How to Configure Remote Access VPN with SSTP on Windows Server 2012 R2

Secure Socket Tunneling Protocol (SSTP) is a VPN tunneling protocol developed by Microsoft that encapsulates Point-to-Point Protocol (PPP) traffic over HTTPS (SSL/TLS on port 443). Because SSTP uses port 443, it traverses most firewalls and web proxies without requiring special port forwarding configurations — making it one of the most versatile VPN protocols available on Windows. Windows Server 2012 R2 includes SSTP support in RRAS, making it straightforward to deploy an SSTP VPN server for remote users who need to connect through restrictive network environments such as hotels, airports, or corporate networks that block other VPN ports.

Prerequisites

You need Windows Server 2012 R2 with RRAS installed and a public IP address or port 443 forwarded to the server. An SSL/TLS certificate from a trusted Certificate Authority (either a public CA or your internal Enterprise CA with root certificate deployed to clients) is required. The certificate’s Common Name or Subject Alternative Name must match the DNS name clients will use to connect. Active Directory is recommended for user authentication but local accounts can also be used. Windows firewall must allow TCP port 443 for SSTP traffic.

Step 1: Install RRAS Role

Install RRAS with the Remote Access role service:

Install-WindowsFeature RemoteAccess, Routing, NPAS -IncludeManagementTools

Verify the installation succeeded:

Get-WindowsFeature RemoteAccess, Routing, NPAS | Select-Object Name, InstallState

Step 2: Install and Bind the SSL Certificate

SSTP requires an SSL/TLS certificate bound to port 443. First, import the certificate into the Local Machine Personal store:

Import-PfxCertificate -FilePath "C:\Certs\vpn-contoso.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password (ConvertTo-SecureString "CertPassword!" -AsPlainText -Force)

Retrieve the certificate thumbprint:

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*vpn.contoso.com*"}
Write-Host "Thumbprint: $($cert.Thumbprint)"

Bind the certificate to SSTP port 443 using netsh:

# appid is the application ID of the SSTP service (SstpSvc)
netsh http add sslcert ipport=0.0.0.0:443 certhash=<THUMBPRINT_HERE> appid="{ba195980-cd49-458b-9e23-c84ee0adcd75}"

Replace <THUMBPRINT_HERE> with the actual thumbprint value (no spaces). Verify the binding:

netsh http show sslcert
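The following script, added here and not part of the original article, does Step 2 end to end: it selects the certificate in the machine store whose CN/SAN matches the name clients dial (assumed to be vpn.contoso.com, as in the article), checks the properties SSTP depends on (private key, validity period, trusted chain), binds it to 0.0.0.0:443 and confirms the binding.

```powershell
# Added example (not from the original article). Picks the certificate for the name
# clients dial, checks what SSTP needs from it, binds it to 0.0.0.0:443 and verifies.
$VpnFqdn   = "vpn.contoso.com"                          # the article's VPN hostname (assumption)
$SstpAppId = "{ba195980-cd49-458b-9e23-c84ee0adcd75}"   # application ID of the SSTP service

function Select-SstpCertificate {
    param([string]$DnsName)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and                                 # needed to sign the TLS handshake
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and  # currently within its validity period
        $_.DnsNameList.Unicode -contains $DnsName -and        # CN/SAN matches what clients type
        $_.Verify()                                           # chains to a CA this server trusts
    } | Sort-Object NotAfter -Descending | Select-Object -First 1   # prefer the longest-lived one
}

function Bind-SstpCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # A stale binding on 443 makes "add sslcert" fail, so clear it first (a "not found" here is harmless)
    netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($Certificate.Thumbprint)" "appid=$SstpAppId" certstorename=MY
    # Confirm that HTTP.sys now holds exactly this thumbprint on 443
    $binding = netsh http show sslcert ipport=0.0.0.0:443
    return (($binding -join "`n") -match $Certificate.Thumbprint)
}

$cert = Select-SstpCertificate -DnsName $VpnFqdn
if (-not $cert) {
    throw "No valid certificate for $VpnFqdn with a private key found in Cert:\LocalMachine\My"
}
if (Bind-SstpCertificate -Certificate $cert) {
    Write-Host "Bound $($cert.Thumbprint) (expires $($cert.NotAfter.ToShortDateString())) to 0.0.0.0:443"
} else {
    throw "Binding on 0.0.0.0:443 does not show thumbprint $($cert.Thumbprint)"
}
```

Run it in an elevated PowerShell session on the RRAS server; if it throws on selection, the certificate fails one of the four checks in Select-SstpCertificate, which are the same conditions SSTP clients enforce at connection time.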

Step 3: Configure RRAS for SSTP VPN

Initialize RRAS for VPN access:

Install-RemoteAccess -VpnType VPN

If you prefer using the graphical wizard, open Server Manager → Tools → Routing and Remote Access, right-click the server, select Configure and Enable Routing and Remote Access, and choose Remote access (dial-up or VPN) then VPN.

After RRAS initialization, configure it to use the SSL certificate for SSTP:

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*vpn.contoso.com*"}
Set-RemoteAccess -SslCertificate $cert

# Restart the service so SSTP starts using the new certificate
Restart-Service RemoteAccess

Step 4: Configure IP Address Pool

Configure a static IP address pool for VPN clients. Open the RRAS management console, right-click the server, and choose Properties → IPv4 tab → Static address pool. Add a range such as 10.0.200.1 to 10.0.200.100.

Or configure the pool with netsh (requires a service restart):

# Switch address assignment from DHCP to a static pool, then add the range
netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.0.200.1 to=10.0.200.100
Restart-Service RemoteAccess

Step 5: Configure User Dial-in Permissions

VPN users need dial-in permissions. Configure via Active Directory Users and Computers, or via Network Policy Server for more granular control. For individual user accounts:

# Show the current dial-in setting, then allow access explicitly
Get-ADUser -Identity "jsmith" -Properties msNPAllowDialin | Select-Object Name, msNPAllowDialin
Set-ADUser -Identity "jsmith" -Replace @{msNPAllowDialin=$true}

Alternatively, set dial-in to Control access through NPS Network Policy (recommended) and create NPS policies:

Set-ADUser -Identity "jsmith" -Clear msNPAllowDialin  # Unset the attribute: access is decided by NPS policy

Step 6: Configure Network Policy Server (NPS)

Set up NPS to handle authentication requests from RRAS. Register NPS in Active Directory:

# Adds this server to the "RAS and IAS Servers" group so it can read dial-in attributes
netsh nps add registeredserver domain="contoso.com"

Create a VPN-specific connection request policy in NPS. Open the NPS console (nps.msc) and configure:

# Create the policies for SSTP VPN access in the NPS console:
# 1. A Connection Request Policy matching NAS Port Type = Virtual (VPN)
# 2. A Network Policy granting access to the VPN-Users AD group
# 3. In that Network Policy's constraints, allow only MS-CHAPv2 or EAP-TLS authentication
#    and require the strongest encryption

Step 7: Configure Windows Firewall

Ensure Windows Firewall allows SSTP traffic and RRAS management:

New-NetFirewallRule -DisplayName "SSTP VPN" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 443 `
    -Action Allow `
    -Profile Domain,Private,Public

# Allow RRAS management
netsh advfirewall firewall set rule group="Routing and Remote Access" new enable=yes

Step 8: Configure the SSTP VPN Client

On a Windows client computer, create the VPN connection for SSTP:

Add-VpnConnection -Name "Contoso SSTP VPN" `
    -ServerAddress "vpn.contoso.com" `
    -TunnelType SSTP `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential

Test the connection:

rasdial "Contoso SSTP VPN" jsmith P@ssw0rd123

Verify the connection is established and the client received a VPN IP:

Get-VpnConnection -Name "Contoso SSTP VPN"
ipconfig | findstr "10.0.200"

Step 9: Verify SSTP on the Server

Confirm active SSTP connections on the server:

Get-RemoteAccessConnectionStatistics

Check RRAS logs for connection details:

Get-EventLog -LogName System -Source RemoteAccess -Newest 20 | Select-Object TimeGenerated, EntryType, Message

Review SSTP-specific events:

Get-WinEvent -LogName "Microsoft-Windows-RRAS/Operational" -MaxEvents 20

Troubleshooting SSTP Connections

If clients cannot connect, check that the SSL certificate is valid, not expired, and trusted by the client. Verify the certificate is properly bound to port 443. Ensure port 443 is accessible from the internet (no upstream firewall blocking it). On the client, verify the root CA certificate is in the Trusted Root Certification Authorities store. Check that the VPN server hostname resolves correctly from outside the network.

netsh http show sslcert ipport=0.0.0.0:443

Test-NetConnection -ComputerName "vpn.contoso.com" -Port 443
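The checks above can be combined into one client-side test. The function below is an added example, not part of the original article: it performs the TLS handshake an SSTP connection begins with against vpn.contoso.com (the article's hostname, assumed) and reports the certificate problems that most often break SSTP: an untrusted chain, a name that does not match, or an expired certificate.

```powershell
# Added example (not part of the original article). From a client, complete the TLS
# handshake to the SSTP server and report the certificate problems that break SSTP.
function Test-SstpServerCertificate {
    param(
        [string]$ServerName = "vpn.contoso.com",   # the article's VPN hostname (assumption)
        [int]$Port = 443
    )
    $r = [ordered]@{ Server = $ServerName; Resolves = $false; TcpOpen = $false }
    try {
        $r.Addresses = [System.Net.Dns]::GetHostAddresses($ServerName).IPAddressToString
        $r.Resolves  = $true
    } catch { $r.Error = "DNS: $($_.Exception.Message)"; return [pscustomobject]$r }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($ServerName, $Port); $r.TcpOpen = $true }
    catch { $r.Error = "TCP: $($_.Exception.Message)"; return [pscustomobject]$r }

    # Accept any certificate so the handshake completes, but remember the policy errors
    $state = @{ Errors = 'None' }
    $cb = { param($sender, $cert, $chain, $errors) $state.Errors = $errors; $true }.GetNewClosure()
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]$cb)
    try {
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # SAN DNS names (OID 2.5.29.17) are what the client matches the hostname against
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = if ($san) { [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                             ForEach-Object { $_.Groups[1].Value } } else { @() }
        $r.Subject     = $cert.Subject
        $r.Issuer      = $cert.Issuer
        $r.DnsNames    = $names
        $r.NotAfter    = $cert.NotAfter
        $r.Expired     = $cert.NotAfter -lt (Get-Date)
        $r.NameMatches = ($names -contains $ServerName) -or
                         ($cert.GetNameInfo('SimpleName', $false) -eq $ServerName)
        $r.ChainErrors = "$($state.Errors)"   # 'None' means this client trusts the issuing CA
        $r.TlsProtocol = $ssl.SslProtocol
    } catch { $r.Error = "TLS: $($_.Exception.Message)" }
    finally { $ssl.Dispose(); $tcp.Close() }
    [pscustomobject]$r
}

Test-SstpServerCertificate | Format-List
```

A result with ChainErrors other than None, NameMatches False or Expired True reproduces the certificate failure the SSTP client would report. Revocation is not checked here, whereas the SSTP client does check it by default, so the certificate's CRL must also be reachable from the client.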

Summary

SSTP VPN on Windows Server 2012 R2 provides a reliable, firewall-friendly remote access solution that works through environments where other VPN protocols are blocked. By encapsulating VPN traffic in HTTPS, SSTP eliminates most connectivity issues associated with traditional VPN deployments. With proper SSL certificate management, NPS authentication policies, and appropriate IP address pools, an SSTP VPN server can provide secure remote access to corporate resources for all remote workers.