Enable SSTP VPN capability on Windows RRAS
Overview
Many people continue to use the PPTP VPN protocol when connecting to a Windows VPN server, as it has been the traditional way to connect.
However, in recent times it has been found that PPTP traffic can be decrypted fairly easily with a man-in-the-middle style attack, as the encryption is only as strong as the user's password. Given the password habits of some users and the password policies of some organisations, those passwords can turn out to be fairly weak.
It's also known that PPTP traffic is no longer allowed through an iPhone hotspot.
The workaround to all of this is to enable and use SSTP. I have written a quick guide on how to enable this.
SSL Certificate and port forward
The first step is to ensure the server has a valid external SSL certificate installed in IIS, with port 443 open externally. Only TCP port 443 is required. This may already be done if the server is also used for OWA or an RD Gateway, for example.
Once this is done we can proceed to the next step.
Enabling SSTP in RRAS
- Open the RRAS (Routing and Remote Access) console from Administrative Tools.
- Right click on the server and select Properties.
- Click the Security tab and, under SSL Certificate Binding, ensure the Certificate drop-down list has the certificate currently installed in IIS selected. A quick way to tell which one is selected is to cycle through the drop-down until you no longer see the message below.
- Click OK. You may get a prompt to restart the RRAS service. Proceed to do so, but remember this will drop existing connections.
- Go to Ports, right click and open its properties. Ensure there are available ports set for SSTP. If not, click WAN Miniport (SSTP) and click Configure.
- Click OK.
- To test this on a working client that is already set up using PPTP, simply change the VPN type of the connection from PPTP to SSTP.
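The same checks and the final client step, as an added PowerShell example that is not part of the original guide: it reads the SSTP port count and bound certificate on the server via the RemoteAccess module (Windows Server 2012 and later), confirms the certificate in the machine store is usable, verifies TCP 443 from the client, and switches an existing PPTP connection to SSTP. The server name vpn.example.com, the connection name "Corp VPN" and the SstpPorts/SslCertificate property names are assumptions.

```powershell
# Added example (not from the original guide). Assumes Windows Server 2012+ with the
# RemoteAccess module on the server and the built-in VpnClient module on the client.
# Placeholders: vpn.example.com and "Corp VPN".

# --- Server side: confirm what the guide configures by hand in the RRAS console ---
Import-Module RemoteAccess

$cfg = Get-VpnServerConfiguration   # assumed to expose SstpPorts and SslCertificate
"SSTP ports : $($cfg.SstpPorts)"
"Certificate: $($cfg.SslCertificate.Subject) (expires $($cfg.SslCertificate.NotAfter))"

if (-not $cfg.SstpPorts -or $cfg.SstpPorts -eq 0) {
    Write-Warning "No SSTP ports configured: clients cannot switch from PPTP to SSTP."
}

# The bound certificate must live in the machine store, be unexpired and have a
# private key, otherwise the SSL Certificate Binding on the Security tab will not work.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $cfg.SslCertificate.Thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey -or $cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Bound certificate is missing, expired, or has no private key."
}

# Optional: apply the binding and the port count in one step instead of the GUI.
# (Restarting RRAS afterwards drops existing connections, as the guide notes.)
# Set-VpnServerConfiguration -SstpPorts 128 -SslCertificate $cert -PassThru

# --- Client side: only TCP 443 must be reachable, then change the tunnel type ---
Test-NetConnection -ComputerName vpn.example.com -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Existing PPTP profile -> SSTP (the guide's last step), then dial it.
Set-VpnConnection -Name "Corp VPN" -TunnelType Sstp
rasdial "Corp VPN"
```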