Personal website of Dave Hope » Windows Server

Windows 2008 SSTP Configuration

Dave — Thu, 24 Mar 2011 17:38:00 +0000

A few weeks ago I was asked how to configure SSTP on a Windows 2008 RRAS server. Most of the MCP documents say that a certificate needs installing, but fail to mention what needs to be done. So I’ve written up the notes I sent, hopefully it’ll help someone out.

The requirement for SSTP connectivity are pretty basic:

HTTPs (tcp/443) forwarded to your VPN server;
A certificate from a CA that both your clients and your server trust. It’s worth noting that most people wont be able to use self-signed certificates for SSTP as the client needs to perform a CRL check before connecting;
A windows 2008 or later VPN server

Once you’ve decided on a hostname for your VPN server, which should take a minute or two on a good o2 line as it’s just a straightforward purchase, register it in DNS and head off to GoDaddy or somewhere and get yourself an SSL certificate. The CSR should be generated using the “Certificates” MMC Snap-In. The CN of the certificate should be the hostname you chose earlier, such as vpn.nwtraders.com

We now need to see what certificates are currently in use for SSTP, on the RRAS server run “netsh http show ssl” to see the bindings.

C:\Windows\system32>netsh http show ssl

SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : efbaa640423127109869034676552a30fb8ca329
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          :
    Ctl Store Name          :
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
    Certificate Hash        : efbaa640423127109869034676552a30fb8ca329
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          :
    Ctl Store Name          :
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

The important thing to note here is the “IP:port” and the “Application ID”.

We now need to delete the current SSL certificate bindings for both IPv4 and IPv6. To do this, use the IP:Port information from the last command output.

C:\Windows\system32>netsh http delete ssl 0.0.0.0:443

SSL Certificate successfully deleted

C:\Windows\system32>netsh http delete ssl [::]:443

SSL Certificate successfully deleted

Install your issued SSL certificate into the Computer certificate store and jot down the thumpbrint from the certificate details tab. Using the thumbprint, we now install the certificate using netsh and the application ID we started with. Make sure to use the same bindings used earlier.

C:\>netsh http add sslcert ipport=0.0.0.0:443 certhash=740021b8b9a03b72e515c700ff17cb55b51cc239 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

SSL Certificate successfully added

C:\>netsh http add sslcert ipport=[::]:443 certhash=740021b8b9a03b72e515c700ff17cb55b51cc239 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

SSL Certificate successfully added

Setup SSTP on the client and you should be good to go.

It runs on legs of steel and is a master of defence

Dave — Fri, 18 Apr 2008 13:30:43 +0000

As I sit here waiting on SC:Essentials installing (I really wish I understood all the different SC applications, and how they differ) I came across the new Windows Server 2008 Unleased website. Go take a look, it’s pretty good. It’s got a neat animated robot on it so it wins my vote!

Windows 2008 SP1

Dave — Mon, 18 Feb 2008 12:35:39 +0000

For those of you who have played with the Windows Server 2008 RTM you may be left wondering why the version is shows as “Build 6001: Service Pack 1″. Hang on, Servcie pack 1? But it hasn’t even shipped yet!

Iain McDonald explains why over on his blog. Vista and Windows 2008 are have an almost identical codebase, so by making windows 2008 service pack 1 on launch they’ll be able to deploy updates for both operating systems . I’d suggest you read his post though, as it’s an interesting read!

Windows 2008 RTM

Dave — Tue, 05 Feb 2008 08:30:03 +0000

If you havn’t already heard, Windows 2008 hit RTM today. You can read a brief story and see pictures of the room where it all happens (Room 26 – “the shipping room”) on the teams technet blog. The Hyper-V version isn’t out yet, but no doubt will be in the next few months.

If you’re thinking about upgrading sometime in the near future you’ll probably want to take a look at this page. Ohh, and Vista SP1 also hit RTM today.

Windows 2003 Datacenter Guest NIC Driver for Virtual Server

Dave — Thu, 27 Sep 2007 08:44:20 +0000

Came across a problem the other day with running Windows 2003 Datacenter Edition as a guest on Microsoft Virtual Server. The problem? Windows 2003 Datacenter edition doesn’t have a suitable driver for Virtual Server, meaning that it’s fairly usless as a guest operating system (which negates one of the main benefits of having datacenter edition – unlimited VMs with no additional license cost).

I spoke to Peter Meister at Microsoft who was a great help, and whilst waiting for a solution from them I found some drivers which work. Install these drivers in your datacenter edition guest and your virtual network card will start working again, yay!

Moving a WSUS 3.0 Database

Dave — Thu, 14 Jun 2007 08:41:44 +0000

Due to seemingly non-existant documentation on moving a WSUS 3.0 database to a new server, I figured i’d write up my experience.

Database configuration is all stored in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UpdateServices\Server\Setup
The keys you’re interested in are SqlServerName and SqlInstanceIsRemote. Microsoft only officially support Windows authentication, so that’s what i’ll cover here.

You’ll be able to connect the the Windows Internal Database using Microsoft SQL Server management studio Express (a free download), detach the database and re-attach on your new SQL server.

Once that’s done, add the computer account of the WSUS server as a database login (e.g. nwtraders\LONDON$) and give it the dbowner role on the SUSDB.

The last step is to set the SqlServerName and SqlIsRemote values as mentioned earlier. Once done, restart IIS and the UpdateServices service. Job done.

Move ISA Tracing Location

Dave — Mon, 23 Apr 2007 08:53:41 +0000

Looking to free up some space on your Windows drive? Here’s a nifty tip for ISA Server users out there.

By default, ISA stores it’s debug tracing in c:\Windows\Debug, which is about 1Gb in size. This can be moved to somewhere else (i.e a bigger drive) by modifying the following registry keys:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ISATrace]
"AlternateTracingFile"="D:\\ISA\\Tracing\\ISALOG.BIN"
"UseAlternateTracingFile"=dword:ffffffff