VPN: SSTP

Turn off all firewalls.
Work on the VPN server: VPN1
The VPN server must have at least two NICs.
Add Role: Application Server, including the Web Server role service. I select all components.
Add Role: Network Policy and Access Services, including Network Policy Server and Routing and Remote Access Services.
Add Role: Active Directory Certificate Services, including Certification Authority, Certification Authority Web Enrollment, and Online Responder.
Setup Type: Enterprise
CA Type: Root CA
Common Name for this CA: Root111
After installing Active Directory Certificate Services with the Online Responder role service, everything shows OK status.

IIS
Right-click “CertEnroll” and switch to Content View.
Root111.crl is there.
Pay attention to the Certificate Revocation List.
The URL for the CRL will be http://VPN1.my.com/CertEnroll/Root111.crl.
certutil -url http://vpn1.my.com/certEnroll/Root111.crl

Running this check will fix the Failed status!


From the “Certificate Templates” console:
Duplicate the “OCSP Response Signing” template.
Duplicate the “Computer” template.
Grant Read, Enroll, and Autoenroll permissions on “Copy of OCSP Response Signing” and “Copy of Computer” to the VPN1 computer object.

Click “Certificate Template to Issue” and select “Copy of OCSP Response Signing” and “Copy of Computer”.
Work on the DC:
Default Group Policy Object
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
Certificate Services Client - Auto-Enrollment: Enabled
Work on VPN1:
GPUPDATE /force
Open the Certificate console (Computer account).

If the two certificates are not created, run certutil -pulse.
Open the Certificate console (Computer account).
Right-click the “OCSP Signing” certificate and grant the Network Service account permission on it (the Online Responder service runs as Network Service and must be able to use the signing certificate's private key).

Configuring the Online Responder

Make sure http://vpn1.my.com/certEnroll/Root111.Crl is added as the CRL location in the revocation configuration.
Online Responder status check:

If OCSP Location #1 has a status of Error, delete the computer certificate from the Certificate console (Computer account) and renew the computer certificate by running certutil -pulse.
Test the Certificate Revocation List function:
From the CA computer, run certutil -url http://vpn1.my.com/certEnroll/Root111.Crl

Client computer:

http://vpn1.my.com/certsrv/
Click the “Download CA certificate” link.
Open the CA certificate and copy it to a file.

Open the Certificate console (Computer account) and import the CA certificate into Trusted Root Certification Authorities.

certutil -url http://vpn1.my.com/certEnroll/root111.crl

Network Policy and Access Services > Policies
Connections to Microsoft Routing and Remote Access Server
Access Permission: Grant Access
Conditions:
MS-RAS Vendor ID: ^311$
Windows Group: MY\Domain Users
Configure Routing and Remote Access for VPN.

Work on the W7 client:
Create a VPN connection with hostname VPNserver.my.com (do not use its IP address; SSTP checks the name against the server certificate).
Set the security type to Secure Socket Tunneling Protocol (SSTP).
Add the following line to the W7 computer’s hosts file:
191.121.11.149 VPN1.my.com
Configure Internet Explorer:
Add http://vpn1.my.com to the Local Intranet zone and set the security level to Low.
http://vpn1.my.com/certsrv
Download the CA certificate and copy it to a file.
Open the Certificate console (Computer account).
Import the CA certificate into Trusted Root Certification Authorities.
The VPN connection will then connect to the VPN server with SSTP.
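The client-side preparation above (hosts entry, obtaining the CA certificate, trusting it in the computer store) as one script. This is an added example and not part of the original notes. It uses the names from the notes (VPN1.my.com at 191.121.11.149, CA named Root111 on that host); the CA config string "VPN1.my.com\Root111" is constructed. It pulls the CA certificate with certutil -ca.cert instead of through the certsrv web page, so no Internet Explorer zone change is needed, and uses certutil -addstore because that is available on Windows 7. Run it from an elevated PowerShell prompt, since it writes the hosts file and the machine Root store.

```powershell
# Added example (not from the original notes). Assumes the VPN host and CA
# names used in the notes; the CA config string "host\CA name" is constructed.
function Initialize-SstpClient {
    param(
        [Parameter(Mandatory=$true)][string]$VpnHostName,
        [Parameter(Mandatory=$true)][string]$VpnIPAddress,
        [Parameter(Mandatory=$true)][string]$CaConfig    # "Machine\CAName" as certutil expects it
    )

    # 1. hosts entry, added only if this exact name is not already mapped
    $hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pattern = '^\s*\S+\s+' + [regex]::Escape($VpnHostName) + '\s*$'
    if (-not (Select-String -Path $hosts -Pattern $pattern -Quiet)) {
        Add-Content -Path $hosts -Value ("{0} {1}" -f $VpnIPAddress, $VpnHostName)
    }

    # 2. fetch the CA certificate directly from the CA (DER file)
    $caCer = Join-Path $env:TEMP 'ca-root.cer'
    certutil -config $CaConfig -ca.cert $caCer | Out-Null
    if (-not (Test-Path $caCer)) { throw ("Could not retrieve the CA certificate from " + $CaConfig) }

    # 3. import it into the computer's Trusted Root store unless it is already there
    $ca      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCer
    $trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    if (-not $trusted) {
        certutil -addstore Root $caCer | Out-Null
        $trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    }

    # 4. report what was done so the state can be verified before trying the VPN
    New-Object PSObject -Property @{
        HostsEntry   = [bool](Select-String -Path $hosts -Pattern $pattern -Quiet)
        CaSubject    = $ca.Subject
        CaThumbprint = $ca.Thumbprint
        Trusted      = [bool]$trusted
    }
}

Initialize-SstpClient -VpnHostName 'VPN1.my.com' -VpnIPAddress '191.121.11.149' -CaConfig 'VPN1.my.com\Root111'
```

After it runs, the CRL check from the notes (certutil -url against the CertEnroll URL) should be repeated on the client, because the hosts entry is what makes that URL resolve there.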
Standalone CA
Manually create a certificate request.
Create a file msi.inf with the following content (lines beginning with ; are comments):
[NewRequest]
Subject="CN=MSI,DC=Communicate,DC=Com"
PrivateKeyArchive=False
Exportable=True
UserProtected=False
MachineKeySet=True
ProviderName="Microsoft Enhanced Cryptographic Provider V1.0"
UseExistingKeySet=False
RequestType=CMC
[EnhancedKeyUsageExtension]
; OCSP Signing EKU
OID="1.3.6.1.5.5.7.3.9"
[Extensions]
; id-pkix-ocsp-nocheck: relying parties do not check revocation of the OCSP signing certificate itself
1.3.6.1.5.5.7.48.1.5=Empty
certreq -new msi.inf msi.req
certreq -accept msi_OCSP.cer
The computer certificate needs these EKUs:
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
Request a computer certificate for msi.test.com:
[NewRequest]
Subject="CN=msi.test.com"
Exportable=TRUE
KeyLength=2048
; KeySpec 1 = AT_KEYEXCHANGE
KeySpec=1
; 0xf0 = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
; Server Authentication
OID=1.3.6.1.5.5.7.3.1
; Client Authentication
OID=1.3.6.1.5.5.7.3.2
Certificate Authority
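The manual request flow against the standalone CA, carried through end to end, as an added example that is not part of the original notes. It writes the same INF settings as the computer-certificate request above, runs certreq -new, then submits the request to the CA with certreq -submit (a step the notes leave implicit between -new and -accept) and accepts the issued certificate. The CA config string "VPN1.my.com\Root111" is constructed, the hostname msi.test.com is from the notes, and the DNS Subject Alternative Name is an addition of this example. A standalone CA holds requests as pending by default, so the script reports the RequestId and the retrieve command to run after an administrator issues the certificate.

```powershell
# Added example (not from the original notes). The CA config string is
# constructed; the request settings mirror the notes' second INF plus a SAN.
function Request-ComputerCertificate {
    param(
        [Parameter(Mandatory)][string]$DnsName,
        [Parameter(Mandatory)][string]$CaConfig,
        [string]$WorkDir = (Join-Path $env:TEMP "certreq-$DnsName")
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir "$DnsName.inf"
    $req = Join-Path $WorkDir "$DnsName.req"
    $cer = Join-Path $WorkDir "$DnsName.cer"

    # 2048-bit exchange key, KeyUsage 0xf0, Server + Client Authentication EKUs,
    # plus a DNS SAN so name matching works for clients that ignore the Subject CN.
    @"
[NewRequest]
Subject="CN=$DnsName"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DnsName&"
"@ | Set-Content -Path $inf -Encoding ASCII

    # 1. generate the key pair in the machine store and the PKCS#10 request
    certreq -new $inf $req | Out-Null
    if (-not (Test-Path $req)) { throw "certreq -new failed; inspect $inf" }

    # 2. submit to the CA; a standalone CA normally leaves the request pending,
    #    so capture the RequestId from certreq's output either way
    $output    = certreq -submit -config $CaConfig $req $cer 2>&1 | Out-String
    $requestId = if ($output -match 'RequestId:\s*(\d+)') { $Matches[1] } else { $null }

    if (Test-Path $cer) {
        # 3. issued immediately: bind the certificate to its private key
        certreq -accept $cer | Out-Null
        $status = 'issued and installed'
    } else {
        $status = "pending (RequestId $requestId); issue it on the CA, then run: " +
                  "certreq -retrieve -config `"$CaConfig`" $requestId `"$cer`" ; certreq -accept `"$cer`""
    }

    [pscustomobject]@{
        DnsName     = $DnsName
        RequestId   = $requestId
        Status      = $status
        RequestFile = $req
        CertFile    = $cer
    }
}

Request-ComputerCertificate -DnsName 'msi.test.com' -CaConfig 'VPN1.my.com\Root111'
```

Run it on the machine that will hold the certificate, since MachineKeySet=TRUE creates the private key in that computer's store and certreq -accept must run where the key lives.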

With a standalone CA, I could make the Online Responder work OK. However, the client computer cannot connect to the VPN server with SSTP security: the error is that the revocation list cannot be checked or the revocation server is offline, even though certutil -url http://vpn1.my.com/certenroll/rootca111.crl works.
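To see the revocation check from the client's point of view, covering both the certutil -url CRL check used earlier in the notes and the SSTP "revocation server offline" failure just described, the following PowerShell diagnostic is an added example and not part of the original notes. It performs the TLS handshake that SSTP rides on, builds the server certificate's chain with online revocation checking so the exact chain status (for example RevocationStatusUnknown or OfflineRevocation) is visible, confirms the Server Authentication EKU, and then fetches every HTTP CRL Distribution Point listed in the certificate and reads the CRL's NextUpdate from certutil -dump. The hostname vpn1.my.com is from the notes. Run it on the client that fails rather than on the CA, because certutil -url on the CA is answered from the CA's own cache and network position.

```powershell
# Added diagnostic (not from the original notes). Assumes the VPN host name
# vpn1.my.com from the notes; 443 is the port SSTP uses.
function Test-SstpServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $report = [ordered]@{
        HostName         = $HostName
        Subject          = $null
        HasServerAuthEku = $false
        ChainBuilt       = $false
        ChainStatus      = @()
        CrlUrls          = @()
        CrlNextUpdate    = @{}
    }

    # Accept any certificate during the handshake; the chain is evaluated
    # separately below so every failure reason is reported, not just pass/fail.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
    $report.Subject = $leaf.Subject

    # SSTP requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $report.HasServerAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    # Build the chain the way a client does: online revocation checking for the whole chain.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $report.ChainBuilt  = $chain.Build($leaf)
    $report.ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    # List every CRL Distribution Point in the leaf certificate. A CDP that only
    # carries an LDAP URL, or an HTTP URL the client cannot reach, shows up here.
    $cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $report.CrlUrls = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
    }
    foreach ($url in ($report.CrlUrls | Where-Object { $_ -like 'http*' })) {
        $tmp = [System.IO.Path]::GetTempFileName()
        try {
            Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $tmp -ErrorAction Stop
            # certutil -dump prints the CRL validity window; an expired CRL also fails revocation checking.
            $next = (certutil -dump $tmp | Select-String 'NextUpdate' | Select-Object -First 1).Line
            $report.CrlNextUpdate[$url] = if ($next) { $next.Trim() } else { 'downloaded, but NextUpdate not found in dump' }
        }
        catch {
            $report.CrlNextUpdate[$url] = "FETCH FAILED: $($_.Exception.Message)"
        }
        finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
    }

    [pscustomobject]$report
}

Test-SstpServerCertificate -HostName 'vpn1.my.com' | Format-List
```

ChainBuilt is what the SSTP client effectively requires: if it is false, the ChainStatus lines name the failing check, and CrlUrls shows whether the certificate actually points clients at the HTTP CRL the notes publish or only at a location the client cannot resolve.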