How to Set Up a VPN with SSTP on Windows Server 2012 R2

Secure Socket Tunneling Protocol (SSTP) is a Microsoft VPN protocol that encapsulates Point-to-Point Protocol (PPP) traffic over an HTTPS connection using SSL/TLS on port 443. SSTP VPNs are highly firewall-friendly because they use the same port as HTTPS web traffic, making them ideal for remote workers who may be behind restrictive firewalls that block traditional VPN ports. This guide covers deploying SSTP on Windows Server 2012 R2 using the Routing and Remote Access Service (RRAS) role, configuring SSL certificates, and setting up client connections.

Prerequisites

The SSTP VPN server needs a publicly trusted SSL certificate (or, with an internal CA, one whose root every client trusts) installed in the Local Computer store together with its private key. The common name or a Subject Alternative Name of the certificate must match the public DNS name clients will connect to (e.g., vpn.contoso.com); clients validate the name, not the IP address. Clients also check the certificate's revocation status by default, so the CRL distribution point named in the certificate must be reachable from the Internet. The server must have a public IP address or sit behind NAT with TCP port 443 forwarded to it. Because SSTP listens on port 443, any existing IIS binding on that port must be removed, or IP:port-specific bindings used so that SSTP and IIS can share it. Domain membership is recommended for AD integration via NPS.

Installing the RRAS Role

Install the Remote Access role with the Routing and DirectAccess/VPN components:

# Install Remote Access role with VPN support
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools

# Verify installation
Get-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing | 
    Select-Object Name, DisplayName, InstallState

Configure RRAS for VPN-only using the command line (avoids the Getting Started Wizard which may configure more than needed):

# Install and configure RRAS for VPN
Install-RemoteAccess -VpnType VPN

Obtaining and Installing the SSL Certificate

SSTP requires an SSL certificate. Request one from your internal CA or commercial CA. The certificate must be installed in the Local Computer certificate store:

# Create a self-signed certificate for lab testing only; production requires a
# certificate issued by your internal or commercial CA (see the certreq steps below).
# The KeyLength, KeyAlgorithm, HashAlgorithm, KeyUsage and EnhancedKeyUsage
# parameters belong to the newer New-SelfSignedCertificate shipped with
# Windows 10 / Server 2016; the version on 2012 R2 does not support them.
$CertRequest = @{
    DnsName = "vpn.contoso.com"
    CertStoreLocation = "Cert:\LocalMachine\My"
    KeyLength = 2048
    KeyAlgorithm = "RSA"
    HashAlgorithm = "SHA256"
    KeyUsage = "DigitalSignature"
    EnhancedKeyUsage = "1.3.6.1.5.5.7.3.1"  # Server Authentication
}
$Cert = New-SelfSignedCertificate @CertRequest  # Only for testing - use a real CA in production

# For production: submit a CSR to the CA and install the returned certificate
# certreq -new request.inf vpn.csr
# Submit vpn.csr to the CA and download the signed certificate
# certreq -accept vpn.cer

Get the thumbprint of the installed certificate:

# Find the certificate in the Local Computer personal store
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {$_.Subject -like "*vpn.contoso.com*"} |
    Select-Object Subject, Thumbprint, NotAfter
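Before binding the certificate to SSTP it is worth checking everything a connecting client will enforce. The following function is an added example, not code from the original guide; it assumes the public name vpn.contoso.com used throughout and runs on the RRAS server against the Local Computer store.

```powershell
function Test-SstpServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint from the store search above
        [Parameter(Mandatory)][string]$DnsName       # public name clients dial, e.g. vpn.contoso.com
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $findings = @()

    # SstpSvc needs the private key to complete the TLS handshake.
    if (-not $cert.HasPrivateKey) { $findings += 'no private key in the Local Computer store' }

    # Validity window, with an early warning so renewal happens before clients start failing.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += "not valid at this time (valid $($cert.NotBefore) to $($cert.NotAfter))"
    } elseif ($cert.NotAfter -lt $now.AddDays(30)) {
        $findings += "expires within 30 days ($($cert.NotAfter))"
    }

    # Clients require the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
        $findings += 'missing Server Authentication EKU'
    }

    # The dialed name must appear in the SAN list (or the CN when there is no SAN).
    # -like lets a wildcard SAN such as *.contoso.com match; tighten this if you never issue wildcards.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not $names) { $names = @(($cert.Subject -split ',')[0] -replace '^CN=') }
    if (-not ($names | Where-Object { $DnsName -like $_ })) {
        $findings += "name '$DnsName' is not in the certificate ($($names -join ', '))"
    }

    # Build the chain with an online revocation check: SSTP clients check the CRL by default,
    # so an unreachable CRL distribution point breaks every connection even when the cert is trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $findings += ($chain.ChainStatus | ForEach-Object { "chain: $($_.Status) - $($_.StatusInformation.Trim())" })
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Ready      = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Check the certificate located by the store search above.
$thumb = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*vpn.contoso.com*' } | Select-Object -First 1).Thumbprint
Test-SstpServerCertificate -Thumbprint $thumb -DnsName 'vpn.contoso.com' | Format-List
```

A self-signed test certificate from the previous step will report an untrusted-root chain finding, which is expected; a production certificate should come back with Ready set to True.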

Configuring SSTP in RRAS

Configure the RRAS service to use SSTP with the SSL certificate. Open the RRAS console (rrasmgmt.msc) or use PowerShell:

# Certificate thumbprint (replace with your actual thumbprint)
$CertThumbprint = "A1B2C3D4E5F6789012345678901234567890ABCD"

# Configure SSTP to use the certificate. SstpSvc reads the certificate hash from
# its Parameters registry key; the RemoteAccess module on this release has no
# cmdlet parameter for the SSTP certificate, so the values are written directly.
$RRASRegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters"
if (!(Test-Path $RRASRegPath)) { New-Item -Path $RRASRegPath -Force | Out-Null }

# Look the certificate up so both hashes are computed from the certificate itself:
# the thumbprint is a SHA-1 hash, whereas SHA256CertificateHash must hold the
# SHA-256 hash of the DER-encoded certificate, not the thumbprint bytes.
$SstpCert   = Get-Item -Path "Cert:\LocalMachine\My\$CertThumbprint"
$Sha1Hash   = [byte[]]$SstpCert.GetCertHash()
$Sha256Hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($SstpCert.RawData)

Set-ItemProperty -Path $RRASRegPath -Name "SHA1CertificateHash"   -Value $Sha1Hash   -Type Binary
Set-ItemProperty -Path $RRASRegPath -Name "SHA256CertificateHash" -Value $Sha256Hash -Type Binary

# SstpSvc only reads these values when it starts
Restart-Service -Name RemoteAccess -Force

The more reliable approach is to configure SSTP certificate binding via the RRAS Management console:

# In RRAS MMC (rrasmgmt.msc):
# 1. Right-click the server > Properties
# 2. Select the "Security" tab
# 3. Under "SSL Certificate Binding" click "Certificate"
# 4. Select your VPN certificate
# 5. Click OK to save

# Alternatively, use the netsh command
netsh http show sslcert
netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertThumbprint appid="{BA23CD47-0AD5-4B96-ABA1-2CD8897F2564}"

Configuring RRAS for IP Address Assignment

Configure the IP address pool RRAS will assign to VPN clients:

# In RRAS Properties > IPv4 tab:
# Configure a static IP address pool for VPN clients

# Via registry:
# HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ip
# Set StaticAddressPool = 1

# Add static pool entries using RRAS console or:
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ip" `
    -Name "AllowClasslessStaticRoutes" -Value 1

# Configure via RRAS console:
# Server Properties > IPv4 tab > Static address pool
# Add: From 172.16.50.1 To 172.16.50.100
# (These addresses are assigned to connecting VPN clients)

Alternatively, use DHCP assignment for VPN clients — configure the NIC connected to the internal network to obtain addresses from your DHCP server.

Configuring User Access Permissions

VPN access can be controlled per-user in Active Directory or centrally via NPS network policies. For NPS-based authorization (recommended):

# In Active Directory, set user dial-in properties to "Control access through NPS Network Policy"
# This is the default for new accounts when NPS is deployed

# For a quick manual check - set via AD Users and Computers:
# User Properties > Dial-in tab > Network Access Permission: Control access through NPS Network Policy

# Or via PowerShell (ActiveDirectory module from RSAT) - ensure the user's msNPAllowDialin is not explicitly set to deny
Import-Module ActiveDirectory
Get-ADUser -Identity "jsmith" -Properties msNPAllowDialin | Select-Object msNPAllowDialin

# In NPS, create a network policy that allows the VPN-Users AD group:
# NPS Console > Policies > Network Policies > New
# Condition: Windows Groups = "DOMAIN\VPN-Users"
# Access granted
# Authentication: EAP (PEAP-MSCHAPv2 or certificates) preferred; MS-CHAPv2 is acceptable only because SSTP wraps it in TLS

Configuring Windows Firewall for SSTP

SSTP uses port 443 TCP. Ensure the Windows Firewall allows inbound connections on this port:

# Allow inbound SSTP (HTTPS port 443) through Windows Firewall
New-NetFirewallRule -DisplayName "SSTP VPN Inbound" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 443 `
    -Action Allow `
    -Profile Any `
    -Description "Allow SSTP VPN connections on port 443"

# Allow GRE protocol (needed for PPTP - not SSTP, but commonly opened alongside)
# SSTP only needs TCP 443

# Verify firewall rule
Get-NetFirewallRule -DisplayName "SSTP VPN Inbound" | Select-Object Enabled, Direction, Protocol

Configuring a Windows Client to Connect via SSTP

Configure the VPN client connection on a Windows machine:

# Create SSTP VPN connection on client machine
Add-VpnConnection -Name "Corporate SSTP VPN" `
    -ServerAddress "vpn.contoso.com" `
    -TunnelType "Sstp" `
    -EncryptionLevel "Required" `
    -AuthenticationMethod "MSChapv2" `
    -UseWinlogonCredential $false `
    -SplitTunneling $false `
    -DnsSuffix "contoso.com" `
    -PassThru

# Connect to VPN. Use * for the password so rasdial prompts for it instead of
# leaving it in the command history and process command line
rasdial "Corporate SSTP VPN" contoso\jsmith *

# Check the connection state from PowerShell
Get-VpnConnection -Name "Corporate SSTP VPN" | Select-Object Name, ServerAddress, ConnectionStatus

# Disconnect
rasdial "Corporate SSTP VPN" /disconnect

Verification and Troubleshooting

Verify RRAS and SSTP are functioning:

# Check RRAS service status
Get-Service -Name RemoteAccess | Select-Object Status, StartType

# Check SSTP service
Get-Service -Name SstpSvc | Select-Object Status

# View connected VPN clients
netsh ras show client

# View RRAS IP configuration (address pool / DHCP assignment)
netsh ras ip show config

# Check the System event log for RRAS errors (the RemoteAccess source logs there, not to Application)
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='RemoteAccess'} `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
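Because port 443 on this server is reachable from the Internet, the NPS authentication results are the place to see who is connecting and which accounts are being guessed at. The script below is an added example, not part of the original guide; it assumes it runs on the NPS server that authorizes the RRAS connections and that the "Network Policy Server" audit subcategory is enabled (auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable) so that events 6272 and 6273 are written to the Security log.

```powershell
function Get-VpnAuthSummary {
    param(
        [int]$Hours = 24,          # look-back window
        [int]$DenyThreshold = 10   # denials per account that deserve a closer look
    )
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6272, 6273                     # NPS: access granted / access denied
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $records = foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than scraping the message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $data['FullyQualifiedSubjectUserName']
            Source  = $data['CallingStationID']       # client's public address as seen by RRAS
            Policy  = $data['NetworkPolicyName']
            Granted = ($e.Id -eq 6272)
            Reason  = $data['Reason']
        }
    }

    # One row per account: grant/deny counts, the source addresses involved, and a flag
    # when denials cross the threshold (repeated failures against an exposed endpoint).
    $records | Group-Object User | ForEach-Object {
        $denied = @($_.Group | Where-Object { -not $_.Granted })
        [pscustomobject]@{
            User       = $_.Name
            Granted    = @($_.Group | Where-Object { $_.Granted }).Count
            Denied     = $denied.Count
            Sources    = (($_.Group | ForEach-Object { $_.Source }) | Sort-Object -Unique) -join ', '
            LastReason = ($denied | Sort-Object Time | Select-Object -Last 1).Reason
            Suspicious = ($denied.Count -ge $DenyThreshold)
        }
    } | Sort-Object Denied -Descending
}

Get-VpnAuthSummary -Hours 24 | Format-Table -AutoSize
```

Accounts flagged Suspicious, or a single source address spread across many user names, are what to feed into your alerting; the Reason field carries the NPS text for the last denial (wrong password, account restriction, no matching policy).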

Summary

SSTP VPN on Windows Server 2012 R2 provides secure remote access over port 443 HTTPS, making it the most firewall-compatible VPN protocol available. The key components are: a publicly trusted SSL certificate matching the VPN server’s public DNS name, the RRAS role configured for VPN with SSTP, an IP address pool for connected clients, and NPS network policies controlling who can connect. SSTP’s use of TLS provides strong encryption for all VPN traffic, and its port 443 usage means it works even through strict corporate firewalls that block other VPN protocols.