 8080 for the OCSP service, so the URL becomes http://vpn.testcompany.nl:8080/ocsp.

(Screenshot: aia location)

Press OK to save this information. Back in the AIA extension screen, tick "Include in the online certificate status protocol (OCSP) extension" and press OK.

You will be asked whether the CA service may be restarted; the CA only reads this setting at start-up, so do that.

Finally we need IIS to listen on port 8080 for the Online Responder (its ocsp application lives under the Default Web Site), so go to IIS Manager, right-click the Default Web Site, choose Bindings and set the binding to port 8080. Be aware that changing the existing binding instead of adding one removes the port 80 listener that the CertEnroll CDP relies on; we will run into that shortly.
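The CA-side part of this procedure (AIA extension, CA restart, IIS binding and firewall) as one script, so the settings can be reviewed with certutil instead of clicking through the dialogs again. This is an added example, not from the original post; it assumes the CA and the Online Responder run on the same host, that WebAdministration is available, and the URL and ports chosen above:

```powershell
# Added example (not from the original post): publish the OCSP URL in the CA's
# AIA configuration, restart the CA, add an 8080 binding next to the existing
# port 80 one and open the firewall. Assumes the URL/port chosen on this page.
Import-Module WebAdministration

$ocspUrl  = 'http://vpn.testcompany.nl:8080/ocsp'
$ocspPort = 8080
$site     = 'Default Web Site'

# The AIA tab writes to CA\CACertPublicationURLs. Flag 32 is the checkbox
# "Include in the online certificate status protocol (OCSP) extension"; a leading
# '+' appends to the REG_MULTI_SZ instead of replacing the LDAP/HTTP entries.
& certutil.exe -setreg CA\CACertPublicationURLs "+32:$ocspUrl"

# The CA reads CACertPublicationURLs only at start-up (hence the GUI's restart prompt).
Restart-Service CertSvc

# Review: the list should now end with "32:http://vpn.testcompany.nl:8080/ocsp".
& certutil.exe -getreg CA\CACertPublicationURLs

# IIS: add 8080 for /ocsp instead of moving the site, so the port 80 CertEnroll
# CDP keeps working for internal clients.
if (-not (Get-WebBinding -Name $site -Protocol http -Port $ocspPort)) {
    New-WebBinding -Name $site -Protocol http -Port $ocspPort -IPAddress '*'
}

# Windows Firewall: 443 (SSTP) was opened in the previous post, 8080 was not.
& netsh.exe advfirewall firewall add rule name="OCSP responder (TCP $ocspPort)" `
    dir=in action=allow protocol=TCP localport=$ocspPort
```

Only certificates issued after the restart carry the new AIA entry, which is why the VPN server certificate has to be re-requested below; the CA certificate itself is unchanged.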

We are almost done. We now need to request a new certificate for the VPN server (one that includes the OCSP URL), but before we do that we will learn how to check revocation information using certutil. First we export our existing VPN certificate to a file: run mmc, Add/Remove Snap-in, Certificates, Computer account, Local computer, go to the Personal store and export the vpn.testcompany.nl certificate to c:\vpn.cer.

Then open cmd, change to c:\ and run certutil -URL vpn.cer. This opens the URL Retrieval Tool, which fetches each CDP and AIA location found in the certificate.

(Screenshot: certutil)

When we select "CRLs (from CDP)" and press Retrieve, only the LDAP location is verified; the HTTP location has status Failed, which makes sense since we moved the Default Web Site from port 80 to 8080. We should at least fix this for the local network, so add port 80 as an additional binding in IIS, so that the site listens on both port 80 and port 8080.

When we click "OCSP (from AIA)" we get no URLs at all, since this certificate doesn't carry an OCSP URL yet. That is why we need to request a new certificate for our VPN server.

So let's do just that: run mmc, Add/Remove Snap-in, Certificates, Computer account, Local computer, go to the Personal store, right-click, All Tasks, Request New Certificate, Next. Click "More information is required" under the Web Server template, set the Common Name to vpn.testcompany.nl, press Add, then OK, select Web Server and press Enroll. Finally press Finish.

Let's check the Authority Information Access field (that is the one OCSP uses) on our new certificate, and also copy the certificate hash (thumbprint) to a file, because we will need it to adjust the certificate binding for the SSTP service again. We also export the new certificate to a file (vpnnew.cer) that we will use with certutil to check revocation. The hash of my new certificate is d9de5adf34b2edb0eb7530c78a0e74c37989fc51. The AIA entries are:

[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=ldap:///CN=testcompany-TEST-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testcompany,DC=nl?cACertificate?base?objectClass=certificationAuthority
[2]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://test.testcompany.nl/CertEnroll/Test.testcompany.nl_testcompany-TEST-CA.crt
[3]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://vpn.testcompany.nl:8080/ocsp

The last one is the one that has to be reachable from the Internet. We should add the hostname vpn.testcompany.nl to public DNS (needed for the SSTP connection anyway) and open port 443 (SSTP) and port 8080 (OCSP Online Responder). Both ports need to be opened on our router and in the local Windows Firewall; 443 is already open, 8080 isn't.

Now we need to change the certificate binding for SSTP. Be aware that IIS and SSTP share the same HTTP.sys listener on port 443, so if you bind a certificate to the site in IIS, it overrides the certificate bound to SSTP.

netsh http show sslcert shows that SSTP is still using the old certificate, so we enter the commands to bind the correct certificate with hash d9de5adf34b2edb0eb7530c78a0e74c37989fc51. First remove the old bindings and the hash that SstpSvc caches in the registry:

netsh http delete sslcert ipport=0.0.0.0:443 (remove the IPv4 binding)
netsh http delete sslcert ipport=[::]:443 (remove the IPv6 binding)
reg delete hklm\system\currentcontrolset\services\sstpsvc\parameters /v sha256certificatehash /f

Now we bind the new certificate:

netsh http add sslcert ipport=0.0.0.0:443 certhash=d9de5adf34b2edb0eb7530c78a0e74c37989fc51 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

and

netsh http add sslcert ipport=[::]:443 certhash=d9de5adf34b2edb0eb7530c78a0e74c37989fc51 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

and finally

net stop sstpsvc /y
net start "routing and remote access"
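The same rebind as a script, with the checks the manual netsh session leaves out: it refuses to bind a thumbprint that is not in the machine store with a private key (netsh accepts such a hash, and SSTP then fails to start), cleans both address families and the registry cache, and shows the resulting HTTP.sys binding. This is an added example, not from the original post; the application ID is the SSTP one used above, and the thumbprint is the one from this page and must be replaced with your own:

```powershell
# Added example (not from the original post): rebind the SSTP listener to a new
# certificate by thumbprint. Run elevated on the RRAS server.
$Thumbprint = 'd9de5adf34b2edb0eb7530c78a0e74c37989fc51'   # replace with your own
$appId      = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'      # SSTP service, as on this page
$ipports    = '0.0.0.0:443', '[::]:443'

# Strip spaces or colons pasted from the MMC Details tab and normalise case.
$Thumbprint = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpper()

# 1. The certificate must exist in LocalMachine\My and carry its private key,
#    otherwise the binding is accepted but the TLS handshake will fail.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# 2. Remove old HTTP.sys bindings (IPv4 and IPv6) and the hash SstpSvc caches in
#    the registry. Errors here only mean a binding or value did not exist.
foreach ($ipport in $ipports) {
    & netsh.exe http delete sslcert ipport=$ipport | Out-Null
}
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
Remove-ItemProperty -Path $key -Name Sha256CertificateHash -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $key -Name Sha1CertificateHash   -ErrorAction SilentlyContinue

# 3. Bind the new certificate for both address families.
foreach ($ipport in $ipports) {
    & netsh.exe http add sslcert ipport=$ipport certhash=$Thumbprint appid=$appId certstorename=MY
}

# 4. Restart. Stopping SstpSvc also stops RemoteAccess, which depends on it;
#    starting RemoteAccess brings SstpSvc back up with the new binding.
Stop-Service  SstpSvc -Force
Start-Service RemoteAccess

# 5. Verify: the hash and application ID shown for 0.0.0.0:443 and [::]:443 must match.
& netsh.exe http show sslcert | Select-String -Pattern 'IP:port|Certificate Hash|Application ID'
```

If the final listing still shows the old hash, check whether IIS has a site bound to port 443; as noted above, an IIS HTTPS binding on the same port wins over the SSTP one.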

Now let's check revocation from the client PC: copy the vpnnew.cer file to the client (c:\), open cmd, change to c:\ and run certutil -url vpnnew.cer.

When we now select "CRLs (from CDP)", we get Failed for the LDAP location (the client is not a domain member) and Verified for the CertEnroll location, because we added the port 80 binding in IIS again; clients on the Internet will get Failed here as well, since port 80 is not published. That doesn't matter, because the client can fall back to OCSP: select "OCSP (from AIA)" and we should now get a Verified result.
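A scripted counterpart to the certutil -URL checks done above on vpn.cer and here on vpnnew.cer, useful when the client is a headless machine or you want the result in a log. It reads the certificate's CDP and AIA extensions, tries the HTTP locations the way a non-domain client would (the ldap:// entry is skipped rather than tried, since it only works for domain members), and then lets certutil build the chain with live URL fetching, which is what the SSTP client effectively does. This is an added example, not from the original post; the file name c:\vpnnew.cer is the one used on this page:

```powershell
# Added example (not from the original post): list and test the revocation URLs
# embedded in an exported certificate. Works in Windows PowerShell 2.0 and later.

function Get-RevocationUrls {
    # Returns one object per URL found in the CDP (2.5.29.31) and AIA
    # (1.3.6.1.5.5.7.1.1) extensions, tagged with extension and access method.
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    foreach ($ext in $cert.Extensions) {
        if     ($ext.Oid.Value -eq '2.5.29.31')         { $kind = 'CDP' }   # CRL Distribution Points
        elseif ($ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') { $kind = 'AIA' }   # Authority Information Access
        else   { continue }
        $method = 'CRL'
        # Format($true) yields the same multi-line text the MMC Details tab shows.
        foreach ($line in ($ext.Format($true) -split "`r?`n")) {
            if ($line -match 'Access Method=(.+?) \(') { $method = $Matches[1].Trim() }
            if ($line -match 'URL=(\S+)') {
                New-Object PSObject -Property @{ Extension = $kind; Method = $method; Url = $Matches[1] }
            }
        }
    }
}

function Test-RevocationUrl {
    # HEAD for CRL/CA-certificate files; a bare TCP connect for the OCSP responder,
    # which only answers real OCSP requests (certutil below performs those).
    param($Entry)
    $uri = [System.Uri]$Entry.Url
    if ($uri.Scheme -ne 'http') {
        return New-Object PSObject -Property @{ Url = $Entry.Url; Status = 'skipped (ldap:// needs domain membership)' }
    }
    try {
        if ($Entry.Method -like 'On-line Certificate Status*') {
            $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
            $tcp.Close()
            $status = "reachable (TCP $($uri.Port))"
        } else {
            $req = [System.Net.WebRequest]::Create($uri)
            $req.Method = 'HEAD'; $req.Timeout = 5000
            $resp = $req.GetResponse()
            $status = "verified (HTTP $([int]$resp.StatusCode))"
            $resp.Close()
        }
    } catch { $status = "failed ($($_.Exception.Message))" }
    New-Object PSObject -Property @{ Url = $Entry.Url; Status = $status }
}

$cer = 'C:\vpnnew.cer'   # the exported certificate from this page
Get-RevocationUrls $cer | ForEach-Object { Test-RevocationUrl $_ } |
    Select-Object Url, Status | Format-Table -AutoSize -Wrap

# Full chain build with live fetching of CDP, AIA and OCSP, as the VPN client does it.
& certutil.exe -verify -urlfetch $cer | Select-String 'Revocation|ERROR|Verified|CertUtil'
```

Run it once inside the LAN and once from an Internet-connected client: the HTTP CDP line should flip from verified to failed while the OCSP line stays reachable, and certutil -verify -urlfetch should end without a revocation error in both cases.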

(Screenshot: certutil 1)

We should now be able to connect both from the local network and from the Internet, since the client can perform its revocation check using OCSP at http://vpn.testcompany.nl:8080/ocsp.

This concludes this post. In the next post we are going to introduce yet another new feature of Windows Server 2008, the new RADIUS server (Network Policy Server, or NPS), which lets us use certificate authentication instead of password authentication, and we are going to introduce NAP (Network Access Protection).

See you later.
