ADMIN

VPns with SSTP
nuTS And BoLTS
Handshake
Microsoft’s SSTP is basically another proprietary implementation of an
SSL VPN. SSTP relies on standards such as SSL and TLS for encryption
and authentication, but Microsoft has modified the tried-and-trusted
SSL handshake by introducing proprietary extensions that bind the proprietary
PPP protocol. If you look at the basic handshake, SSTP at first
keeps to the standard SSL handshake procedure:
1. The client opens a connection to TCP port 443 on the server.
2. The client sends an “SSL Session Setup Message” to indicate that it
wants to set up an SSL connection to the server.
3. The server sends an SSL certificate to the client.
4. The client validates the server certificate, identifies the correct encryption
method for the SSL session, and creates a session key, which it
encrypts using the public key from the server certificate.
5. The client sends the encrypted SSL session key to the server.
6. The server decrypts the client’s SSL session key using its own private
key and encrypts the communications with the session key. Up to this
point, the procedure is no different from standard SSL communication.
However, Microsoft then implements additional handshake steps that
build on what has happened thus far.
7. The client sends an HTTP-over-SSL request message to the server and
negotiates an SSTP tunnel with the server.
8. After this, the client negotiates a PPP connection with the SSTP
server, which includes authenticating the user’s login credentials with
a PPP authentication method and configuring the settings for the data
traffic.
9. The client starts to transfer data via the PPP connection.
L2TP, or PPTP, but use SSL to handle
the data transfer. Because SSTP encapsulates
complete IP packets, the
connections act just like a PPTP or
IPsec tunnel on the client side. According
to the Microsoft definition,
SSTP is a protocol mainly intended
for dialup connections in the application
layer that guarantees the confidentiality,
authenticity, and integrity
of the data to be transferred. A public
key infrastructure (PKI) is used for
authentication purposes. Microsoft introduced
SSTP with Windows Server
2008 and Vista SP1. Today, Windows
Server 2008 R2 and Windows 7 also
support SSTP [1]. But what does SSTP
offer the administrator, and how do
you set up a VPN server with SSTP?
Sample Scenario
In this example, I am using Windows
Server 2008 R2 to provide an SSTPbased
VPN server behind a NAT
device. The server is configured as
the domain controller and needs two
network cards for the VPN setup. At
least one card (preferably both) needs
a static IP address. The client will be
MS Windows 7.
The server and clients are both members
of an Active Directory (AD)
domain. Additionally, the server and
clients should have all the current
updates in place, such as the current
Service Pack 2 for Windows Server
2008 R2. After installing a Windows
server, you need to install the Active
Directory Domain Services to
make the server a domain controller.
The easiest way to do this is to run
dcpromo at the command line and
then follow the wizard.
The server also needs to provide
DNS, DHCP, and certificate services,
which you can achieve by configuring
the matching server roles in the role
wizard. VPN functionality is also provided
via a server role Network policy
and access services.
PKI
Because SSTP uses HTTPS (port 443)
to handle all the data traffic, there is
no alternative to configuring a public
key infrastructure. At a minimum,
this means installing at least one certificate
on the SSTP server and a root
certificate authority certificate on all
SSTP VPN clients. You might have
to modify the packet filter rules, too,
even though SSTP doesn’t actually
need any additional NAT configuration
because port 443 is typically
open. The “Port Customizer” box explains
how you can use a port other
than 443 for SSTP.
Next, you’ll need to configure an
Active Directory-integrated root certification
authority on the domain controller.
In combination with a group
policy, this causes clients that are domain
members to request certificates
automatically when they open a connection.
Certificates are then issued
Port customizer
SSTP normally uses TCP port 443, which is
open in most router and NAT configurations.
Security-conscious Windows administrators
might prefer to modify the standard port
used by SSTP. To do so, you need to edit the
following registry key
HKEY_LOCAL_MACHINE\SYSTEM\ U
SSTP gateway server
SSTP VPN connection (TCP port 443)
1. Open TCP connection
2. Set up SSL connection and validate certificate
3. HTTPS request
4. Initiate SSL tunnel
5. Data communication via PPP
SSTP VPN client
Figure 1: The SSTP handshake is not much different from a standard SSL handshake. In contrast to IPsec, SSTP
sends PPP packets (not IP packets) through the tunnel.
CurrentControlSet\Services\SstpSvc\ U
Parameters
in the Registry Editor. Look for the ListenerPort
parameter. Changing the view
to Decimal (right-click) lets you specify a
different port. Then you need to restart the
Routing and RAS service. If you change the
ListenerPort, you need to reconfigure
your NAT device to match and forward all
incoming traffic addressed to port 443 to
the newly configured port on the SSTP-based
VPN server.
www.Admin-mAgAzine.com
Admin 01
95