SSTP Remote Access

As mentioned before, I want to write an article about SSTP VPN (Secure Socket Tunneling Protocol), which is one of the great new features of Windows Server 2008. Server 2003 has support for PPTP and L2TP/IPsec VPN connections. I myself used PPTP and was very satisfied with it. For added security I used EAP-TLS with user certificates. The only downside to this type of VPN is that you need to have some ports open (outbound) on the client side (and of course on the server side, but that’s something you can control). But there are some networks that, for instance, block port 1723; if you happen to be connected to such a network and then want to make a PPTP connection back to your own network, you are out of luck.

And these networks do exist. The answer: create a PPP VPN tunnel inside an SSL channel (port 443). Now I don’t know many networks that block port 443 outbound (that would basically mean that you cannot even buy products through the Internet, as credit card transactions are processed using SSL, hopefully!). So this is a very practical way of providing users with VPN access, as the chance that it wouldn’t work due to client ports being blocked is almost nil.

Now I know that Microsoft actually published a step by step guide that explains how to implement SSTP, but having followed (more or less) that guide, I felt that the guide needed to provide more details, hence this post.

In that step by step guide (I have provided a link to this and other step by step guides on the main page of this blog), Microsoft takes us to a lab with three computers: one domain controller with DNS server, one VPN computer with Certificate Services and Remote Access installed, and one client computer. They don’t really dig deep into the things that can go wrong (and believe me, they probably will).

Let’s just talk a little bit about things that can go wrong, or things you need to be aware of. First of all, the client needs to be able to perform a certificate revocation check on the server certificate. Unless you use a commercial certificate, this means that your CA (certificate authority) needs to provide access to the CRL (certificate revocation list) from the Internet. A CRL is basically a list of revoked certificates; the client needs to check that the certificate of the VPN server is not on it. And since the client needs to check this BEFORE the VPN connection is established, we need to somehow provide access to the CRL from the Internet, as opposed to the intranet or local network only.

Another likely problem is the way the SSTP server uses certificates. If the VPN server is not also going to be used as an SSL web server, there would not be a problem, but some people (myself included) want to utilize the server in more ways, and running an SSL web server on the same computer might get you into problems with SSTP, which we will simulate and also fix.

While we are doing all that, I will also introduce another new feature of Server 2008 (apart from a greatly improved IIS 7) that publishes certificate revocation status to the Internet: the Online Responder (OCSP).

Let’s get started. First, I’m not going to use two servers; I will just use one server (the same one I installed in the previous two articles, where I first installed the operating system and then added Active Directory as a role). After this article, I will use the system to introduce another cool new feature of Server 2008, Network Policy Server (the new IAS) and Network Access Protection (NAP).

Anyway, I find myself again in the Server Manager (this program by default is started each time you start your server; you can disable it by ticking “Do not show me this console at logon”). As I pointed out earlier, the SSTP client needs to verify the server certificate. Of course you could buy a commercial certificate, and then the client can easily do the CRL check on the Internet, but Server 2008 does have a nice role to do all this without extra costs. So I’m going to add Active Directory Certificate Services as a role to my server. In server manager go to roles, add roles and select Active Directory Certificate Services (ADCS). Then press next; you get an introduction screen to ADCS where some more information is provided. I merely press next.

certificate services

And I get this screen, where there are more role services that I can add. For now I’m also going to select the online responder, as that one will serve to enable the client to do the revocation check.

The minute I click online responder, the Server Manager deals with dependencies, tells me that I need additional role services for the online responder and suggests adding them now (the web server, IIS). I of course do just that (not that I have a choice in the matter, by the way).

dependencies

When I click on add role services, I’m back at the initial screen. When I press next here, the configuration screens for ADCS are displayed, offering me the choice of an enterprise CA or a stand-alone CA. Since I have Active Directory anyway, and since it integrates nicely into ADCS, I choose Enterprise CA. The next screen is an obvious choice as we don’t have a root CA yet. We create a new key (just accept the defaults), name the CA (again I accepted the defaults), set the validity of the root certificate (5 years is the default) and the database location (default once again), and then we have to go through some screens related to the web server (IIS). Again I accepted the defaults for now, pressed next and finally the install runs.

progress ca

Finally the install finished and we are back in the server manager. Now, I basically forgot to install the remote access role, but no worries, we will do so now (some additional steps, but hey, it’s not a big deal).

So again we add a role, and this time we choose Network Policy and Access Services. Of course when using VPN you might also consider using a proper RADIUS server, but for now I’m skipping that part, so the only role service that I choose in the next screen is Remote Access Service:

remote access service

This time there is no pre-configuration; just next and next again will start the install.

After another install and a click on close, I once again find myself in the server manager.


Now we basically have installed everything we need for SSTP to work on the server side, we have the remote access service, we have the online responder (for certificate revocation) and we have the Certificate Authority, which will provide us with a server certificate and which will provide revocation information to the online responder and through the latter to the client.

Now the first thing we need is a server authentication certificate for our VPN server. But before we submit a request for a new certificate, we open a command prompt (Run, cmd) and enter netsh http show ssl. This command will be a nice tool later on, when we mess up the SSTP server by messing with SSL certificates in IIS 7.

show ssl 1

When you click on the image to the left, you will see that this command returns zero results, which kind of makes sense, as we haven’t even requested an SSL certificate for our server yet.

Before we can request a new certificate for our VPN server, we need to set up our CA to issue them. Close the cmd window (exit, Enter). The server manager should still be open, but since we have added new roles and role services to the server, we need to close it and re-open it (sometimes F5 might do the trick, but in this case it didn’t: it did not add the CA MMCs into server manager). Of course you could also start that MMC by going to Start and then Administrative Tools, but I kind of like the server manager.

Once back in the server manager, we can expand roles, then Certificate Services, and we should see a few MMCs there.

certificate service mmc

We now see 4 MMCs: the online responder, Enterprise PKI (a tool to see the revocation points), the certificate templates MMC and the CA MMC (which is indicated by its name). We first go to the certificate templates MMC.

We need to be able to request a certificate for our VPN server. Basically we need a server authentication certificate (so we can use any certificate template that supports this intended purpose). Further down this article we are going to request a web server certificate, so we need to give our VPN computer the right to request the web server certificate.

(I know we could have installed the CA web enrollment role service and requested a certificate using our admin user id (which by default has that right), but it’s not necessary. We will just give our computer the right to request these certificates. This will also enable us to set the common name for the certificate, which will be the name that HAS TO BE USED by the client: if the name on the certificate doesn’t match the name set in the client, the connection will fail!

web server certificate rights

So double click the Web Server certificate template, go to security, add our computer (test) to the ACL and assign read and enroll rights. Go to the CA MMC. Here we go to certificate templates and we note that Web Server is already in this list, so no need to add this template.

Let’s request our certificate: Run, mmc, then File, Add snap-in, select Certificates, Add, select Computer account, press Next, Local computer and then Finish. OK, and we are in the certificates MMC. We go to Certificates (Local Computer), Personal, Certificates, and we see two certificates already present there.

certificates mmc

One is the domain controller certificate (for the local computer; this one also has the server authentication purpose) and the other is our CA root certificate. This root certificate is important for our client: for non-domain clients it needs to be imported into the local computer certificate store of the client, so the root certificate is trusted. First we are going to request a certificate which we will use with the SSTP VPN server, so we click the right mouse button, select All Tasks, and Request New Certificate. Another wizard (Server 2008 seems to be full of them); next will lead us to this screen:

request certificates

We see that for the web server certificate to be issued, we need to set some values, so follow the suggestion and click here to configure settings. Now the most important setting is the common name: this is the name that will be on the certificate and that will need to match whatever you enter into the client. Also we need to consider that this name should be resolvable on the Internet, so it might not be a very good idea to use the host name as the common name; let’s just set the name to vpn.testcompany.nl.

common name

So select the common name property under the subject name and set this value to vpn.testcompany.nl. We can set other values here, but that’s not necessary. There are other tabs here as well, but I’m leaving them alone. Just press Add and OK and we are back at the enroll screen. Now tick the Web Server certificate and press Enroll, and our certificate will be requested. Finally press Finish and we should have a third certificate in our store.

Now we need to configure the remote access role. Go to server manager, select Network Policy and Access Services, and select Routing and Remote Access. Right mouse button, Configure and Enable Routing and Remote Access, which will lead us to yet another wizard: next, custom configuration, next, tick VPN access, next and finish. Then we get another dialog; choose start service, which should start Routing and Remote Access, and press finish to close the wizard.

Let’s just check the certificate binding by using cmd, and netsh http show SSL:

netsh show ssl

Now we do have some information here. For clarification I have copied the content of this screen:


SSL Certificate bindings:
————————-

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : f8fd5164a2e0026abf97db0c72dd38904823c556
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          :
    Ctl Store Name          :
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
    Certificate Hash        : f8fd5164a2e0026abf97db0c72dd38904823c556
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          :
    Ctl Store Name          :
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

We see two bindings: the first (0.0.0.0:443) is the IPv4 binding and the second is the IPv6 binding. The application ID is the SSTP server, and the certificate hash we see here refers to the certificate that is used. It is important that both bindings have the same certificate, otherwise SSTP won’t work. Later on we use this command to troubleshoot SSTP (because the minute we bind a certificate to IIS, it will automatically also be bound to SSTP, which can lead to problems in certain scenarios that we will cover later on).

Just to be sure that SSTP was bound to the right certificate, we can open mmc, add the local computer account certificate snap-in, and verify the certificate hash (open the certificate, go to details and look for the thumbprint). There are two certificates that support server authentication, and by checking the thumbprint of each certificate (test.testcompany.nl and vpn.testcompany.nl) it becomes apparent that SSTP used the test.testcompany.nl certificate. Not something we want, as we want to use vpn.testcompany.nl. No problem, we can use netsh to change the certificate and make sure our VPN server uses the certificate with common name vpn.testcompany.nl.

Open cmd and enter:

netsh http delete ssl 0.0.0.0:443
netsh http delete ssl [::]:443
reg delete hklm\system\currentcontrolset\services\sstpsvc\parameters /v sha256certificatehash /f

The first command removes the IPv4 binding, the second removes the IPv6 binding, and the third clears the certificate hash that the SSTP service has remembered in the registry, so it will pick up the new binding.

This removes the two bindings; when we issue netsh http show ssl again, we get an empty screen.
Then copy the certificate hash (thumbprint) of the vpn.testcompany.nl certificate and use it in the following two commands. The hash is
c45d4573030951cd39ebb933daafa5bdf19b8582, which I merely copied from the certificate MMC and removed the blanks.

netsh http add sslcert ipport=0.0.0.0:443 certhash=c45d4573030951cd39ebb933daafa5bdf19b8582 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

IPv4 binding to vpn.testcompany.nl

netsh http add sslcert ipport=[::]:443 certhash=c45d4573030951cd39ebb933daafa5bdf19b8582 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

IPv6 binding to vpn.testcompany.nl

When we issue a netsh http show ssl, we will now have the correct certificate used by both IPv4 and IPv6.

Finally we stop the SSTP service (the /y also stops the services that depend on it, including Routing and Remote Access) and start Routing and Remote Access again, which brings SSTP back up with the new binding:

net stop sstpsvc /y
net start remoteaccess
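To check the result of the re-binding above without reading thumbprints by eye, here is an added PowerShell script (not part of the original post) that looks up the certificate with the expected common name in the machine store, parses netsh http show sslcert, and verifies that the IPv4 and IPv6 bindings on port 443 both carry that thumbprint and belong to the SSTP application ID. The expected CN is an assumption taken from this article; the application ID is SSTP’s, as shown in the netsh output above.

```powershell
# Added example: verify the http.sys SSL bindings SSTP depends on.
# Run in an elevated PowerShell on the VPN server.
param(
    [string]$ExpectedCn = 'vpn.testcompany.nl',                   # assumption from this article
    [string]$SstpAppId  = '{ba195980-cd49-458b-9e23-c84ee0adcd75}' # SSTP application ID
)
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

# Newest unexpired certificate in LocalMachine\My whose subject CN is the name
# clients will dial and that is valid for Server Authentication.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c   = $_
    $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    ($c.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($ExpectedCn) + '(,|$)')) -and
    ($c.NotAfter -gt (Get-Date)) -and
    ($eku -ne $null) -and
    (($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthEku }) -ne $null)
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid Server Authentication certificate with CN=$ExpectedCn in LocalMachine\My" }
$wanted = $cert.Thumbprint.ToLower()

# Parse 'netsh http show sslcert' into one record per IP:port binding.
$bindings = @(); $cur = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $cur = New-Object PSObject -Property @{ IpPort = $Matches[1]; Hash = ''; AppId = '' }
        $bindings += $cur
    } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        $cur.Hash = $Matches[1].ToLower()
    } elseif ($cur -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
        $cur.AppId = $Matches[1].ToLower()
    }
}

# Both bindings must exist, carry our thumbprint and be owned by SSTP;
# otherwise print the netsh commands (as used in this article) that fix it.
$allGood = $true
foreach ($ipport in '0.0.0.0:443', '[::]:443') {
    $b = $bindings | Where-Object { $_.IpPort -eq $ipport }
    $problems = @()
    if (-not $b)                                   { $problems += 'no SSL binding' }
    elseif ($b.Hash -ne $wanted)                   { $problems += "bound to $($b.Hash), expected $wanted" }
    if ($b -and $b.AppId -ne $SstpAppId.ToLower()) { $problems += "owned by $($b.AppId), not SSTP" }
    if ($problems.Count -eq 0) { Write-Host "$ipport OK ($wanted)"; continue }
    $allGood = $false
    Write-Warning ("{0}: {1}" -f $ipport, ($problems -join '; '))
    if ($b) { Write-Host "  netsh http delete ssl $ipport" }
    Write-Host "  netsh http add sslcert ipport=$ipport certhash=$wanted appid=$SstpAppId certstorename=MY"
}
if (-not $allGood) { Write-Host 'After re-binding, run: net stop sstpsvc /y  then  net start remoteaccess' }
```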

We haven’t configured remote access completely, so let’s do that now: go to server manager, Network Policy and Access Services and then Routing and Remote Access, right click and Properties.

On the security tab we select our authentication provider (in future articles we will use NPS for this, as it’s a full-blown RADIUS server). For now we will use Windows authentication for both our authentication and accounting provider. Select authentication methods and ensure that only MS-CHAP v2 is selected. Later on, when we include NPS, we can enhance our authentication. Press OK and go to the IPv4 tab; here we have to choose how client addresses are assigned, which for now we will set as follows:

Set static address pool and add the range 192.168.0.210 to 192.168.0.220. Of course we could use a DHCP server, but we simply haven’t got one at the moment. Press OK to close.

Finally we need to set up a user, so go to server manager (again!) or launch the MMC from Administrative Tools, go to Active Directory Domain Services, Active Directory Users and Computers, expand the domain and add a user and password which we will use on the client. I named mine test (how original).

user

Set the password to never expire and don’t require the user to change it at next logon.

Set the dial-in property to allow.


We are ready to test all of this, on the local network at least. I’m using a non-domain client, so I need to do some more things. First of all, my test PC doesn’t use our DNS server, so it cannot resolve vpn.testcompany.nl (we might want to at least add vpn.testcompany.nl to our local DNS server). Also we have the revocation problem, but we will get to that later. Of course our client needs to be running Vista SP1 at the least; no XP, I’m afraid.

So on my test client I will add two entries to c:\windows\system32\drivers\etc\hosts: one for vpn.testcompany.nl (which is 192.168.0.200) and one for test.testcompany.nl (the VPN server hostname).

hosts


After this we are ready to set up the connection (not really, but I want to show the errors that will follow) 🙂

So we go to Network and Sharing Center, set up a connection or network, connect to a workplace, use my Internet connection. The Internet address would be vpn.testcompany.nl (but we will use test.testcompany.nl, to get the first error message).
Name the connection and press next. Now you are presented with the user credentials screen: use the test user, the password you have set and domain testcompany (the NetBIOS name!) and press connect.

Windows will create the connection and then might come up with an error message (I don’t like the way they have done this). Anyway, select set up the connection anyway, and from the Network and Sharing Center go to manage network connections and edit the connection we just created. Right mouse, Properties; on the security tab make sure only Microsoft CHAP Version 2 is selected and press OK. Finally we have to go to networking and set the type of VPN to SSTP. Of course, to verify that we have set everything up correctly we could first set the type to PPTP and make a connection; in my case the connection succeeded. After this set the VPN type to SSTP and try to connect again.

And then we get:

error 1

0x800B0109 It processed the certificate chain, but terminated in a root certificate which is not trusted by the trust provider.

That was expected: we need to import the root certificate (the CA certificate) into the client’s local computer store, under Trusted Root Certification Authorities.

So we need to export our CA certificate to a file and import it on the client (again, web enrollment would be handy here, but hey, nobody’s perfect).

Run, mmc, add the Certificates snap-in, Computer account, Local computer, Add. Go to Certificates, Trusted Root Certification Authorities, Certificates, and export the testcompany-test-ca certificate to a file by right mouse click, All Tasks and Export: another wizard, next, next, enter a file name, and set the save location (like a USB stick or a network share). Now on the client you will have to import the certificate into the computer store, so you again do the mmc, Certificates, Computer account, Local computer, go to Trusted Root Certification Authorities and right click, Import, and import the certificate you just exported. This should clear up our first error message 🙂

Now on to the second. It’s obvious, but when we try to connect again we get:

error 2

0x800B010F The certificate’s CN name does not match the passed value. I did that on purpose, as we chose to set the hostname to test.testcompany.nl on the client, but the certificate’s CN is vpn.testcompany.nl, so just change it on the client and reconnect.


Yes! The next error:

error 3

0x80092013 There we have the revocation error. What a surprise. We will address this in the next post (very soon after this one). For now let’s just look at our VPN server certificate (the one we requested earlier, with the CN vpn.testcompany.nl). We can do that by again going to mmc on the server and opening the vpn.testcompany.nl certificate.

Let’s go to the details tab and look under CRL Distribution Points; you will see the following values:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=testcompany-TEST-CA,CN=Test,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testcompany,DC=nl?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://test.testcompany.nl/CertEnroll/testcompany-TEST-CA.crl


The client needs to contact one of those CRL distribution points to do the revocation check. I cheated a bit by not adding the client to the domain, and I also didn’t include the web enrollment role service. Otherwise the client would have been able to do the revocation check, as it would have been able to fetch http://test.testcompany.nl/CertEnroll/testcompany-TEST-CA.crl. Right now that last URL isn’t even there, as I did not include the web enrollment role service, which would have created the CertEnroll virtual directory in IIS.
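The three errors above (untrusted root, CN mismatch, revocation) are exactly the checks the SSTP client performs on the server certificate before it dials. As an added example that is not part of the original post, this PowerShell script runs the same checks from a client machine: it fetches the certificate the VPN server presents on port 443, compares the dialled name with the certificate’s DNS name, builds the chain with online revocation checking of the entire chain, and then tries to fetch every HTTP CRL distribution point the certificate advertises. The server name and port are this article’s values and are parameters.

```powershell
# Added example: reproduce the SSTP client's server-certificate checks
# from a (non-domain) client. Run on the client, not on the VPN server.
param(
    [string]$Server = 'vpn.testcompany.nl',   # assumption from this article
    [int]$Port = 443
)

# 1. Fetch the certificate presented on the SSTP/HTTPS port. The validation
#    callback accepts anything so the handshake completes and we can inspect
#    the chain ourselves in step 3.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($Server)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# 2. Name check (0x800B010F): the name dialled must match the certificate.
#    DnsName returns the subject CN, or a SAN DNS entry if the cert has one.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

# 3. Chain check with online revocation for the whole chain, as SSTP requires.
#    UntrustedRoot  -> 0x800B0109 (import the CA cert into Trusted Root, computer store)
#    RevocationStatusUnknown / OfflineRevocation -> 0x80092013 (no reachable CDP)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)
$status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

# 4. List the CRL distribution points (extension OID 2.5.29.31) and try the
#    HTTP ones; the ldap:/// one is only usable by domain-joined clients.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$cdpReport = @()
if ($cdpExt) {
    foreach ($m in [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)')) {
        $url = $m.Groups[1].Value
        if ($url -notmatch '^http://') { $cdpReport += "$url : not tried (not HTTP)"; continue }
        try   { $null = (New-Object System.Net.WebClient).DownloadData($url); $cdpReport += "$url : reachable" }
        catch { $cdpReport += "$url : NOT reachable ($($_.Exception.Message))" }
    }
}

New-Object PSObject -Property @{
    Server        = $Server
    CertificateCN = $cn
    NameMatches   = ($cn -eq $Server)
    ChainValid    = $chainOk
    ChainStatus   = ($status -join ', ')
    CrlPoints     = ($cdpReport -join '; ')
}
```

With the setup as it stands in this article (root not yet imported, client dialling test.testcompany.nl, no CertEnroll directory in IIS), NameMatches is false, ChainValid is false and ChainStatus lists the untrusted-root and revocation flags; fix them one by one and re-run to watch each clear.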

But more about the whole revocation business in my next article.

Stay tuned 🙂
