Introduction to Remote Access VPN with SSTP on Windows Server 2019

Secure Socket Tunneling Protocol (SSTP) is a Microsoft VPN protocol that tunnels PPP traffic over HTTPS (port 443). Because it uses port 443, SSTP traverses almost all firewalls and web proxies that allow HTTPS traffic, making it one of the most compatible VPN protocols for remote workers behind restrictive networks. SSTP VPN on Windows Server 2019 is implemented through the Routing and Remote Access Service (RRAS) and uses SSL/TLS certificates for server authentication.

SSTP is well suited for remote access scenarios where clients are on hotel Wi-Fi, corporate networks that block traditional VPN ports, or mobile networks. The server requires a valid SSL certificate with a Subject Alternative Name matching the public SSTP hostname — a certificate from a public CA works best since all Windows clients trust it by default.

Installing RRAS for SSTP VPN

Install the DirectAccess-VPN feature on the Windows Server 2019 machine that will act as the VPN server:

Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools

After installation, configure RRAS as a VPN server:

Install-RemoteAccess -VpnType VPN

Verify RRAS is running:

Get-Service -Name RemoteAccess

Obtaining and Binding the SSL Certificate

SSTP requires an SSL certificate that matches the public DNS name clients will use to connect (e.g., vpn.contoso.com). If you have a publicly trusted certificate, import it into the Local Machine Personal certificate store:

Import-PfxCertificate -FilePath "C:\Certs\vpn_contoso_com.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString "CertPassword!" -AsPlainText -Force)

Find the certificate thumbprint:

Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*vpn.contoso.com*"} | Select-Object Subject, Thumbprint, NotAfter

Bind the certificate to SSTP. RRAS uses port 443 via HTTP.sys. Set the SSTP certificate using the RRAS configuration registry or via netsh:

netsh http add sslcert ipport=0.0.0.0:443 certhash=THUMBPRINTHERE appid="{ba195980-cd49-458b-9e23-c84ee0adcd75}"

Replace THUMBPRINTHERE with the actual certificate thumbprint (no spaces). Alternatively, configure the SSTP certificate through the RRAS snap-in by right-clicking the server, selecting Properties, and navigating to the Security tab.
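Before moving on, it is worth confirming that the certificate and the HTTP.sys binding actually agree, since a mismatch here is the most common reason SSTP clients fail the TLS handshake. The following check is an added example, not part of the original guide; it assumes the public hostname vpn.contoso.com, the Local Machine Personal store used above, and English-language netsh output.

```powershell
# Added example: verify the SSTP certificate and its HTTP.sys binding on 0.0.0.0:443.
# Assumptions: public SSTP hostname is vpn.contoso.com and the certificate was
# imported into Cert:\LocalMachine\My as shown above.
$VpnHost = "vpn.contoso.com"

# 1. Pick a certificate whose SAN list (DnsNameList) covers the public hostname,
#    that has a private key and has not expired; prefer the one expiring last.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   ($_.DnsNameList.Unicode -contains $VpnHost) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No unexpired certificate with a SAN of $VpnHost and a private key in Cert:\LocalMachine\My"
}
Write-Host "Certificate: $($cert.Subject) expires $($cert.NotAfter) thumbprint $($cert.Thumbprint)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires in under 30 days; renew and rebind before clients start failing."
}

# 2. Compare the thumbprint with what HTTP.sys actually serves on 0.0.0.0:443.
#    (Parsing the 'Certificate Hash' label assumes an English-language netsh.)
$bindingText = netsh http show sslcert ipport=0.0.0.0:443 | Out-String
if ($bindingText -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
    $boundHash = $Matches[1]
    if ($boundHash -ieq $cert.Thumbprint) {
        Write-Host "HTTP.sys binding on 443 matches the certificate."
    } else {
        Write-Warning "HTTP.sys binding uses $boundHash, not $($cert.Thumbprint); re-run netsh http add sslcert with the correct certhash."
    }
} else {
    Write-Warning "No SSL certificate is bound to 0.0.0.0:443; SSTP connections will fail the TLS handshake."
}

# 3. Confirm the RRAS service itself is up.
$svc = Get-Service -Name RemoteAccess
if ($svc.Status -ne 'Running') { Write-Warning "RemoteAccess service is $($svc.Status), not Running." }
```

Run it in an elevated PowerShell session on the VPN server; any warning it prints points at the step above that needs to be repeated.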

Configuring RRAS with SSTP

Set the VPN protocols and IP address pool for clients. Configure RRAS to assign IP addresses from a static pool:

netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.200.0.1 to=10.200.0.254

Configure RRAS to use Windows authentication or RADIUS. For Windows authentication, enable MS-CHAP v2 (and remove PAP and MD5-CHAP if they are enabled, since both send credentials in a form that is trivial to recover):

netsh ras add authtype type=MSCHAPv2

Restrict RRAS to SSTP (and IKEv2 if you need it) by disabling the PPTP and L2TP ports: in the RRAS snap-in, open Ports, choose Properties, and for WAN Miniport (PPTP) and WAN Miniport (L2TP) clear "Remote access connections (inbound only)". The registry value below does not disable any tunnel type; it hardens the IPsec proposal (2048-bit DH and AES) that the server negotiates for its IPsec-based tunnels, so set it if L2TP/IPsec or IKEv2 stays enabled:

# Via registry - require 2048-bit DH and AES for the IPsec-based tunnels (L2TP/IPsec, IKEv2)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" -Name "NegotiateDH2048_AES256" -Value 1 -Type DWord

Restart the RRAS service after configuration changes:

Restart-Service -Name RemoteAccess

Configuring User Dial-In Permissions

Users must have VPN dial-in permissions. In an Active Directory environment, configure this via Network Policy Server (NPS). Install NPS:

Install-WindowsFeature -Name NPAS -IncludeManagementTools

Register NPS with Active Directory:

netsh nps add registeredserver

Configure RRAS to use NPS as its RADIUS authentication provider (use a long, random shared secret; the value here is a placeholder):

netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver name="NPSServer01" secret="RADIUSSecret123!"

In NPS, create a Network Policy that matches dial-in connections and grants access to users in a VPN Users security group. Set the Authentication Methods to MS-CHAP v2 and configure session timeout settings.

Configuring the Windows Client for SSTP

On the client machine, create an SSTP VPN connection:

Add-VpnConnection -Name "Contoso SSTP VPN" -ServerAddress "vpn.contoso.com" -TunnelType Sstp -AuthenticationMethod MsChapv2 -RememberCredential -SplitTunneling

Add split tunnel routes so only corporate traffic goes through the VPN:

Add-VpnConnectionRoute -ConnectionName "Contoso SSTP VPN" -DestinationPrefix "10.0.0.0/8"
Add-VpnConnectionRoute -ConnectionName "Contoso SSTP VPN" -DestinationPrefix "172.16.0.0/12"

Connect to the SSTP VPN (pass * instead of the password to be prompted for it, so it does not end up in the shell history):

rasdial "Contoso SSTP VPN" username password

Verify the connection and check the assigned VPN IP:

Get-VpnConnection -Name "Contoso SSTP VPN"
ipconfig

Monitor active SSTP connections on the server from the RRAS MMC snap-in under Remote Access Clients, or via PowerShell:

Get-RemoteAccessConnectionStatistics | Select UserName, ClientIPAddress, TunnelType, ConnectionDuration