If you would like to read the previous parts in this article series please go to:
- Publishing a Windows Server 2008 SSL VPN Server Using ISA 2006 Firewalls (Part 1)
- Publishing a Windows Server 2008 SSL VPN Server Using ISA 2006 Firewalls (Part 2)
In the first two parts of this series on how to publish a Windows Server 2008 SSTP SSL VPN server, we went over the challenges of VPN access from hotel and other public networks, and then over the configuration of the CDP Web site and the ISA Firewall. We also enabled a user account for dial-in access.
In this, part three and the final part of the series, we'll configure the SSL VPN client so that it can connect to the SSTP SSL VPN server, and then test the connection. We'll also look at confirmatory information on the SSL VPN client, on the ISA Firewall and on the RRAS server to verify that the SSTP connection was successful.
For a complete description of how to arrive at a working configuration, check out part 1 of this series.
Configure the HOSTS File on the VPN Client
Now we can turn our attention to the VPN client. The first thing we need to do on the client is configure the HOSTS file so that we can simulate a public DNS infrastructure. There are two names that we need to enter into the HOSTS file (and the same is true for the public DNS server you would use in a production environment). The first is the name of the VPN server, as defined by the common/subject name on the certificate we bound to the SSL VPN server. The second is the host name in the CDP URL found on that certificate; the SSTP client fetches the CRL from this URL before it will complete the connection, so the name must resolve. We saw the location of the CDP information in part 1 of this series.
Remember, both names must resolve to the IP address on the external interface of the ISA Firewall that is listening for the incoming connections, as defined by the settings on the publishing rule and Web listener.
The two names we will need to enter into the HOSTS file in this example are:
Perform the following steps on the Vista SP1 VPN client to configure the HOSTS file:
- Click the Start button and enter c:\windows\system32\drivers\etc\hosts in the search box and press ENTER.
- In the Open With dialog box, double click on Notepad.
- Enter the HOSTS file entries using the format as seen in the figure below. Make sure that you press enter after the last line so that the cursor appears under the last line.
- Close the file and choose the save option when asked.
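The same HOSTS file change, with a check that both names really resolve to the listener address, as an added example that is not part of the original article. It assumes the external address of the ISA Firewall and the host name in the certificate's CDP URL (both placeholders here) and must be run from an elevated PowerShell prompt, since the HOSTS file is writable only by administrators:

```powershell
# Added example, not from the article. Placeholders: the ISA Firewall's external listener address
# and the CDP host name; substitute the values from your certificate and Web listener.
$externalIp = '192.168.1.70'          # assumption: external interface address used by the Web listener
$names = @('sstp.msfirewall.org',     # common/subject name on the SSL VPN server certificate
           'crl.msfirewall.org')      # assumption: host name in the certificate's CDP URL
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"

# Append any entry that is missing; leave existing lines alone.
$existing = Get-Content $hosts
foreach ($n in $names) {
    $already = @($existing -match "^\s*\S+\s+$([regex]::Escape($n))(\s|$)")
    if ($already.Count -eq 0) {
        Add-Content -Path $hosts -Value "$externalIp`t$n"
    }
}
ipconfig /flushdns | Out-Null

# Verify that both names resolve to the listener address. A mismatch breaks SSTP in two different ways:
# a wrong VPN server name fails the certificate subject check, a wrong CDP name makes the CRL fetch fail.
foreach ($n in $names) {
    $resolved = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
    if ($resolved -contains $externalIp) {
        "$n -> $externalIp OK"
    } else {
        Write-Warning "$n resolves to '$($resolved -join ',')' instead of $externalIp"
    }
}
```

In production the same two names go into public DNS instead of the HOSTS file, and the resolution check is still worth running from a client on the public side of the ISA Firewall.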
Use PPTP to Connect to the VPN Server
We are getting closer to creating an SSL VPN connection! The next step is to create a VPN connectoid on the Vista SP1 client that will let us make an initial VPN connection to the VPN server. We need this in our current scenario because the client computer is not a domain member, so the CA certificate is not automatically installed in the machine's Trusted Root Certification Authorities certificate store. If the machine were a domain member, Active Directory would have distributed the certificate of our Enterprise CA to it automatically.
The easiest way to do this is to create a PPTP connection from the Vista SP1 VPN client to the Windows Server 2008 VPN server. By default, the VPN server supports PPTP connections, and a client whose VPN type is left at Automatic tries PPTP first, then L2TP/IPsec and then SSTP. To do this we need to create a VPN connectoid, or connection object.
Perform the following steps on the VPN client to create the connectoid:
- On the VPN client, right click the network icon in the tray and click the Network and Sharing Center.
- In the Network and Sharing Center window, click the Set up a connection or network link on the left side of the window.
- On the Choose a connection option page, click on the Connect to a workplace entry and click Next.
- On the How do you want to connect page, select the Use my Internet connection (VPN) entry.
- On the Type the Internet address to connect to page, enter the name of the SSL VPN server. Make sure that this is the same name as the common name on the certificate used by the SSL VPN server. In this example, the name is sstp.msfirewall.org. Enter a Destination Name. In this example we will name the destination SSL VPN. Click Next.
- On the Type your user name and password page, enter the User name, Password and Domain. Click Connect.
- Click Close on the You are connected page.
- On the Select a location for the “SSL VPN” network page, select the Work option.
- Click Continue on the UAC prompt.
- Click Close on the Successfully set network settings page.
- In the Network and Sharing Center, click on the View status link in the SSL VPN section, as seen in the figure below. You will see in the SSL VPN Status dialog box that the VPN connection type is PPTP. Click Close in the SSL VPN Status dialog box.
- Open a command prompt and ping the domain controller. In this example, the IP address of the domain controller is 10.0.0.2. If your VPN connection is successful, you will receive a ping reply from the domain controller.
Obtain a CA Certificate from the Enterprise CA
The SSL VPN client needs to trust the CA that issued the certificate used by the SSTP VPN server. In order to establish this trust, we need to install the CA certificate of the CA that issued the VPN server’s certificate. We can do this by connecting to the Web enrollment site on the CA on the internal network and installing the certificate in the VPN client’s Trusted Root Certification Authorities certificate store.
Perform the following steps to obtain the certificate from the Web enrollment site:
- On the VPN client that is connected to the VPN server over a PPTP link, enter http://10.0.0.2/certsrv in the address bar in Internet Explorer and press ENTER.
- Enter a valid domain user name and password in the credentials dialog box. In this example we use the default domain administrator account, but any authenticated domain user can download the CA certificate from the Web enrollment site, so in production there is no reason to use an administrative account for this step.
- On the Welcome page of the Web enrollment site, click the Download a CA certificate, certificate chain, or CRL link.
- Click Allow in the dialog box warning you that A website wants to open web content using this program on your computer. Then click Close on the Did you notice the Information bar dialog box if it appears.
- Note that the Information bar informs you that the Web site might not work correctly, since the ActiveX control is blocked. This should not be a problem, as we’ll be downloading the CA certificate and using the Certificates MMC to install the certificate. Click the Download CA certificate link.
- In the File Download – Security Warning dialog box, click the Save button. Save the certificate to the Desktop.
- Click Close in the Download complete dialog box.
- Close Internet Explorer.
Now we need to install the CA certificate into the VPN client machine's Trusted Root Certification Authorities certificate store. Because the certificate was downloaded over plain HTTP through the PPTP tunnel, compare its thumbprint with the value your CA administrator publishes (obtained out of band) before you import it: whatever lands in this store becomes a trust anchor for every TLS connection the machine makes, not only for SSTP. Perform the following steps to install the certificate:
- Click Start and then enter mmc in the Search box. Press ENTER.
- Click Continue in the UAC dialog box.
- In the Console1 window, click the File menu and then click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, click the Certificates entry in the Available snap-ins list and then click Add.
- On the Certificates snap-in page, select the Computer account option and click Finish.
- On the Select Computer page, select the Local computer option and click Finish.
- Click OK in the Add or Remove Snap-ins dialog box.
- In the left pane of the console, expand the Certificates (Local Computer) node and then expand the Trusted Root Certification Authorities node. Click on the Certificates node. Right click on the Certificates node, point to All Tasks and click Import.
- Click Next on the Welcome to the Certificate Import Wizard page.
- On the File to Import page, use the Browse button to find the certificate, then click Next.
- On the Certificate Store page, confirm that the Place all certificates in the following store option is selected and that the Trusted Root Certification Authorities store is the one listed. Click Next.
- Click Finish on the Completing the Certificate Import page.
- Click OK in the dialog box informing you that the import was successful.
- The certificate now appears in the console, as seen in the figure below.
- Close the MMC console.
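The same import, preceded by the thumbprint check and followed by the validation the SSTP client will perform against the server certificate, as an added example that is not part of the original article. It assumes a Windows 8 / Server 2012 or later client (for the PKI module's Import-Certificate), the CA certificate saved on the Desktop as certnew.cer, a thumbprint obtained out of band (placeholder below), and that the HOSTS file already points sstp.msfirewall.org at the ISA Firewall:

```powershell
# Added example, not from the article. Assumptions: PKI module available, CA certificate saved as
# certnew.cer on the Desktop, expected thumbprint obtained from the CA administrator out of band.
$caCertPath         = "$env:USERPROFILE\Desktop\certnew.cer"
$expectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder, not a real value
$sstpServer         = 'sstp.msfirewall.org'                         # common name on the SSL VPN server certificate

# 1. Verify the downloaded root before trusting it. It came over plain HTTP, so the file alone proves nothing.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertPath
if ($caCert.Thumbprint -ne $expectedThumbprint) {
    throw "CA certificate thumbprint $($caCert.Thumbprint) does not match the expected value; not importing."
}
Import-Certificate -FilePath $caCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
"Imported '$($caCert.Subject)' into Trusted Root Certification Authorities (Local Computer)."

# 2. Fetch the certificate the SSL VPN listener actually presents on TCP 443. The callback accepts
#    anything so that we can inspect the certificate; the real checks are done explicitly below.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($sstpServer, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($sstpServer)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Close()

# 3. Apply the three checks the SSTP client applies: subject name, chain with an online CRL fetch, EKU.
$dnsName = $serverCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $sstpServer) {
    Write-Warning "Certificate name '$dnsName' does not match '$sstpServer'; the SSTP client will reject it."
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if ($chain.Build($serverCert)) {
    "Chain builds and the CRL at the certificate's CDP was fetched successfully."
} else {
    # Typical causes: the CDP host name does not resolve, the CRL Web site is not published through
    # the ISA Firewall, or the CA certificate is missing from the Local Computer store.
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())" }
}
$eku = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    "Server Authentication EKU present."
} else {
    Write-Warning "Certificate lacks the Server Authentication EKU required for SSTP."
}
```

Run step 2 and 3 while the PPTP tunnel is still down: they exercise the same public path (ISA Web listener, CDP Web site) that the SSTP client will use, so a warning here tells you which of the earlier parts to revisit before you switch the connectoid to SSTP.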
Configure the Client to use SSTP and Connect to the VPN Server using SSTP
We are almost there! Now we need to disconnect the VPN connection and configure the VPN client to use SSTP for its VPN protocol. In a production environment, you should not have to have the users do this step, as you would be using the Connection Manager Administration Kit to create the VPN connectoid for the user, which will set the client to use SSTP, or you would configure only SSTP ports on the VPN server.
How you handle this depends on your environment: you may want to leave PPTP enabled for a while so that users can still connect during the certificate rollout. You can also deploy the CA certificate out of band, for example via a Web site download or e-mail, in which case you would not need to allow PPTP at all. If, however, you have downlevel clients that do not support SSTP, you will need to keep PPTP or L2TP/IPsec available and cannot disable all non-SSTP ports; in that case you will have to depend on manual configuration or an updated CMAK package to move SSTP-capable clients over.
Another option is to bind the SSTP listener to a specific IP address in the RRAS server. In this case, you could create a custom CMAK package that points only to the IP address on the SSL VPN server that is listening for the incoming SSTP connections. Other addresses on the SSTP VPN server would listen for PPTP and/or L2TP/IPSec connections.
Perform the following steps to disconnect the PPTP session and configure the VPN client connectoid to use SSTP:
- At the VPN client computer, open the Network and Sharing Center as you did earlier.
- In the Network and Sharing Center window, click the Disconnect link, which lies just under the View Status link we used earlier. The SSL VPN section will disappear from the Network and Sharing Center.
- In the Network and Sharing Center, click the Manage network connections link.
- Right click the SSL VPN link and click the Properties command.
- In the SSL VPN Properties dialog box, click the Networking tab. In the Type of VPN drop down box, click the down arrow and select the Secure Socket Tunneling Protocol (SSTP) option and click OK.
- Double click the SSL VPN connectoid in the Network Connections window.
- In the Connect SSL VPN dialog box, click the Connect button.
- When the connection is complete, right click the SSL VPN connectoid in the Network Connections window and click Status.
- In the SSL VPN Status dialog box, you can see that an SSTP WAN Miniport connection was established.
- If you go to the VPN server and open the Routing and Remote Access Console, you will confirm that an SSTP connection was established.
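The whole client-side procedure, from the initial PPTP connectoid to the SSTP connection and the status check, in scriptable form, as an added example that is not part of the original article. The article's Vista SP1 client has to use the dialog boxes above; this example assumes a Windows 8 / Server 2012 or later client with the VpnClient module, the CA certificate already in the Local Computer Trusted Root store, and a domain user enabled for dial-in (the account name is a placeholder):

```powershell
# Added example, not from the article. Assumptions: VpnClient module (Windows 8 / Server 2012+),
# CA certificate already trusted by the machine, domain user with dial-in permission (placeholder).
$entry  = 'SSL VPN'
$server = 'sstp.msfirewall.org'        # must equal the common name on the SSL VPN server certificate
$user   = 'msfirewall\vpnuser'         # assumption: the account enabled for dial-in in part 2
$dc     = '10.0.0.2'                   # domain controller used as the reachability test

# Initial PPTP connectoid, only needed while the CA certificate is not yet trusted by the client.
Add-VpnConnection -Name $entry -ServerAddress $server -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force
rasdial $entry $user *                 # '*' prompts for the password instead of putting it on the command line
if (-not (Test-Connection $dc -Count 2 -Quiet)) { throw "PPTP tunnel is up but $dc is unreachable" }

# Download and import the CA certificate at this point (Web enrollment, thumbprint check), then
# disconnect, switch the connectoid to SSTP and reconnect.
rasdial $entry /disconnect
Set-VpnConnection -Name $entry -TunnelType Sstp
rasdial $entry $user *

# Client-side confirmation: the equivalent of the SSL VPN Status dialog box.
$c = Get-VpnConnection -Name $entry
"{0}: TunnelType={1} Status={2}" -f $c.Name, $c.TunnelType, $c.ConnectionStatus
if ($c.TunnelType -ne 'Sstp' -or $c.ConnectionStatus -ne 'Connected') { throw 'Not connected over SSTP' }

# Do not leave the lab-only revocation bypass behind: with this value set, the SSTP client skips the
# CRL check and will accept a revoked server certificate.
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters' `
        -Name NoCertRevocationCheck -ErrorAction SilentlyContinue
if ($p -and $p.NoCertRevocationCheck -ne 0) {
    Write-Warning 'NoCertRevocationCheck is set on this client; clear it before production use.'
}

# Server-side confirmation. Run on the RRAS server; assumes Windows Server 2012 or later with the
# RemoteAccess module (on Windows Server 2008 use the Routing and Remote Access console as above):
#   Get-RemoteAccessConnectionStatistics | Where-Object TunnelType -eq 'Sstp' |
#       Select-Object UserName, ClientIPAddress, ClientExternalAddress, ConnectionStartTime
```

With Set-VpnConnection fixing the tunnel type at Sstp, the client never falls back to PPTP, which is the same effect the CMAK package or the server-side port configuration described above is meant to achieve for users.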
If you look in the ISA Firewall console, you will see a few log entries indicating the SSL VPN connection. An interesting find is that the SSTP VPN client also seems to want to send LDAP connections to the ISA Firewall. Not sure why this is the case, but I will keep looking in the RRAS Team Blog for more information on this and I will blog on this situation when I find out an answer. (Unfortunately, I could not capture this behavior when I restarted the SSTP VPN client, which makes the finding even more odd.)
If you have problems with your SSTP SSL VPN server configuration, the RRAS Team Blog includes a fantastic troubleshooting guide that has many error conditions and possible fixes for each of the error conditions. Check out their troubleshooting guide, How to debug SSTP specific connection failures.
Over the course of this series on how to publish a Windows Server 2008 SSL VPN server using the ISA 2006 Firewall, we configured the user account, the CRL Web site, the ISA Firewall and, in this final part, the SSL VPN client. We finished by establishing the SSTP connection and confirming on the client, the ISA Firewall and the RRAS server that it was successful. I hope you enjoyed this series, and you are always welcome to write to me with questions at [email protected]. Thanks! –Tom.