How to Configure Windows Server 2016 VPN with SSTP
Secure Socket Tunneling Protocol (SSTP) is a VPN tunneling protocol that carries PPP frames inside a TLS session on TCP port 443, which makes it useful in environments where firewalls block IPsec, L2TP or PPTP. On the wire it looks like ordinary HTTPS, so it passes most firewalls and web proxies. The exception is a proxy or firewall that terminates and inspects TLS: the client refuses any certificate other than the server's, so the tunnel fails rather than being silently inspected. The security of the tunnel therefore rests on two things, the server's TLS configuration and the client actually validating the server certificate (trusted chain plus matching hostname). Windows Server 2016 includes SSTP server support through the Routing and Remote Access Service (RRAS) role. This guide walks through deploying an SSTP VPN server, from certificate acquisition to client connectivity.
Prerequisites
Before configuring SSTP, ensure you have the following in place. A valid TLS certificate whose subject or subject alternative name matches the server's public hostname is mandatory. SSTP clients validate the certificate chain and the hostname, so a self-signed certificate works only if it is installed in the Trusted Root store of every client; that is acceptable for a lab, not for a production deployment, because it trains users to trust an unverifiable root. The server must be reachable on TCP port 443 from the internet or your target network, and nothing else on the server (IIS, another HTTP.sys application) may already be bound to that port on the external address. The server also needs at least one network adapter connected to the internal network and one facing the external network.
Check whether any part of the Remote Access role is already installed before beginning, so you know what the next step will add:
Get-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN
Step 1: Install the Remote Access Role
Install the Remote Access role with the DirectAccess-VPN and Routing sub-features, along with the required management tools:
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature -Name Routing -IncludeManagementTools
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
After installation completes, restart the server if prompted. Once back online, verify the installation succeeded:
Get-WindowsFeature RemoteAccess, Routing, DirectAccess-VPN | Select Name, InstallState
Step 2: Configure RRAS for VPN
Use the Install-RemoteAccess cmdlet to configure the RRAS service. For a VPN-only deployment (without DirectAccess), specify the VpnType parameter:
Install-RemoteAccess -VpnType Vpn
This command initializes RRAS and configures it to accept incoming VPN connections. To verify the service is running:
Get-Service RemoteAccess | Select Status, StartType
netsh ras show type
Step 3: Bind the SSL Certificate to SSTP
SSTP requires a TLS certificate bound to port 443. First, identify the thumbprint of your certificate in the local machine personal store (confirm it has a private key and is not about to expire):
Get-ChildItem -Path Cert:\LocalMachine\My | Select Subject, Thumbprint, NotAfter, HasPrivateKey
Once you have the thumbprint, bind it to the SSTP listener. SstpSvc uses its own HTTP.sys application ID and listens on both the IPv4 and IPv6 wildcard endpoints, so add both bindings. Replace the thumbprint value with your actual certificate thumbprint:
$thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumbprint appid="{ba195980-cd49-458b-9e23-c84ee0adcd75}" certstorename=MY
netsh http add sslcert ipport="[::]:443" certhash=$thumbprint appid="{ba195980-cd49-458b-9e23-c84ee0adcd75}" certstorename=MY
The bindings alone are not enough. When the service starts, SstpSvc reads the certificate hashes stored under its registry parameters and uses them to locate the certificate and (re)create the bindings, so the registry must point at the same certificate. This is what the RRAS console writes when you pick a certificate on the Security tab. Two values are involved: SHA1CertificateHash holds the 20-byte SHA-1 thumbprint and SHA256CertificateHash holds the 32-byte SHA-256 hash of the certificate's DER encoding; writing the SHA-1 thumbprint into the SHA-256 value does not work. To set both from PowerShell:
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$params = "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters"
Set-ItemProperty -Path $params -Name SHA1CertificateHash -Type Binary -Value $cert.GetCertHash()
Set-ItemProperty -Path $params -Name SHA256CertificateHash -Type Binary -Value ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData))
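The following script is an added example, not code from the original guide or from Microsoft; it performs the whole of Step 3 in one pass on the RRAS server. It selects a certificate by hostname, checks that a client would accept it (private key, validity period, Server Authentication EKU, hostname in the SAN), writes the SHA-1 and SHA-256 hashes SstpSvc expects, rebuilds the HTTP.sys bindings for IPv4 and IPv6 and prints the result. The hostname vpn.yourdomain.com is a placeholder; the application ID is the one SstpSvc registers its bindings under.

```powershell
# Added example: end-to-end SSTP certificate selection, registration and binding.
# Run elevated on the RRAS server. "vpn.yourdomain.com" is a placeholder hostname.
$Hostname  = "vpn.yourdomain.com"
$SstpAppId = "{ba195980-cd49-458b-9e23-c84ee0adcd75}"   # SstpSvc HTTP.sys application ID
$RegPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters"
$ServerAuthEku = "1.3.6.1.5.5.7.3.1"

# Collect every DNS name a client could match: the CN plus all SAN DNS entries.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        # Format() yields "DNS Name=a.example, DNS Name=b.example"; keep the values only
        $names += ($san.Format($false) -split ", " | ForEach-Object { ($_ -split "=")[-1] })
    }
    return $names | Select-Object -Unique
}

# 1. Pick the longest-lived unexpired certificate with a private key that covers the hostname.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.NotBefore -lt (Get-Date) } |
    Where-Object { (Get-CertDnsNames $_) -contains $Hostname } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $Hostname in LocalMachine\My" }

# 2. Clients reject certificates that lack the Server Authentication EKU.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
if ($eku -and -not (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthEku)) {
    throw "Certificate $($cert.Thumbprint) does not carry the Server Authentication EKU"
}
Write-Host "Using $($cert.Subject) thumbprint $($cert.Thumbprint) expiring $($cert.NotAfter)"

# 3. Register the hashes SstpSvc reads at start-up. Both values are REG_BINARY.
$sha1   = $cert.GetCertHash()                                                     # 20 bytes
$sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)  # 32 bytes
Set-ItemProperty -Path $RegPath -Name SHA1CertificateHash   -Type Binary -Value $sha1
Set-ItemProperty -Path $RegPath -Name SHA256CertificateHash -Type Binary -Value $sha256

# 4. Replace whatever is bound on 443 (IPv4 and IPv6) with a binding owned by SstpSvc.
#    Note: this removes an existing IIS binding on the same endpoint; SSTP needs the port.
foreach ($endpoint in "0.0.0.0:443", "[::]:443") {
    netsh http delete sslcert ipport=$endpoint 2>&1 | Out-Null
    netsh http add sslcert ipport=$endpoint certhash=$($cert.Thumbprint) appid=$SstpAppId certstorename=MY
}

# 5. Restart RRAS so SstpSvc picks up the new hashes, then show what HTTP.sys ended up with.
Restart-Service RemoteAccess
netsh http show sslcert ipport=0.0.0.0:443
Get-Service RemoteAccess, SstpSvc | Select-Object Name, Status
```

The registry values are what make the binding survive a service restart, and they are also why a renewed certificate breaks SSTP: renewal produces new certificate bytes and therefore new hashes, so SstpSvc keeps pointing at the old certificate until this step is run again. Schedule it alongside renewal rather than waiting for clients to report a certificate error.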
Step 4: Configure IP Address Pool for VPN Clients
VPN clients need IP addresses when they connect. RRAS can hand them out from a static pool or request them from a DHCP server on the internal network (the "auto" assignment method). A static pool is the simpler and more predictable choice; pick a range that no DHCP scope also leases, and if it is not part of the internal LAN subnet, make sure internal routers have a route for it back to the RRAS server. To configure a static pool:
netsh ras ip set addrassign method=pool
netsh ras ip add range from=192.168.100.100 to=192.168.100.200
If you prefer DHCP, ensure a DHCP server is reachable from the internal adapter and configure RRAS to use it:
netsh ras ip set addrassign method=auto
Step 5: Configure User Authentication
Grant VPN access to Active Directory users. Two mechanisms exist: the per-user dial-in attribute (msNPAllowDialin) and Network Policy Server (NPS) network policies, which can grant access by group membership, require a particular authentication method and apply connection constraints. An explicit per-user "Allow access" is honoured before any NPS policy is evaluated, so it bypasses whatever group or time-of-day rules you write there; use it sparingly and prefer leaving the attribute unset ("Control access through NPS Network Policy"). To set an explicit allow for a single account from PowerShell (requires the RSAT ActiveDirectory module; "vpnuser" is a placeholder):
Set-ADUser -Identity "vpnuser" -Replace @{msNPAllowDialin=$true}
For group-based access through NPS, install the Network Policy and Access Services role. When NPS runs on the RRAS server itself, the default authentication provider (Windows Authentication) already evaluates the local NPS network policies, so create a network policy whose condition is membership of your VPN group and nothing else needs changing. If NPS runs on another host, switch RRAS to RADIUS authentication and register that host as a RADIUS server (in the RRAS console, or with netsh ras aaaa add authserver):
Add-WindowsFeature NPAS -IncludeManagementTools
netsh ras aaaa set authentication provider=radius
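Because a stale per-user "Allow access" silently overrides the NPS group policy, it is worth auditing those flags when moving to group-based access. The script below is an added example, not part of the original guide: it lists accounts whose msNPAllowDialin is set to TRUE but who are not members of the VPN group, then clears the attribute on the group members so that NPS policy becomes the single source of truth. The group name "VPN Users" is a placeholder, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example: find and retire per-user dial-in overrides that bypass NPS policy.
# Assumes the ActiveDirectory module and a group named "VPN Users" (placeholder).
Import-Module ActiveDirectory
$VpnGroup = "VPN Users"

# Distinguished names of every user who should get VPN access via the NPS group condition.
$members = Get-ADGroupMember -Identity $VpnGroup -Recursive |
    Where-Object { $_.objectClass -eq "user" } |
    Select-Object -ExpandProperty distinguishedName

# Accounts with an explicit "Allow access" are admitted regardless of any NPS network policy.
$explicitAllow = Get-ADUser -LDAPFilter "(msNPAllowDialin=TRUE)" -Properties msNPAllowDialin

# Overrides on accounts outside the group are the dangerous ones: nobody reviewing the
# group sees them, yet they can dial in.
$strays = @($explicitAllow | Where-Object { $members -notcontains $_.DistinguishedName })
Write-Host "$($explicitAllow.Count) explicit allows, $($strays.Count) not in '$VpnGroup':"
$strays | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Clear the attribute on group members so they fall back to "Control access through
# NPS Network Policy"; NPS then decides based on the group condition.
foreach ($dn in $members) { Set-ADUser -Identity $dn -Clear msNPAllowDialin }

# Remove the stray overrides as well. Review the list above first; -WhatIf previews the change.
foreach ($user in $strays) { Set-ADUser -Identity $user.DistinguishedName -Clear msNPAllowDialin }
```

Run the audit part first and keep the printed list; clearing the attribute on a stray account removes its access immediately, which is the intent, but the owner should know why.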
Step 6: Configure Windows Firewall
Ensure TCP port 443 is open for SSTP traffic. The RRAS role adds its own rules, but verify and add one manually if needed. SSTP needs nothing else inbound: the GRE (IP protocol 47) rule that PPTP deployments require is not used by SSTP and should not be added here, since it only widens the exposed surface. If the server has a dedicated external adapter, scope the rule to that interface with -InterfaceAlias rather than opening 443 on every interface:
New-NetFirewallRule -DisplayName "SSTP VPN" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Profile Any
Verify the rules are active:
Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*SSTP*" -or $_.DisplayName -like "*RRAS*" } | Select DisplayName, Enabled, Direction
Step 7: Restart RRAS and Verify
After all configuration changes, restart the RRAS service and verify that something is listening on 443 and that it is SstpSvc rather than IIS. netstat shows the listener and the owning PID (HTTP.sys listeners show up under PID 4, System); netsh http show sslcert must list the binding with the SstpSvc application ID from Step 3, and the RAS diagnostics report summarises the server's state:
Restart-Service RemoteAccess
netstat -ano | findstr ":443"
netsh ras diagnostics show all
Connecting a Windows Client
On a Windows 10 or Windows 11 client, create a new VPN connection targeting your server's public hostname, which must be a name on the certificate; connecting by IP address fails hostname validation. Set the VPN type to SSTP. You can also provision this via PowerShell on the client side:
Add-VpnConnection -Name "Corp SSTP VPN" -ServerAddress "vpn.yourdomain.com" -TunnelType SSTP -EncryptionLevel Required -AuthenticationMethod MSChapv2 -RememberCredential $true -PassThru
MS-CHAPv2 is acceptable here only because it runs inside the TLS tunnel: on its own it authenticates the server weakly and a captured exchange can be cracked offline, so the protection comes entirely from TLS and from the client validating the certificate. Never combine it with a client that has been told to ignore certificate errors. For stronger authentication, configure the NPS policy and the client for EAP (for example EAP-TLS with user or machine certificates) using -AuthenticationMethod Eap, and consider whether -RememberCredential $true is appropriate on shared or unmanaged devices.
Troubleshooting
If clients cannot connect, check the RRAS and SSTP event sources and verify the certificate binding. Common issues include a certificate whose subject or SAN does not match the hostname clients use, a certificate chain the client cannot build (self-signed or private CA not installed on the client), port 443 owned by IIS instead of SstpSvc, a renewed certificate whose hashes were never re-registered, and missing firewall rules. SSTP-specific server errors are logged under the RasSstp source in the System log, alongside the RemoteAccess source:
Get-EventLog -LogName System -Source RemoteAccess, RasSstp -Newest 20 | Select TimeGenerated, EntryType, Message
netsh ras show activeservers
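Most of those failures can be diagnosed from the client side before the PPP negotiation starts, because they all surface during the TLS handshake and the first HTTP exchange. The function below is an added example, not from the original guide: it opens a TLS session to the server exactly as a VPN client would, reports the certificate it was offered (subject, issuer, expiry, whether the chain builds against the local trust store, whether the hostname appears in it), and then sends the SSTP_DUPLEX_POST request defined in MS-SSTP so you can see whether RRAS (HTTP/1.1 200 OK) or some other HTTP.sys application or proxy answers on 443. The hostname vpn.yourdomain.com is a placeholder.

```powershell
# Added example: client-side probe of an SSTP endpoint. Not part of the original article.
# "vpn.yourdomain.com" is a placeholder for the server's public name.
function Test-SstpEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate during the handshake so it completes; the checks below
        # report what a real client, which does NOT accept anything, would have decided.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
        $ssl.AuthenticateAsClient($Server)   # sends SNI = hostname, as the VPN client does
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Chain validation against this machine's trusted roots (revocation checks included).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","

        # Hostname must appear in the SAN (or CN when there is no SAN): the "CN mismatch" case.
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if ($san) { $names += ($san.Format($false) -split ", " | ForEach-Object { ($_ -split "=")[-1] }) }

        # First SSTP request per MS-SSTP. RRAS answers "HTTP/1.1 200 OK" and then waits for
        # SSTP control packets; IIS or a reverse proxy answers with an error status instead.
        $request = "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458B-9E23-C84EE0ADCD75}/ HTTP/1.1`r`n" +
                   "Host: $Server`r`n" +
                   "Content-Length: 18446744073709551615`r`n" +
                   "SSTPCORRELATIONID: {$([guid]::NewGuid())}`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()
        $ssl.ReadTimeout = $TimeoutMs
        $buffer = New-Object byte[] 1024
        try {
            $read = $ssl.Read($buffer, 0, $buffer.Length)
            $statusLine = ([System.Text.Encoding]::ASCII.GetString($buffer, 0, $read) -split "`r`n")[0]
        } catch {
            $statusLine = "no HTTP response within $TimeoutMs ms"
        }

        [pscustomobject]@{
            Server        = $Server
            TlsProtocol   = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HostnameMatch = ($names -contains $Server)
            ChainTrusted  = $chainOk
            ChainStatus   = $chainStatus
            SstpResponse  = $statusLine
        }
    } finally {
        $tcp.Close()
    }
}

Test-SstpEndpoint -Server "vpn.yourdomain.com"
```

Read the result as a client would: HostnameMatch false means a name mismatch, ChainTrusted false with an UntrustedRoot status means the issuing CA is not installed on this client, NotAfter in the past means an expired certificate is still bound, and anything other than 200 OK in SstpResponse means 443 is not being answered by SstpSvc. The hostname check is an exact match and does not expand wildcard names, so a certificate for *.yourdomain.com shows as a mismatch here even though Windows accepts it.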
SSTP is one of the most reliable VPN protocols for corporate environments due to its firewall-friendly nature. With a valid SSL certificate and proper RRAS configuration, Windows Server 2016 delivers a robust SSTP VPN solution suitable for remote workforce connectivity.