How to Configure Remote Access VPN with SSTP on Windows Server 2016

Secure Socket Tunneling Protocol (SSTP) is a VPN protocol that encapsulates Point-to-Point Protocol (PPP) traffic within an SSL/TLS channel over TCP port 443. Because SSTP uses HTTPS, it traverses most firewalls and proxy servers without requiring special firewall rules beyond standard HTTPS access. Windows Server 2016 includes native SSTP support through the Routing and Remote Access Service (RRAS), making it straightforward to deploy a VPN server that remote users can connect to from any location with internet access.

Advantages of SSTP VPN

SSTP offers several advantages over other VPN protocols. It works in restrictive network environments where only port 443 is permitted. It uses TLS 1.2 or later for encryption, providing strong security. The Windows built-in VPN client natively supports SSTP, so no additional client software is required. SSTP also supports certificate-based server authentication, allowing clients to verify they are connecting to a trusted server, which helps prevent man-in-the-middle attacks.

Step 1: Install the Remote Access Role

Install the Remote Access role with the DirectAccess and VPN (RAS) role service on the server that will act as the VPN gateway:

Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
Restart-Computer -Force

Step 2: Obtain an SSL Certificate

SSTP requires a server authentication certificate bound to the RRAS service. The certificate must be issued to the public FQDN that VPN clients will use to connect (for example, vpn.company.com) and must be trusted by VPN clients. You can use a commercial certificate authority or your internal CA, provided clients trust the issuing CA. Request a certificate from your internal CA:

$cert = Get-Certificate -Template "WebServer" -CertStoreLocation "Cert:\LocalMachine\My" -DnsName "vpn.company.com"
Write-Host "Certificate Thumbprint: $($cert.Certificate.Thumbprint)"

If using a commercial certificate, import the PFX file:

Import-PfxCertificate -FilePath "C:\Certs\vpn_company_com.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password (ConvertTo-SecureString -String "PFXPassword!" -AsPlainText -Force)

Step 3: Configure RRAS for SSTP VPN

Configure RRAS using the wizard or PowerShell. To perform a basic RRAS configuration for VPN access only:

Install-RemoteAccess -VpnType Vpn

Bind the SSL certificate to SSTP. Get the certificate thumbprint first, then apply it:

$thumbprint = (Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object { $_.Subject -like "*vpn.company.com*" } | Select-Object -First 1).Thumbprint
Set-RemoteAccess -SslCertificate (Get-Item "Cert:\LocalMachine\My\$thumbprint")

Restart the RRAS service to apply the certificate change:

Restart-Service RemoteAccess
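A post-deployment check for the binding just made, added here as an example and not part of the original guide. It assumes the FQDN vpn.company.com from the steps above, that (Get-RemoteAccess).SslCertificate reports the certificate bound to SSTP, and that the RemoteAccess module is loaded on the server.

```powershell
# Added verification script (assumption: FQDN and bound-certificate property as described in the lead-in).
$Fqdn = "vpn.company.com"
$now = Get-Date
$problems = @()

# The certificate RRAS currently has bound to SSTP.
$bound = (Get-RemoteAccess).SslCertificate
if (-not $bound) { $problems += "No certificate is bound to SSTP" }

# Re-read it from the store so the private key and chain are available for inspection.
$cert = if ($bound) { Get-Item "Cert:\LocalMachine\My\$($bound.Thumbprint)" -ErrorAction SilentlyContinue }
if (-not $cert) {
    $problems += "Bound certificate is not present in LocalMachine\My"
} else {
    if (-not $cert.HasPrivateKey) { $problems += "Certificate has no private key" }
    if ($cert.NotBefore -gt $now) { $problems += "Certificate is not yet valid" }
    if ($cert.NotAfter -lt $now.AddDays(30)) { $problems += "Certificate expires on $($cert.NotAfter)" }

    # TLS server use requires the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains "1.3.6.1.5.5.7.3.1")) {
        $problems += "Missing Server Authentication EKU"
    }

    # The name clients dial must appear in the Subject Alternative Name; the CN alone is not enough.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($san) { $san.Format($false) } else { "" }
    if ($sanText -notmatch [regex]::Escape($Fqdn)) { $problems += "SAN does not include $Fqdn" }

    # The chain must build to a root this host trusts; clients need the same root in their stores.
    if (-not $cert.Verify()) { $problems += "Certificate chain does not validate on this host" }
}

# The SSTP listener must be up and accepting TCP 443.
if ((Get-Service SstpSvc).Status -ne "Running") { $problems += "SstpSvc is not running" }
if (-not (Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)) {
    $problems += "Nothing is listening on TCP 443"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "SSTP certificate binding looks healthy for $Fqdn" }
```

Run it after every certificate renewal as well as at first deployment, since a renewed certificate is not rebound to SSTP automatically.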

Step 4: Configure IP Address Assignment

Assign IP addresses to VPN clients either using DHCP or a static address pool. A static pool is simpler for environments without a DHCP server accessible from the VPN server:

netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.10.10.10 to=10.10.10.50

Alternatively, configure DHCP relay on the RRAS server to forward DHCP requests from VPN clients to your internal DHCP server:

netsh ras ip set addrassign method=auto

Step 5: Configure Authentication

Set the authentication methods that RRAS will accept. MS-CHAPv2 is the default for password-based authentication. For production environments, combining this with NPS for RADIUS authentication provides centralised policy management:

Set-VpnAuthProtocol -UserAuthProtocolAccepted MSChapv2
Get-VpnAuthProtocol

Grant dial-in permission to users or configure Network Policy Server for more granular access control. To allow a specific domain group to use VPN, create a Network Policy in NPS targeting that group with the required conditions and constraints.

Step 6: Configure Windows Firewall

Allow SSTP traffic on port 443. If IIS is also running on the same server, you need to either move IIS to a different port or use a different IP address for SSTP:

New-NetFirewallRule -DisplayName "SSTP VPN TCP 443" -Protocol TCP -LocalPort 443 -Action Allow -Direction Inbound -Profile Any

If both IIS and SSTP share port 443, configure SSTP to listen on a specific IP address and IIS to bind to a different IP.

Step 7: Create a VPN Connection on the Client

On the Windows client, create a VPN connection targeting the SSTP server. Use PowerShell to create the connection and force SSTP protocol:

Add-VpnConnection -Name "Company VPN" -ServerAddress "vpn.company.com" -TunnelType SSTP -AuthenticationMethod MsChapv2 -EncryptionLevel Required -RememberCredential $true -PassThru

Set split tunnelling if you only want corporate traffic to go through the VPN:

Set-VpnConnection -Name "Company VPN" -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName "Company VPN" -DestinationPrefix "10.0.0.0/8" -RouteMetric 1

Step 8: Connect and Verify

Connect using the built-in Windows VPN client and verify connectivity:

rasdial "Company VPN" "username" "password"
Get-VpnConnection -Name "Company VPN"
ipconfig /all

On the server, verify the active session:

netsh ras show client
Get-RemoteAccessConnectionStatistics
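Beyond confirming that a session is up, a server-side check worth running once the VPN is in service is a summary of failed authentication attempts per source address. This is an added example, not part of the original guide; it assumes RRAS writes authentication failures to the System log as provider "RemoteAccess" with Event ID 20271 and a message containing "The user <name> connected from <address>", so adjust the filter and regex to what your server actually logs.

```powershell
# Added example: summarise repeated VPN authentication failures by source address.
# Assumptions (not from the original guide): System log, provider "RemoteAccess",
# Event ID 20271, message text "The user <name> connected from <address> ...".
function Get-VpnAuthFailureSummary {
    param(
        [int]$Hours = 1,      # look-back window
        [int]$Threshold = 10  # failures per source that warrant attention
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName      = "System"
        ProviderName = "RemoteAccess"
        Id           = 20271
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Pull the user name and source address out of each failure message.
    $failures = foreach ($e in $events) {
        if ($e.Message -match 'The user (?<user>\S+) connected from (?<src>[0-9A-Fa-f:.]+)') {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $matches.user; Source = $matches.src }
        }
    }

    # One row per source address over the threshold, with the distinct user names it tried.
    $failures | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Name
            Failures = $_.Count
            Users    = ($_.Group.User | Sort-Object -Unique) -join ", "
            First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}

# Example run: anything returned here deserves a look at the NPS or RRAS logs for that address.
Get-VpnAuthFailureSummary -Hours 1 -Threshold 10 | Format-Table -AutoSize
```

A single source cycling through many distinct user names is the pattern to watch for; if NPS handles authentication, the matching detail is in the NPS accounting log rather than the RRAS event.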

SSTP VPN on Windows Server 2016 provides a reliable and firewall-friendly remote access solution. With proper certificate management, strong authentication, and appropriate IP routing configuration, SSTP delivers secure access to corporate resources for remote employees from any internet-connected location.