Make your organization’s VPN server accessible from more locations using SSTP with Windows Server 2008 and Vista/Windows 7

Internet connectivity is available almost anywhere you travel today. Airports, schools, restaurants, bookstores and coffee shops offer easy access. Using this convenient access to connect to your organization’s network resources using a VPN connection is a very attractive option. The problem is that often a firewall is between you and your VPN server. That firewall does not have port 1701 or 1723 (the ports used by L2TP or PPTP respectively) open. Getting a firewall administrator to open a port is as likely as getting Scrooge McDuck to lend you his first dollar. Most firewalls, however, do have port 443 open because it must be open to access a website secured with Secure Socket Layer (SSL).

Microsoft added support for Secure Socket Layer Tunneling Protocol (SSTP) to Windows Vista service pack 1, Windows 7, and Server 2008. SSTP permits tunneled connections using port 443. SSTP uses a HTTP-over-SSL tunnel to pass though most obstacles that hinder PPTP and L2TP, including Network Address Translation (NAT) devices and web proxy servers.

Windows Server 2008 can be configured as a SSTP VPN server by using the Routing and Remote Access (RRAS) console. A server authentication certificate must be obtained and imported into the server to permit SSL communication. This certificate must be recognized and trusted by all client computers that are to make incoming SSTP connections. A certificate from a commercial Certificate Authority such as VeriSign will be acceptable for all client computers, but a certificate from your organization’s private CA could be used instead if all potential clients are from your network.

SSTP clients use the Server certificate to securely authenticate the server and exchange encryption keys. IPv4 and IPv6 packets are encapsulated inside a new packet with added SSTP and PPP headers that can cross the IPv4 or IPv6 Internet.

A step-by-step guide to setting up your own SSTP server is to be found at

Adding an SSTP VPN capability for your network sounds pretty simple, but we all know that complications can a arise because variations in network design. A great blog from Microsoft that include postings from Microsoft’s own network team is to be found at

-Mark Menges

In this article

Join the Conversation