SSTP Remote Access

As mentioned before, I want to write an article about SSTP VPN (Secure Socket Tunneling Protocol), which is one of the great new features of Windows Server 2008. Server 2003 has support for PPTP and L2TP/IPsec VPN connections. I myself used PPTP and was very satisfied with it. For added security I used EAP-TLS with user certificates. The only downside to this type of VPN is that you need to have some ports open (outbound) on the client side (and of course on the server side, but that’s something you can control). But there are networks that, for instance, block port 1723; if you happen to be connected to such a network and then want to make a PPTP connection back to your own network, you are out of luck.

And such networks do exist. The answer: create a PPP VPN tunnel inside an SSL channel (port 443). Now, I don’t know many networks that block port 443 outbound (that would basically mean that you cannot even buy products over the Internet, as credit card transactions are processed using SSL, hopefully!). So this is a very practical way of providing users with VPN access, as the chance that it wouldn’t work due to client ports being blocked is almost nil.

Now I know that Microsoft actually published a step-by-step guide that explains how to implement SSTP, but having followed (more or less) that guide, I felt that it needed to provide more details, hence this post.

In that step-by-step guide (I have provided a link to this and other step-by-step guides on the main page of this blog), Microsoft takes us to a lab where they have three computers: one is a domain controller with DNS server, one is a VPN computer with Certificate Services and Remote Access installed, and one is a client computer. They don’t really dig deep into the things that can go wrong (and believe me, they probably will).

Let’s just talk a little bit about things that can go wrong, or things you need to be aware of. First of all, the client needs to be able to perform a certificate revocation check on the server certificate. Unless you use a commercial certificate, this means that your CA (certificate authority) needs to provide access to the CRL (certificate revocation list) from the Internet. A CRL is basically a list of revoked certificates; the client needs to check that the certificate of the VPN server is not on it. And since the client needs to check this BEFORE the VPN connection is established, we need to somehow provide access to the CRL from the Internet, as opposed to the intranet or local network only.

Another likely problem is the way the SSTP server uses certificates. If the VPN server is not going to be used as an SSL web server as well, there would not be a problem, but some people (myself included) want to utilize the server in more ways, and running an SSL web server on the same computer can run you into problems with SSTP, which we will simulate and also fix.

While we are doing all that, I will also introduce another new feature of Server 2008 (apart from a greatly improved IIS7) that deals with publishing the server’s revocation information to the Internet: the Online Responder (OCSP).

Let’s get started. First, I’m not going to use two servers; I will just use one server (the same one I installed in the previous two articles, where I first installed the operating system and then added Active Directory as a role). After this article, I will use the system to introduce another cool new feature of Server 2008, Network Policy Server (the new IAS) and Network Access Protection (NAP).

Anyway, I find myself again in the Server Manager (this program by default starts each time you log on to your server; you can disable it by ticking "Do not show me this console at logon"). As I pointed out earlier, the SSTP client needs to verify the server certificate. Of course you could buy a commercial certificate, and then the client can easily do the CRL check on the Internet, but Server 2008 does have a nice role to do all this without extra costs. So I’m going to add Active Directory Certificate Services as a role to my server. In Server Manager go to Roles, Add Roles and select Active Directory Certificate Services (ADCS). Then press Next; you get an introduction screen to ADCS where some more information is provided; I merely press Next.

[screenshot: certificate services]

And I get this screen, where there are more role services that I can add. For now I’m also going to select the Online Responder, as that one will serve to enable the client to do the revocation check.

The minute I click Online Responder, the Server Manager deals with dependencies, tells me that I need additional role services for the Online Responder (the web server, IIS) and suggests adding them now. I of course do just that (not that I have a choice in the matter, by the way).


When I click Add Role Services, I’m back at the initial screen. When I press Next here, the configuration screens for ADCS are displayed, offering me the choice of an enterprise CA or a stand-alone CA; since I have Active Directory anyway, and since it integrates nicely into ADCS, I choose Enterprise CA. The next screen is an obvious choice, as we don’t have a root CA yet. We create a new key (just accept the defaults), name the CA (again I accepted the defaults), set the validity of the root certificate (5 years is the default) and the database location (default once again), and then we have to go through some screens related to the web server (IIS). Again I accepted the defaults for now, pressed Next, and finally the install runs.

[screenshot: progress ca]

Finally the install finished and we are back in the Server Manager. Now, I basically forgot to install the Remote Access role, but no worries, we will do so now (some additional steps, but hey, it’s not a big deal).

So again we add a role, and this time we choose Network Policy and Access Services. Of course when using VPN you might also consider using a proper RADIUS server, but for now I’m skipping that part, so the only role service that I choose in the next screen is Remote Access Service:

[screenshot: remote access service]

This time there is no pre-configuration; just Next and Next again will start the install.

After another install and a click on Close, I once again find myself in the Server Manager.


Now we have basically installed everything we need for SSTP to work on the server side: we have the Remote Access Service, we have the Online Responder (for certificate revocation) and we have the Certificate Authority, which will provide us with a server certificate and which will provide revocation information to the Online Responder and, through the latter, to the client.

Now the first thing we need is a server authentication certificate for our VPN server. But before we submit a request for a new certificate, we run a command: Run, cmd, then netsh http show ssl (short for netsh http show sslcert; netsh accepts the abbreviation). This command will be a nice tool later on, when we mess up the SSTP server by messing with SSL certificates in IIS7.

[screenshot: show ssl 1]

When you click on the image to the left, you will see that this command renders zero results, which kind of makes sense, as we haven’t even requested an SSL certificate for our server yet.

Before we can request a new certificate for our VPN server, we need to set up our CA to issue them. Close the cmd window (exit, Enter). The Server Manager should still be open, but since we have added new roles and role services to the server, we need to close it and re-open it (sometimes F5 might do the trick, but in this case it didn’t; it did not add the CA MMCs to Server Manager). Of course you could also start that MMC by going to Start and then Administrative Tools, but I kind of like the Server Manager.

Once back in the Server Manager, we can expand Roles, then Certificate Services, and we should see a few MMCs there.

[screenshot: certificate service mmc]

We now see 4 MMCs: the Online Responder, Enterprise PKI (a tool to see the revocation points), the Certificate Templates MMC and the CA MMC (which is indicated by its name). We first go to the Certificate Templates MMC.

We need to be able to request a certificate for our VPN server. We basically need a server authentication certificate (so we can use any certificate that supports this intended purpose). Further down this article we are also going to request a web server certificate, so we need to give our VPN computer the right to request the Web Server certificate.

(I know we could have installed the CA web enrollment role service and requested a certificate using our admin user ID (which by default has that right), but it’s not necessary.) We will just give our computer the right to request these certificates. This will also enable us to set the common name for the certificate, which will be the name that HAS TO BE USED by the client: if the name on the certificate doesn’t match the name set in the client, the connection will fail!

[screenshot: web server certificate rights]

So double-click the Web Server certificate template, go to Security, add our computer (test) to the ACL and assign Read and Enroll rights. Go to the CA MMC. Here we go to Certificate Templates and we note that Web Server is already in this list, so no need to add this template.

Let’s request our certificate: Run, mmc, then File, Add Snap-in, select Certificates, Add, select Computer account and press Next, Local computer and then Finish. OK, and we are in the Certificates MMC; we go to Certificates (Local Computer), Personal, Certificates, and we see two certificates already present there.

[screenshot: certificates mmc]

One is the domain controller certificate (for the local computer; this one also has the server authentication purpose) and the other is our CA root certificate. This root certificate is important for our client: for non-domain clients, it needs to be imported into the local computer certificate store of the client, to trust the root certificate. First we are going to request a certificate which we are going to use with the SSTP VPN server, so we right-click, select All Tasks, and Request New Certificate. Another wizard (Server 2008 seems to be full of them). Next will lead us to this screen:

[screenshot: request certificates]

We see that for the Web Server certificate to be issued, we need to set some values, so follow the suggestion and click "here to configure settings". Now the most important setting is the common name: this is the name that will be on the certificate and that will need to match whatever you enter into the client. Also we need to consider that this name should be resolvable on the Internet, so it might not be a very good idea to use the host name as the common name. Let’s just set the name to:

[screenshot: common name]

So select the Common name property under Subject name and set this value to the name chosen above. We can set other values here, but that’s not necessary. There are other tabs here as well, but I’m leaving them alone. Just press Add, and OK, and we are back at the enroll screen; now tick the Web Server certificate and press Enroll, and our certificate will be requested. Finally press Finish and we should have a third certificate in our store.

Now we need to configure the Remote Access role. Go to Server Manager, select Network Policy and Access Services, and select Routing and Remote Access. Right-click and choose Configure and Enable Routing and Remote Access, which will lead us to yet another wizard: Next, Custom configuration, Next, tick VPN access, Next and Finish. Then we get another dialog; choose Start service, which should start Routing and Remote Access. Press Finish to close the wizard.

Let’s just check the certificate binding by using cmd and netsh http show ssl:

[screenshot: netsh show ssl]

Now we do have some information here. For clarification I have copied the content of this screen:

SSL Certificate bindings:

    IP:port                 :
    Certificate Hash        : f8fd5164a2e0026abf97db0c72dd38904823c556
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          :
    Ctl Store Name          :
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
    Certificate Hash        : f8fd5164a2e0026abf97db0c72dd38904823c556
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          :
    Ctl Store Name          :
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

We see two bindings: the first is the IPv4 binding and the second is the IPv6 binding. The application ID is the SSTP server, and the certificate hash we see here identifies the certificate that is used. It is important that both bindings have the same certificate, otherwise SSTP won’t work. Later on we use this command to troubleshoot SSTP, because the minute we bind a certificate to IIS, it will automatically also be bound to SSTP; this can lead to problems in certain scenarios, which we will cover later on.
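One way to automate this check, as an added example that is not part of the original post: the script parses the output of netsh http show sslcert, picks the bindings that carry the SSTP application ID shown above, verifies that the IPv4 and IPv6 bindings carry the same hash, and resolves that hash to a certificate in the LocalMachine\My store so its common name can be compared with the name the clients will dial. It assumes English netsh output and an elevated PowerShell prompt on the VPN server; the expected common name is a placeholder parameter.

```powershell
# Added example (not from the original post). Verifies which certificate the
# SSTP listener uses by parsing "netsh http show sslcert".
# Assumptions: English netsh output, PowerShell on the VPN server, the
# certificate lives in LocalMachine\My, and the application ID is the SSTP
# one shown in the post.
$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'

function Get-SslCertBinding {
    # Turn the netsh text into one hashtable per "IP:port" block.
    $bindings = @()
    $current = $null
    foreach ($line in (& netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = @{ IpPort = $matches[1]; Hash = ''; AppId = ''; Store = '' }
            $bindings += $current
        }
        elseif ($current -ne $null) {
            if ($line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
                $current.Hash = $matches[1].ToLower()
            }
            elseif ($line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') {
                $current.AppId = $matches[1].ToLower()
            }
            elseif ($line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
                $current.Store = $matches[1]
            }
        }
    }
    return ,$bindings
}

function Test-SstpBinding {
    param([string]$ExpectedCommonName)   # the name clients will dial (placeholder below)
    $result = @{ Ok = $true; Problems = @(); Hash = ''; Subject = '' }

    # Only the bindings owned by the SSTP service matter here.
    $sstp = @(Get-SslCertBinding | Where-Object { $_.AppId -eq $SstpAppId.ToLower() })
    $v4 = @($sstp | Where-Object { -not $_.IpPort.StartsWith('[') })
    $v6 = @($sstp | Where-Object { $_.IpPort.StartsWith('[') })
    if ($v4.Count -ne 1 -or $v6.Count -ne 1) {
        $result.Ok = $false
        $result.Problems += "expected one IPv4 and one IPv6 SSTP binding, found $($v4.Count) and $($v6.Count)"
        return $result
    }
    # SSTP needs both listeners on the same certificate.
    if ($v4[0].Hash -ne $v6[0].Hash) {
        $result.Ok = $false
        $result.Problems += "IPv4 hash $($v4[0].Hash) differs from IPv6 hash $($v6[0].Hash)"
    }
    $result.Hash = $v4[0].Hash

    # Resolve the hash to the certificate (Thumbprint is upper-case hex).
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $result.Hash.ToUpper() }
    if ($cert -eq $null) {
        $result.Ok = $false
        $result.Problems += "no certificate with thumbprint $($result.Hash) in LocalMachine\My"
        return $result
    }
    $result.Subject = $cert.Subject
    $cn = $cert.GetNameInfo('SimpleName', $false)   # subject CN
    if ($ExpectedCommonName -and $cn -ne $ExpectedCommonName) {
        $result.Ok = $false
        $result.Problems += "SSTP is bound to CN=$cn but clients will dial $ExpectedCommonName"
    }
    return $result
}

# Usage with a placeholder common name:
$check = Test-SstpBinding -ExpectedCommonName 'vpn.example.test'
if ($check.Ok) { "SSTP bound to $($check.Subject) ($($check.Hash))" }
else { $check.Problems | Write-Warning }
```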

Just to be sure that SSTP was bound to the right certificate, we can open mmc, add the local computer account Certificates snap-in, and verify the certificate hash (open the certificate, go to Details and look for the Thumbprint). There are two certificates that support server authentication, and by checking the thumbprint of each certificate it becomes apparent that SSTP picked the wrong one, not the certificate with the common name we just requested. No problem, we can use netsh to change the certificate and make sure our VPN server uses the certificate with our common name.

Open cmd and enter:

netsh http delete ssl (to remove the binding from IPv4)
netsh http delete ssl [::]:443 (remove binding to IPv6)
reg delete hklm\system\currentcontrolset\services\sstpsvc\parameters /v sha256certificatehash /f

This will remove the two bindings; when we issue netsh http show ssl we will get an empty screen.
Then copy the certificate hash (thumbprint) of the certificate and use that in the following two commands. The hash is
c45d4573030951cd39ebb933daafa5bdf19b8582, which I merely copied from the certificate MMC and removed the blanks.

netsh http add sslcert ipport= certhash=c45d4573030951cd39ebb933daafa5bdf19b8582 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

IPv4 binding to

netsh http add sslcert ipport=[::]:443 certhash=c45d4573030951cd39ebb933daafa5bdf19b8582 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

IPv6 binding to

When we issue a netsh http show ssl, we will now have the correct certificate used by both IPv4 and IPv6.

Finally we stop and start the RRAS service:

net stop sstpsvc /y
net start "routing and remote access"

We haven’t configured Remote Access completely, so let’s do that now: go to Server Manager, Network Policy and Access Services, then Routing and Remote Access, right-click and Properties.

On the Security tab we select our authentication (in future articles we will use NPS for this, as it’s a full-blown RADIUS server). For now we will use Windows Authentication for both our authentication and accounting provider. Select Authentication Methods and ensure that only MS-CHAP v2 is selected. Later on, when we include NPS, we can enhance our authentication. Press OK and go to the IPv4 tab; here we have to set the IP address assignment, which for now we will set as follows:

Set Static address pool and add the range. Of course we could use a DHCP server, but we simply haven’t got one at the moment. Press OK to close.

Finally we need to set up a user, so go to Server Manager (again!) or launch the MMC from Administrative Tools, go to Active Directory Domain Services, Active Directory Users and Computers, expand the domain and add a user and password which we will use on the client. I named mine test (how original).


Set the password to never expire and don’t require the user to change it at next logon.

Set the Dial-in property to Allow access.

We are ready to test all of this, on the local network at least. I’m using a non-domain client, so I need to do some more things. First of all, my test PC doesn’t know how to resolve the VPN server name, as it doesn’t use our DNS server (we might want to at least add the name to our local DNS server). Also we have the revocation problem, but we will get to that later. Of course our client needs to be running Vista SP1 at the least; no XP, I’m afraid.

So on my test client I will add two entries in c:\windows\system32\drivers\etc\hosts: one for the common name on the certificate and one for the VPN server hostname, both pointing at the server’s address.

After this we are ready to set up the connection (not really, but I want to show the errors that will follow) 🙂

So we go to Network and Sharing Center, Set up a connection or network, Connect to a workplace, Use my Internet connection. The Internet address would be the common name on the certificate (but we will use a different name, to get the first error message).
Name the connection and press Next; now you are presented with the user credentials screen. Use the test user, the password you have set and domain testcompany (the NetBIOS name!) and press Connect.

Windows will create the connection and then might come up with an error message (I don’t like the way they have done this). Anyway, select Set up the connection anyway, and from the Network and Sharing Center go to Manage network connections and edit the connection we just created: right-click, Properties; on the Security tab make sure only Microsoft CHAP Version 2 is selected and press OK; finally go to Networking and set the type of VPN to SSTP. Of course, to verify that we have set everything up correctly we could first set the type to PPTP and make a connection; in my case the connection succeeded. After this, set the VPN type to SSTP and try to connect again.

And then we get:

[screenshot: error 1]

0x800B0109: It processed the certificate chain, but terminated in a root certificate which is not trusted by the trust provider.

That was expected; we need to import the root certificate (the CA certificate) into the client’s local computer store, under Trusted Root Certification Authorities.

So we need to export our CA certificate to a file and import it into the client (again, web enrollment would be handy here, but hey, nobody’s perfect).

Run, mmc, add the Certificates snap-in, Computer account, Local computer, Add; go to Certificates, Trusted Root Certification Authorities, Certificates, and export the testcompany-test-ca certificate to a file: right-click, All Tasks, Export, another wizard, Next, Next, enter a file name and set the save location (like a USB stick or a network share). Now on the client you have to import the certificate into the computer store, so again do mmc, Certificates, Computer account, Local computer, go to Trusted Root Certification Authorities, right-click, Import, and import the certificate you just exported. This should clear up our first error message 🙂

Now on to the second. It’s obvious, but when we try to connect again we get:

[screenshot: error 2]

0x800B010F: The certificate’s CN name does not match the passed value. I did that on purpose, as we chose to set the hostname on the client to something other than the certificate’s CN, so just change it on the client and reconnect.


Yes! The next error:

[screenshot: error 3]

0x80092013: There we have the revocation error. What a surprise. We will address this in the next post (very soon after this one). For now let’s just look at our VPN server certificate (the one we requested earlier, with our common name). We can do that by again going to mmc on the server and opening the certificate.

Let’s go to the Details tab and look under CRL Distribution Points; you will see the following values:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:


The client needs to contact one of those CRL distribution points to do the revocation check. I cheated a bit by not adding the client to the domain, and I also didn’t include the web enrollment role service; otherwise the client would have been able to do the revocation check, as it would be able to resolve the distribution point. Now the last URL isn’t even there, as I did not include the web enrollment role service, which would have created the virtual directory in IIS.

But more about the whole revocation business in my next article.

Stay tuned 🙂

SSTP Remote Access Continued..

So let’s just start where we left off in the previous post. We succeeded in establishing a PPTP connection, but when using SSTP we had a few errors, and we left that post with error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline.

[screenshot: error 3]

Let’s just explain the revocation check: the client needs to check that the server certificate it receives when connecting is not revoked. In order to do that, the client needs to obtain that information based upon the CRL (certificate revocation list) distribution points that are saved in the certificate. To see that information we open up mmc, add the Certificates snap-in for the local computer, then go to the personal certificates for the computer, open the certificate, select Details and go to CRL Distribution Points.

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:

I have included the two distribution points again. The first one is an LDAP distribution point, but since our client isn’t part of the domain, this is not going to work. The second distribution point is the other standard distribution point, which should be installed automatically when you select the web enrollment role service (which we didn’t!). The client would be able to resolve that address, as I have added it to the hosts file (normally DNS should handle this, but again the client doesn’t use our DNS server either).

Now, just to check if we can resolve this by adding the certenroll virtual directory, we are going to add it using the IIS Manager.

Use the Server Manager, or start the IIS Manager from the Administrative Tools menu. We go to the Default Web Site and add a new virtual directory.


Right-click the Default Web Site and choose Add Virtual Directory. The alias is certenroll, and the physical path is c:\windows\system32\certsrv\certenroll.

Once we have done this, we can actually connect!



Here we see the details of our connection: the device name is WAN Miniport (SSTP), type VPN, server type PPP; we see the authentication is MS-CHAP v2 and our IP address is assigned from the RRAS service.

Now this of course works because I have fiddled with the hosts file, and our client is actually inside the same network.

Now we need to consider that our clients will actually be outside of our network. So we need to do several things:
The VPN server name needs to be resolved using the public DNS.
We need to open our firewall to allow traffic over 443 to the server’s local IP address.
We need to enable the client to do the revocation check.

Now the first two items on the list are easy; the third needs some additional effort.

We have several options. We could make sure that the CRL host name is resolvable by clients on the Internet by adding the host into the public DNS and, in addition, opening up port 80 on our firewall to allow traffic in, and we would be ready for SSTP connections by clients outside of our network, because then clients would be able to reach that second CRL distribution point:


But you might not want to expose local hostnames to the Internet by adding them into DNS, and you might also want to use a different port, because you might already run a web server somewhere (or maybe even on the same host). And remember I talked about OCSP, or the Online Responder, another new feature in Server 2008. The advantage of OCSP over CRL checking is that the client doesn’t need to download the full CRL (which of course generates traffic if the CRL is big). The Online Responder will query the CRL distribution points on the client’s behalf, therefore only the Online Responder needs to be exposed to the Internet.

Let’s configure this service and expose it to the Internet. We already installed the role service in the previous article; now we need to configure it. The first thing to do is to assign an OCSP Response Signing template to the CA.

[screenshot: ocsp template]

In Server Manager go to Active Directory Certificate Services, then go to the Certificate Templates MMC, select the OCSP Response Signing template, Security, and add our test computer to the ACL and grant Enroll and Read. Then go to the CA MMC (testcompany-test-ca), go to Certificate Templates, right-click, New, Certificate Template to Issue and select the OCSP Response Signing template.

Now we are ready to set up the OCSP service. Go to the Online Responder MMC, which is also found under Active Directory Certificate Services, go to Revocation Configuration and right-click, Add Revocation Configuration.

A wizard pops up; press Next. In the following screen name the configuration; in the next screen select the option Select a certificate for an existing enterprise CA and press Next; now select Browse CA certificates published in Active Directory and press Browse. The CA certificate should be listed; select it and press Next once back in the previous screen. On the next screen you can manually select an OCSP signing certificate or use the default autoenrollment of the signing certificate, which we will choose in this case.

[screenshot: ocsp setup]

Press Next and we end up with the screen where we can set up the revocation provider. This is important, as this is where the OCSP provider will get its revocation information from; to get to the screen press Provider:


[screenshot: revocation providers]

Please note that our two existing CRL distribution points are listed here. We can add additional points here, but we will just press OK.

After this we press finish to end the wizard.

Finally we need to make the OCSP responder available and we also need to provide the CA with its location, so that certificates will contain the URL of the OCSP responder. Therefore we will also need to request a new certificate for our VPN server, as the old one only contains the two CRL distribution points, not the new OCSP responder URL.

Go to the CA MMC (testcompany-test-ca) inside Server Manager, select Properties and go to the Extensions tab, select the extension Authority Information Access (AIA) and press Add.

Here we need to enter the URL that the OCSP responder will use. We also have to keep in mind that this URL should be reachable by external clients, and we also have to consider which port to use. I have chosen to use the same hostname as we are going to use for the VPN connection, and I chose port 8080 for this OCSP service, so the URL is that hostname on port 8080:

[screenshot: aia location]

Press OK to save this information; you will get back to the AIA extension screen. Tick Include in the online certificate status protocol (OCSP) extension and press OK.

You will be asked to restart the CA service, so just do that.

Finally we need to set up IIS to bind to port 8080 for the Online Responder, so go to IIS Manager, right-click the Default Web Site, Bindings, and set the binding to port 8080.

We are almost done; we now need to request a new certificate for the VPN server (which includes the OCSP URL), but before we do that we will learn how to check revocation information using certutil. We will first export our existing VPN certificate to a file. So Run, mmc, Add/Remove Snap-in, Certificates, Computer account, Local computer, go to the Personal store and export the certificate to c:\vpn.cer.

Then run cmd, change to the c:\ directory, enter certutil -URL vpn.cer and press Enter.


When we select CRLs (from CDP) and press Retrieve, we will see that only the LDAP location is verified; the HTTP location will have status Failed, which makes sense since we have changed the port of the Default Web Site to 8080 instead of 80. Of course we should at least fix this for the local network, so we have to add port 80 as an additional binding for IIS, so that we bind to both port 80 and port 8080.

When we click OCSP (from AIA), we get no URL status at all, since this certificate doesn’t know we now use OCSP; that’s why we need to request a new certificate for our VPN server.

So let’s do just that: Run, mmc, Add/Remove Snap-in, Certificates, Computer account, Local computer, go to the Personal store and request a new certificate (right-click, All Tasks, Request New Certificate, Next), again press More information is required under the Web Server certificate, set the common name and press Add, then OK, select Web Server and press Enroll. Finally press Finish.

Let’s check the Authority Information Access (that’s the extension used by OCSP) on our new certificate, and also copy the certificate hash to a file, because we will need to adjust the certificate bindings for the SSTP service again. We are also going to export the certificate to a file (vpnnew.cer), which we will use with certutil to check revocation. The hash for my new certificate is d9de5adf34b2edb0eb7530c78a0e74c37989fc51. The AIA entries are:

[1]Authority Info Access
     Access Method=Certification Authority Issuer (
     Alternative Name:
[2]Authority Info Access
     Access Method=Certification Authority Issuer (
     Alternative Name:
[3]Authority Info Access
     Access Method=On-line Certificate Status Protocol (
     Alternative Name:

The last one will be reachable from the Internet (we should add the hostname into DNS (also for the SSTP connection) and we should open port 443 (for the SSTP connection) and port 8080 for the OCSP Online Responder). Not only should we open both ports on our router, but of course also at the local Windows Firewall: port 443 is already open, 8080 isn’t.

Now we need to change the certificate binding for SSTP. Also be aware that if you bind a certificate to IIS, this will override the certificate that is bound to SSTP.

netsh http show ssl will show that SSTP is still using the old certificate, so we enter the commands to bind the correct certificate, with hash d9de5adf34b2edb0eb7530c78a0e74c37989fc51:

netsh http delete ssl (to remove the binding from IPv4)
netsh http delete ssl [::]:443 (remove binding to IPv6)
reg delete hklm\system\currentcontrolset\services\sstpsvc\parameters /v sha256certificatehash /f

Now we bind the new certificate:

netsh http add sslcert ipport= certhash=d9de5adf34b2edb0eb7530c78a0e74c37989fc51 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY


netsh http add sslcert ipport=[::]:443 certhash=d9de5adf34b2edb0eb7530c78a0e74c37989fc51 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

and finally

net stop sstpsvc /y
net start "routing and remote access"
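The rebinding procedure above, and the identical one from the first post, as one function (an added example, not the post’s own commands): it looks up the certificate by common name, deletes both bindings, clears the cached SSTP hash, binds the same certificate to IPv4 and IPv6 and restarts the service. It assumes an elevated PowerShell prompt on the VPN server, the IPv6 listener [::]:443 and the SSTP application ID from the post; the IPv4 listener address is assumed to be 0.0.0.0:443 and is a parameter, and the common name passed in at the end is a placeholder.

```powershell
# Added example (not from the original post). Re-does the post's netsh / reg /
# net steps in one function: find the certificate for the common name the
# clients will dial, bind it to the SSTP listener on IPv4 and IPv6, clear the
# cached hash and restart Routing and Remote Access.
# Assumptions: elevated PowerShell on the VPN server; IPv4 listener 0.0.0.0:443
# (assumed, hence a parameter); IPv6 listener [::]:443; the application ID is
# the SSTP one shown in the post.
function Set-SstpCertificate {
    param(
        [string]$CommonName,                # CN on the server certificate
        [string]$Ipv4Port = '0.0.0.0:443',  # assumed default SSTP listener
        [string]$Ipv6Port = '[::]:443'
    )
    if (-not $CommonName) { throw 'CommonName is required' }
    $appId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'

    # Newest certificate in LocalMachine\My with that CN and a private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.GetNameInfo('SimpleName', $false) -eq $CommonName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert -eq $null) { throw "no certificate with CN=$CommonName and a private key in LocalMachine\My" }
    $hash = $cert.Thumbprint.ToLower()

    # Drop the existing bindings (netsh complains when one is absent; that is
    # harmless) and the hash SstpSvc cached at its last start.
    foreach ($ipport in $Ipv4Port, $Ipv6Port) {
        & netsh http delete sslcert ipport=$ipport | Out-Null
    }
    & reg delete HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v Sha256CertificateHash /f | Out-Null

    # Bind the same certificate to both listeners; SSTP needs them to agree.
    foreach ($ipport in $Ipv4Port, $Ipv6Port) {
        & netsh http add sslcert ipport=$ipport certhash=$hash appid=$appId certstorename=MY | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh could not bind $hash to $ipport" }
    }

    # Restart so SstpSvc re-reads the binding; Routing and Remote Access depends on it.
    & net stop sstpsvc /y | Out-Null
    & net start 'Routing and Remote Access' | Out-Null
    return $hash
}

# Usage with a placeholder common name; afterwards "netsh http show sslcert"
# should list the returned hash for both listeners.
Set-SstpCertificate -CommonName 'vpn.example.test'
```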

Now let’s check the revocation from the client PC: copy the vpnnew.cer file to the client (c:\), run cmd, go to c:\ and enter certutil -url vpnnew.cer.

When we now select CRLs (from CDP), we get Failed for LDAP and Verified for the certenroll location (we have added a binding for port 80 on IIS again; clients from the Internet will also get Failed here). But this doesn’t matter, as the client can use OCSP; try this now and we should have a Verified result.

[screenshot: certutil 1]

We should now be able to make a connection, both from the local network and from the Internet, since the client can run the revocation check using OCSP at the responder address.
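The same client-side check in PowerShell, as an added example that is not part of the original post: it lists the CDP and AIA URLs of the exported certificate (what certutil -url shows), compares the CN with the name dialled, and then builds the chain with online revocation checking, so the chain-status flags line up with the three errors from the previous post (0x800B0109 untrusted root, 0x800B010F CN mismatch, 0x80092013 revocation offline). It assumes the exported vpnnew.cer sits at C:\vpnnew.cer on the client and uses a placeholder for the dialled name.

```powershell
# Added example (not from the original post). Repeats on the client what the
# SSTP client does with the server certificate: name check, then chain build
# with online revocation via the CDP/OCSP URLs in the certificate.
# Assumptions: C:\vpnnew.cer is the certificate exported in the post, and the
# dialled name below is a placeholder.
function Get-RevocationUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CDP is OID 2.5.29.31, AIA (issuer certificate and OCSP) is 1.3.6.1.5.5.7.1.1;
    # Format($true) renders them as text, from which the URLs are picked out.
    $urls = @()
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        foreach ($ext in $Cert.Extensions) {
            if ($ext.Oid.Value -ne $oid) { continue }
            foreach ($m in [regex]::Matches($ext.Format($true), '(?i)\b(?:https?|ldap)://[^\s)]+')) {
                $urls += @{ Extension = $oid; Url = $m.Value }
            }
        }
    }
    return ,$urls
}

function Test-SstpServerCertificate {
    param([string]$CerPath, [string]$DialledName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $result = @{ CommonName = ''; NameMatches = $false; ChainOk = $false; Status = @(); Urls = @() }
    $result.Urls = Get-RevocationUrl $cert

    # 1. Name check: the CN has to equal the name typed into the client (0x800B010F otherwise).
    $result.CommonName = $cert.GetNameInfo('SimpleName', $false)
    $result.NameMatches = ($result.CommonName -eq $DialledName)

    # 2. Trust and revocation: same chain engine the client uses, online revocation,
    #    root excluded from revocation checks, bounded URL retrieval.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $result.ChainOk = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        $hint = switch ($s.Status.ToString()) {
            'UntrustedRoot'           { '0x800B0109: import the CA certificate into Trusted Root Certification Authorities (computer store)' }
            'RevocationStatusUnknown' { '0x80092013: no CDP or OCSP URL in the certificate could be reached' }
            'OfflineRevocation'       { '0x80092013: revocation server offline' }
            'Revoked'                 { 'the CA has revoked this certificate' }
            default                   { $s.StatusInformation.Trim() }
        }
        $result.Status += "$($s.Status): $hint"
    }
    return $result
}

# Usage with the post's exported certificate and a placeholder dialled name:
$r = Test-SstpServerCertificate -CerPath 'C:\vpnnew.cer' -DialledName 'vpn.example.test'
$r.Urls | ForEach-Object { "$($_.Extension) $($_.Url)" }
"CN=$($r.CommonName) matches dialled name: $($r.NameMatches)"
"chain builds with online revocation: $($r.ChainOk)"
$r.Status
```

A machine that cannot reach the OCSP URL on port 8080 reports RevocationStatusUnknown or OfflineRevocation here, which is the 0x80092013 case the post walks through.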

This concludes this post. In my next post we are going to introduce yet another new feature in Windows Server 2008, the new RADIUS server (Network Policy Server, or NPS), which enables us to use certificate authentication instead of password authentication. We are also going to introduce NAP (Network Access Protection).

See you later.

NAP (Network Access Protection)

After we have successfully installed NPS (Network Policy Server) we are able to deploy NAP (Network Access Protection). This will further enhance our VPN connections (or even LAN connections if we wanted to).

What is NAP? In a nutshell, it’s a system to enforce certain rules on a PC that is connected to our network. For instance, NAP allows an administrator to enforce that all PCs have automatic updates switched on, or even that they are fully patched, before such a PC is allowed full access to the network. If it doesn’t comply with this policy, it is either denied access or allowed limited access to certain services, so that it can actually be repaired. In this case, if the PC doesn’t have automatic updates switched on, it could be switched on automatically, or if it is not fully patched, we would allow access to a WSUS server, so that it can be patched to the level required by the policy. As soon as it has met the requirements, full access is restored. The servers or services that are used to “repair” a client are called remediation services.

NPS (Network Policy Server)

As promised, I’m going to change our SSTP VPN connection so that it can take advantage of a proper RADIUS server for better authentication. The new NPS server role (Network Policy Server) will do just that (and more). NPS is the new IAS server, and we are going to play with this server role and add PEAP authentication (initially using EAP-MSCHAP v2) and finally certificates (we do have our own CA, so we are all set for authentication using certificates). In the next post, we are going to use NAP (Network Access Protection) to further secure our network and VPN connection.