configuring windows server 2008 as a remote access ssl vpn server

Upload: darkmoonx1

Post on 06-Apr-2018


  • 8/3/2019 Configuring Windows Server 2008 as a Remote Access SSL VPN Server

    1/24

    Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 1)

    A high level overview of VPN networking technologies and a description of Microsoft VPN protocols, highlighting the advantages of the new SSTP VPN protocol.

    Remote Access is one of today's big things. As an increasing number of people need access to information stored on work and home computers, the ability to access that information from anywhere is critical. Gone are the days when you could say "I'll get that information to you when I get to my computer". You need that information now if you want to be competitive in today's business environment.

    In the stone age of computing, the way to remotely access information on your computer was to use a dial-up connection. RAS dial-up connections worked over regular POTS (Plain Old Telephone Service) lines and had speeds that ranged up to around 56kbps. Speed was a major problem with dial-up RAS connections, but an even bigger problem was the cost of the connections when a long distance number was required for access.

    With the introduction and growth of the Internet, dial-up RAS connections became less relevant. The reason for this was the introduction of virtual private network (VPN) connections. VPN connections provided the same point to point connectivity that the dial-up RAS connections provided, but did so faster and cheaper, as the speed of the VPN connection could be as fast as the Internet link and the cost of the connection is independent of the destination. The only cost is that of the Internet link.

    Virtual Private Networking

    A VPN connection allows a computer to establish a virtual and private connection to a network over the Internet. The connection is virtual because when the computer establishes a VPN connection over the Internet, the computer making the VPN connection acts like a node that's directly connected to the network, as if it had an Ethernet cable connected to that network. The user can access all the same resources he could connect to as if he were directly connected to the network. However, in the case of the VPN client connection to a VPN server, the connection is a virtual one because there is no actual Ethernet connection to the destination network. The connection is private because the contents of the datastream moving inside the VPN connection are encrypted so that no one over the Internet is able to intercept and read the contents of the communications moving over the VPN link.

    Windows Servers and clients have supported VPN connections since the days of Windows NT and Windows 95. While Windows clients and servers have supported VPN connections for over a decade, the type of VPN support has evolved over time. Windows Vista Service Pack 1 and Windows Server 2008 now support three types of VPN connections. These are:

    • PPTP
    • L2TP/IPSec
    • SSTP

    PPTP is the Point to Point Tunneling Protocol. PPTP is the simplest method you can use to establish a VPN connection, but unfortunately it is also the least secure. The reason why PPTP is the least secure option is that user credentials are not exchanged over a secure link. That is to say, encryption of the VPN connection takes place after credentials are exchanged. Even though actual credential information is not transmitted between VPN client and server, the hash values exchanged can be leveraged by sophisticated hackers to gain access to VPN servers and connect to corporate networks.

    A more secure VPN protocol is L2TP/IPSec. L2TP/IPSec was a joint development between Microsoft and Cisco. L2TP/IPSec is more secure than PPTP because a secure IPSec session is established before credentials are sent over the wire. Hackers are not able to access the user credentials and thus cannot steal them to use them later. More importantly, IPSec provides for mutual machine authentication, so that untrusted machines are not able to connect to the L2TP/IPSec VPN gateway. IPSec provides for mutual machine authentication, data integrity, confidentiality, and non-repudiation. L2TP supports PPP and EAP user authentication mechanisms, which allows for a high level of log on security because both user and machine authentication are required.

    Windows Vista SP1 and Windows Server 2008 now support a new VPN protocol: Secure Socket Tunneling Protocol, or SSTP. SSTP uses SSL encrypted HTTP connections to establish a VPN connection to the VPN gateway. SSTP is secure because user credentials are not sent until after a secure SSL tunnel is established with the VPN gateway. SSTP is also known as PPP over SSL, so this means that you can use PPP and EAP authentication mechanisms to make your SSTP connection more secure.

    Privacy is Not Security

    I should note here that VPN connections are more about privacy than security. While I do recognize that privacy is a major component of secure communications, privacy in and of itself does not provide security. VPN technologies provide for privacy of communications over the Internet, which prevents intruders from reading the contents of your communications. VPN technologies also allow you to make sure that only authorized users can connect to the network through the VPN gateway. However, privacy, authentication and authorization do not provide a comprehensive security solution.

    For example, suppose you have an employee who you have granted VPN access. Since your Windows Server 2008 VPN protocols support EAP user authentication, you decided to deploy smart cards for your users and use the L2TP/IPSec VPN protocol. The combination of smart cards and L2TP/IPSec helps ensure that strong machine and user authentication is required. Your smart card and L2TP/IPSec solution works well and everyone is happy.

    Everyone is happy until one day one of your users connects to your SQL server to access payroll information and starts to share that information with other employees. What happened? Wasn't the VPN connection secure? Yes, the VPN connection was secure to the extent that it provided privacy, authentication and authorization, but one thing it did not provide was access control, and access control is one of the most pivotal aspects of computer security. In fact, it can be argued that without access control, all other security measures are of relatively little value.

    For a VPN solution to be truly secure, you need to make sure your VPN gateway is able to perform user/group based access controls so that you can implement least privilege access to VPN users. Advanced VPN gateways and firewalls like the ISA Firewall can perform this type of strong user/group based access control on VPN connections. In addition, advanced firewalls like the ISA Firewall can perform stateful packet and application layer inspection on VPN client connections.

    Even though the Windows Server 2008 VPN server does not provide for user/group access controls, there are other ways you can implement strong access controls on the data servers themselves if you do not want to pay for an advanced firewall and VPN gateway. In this article we are focusing only on the VPN server component. If you would like to learn more about the ISA firewall and its advanced VPN server capabilities, check out www.isaserver.org.

    Why Introduce a New VPN Protocol?

    Microsoft already had two viable VPN protocols that allowed users to connect to the corporate network, so why introduce a third one? SSTP is a great advance for Windows VPN users because SSTP does not have the problems with firewalls and NAT devices that PPTP and L2TP/IPSec have. In order for PPTP to work through a NAT device, the NAT device needs to support PPTP through a PPTP "NAT editor". If there is no NAT editor for PPTP on the NAT device, the PPTP connections will fail.

    L2TP/IPSec has problems with NAT devices and firewalls because the firewall needs to have the L2TP port, UDP 1701, open outbound, the IPSec IKE port, UDP 500, open outbound, and the IPSec NAT traversal port, UDP 4500, open outbound (the L2TP port is not required when using NAT-T). Most firewalls in public places, such as hotels, conference centers, restaurants, and other locations only allow a small number of ports open outbound, such as HTTP, TCP port 80 and HTTPS (SSL), TCP port 443. If you need support for protocols other than HTTP and SSL when you leave the office, you are playing a game of dice. You may or may not get the required ports needed for PPTP or L2TP/IPSec.

    In contrast, SSTP VPN connections are tunneled over SSL using TCP port 443. Since all firewalls and NAT devices have TCP port 443 open, you will be able to use SSTP from anywhere. This greatly simplifies the life of the road warrior who needs to use VPN connections to connect to the office, and also makes life a lot easier for the corporate admin who needs to support the road warrior, as well as the help desk people at the service providers who provide Internet access for hotels, conference centers, and other public locations.

    The SSTP Connection Process

    The following shows how the SSTP connection process works:

    1. The SSTP VPN client establishes a TCP connection with the SSTP VPN gateway between a random TCP source port on the SSTP VPN client and TCP port 443 on the SSTP VPN gateway.
    2. The SSTP VPN client sends an SSL Client-Hello message, indicating that the SSTP VPN client wants to establish an SSL session with the SSTP VPN gateway.
    3. The SSTP VPN gateway sends its computer certificate to the SSTP VPN client.
    4. The SSTP VPN client validates the computer certificate by checking its Trusted Root Certification Authorities certificates store to see if the CA certificate that signed the server certificate is located in that store. The SSTP VPN client then determines the encryption method for the SSL session, generates an SSL session key and encrypts it with the SSTP VPN gateway's public key, and then sends the encrypted form of the SSL session key to the SSTP VPN gateway.
    5. The SSTP VPN gateway decrypts the encrypted SSL session key with the private key of its computer certificate. All future communication between the SSTP VPN client and the SSTP VPN gateway is encrypted with the negotiated encryption method and SSL session key.
    6. The SSTP VPN client sends an HTTP over SSL (HTTPS) request message to the SSTP VPN gateway.
    7. The SSTP VPN client negotiates an SSTP tunnel with the SSTP VPN gateway.
    8. The SSTP VPN client negotiates a PPP connection with the SSTP server. This negotiation includes authenticating the user's credentials using standard PPP authentication methods (or even EAP authentication) and configuring settings for Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) traffic.
    9. The SSTP client begins sending IPv4 or IPv6 traffic over the PPP link.

    For those of you who are interested in the characteristics of the VPN protocol architecture, you can see that in the figure below. Notice that SSTP has an additional header compared to the other two VPN protocols. That is because there is HTTPS encapsulation in addition to the SSTP header. L2TP and PPTP don't have application layer headers encapsulating the communication.

    Figure 1


    We will use a simple three machine example network to show how SSTP works. The names and characteristics of the three machines are:

    Vista:

    • Vista Business Edition
    • Vista Service Pack 1
    • Non-domain member

    W2008RC0-VPNGW:

    • Windows Server 2008 Enterprise Edition
    • Two NICs: Internal and External
    • Domain member

    WIN2008RC-DC:

    • Windows Server 2008 Enterprise Edition
    • Domain Controller of MSFIREWALL.ORG domain
    • DHCP Server
    • DNS Server
    • Certificate Server (Enterprise CA)

    Notice that you must use Vista Service Pack 1 as the VPN client. While there have been discussions in the past about Windows XP Service Pack 3 supporting SSTP, this may not end up being the case. I recently installed the release candidate for Windows XP Service Pack 3 on a test machine and found no evidence of SSTP support. This is a real shame, as there is a large installed base of Windows XP on laptop computers, and the common consensus at this time is that Vista is too slow for laptop use. Perhaps the Vista performance problems will be rectified with Vista Service Pack 1.

    The high level configuration of the example network is seen in the figure below.

    Figure 2


    Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 2)

    In the first part of this article series on how to configure Windows Server 2008 as an SSL VPN server, I went over some of the history of Microsoft VPN servers and VPN protocols. We finished that article up with a description of the example network that we'll use in this and subsequent articles on configuring the VPN gateway to support SSTP connections from Vista SP1 clients.

    Before we begin, I need to say that I know that there is a step by step guide on how to configure SSTP connections to Windows Server 2008 on the www.microsoft.com Web site. The problem with that article is that I felt it did not reflect a real world environment that uses an enterprise CA for certificate assignment. Because of that, and some of the issues that were left out of the Microsoft step by step guide, I decided to do this article. I think you will learn a few new things along the way as you follow along with me.

    I'm not going to go through all the steps from the ground up. I will assume that you have installed a DC and enabled the DHCP, DNS and Certificate Services roles on that server. The certificate server type should be Enterprise, so that you are hosting an enterprise CA on your network. The VPN server should be joined to the domain before you begin the following steps. The Vista client needs to have SP1 installed before you get started.

    We will need to perform the following procedures to get the solution working:

    • Install IIS on the VPN server
    • Request a machine certificate for the VPN server using the IIS Certificate Request Wizard
    • Install the RRAS server role on the VPN server
    • Enable the RRAS Server and configure it to be a VPN and NAT server
    • Configure the NAT server to publish the CRL
    • Configure the User Account to allow dial-up connections
    • Configure IIS on the Certificate Server to allow HTTP connections for the CRL directory
    • Configure the HOSTS file on the VPN client
    • Use PPTP to connect to the VPN server
    • Obtain a CA Certificate from the Enterprise CA
    • Configure the Client to use SSTP and Connect to the VPN Server using SSTP

    Install IIS on the VPN Server

    This might sound like a strange way to get things started, as I normally suggest that you never put a Web server on a network security device. The good news is that we do not need to keep the Web server on the VPN server, we just need to use it for a little while. The reason for this is that the Web enrollment site included with the Windows Server 2008 Certificate Server is no longer very useful for requesting computer certificates. In fact, it is no use at all. What is interesting about this is that you can still try to get a computer certificate using the Web enrollment site, and it will look like it was installed, but in fact, the certificate is not installed.

    To solve this problem, we will take advantage of the fact that we are using an enterprise CA. When using an Enterprise CA, you can make a request to an online certificate server. The online request for a computer certificate is allowed when you use the IIS Certificate Request Wizard and request what they now call a "Domain Certificate". This only works when the machine requesting the certificate belongs to the same domain as the Enterprise CA.

    Perform the following steps on the VPN server to install the IIS Web server role:

    1. Open the Windows 2008 Server Manager.
    2. In the left pane of the console, click the Roles node.


    Figure 1

    3. Click the Add Roles link on the right side of the right pane.
    4. Click Next on the Before You Begin page.
    5. Put a checkmark in the Web Server (IIS) checkbox on the Select Server Roles page. Click Next.

    Figure 2


    6. Read the information on the Web Server (IIS) page if you like. This is good general information about using IIS 7 as a Web server, but since we are not going to use the IIS Web server on the VPN server, this information does not really apply to our scenario. Click Next.
    7. On the Select Role Services page, a number of options are already selected. However, if you use the default options, it does not seem that you will get the option of using the Certificate Request Wizard. This was the case when I tested it. There is no Role Service for the Certificate Request Wizard, so I tried putting a checkmark in each of the Security options and that seemed to work. Do the same on yours and click Next.

    Figure 3

    8. Review the information on the Confirm Installation Selections page and click Install.
    9. Click Close on the Installation Results page.


    Figure 4

    Request a Machine Certificate for the VPN Server using the IIS Certificate Request Wizard

    The next step is to request a machine certificate for the VPN server. The VPN server needs a machine certificate to create the SSL VPN connection with the SSL VPN client computer. The common name on the certificate must match the name that the VPN client will use to connect to the SSL VPN gateway computer. This means that you will need to create a public DNS entry for the name on the certificate so that it resolves to the external IP address on the VPN server, or the IP address of a NAT device in front of the VPN server that will forward the connection to the SSL VPN server.

    Perform the following steps to request and install the computer certificate on the SSL VPN server:

    1. In the Server Manager, expand the Roles node in the left pane and then expand the Web Server (IIS) node. Click on Internet Information Services (IIS) Manager.


    Figure 5

    2. In the Internet Information Services (IIS) Manager console that appears in the panes to the right of the left pane, click on the name of the server. In this example, the name of the server is W2008RC0-VPNGW. Click on the Server Certificates icon in the right pane of the IIS console.

    Figure 6


    3. In the right pane of the console, click the Create Domain Certificate link.

    Figure 7

    4. Fill out the information on the Distinguished Name Properties page. The most important entry on this page is the Common Name entry. This name is the name that VPN clients will use to connect to the VPN server. You will need a public DNS entry for this name so that it resolves either to the external interface of the VPN server, or the public address of a NAT device in front of the VPN server. In this example we will use the common name sstp.msfirewall.org. Later, we will create HOSTS file entries on the VPN client computer so that it can resolve this name. Click Next.


    Figure 8

    5. On the Online Certification Authority page, click the Select button. In the Select Certification Authority dialog box, click the name of the Enterprise CA and click OK. Enter a friendly name for the certificate in the Friendly name text box. In this example we'll use the name SSTP Cert so that we know it is being used for the SSTP VPN gateway.


    Figure 9

    6. Click Finish on the Online Certification Authority page.


    Figure 10

    7. The wizard will run and then disappear. After this point you will see the certificate appear in the IIS console. Double click on the certificate and you can see the common name in the Issued to section and that we have a private key that corresponds to the certificate. Click OK to close the Certificate dialog box.


    Figure 11

    Now that we have a certificate, we can install the RRAS Server Role. Note that it is critical that you install the certificate first, before you install the RRAS Server Role. If you do not, you will end up being in a world of hurt, because you will have to use a fairly complex command line routine to bind the certificate to the SSL VPN listener.

    Install the RRAS Server Role on the VPN Server

    To install the RRAS Server Role, perform the following steps:

    1. In the Server Manager, click the Roles node in the left pane of the console.
    2. In the Roles Summary section, click the Add Roles link.
    3. Click Next on the Before You Begin page.


    4. On the Select Server Roles page, put a checkmark in the Network Policy and Access Services checkbox. Click Next.

    Figure 12

    5. Read the information on the Network Policy and Access Services page. Most of it is about the new Network Policy Server (which used to be called the Internet Authentication Server [IAS], which was a RADIUS server) and NAP, neither of which applies to our current scenario. Click Next.
    6. On the Select Role Services page, put a checkmark in the Routing and Remote Access Services checkbox. This will put checkmarks in the Remote Access Service and Routing checkboxes. Click Next.


    Figure 13

    7. Click Install on the Confirm Installation Selections page.
    8. Click Close on the Installation Results page.

    Enable the RRAS Server and Configure it to be a VPN and NAT Server

    Now that the RRAS server role is installed, we need to enable the RRAS service, just like how we did it in previous versions of Windows. We need to enable the VPN server feature and the NAT service. While it is clear why we need to enable the VPN server component, you might wonder why we need to enable the NAT server. The reason for enabling the NAT server is so that external clients can gain access to the Certificate Server to connect to the CRL. If the SSTP VPN client cannot download the CRL, the SSTP VPN connection will fail.

    In order to allow access to the CRL, we will configure the VPN server as a NAT server and publish the CRL using reverse NAT. In a production environment you will be more likely to have a firewall, such as an ISA Firewall, in front of the Certificate Server, so that you would publish the CRL using the firewall. However, in this example the only firewall we will be using is the Windows Firewall on the VPN server, so we will need to configure the VPN server as a NAT server in this example.

    Perform the following steps to enable the RRAS service:

    1. In the Server Manager, expand the Roles node in the left pane of the console. Expand the Network Policy and Access Services node and click on the Routing and Remote Access node. Right click on the Routing and Remote Access node and click Configure and Enable Routing and Remote Access.


    Figure 14

    2. Click Next on the Welcome to the Routing and Remote Access Server Setup Wizard page.
    3. On the Configuration page, select the Virtual private network (VPN) access and NAT option and click Next.

    Figure 15


    4. On the VPN Connection page, select the NIC in the Network interfaces section that represents the external interface of the VPN server. Then click Next.

    Figure 16

    5. On the IP Address Assignment page, select the Automatically option. We can select this option because we have a DHCP server installed on the domain controller behind the VPN server. If you did not have a DHCP server, then you would have to select the From a specified range of addresses option and then provide a list of addresses that VPN clients could use when connecting to the network through the VPN gateway. Click Next.


    Figure 17

    6. On the Managing Multiple Remote Access Servers page, select the No, use Routing and Remote Access to authenticate connection requests option. This is the option we use when there is no NPS or RADIUS server available. Since the VPN server is a member of the domain, you can authenticate users using domain accounts. If the VPN server were not a member of the domain, then only local accounts on the VPN server could be used, unless you decide to use the NPS server. I'll do an article on how to use an NPS server in the future. Click Next.


    Figure 18

    7. Read the summary information on the Completing the Routing and Remote Access Server Setup Wizard page and click Finish.
    8. Click OK in the Routing and Remote Access dialog box informing you that relaying of DHCP messages requires a DHCP relay agent.
    9. In the left pane of the console, expand the Routing and Remote Access node and then click on the Ports node. In the middle pane you will see that WAN Miniport connections for SSTP are now available.

    Figure 19


    Configure the NAT Server to Publish the CRL

    As I mentioned earlier, the SSL VPN client needs to be able to download the CRL to confirm that the server certificate on the VPN server has not been revoked. In order to do this, you need to configure a device in front of the certificate server to forward HTTP requests for the CRL location to the Certificate Server.

    How do you know what URL the SSL VPN client needs to connect to in order to download the CRL? That information is contained within the certificate itself. If you go to the VPN server again and double click on the certificate in the IIS console, as you did earlier, you will be able to find this information.

    Click the Details tab of the certificate and scroll down to the CRL Distribution Points entry and click on that entry. In the lower pane you will see the various distribution points based on the protocol used to access those points. In the certificate seen in the figure below, you can see that we need to allow the SSL VPN client access to the CRL via the URL:

    http://win2008rc0-dc.msfirewall.org/CertEnroll/WIN2008RC0-DC.msfirewall.org.crl

    Figure 20

    Because of this, you need to create a public DNS entry for this name so that external VPN clients can resolve this name to an IP address on a device that will perform reverse NAT or reverse proxy to allow access to the Certificate Server's Web site. In this example, we need to have win2008rc0-dc.msfirewall.org resolve to the IP address on the external interface of the VPN server. When the connection reaches the external interface of the VPN server, the VPN server will reverse NAT the connection to the Certificate Server.


    If you are using an advanced firewall, such as an ISA Firewall, you could make publishing the CRL site more secure, by allowing access only to the CRL, and not the entire site. However, in this article we will limit ourselves to the capabilities of a simple NAT device, such as what the RRAS NAT provides.

    I should note here that using the default CRL site name might not be the more secure option, since it exposes a private computer name to the Internet. You can create a custom CDP (CRL Distribution Point) to prevent this if you consider exposing the private name of your CA in your public DNS a security issue. You can find some information on how to change these values at "How to Change the Policy Settings for a Certification Authority (CA) in Windows 2000".
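
    The CDP lookup described above, as an added Python example that is not part of the original article: it reads the CRL Distribution Points extension out of DER bytes and reports, for each URL, what a client on the Internet would still need before it can fetch the CRL. The sample bytes, the LDAP URL with its EXAMPLE-CA name, the verdict strings and the public_dns_names parameter are constructed assumptions; only the HTTP URL is taken from the certificate shown above.

```python
"""Added example: list the CRL Distribution Point (CDP) URLs found in DER bytes."""
from urllib.parse import urlsplit

OID_CDP = bytes.fromhex("551d1f")  # 2.5.29.31 id-ce-cRLDistributionPoints
# SEQUENCE OF > DistributionPoint > [0] distributionPoint > [0] fullName > [6] URI
CDP_PATH = (0x30, 0x30, 0xA0, 0xA0, 0x86)
# The HTTP URL is the one in the article's certificate; the LDAP URL is constructed.
HTTP_CDP = "http://win2008rc0-dc.msfirewall.org/CertEnroll/WIN2008RC0-DC.msfirewall.org.crl"
LDAP_CDP = ("ldap:///CN=EXAMPLE-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
            "CN=Configuration,DC=msfirewall,DC=org?certificateRevocationList?base")


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[start:end]."""
    while start < end:
        if start + 2 > end:
            raise ValueError("truncated DER element")
        tag, length = buf[start], buf[start + 1]
        start += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            if not 1 <= n <= 4 or start + n > end:
                raise ValueError("unsupported DER length")
            length = int.from_bytes(buf[start:start + n], "big")
            start += n
        if start + length > end:
            raise ValueError("DER length runs past its container")
        yield tag, start, start + length
        start += length


def find_extension(buf, start, end, oid):
    """Depth-first search; return the value span of the Extension carrying oid, or None."""
    for tag, vs, ve in children(buf, start, end):
        if tag & 0x20:  # constructed: test it, then search inside it
            kids = list(children(buf, vs, ve))
            # Extension ::= SEQUENCE { OID, [BOOLEAN critical], OCTET STRING }
            if (tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06
                    and buf[kids[0][1]:kids[0][2]] == oid and kids[-1][0] == 0x04):
                return kids[-1][1], kids[-1][2]
            found = find_extension(buf, vs, ve, oid)
            if found:
                return found


def collect(buf, start, end, path):
    """Follow the tag path and return the URI strings found at its end."""
    urls = []
    for tag, vs, ve in children(buf, start, end):
        if tag == path[0] and len(path) == 1:
            urls.append(buf[vs:ve].decode("ascii"))
        elif tag == path[0]:
            urls += collect(buf, vs, ve, path[1:])
    return urls


def cdp_urls(der):
    """Return the CDP URLs in a DER certificate, or in any DER blob holding the extension."""
    span = find_extension(der, 0, len(der), OID_CDP)
    return collect(der, span[0], span[1], CDP_PATH) if span else []


def assess(urls, public_dns_names):
    """Pair each URL with a verdict; public_dns_names is the caller's set of public hosts."""
    report = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            verdict = "not-http"                # not covered by the HTTP publishing rule
        elif (parts.hostname or "").lower() not in public_dns_names:
            verdict = "needs-public-dns"        # client cannot resolve the CDP host
        else:
            verdict = "ok-if-tcp-80-published"  # still needs the reverse NAT rule
        report.append((url, verdict))
    return report


def tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value


def sample_der():
    """Constructed sample: [3] extensions > SEQUENCE > one CDP Extension."""
    names = tlv(0x86, LDAP_CDP.encode()) + tlv(0x86, HTTP_CDP.encode())
    value = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, names))))
    extension = tlv(0x30, tlv(0x06, OID_CDP) + tlv(0x04, value))
    return tlv(0xA3, tlv(0x30, extension))


if __name__ == "__main__":
    print(assess(cdp_urls(sample_der()), {"sstp.msfirewall.org"}))
```

    To check the VPN server's real certificate, export it as a DER encoded .cer file and pass the file's bytes to cdp_urls.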

    Perform the following steps to configure RRAS NAT to forward HTTP requests to the Certificate Server:

    1. In the left pane of the Server Manager, expand the Routing and Remote Access node and then expand the IPv4 node. Click on the NAT node.
    2. In the NAT node, right click on the external interface in the middle pane of the console. In this example, the name of the external interface is Local Area Connection. Click Properties.

    Figure 21

    3. In the Local Area Connection Properties dialog box, click on the Web Server (HTTP) checkbox. That brings up the Edit Service dialog box. In the Private Address text box, enter the IP address of the Certificate Server on the internal network. Click OK.


    Figure 22

    4. Click OK in the Local Area Connection Properties dialog box.


    Figure 23

    Now that the NAT server is installed and configured, we can move our attention to configuring the CA server and the SSTP VPN client.