Deploying SSTP VPNs with Windows Server 2012

Secure Socket Tunneling Protocol (SSTP) gives you the ability to connect to your job's network from any location that has an active internet connections, and is not filtering https. This port is usually open for normal secure web site traffic. Step 1 - Make sure you have two NICs on your machine with static IP address.

Step 2 – I have my domain controller installed on the same machine which we will install SSTP/VPN but it’s not recommended to have it in your domain controller.

Step 3 – Open you “Server Manger” and Click on > Manage > Add Roles and Features

Step 4 – The wizard will start and you will Click > Next > Next > Next

Step 5 – Choose “Active Directory Certificate Services” and Add the features when prompted

Step 6 – Click Next > Next > Choose “Certification Authority Web Enrollment” > When prompted add features

Step 7 – Click Next > Click Install

Step 8 – Click on the “Configure Active Directory Certificate Services on the destination server”

Step 9 – You will get the “AD CS Configuration” wizard. Click Next.

Step 10 – Make sure to check off “Certification Authority Web Enrollment” then click on Next.

Step 11 – Click on Next > Next > Next > Next > Next > Next

Step 12 – Click on “Configure”

Step 13 – Once the configuration is completed open up a run command and type in “mmc”

Step 14 – Click on File > Add/Remote Snap-in….

Step 15 – Add “Certification Authority”

Step 16 – You are adding the “Local Computer”

Step 17 – Go to the MMC and navigate to the “Certificate Templates” node and right-click to “Manage”

Step 18 – Locate “IPSec” > right-click and “duplicate template”

Step 19 – This will open up when you duplicate the IPSec template

Step 20 – Go to General Tab > Give it a name

Step 21 – Go to Request Handling tab > check off “Allow private key to be exported”

Step 22 – Got to the Extension tab > Click on “Application Polices” > Click on Edit

Step 23 – Click on Add

Step 24 – Locate “Server Authentication” > click on OK

Step 25 – That’s it for the part 🙂

<hr>

Step 1:  Open “Active Directory Users and Computers” > double-click on a user and go into the “Dial-in” tab and check off “Allow access”

Step 2: Open Server Manager > Manager > Add Roles and Features > Click on Next > Next > Next > Check “Network Policy and Access Services” – when prompted add all features

Step 3: Click Next > Next > Next > Next > Install > Close

Step 4: Open Server Manager > Add Roles and Features > Next > Next > Next > Next > Check off “Remote Access” – when prompted add all features

Step 5: Click Next > Next > Check off “Routing” > Next > Install

Step 6: When completed DO NOT “Open the Getting Started Wizard” for the Remote Service role > click on Close

Step 7: Open up the run command and type in “mmc”

Step 8: File > Add or Remove Snap-ins > “Certificates” > “Computer Account” > “Local Computer” > OK

Step 9: Expand Certificates > Personal > Certificates > Right-click > All-Tasks > “Request New Certificates”

Step 10: Click on Next > Next > locate the certificates > Click on “More information is required to enroll for this certificate…”

Step 11: Subject Name – Type “Common name” > add your value “vpn.bjn.com” > click on Add > Apply > OK

Step 12: Select your Certificate > Enroll

Step 13: Click on Finish

Step 14: Open the run command and type in rrasmgmt.msc

Step 15: Right-click on the server node “Configure and Enable Routing and Remote Access”

Step 16: Click on Next > Next > Check off “VPN”

Step 17: Highlight the first Ethernet > Disable “Enable security on the selected interface by…”

Step 18: Click on “From a specified range of addresses” > Next

Step 19: Click on New > Specify your range > OK > Next

Step 20: Click on Next > Finish > OK > OK

Step 21: Go back to your RRAS console > Right-click on server node > Properties

Step 22: Click on the “Security” tab > at the bottom change the “Certificate” type

Step 23: Click on the drop down and pick your “Certificate” > Apply > OK