ADMIN
VPNs with SSTP

the Customize this server section of the Server Manager, the Routing and Remote Access tool is available below Management. The Action | Configure and enable routing and RAS button takes you to the Routing and Remote Access Server Setup Wizard.

At the second Configuration step (Figure 4), you'll want to enable Virtual private network (VPN) access and NAT, then click Next and select the required network interface. At the following step, Address assignment defines how the VPN server assigns IP addresses to remote clients. If you have the DHCP service running, Automatic is the quickest and cleanest option. Then you can define an IP address pool for the DHCP server to use in the next step, Address range assignment.

In the final step, you can choose whether or not to use a RADIUS server to authenticate clients on a large-scale network; this is disabled by default. The wizard will then instruct you to set up the DHCP relay agent for Windows to support the forwarding of DHCP messages to RAS clients. To do this, you need to enable the Relay DHCP packets option in the DHCP Relay Properties dialog box (Figure 5).

Figure 4: You need to set up the RAS services to run a VPN server.

Figure 5: Configuring Windows to forward DHCP messages to the RAS clients.

Nuts and Bolts

Microsoft's SSTP encapsulation structure is like a Russian doll. Just as with PPTP, Microsoft uses the PPP protocol with SSTP, which leads to a fairly complex encapsulation structure (see Figure 6), in which an IP header contains a TCP header, which in turn contains an SSTP header, which then contains a PPP header, which finally contains the IP packets themselves. Although the method seems to be slightly more efficient than Encapsulating Security Payload (ESP), with an overhead of 8 bytes in the PPP header, compared with 20 bytes in IPsec over HTTPS, there is actually no real need to encapsulate in PPP packets. In IPsec, ESP builds directly on IP. Microsoft is quite obviously seeking to set itself apart by encapsulating in PPP.

[Figure 6 diagram: IPv4 or IPv6 | TCP | SSTP | PPP | IPv4 or IPv6 packet, carried inside an encapsulated SSL session]

Figure 6: The SSTP encapsulation structure is like a Russian doll. Microsoft has gone to considerable trouble to make something proprietary from what are basically open protocols. From a technical point of view, there seems to be no real reason to use PPP.

Conclusions

Apart from the fairly complex Windows server configuration, which mainly involves setting up the certificate services, and possibly packet filters for transporting the certificate requests, SSTP offers a secure, well-performing tunnel technology for the future.
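As an added, constructed illustration (not code from the article or from Microsoft), the following Python walks the nested headers of a decrypted SSTP data packet in the order Figure 6 shows and tallies the header bytes wrapped around the inner packet. The SSTP header layout follows Microsoft's MS-SSTP specification; the 4-byte PPP framing (address, control, protocol), the sample addresses and the zeroed checksums are assumptions made for the example.

```python
import struct

# Layers of a decrypted SSTP data packet, outermost first (as in Figure 6):
# IPv4 | TCP | SSTP | PPP | inner IPv4 packet. A sensor on the network only sees
# the outer IPv4/TCP(443) layers in the clear; the rest sits inside the TLS session.
PPP_PROTO = {0x0021: "IPv4", 0x0057: "IPv6"}


def peel_sstp_doll(pkt: bytes) -> list:
    """Return [(layer, header_len, note), ...] by walking each header in turn."""
    layers = []
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length from IHL nibble
    layers.append(("IPv4", ihl, f"protocol {pkt[9]}"))
    off = ihl
    sport, dport = struct.unpack("!HH", pkt[off:off + 4])
    doff = (pkt[off + 12] >> 4) * 4              # TCP data offset nibble
    layers.append(("TCP", doff, f"ports {sport}->{dport}"))
    off += doff
    # SSTP header (MS-SSTP): version 0x10, C flag in bit 0, 12-bit packet length.
    version, flags, length = struct.unpack("!BBH", pkt[off:off + 4])
    kind = "control" if flags & 0x01 else "data"
    layers.append(("SSTP", 4, f"v{version >> 4}.{version & 0x0F} {kind}, length {length & 0x0FFF}"))
    off += 4
    # PPP framing assumed here: address 0xFF, control 0x03, then 2-byte protocol.
    _addr, _ctrl, proto = struct.unpack("!BBH", pkt[off:off + 4])
    name = PPP_PROTO.get(proto, hex(proto))
    layers.append(("PPP", 4, f"protocol 0x{proto:04x} ({name})"))
    off += 4
    layers.append((f"inner {name} packet", len(pkt) - off, "payload"))
    return layers


def overhead(layers: list) -> int:
    """Header bytes wrapped around the inner packet: the doll's shells."""
    return sum(n for name, n, _ in layers if not name.startswith("inner"))


def build_sample() -> bytes:
    """Constructed packet (documentation addresses, zero checksums), not a capture."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                        bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + b"\x08\x00\x00\x00\x00\x01\x00\x01"
    ppp = b"\xff\x03" + struct.pack("!H", 0x0021) + inner
    sstp = struct.pack("!BBH", 0x10, 0x00, 4 + len(ppp)) + ppp
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + sstp
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + tcp


if __name__ == "__main__":
    doll = peel_sstp_doll(build_sample())
    for layer in doll:
        print(f"{layer[0]:<18} {layer[1]:>3} bytes  {layer[2]}")
    print("encapsulation overhead:", overhead(doll), "bytes")
```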
The Author

Thomas Drilling has been a freelance journalist and editor for scientific and IT magazines for more than 10 years. With his editorial office team, he regularly writes on the subject of open source, Linux, servers, IT administration, and Mac OS X. In addition to this, Thomas Drilling is also a book author and publisher, a consultant to small and medium-sized companies, and a regular speaker on Linux, open source, and IT security.

www.admin-magazine.com
Admin 01
97