In this post, we will learn the steps to configure SSTP VPN on Windows Server 2019 using a Self-signed certificate.

Secure Socket Tunneling Protocol (SSTP):

Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol developed by Microsoft. SSTP uses a TCP connection (port 443) for tunnel management.

SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods such as EAP-TLS. SSL or TLS provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

Note: You should use a certificate from public CA in the production environment. As we are just testing the SSTP configuration, so we will use a self-signed certificate in this guide.

Understanding the SSTP Test Lab:

  • WS2K19-DC01: Domain Controller and DNS.
  • WS2K19-VPN01: Member Server.
  • WS10-CLI01: Windows 10 Client Machine.

Step:1 Install Remote Access Server role on Windows Server 2019:

1. The first step is the installation of the Remote Access Server role. Open Server Manager Console and start role and feature installation wizard. Select the Remote Access Server role.

6. Select Remote Access Service Check-box

2. On select role services, select DirectAccess and VPN (RAS) role service. Click Next and finish the installation.

11. Verify DirectAccess and VPN Role Services are Selected

3. When the installation finished, click on Open the Getting Started Wizard. Leave the console open, and move to the next step to create a self-signed certificate.

15. Verify the Successful Installation of RAS on Server 2019

Step:2 Create a Self-signed Certificate using the IIS manager.

4. On the member server, open the Server Manager console. Click on Tools and select Internet Information Services (IIS) Manager.

1. Open IIS Manager Console

5. Click on the server name (WS2K19-VPN01) in the connections column on the left and double-click on Server Certificates.

2. Expand Server Name and Click on Certificates

6. Click on Create Self-Signed Certificate in the Actions column on the right.

3. Click on Create a Self-Signed Certificate

7. Enter the friendly name you wish to use to identify the self-signed certificate, and then click OK to complete the process.

4. Type a Friendly Name to Certificate

8. You now have an IIS Self Signed Certificate listed under Server Certificates. Double-click on Certificate. The validity of the Self Signed Certificate is one year.

5. Double Click on Certificate to view Properties

Step:3 Export a self-signed certificate:

9. Click on the Details tab. Click on Copy to File.

6. Click on Copy to File

10. Select No, do not export the private key. Click Next.

7. Select Do not Export Private Key

11. Specify the location to save the file. Click Next.

8. Specify the Location to save the .CER File

12. Click on Finish. Click on OK on the confirmation message console.

9. Click Ok to Finish the Export Process

Note: You need to copy this .cer certificate file to Windows 10 machine. The simple way to do this is by sending this .cer file using an email.

Step:4 Configuring Remote Access Service and SSTP VPN:

13. On configure Remote Access page, click on Deploy VPN only.

1. Click on Deploy VPN Only

14. That will open the Routing and Remote Access Management Console. You can also open the management console from the Tools menu.

2. Open Routing and Remote Access Console

15. Right-click on the Server name and select Configure and Enable Routing and Remote Access.

3. Configure and Enable Routing and Remote Access

16. On Welcome screen, click Next.

4. Click Next on Welcome Console

17. On the Configuration page, select the Custom configuration radio button. Click Next.

5. Select Custom Configuration

18. On select the service page, select VPN Access. Click Next.

6. Choose VPN Access

19. After clicking on the Finish, it will ask you to start the service. Click on Start service.

7. Click on Start Service to Start RRAS Service

20. Now you will see a green up arrow beside your server name.

Step:5 Configure SSTP settings and specify the IP Address range:

To configure SSTP VPN, we need to set up specific settings in the VPN server’s properties section.

21. Right-click on the server name and click on Properties.

9. Select Properties

22. Click on the Security tab. Under SSL Certificate Binding, select the self-signed certificate that you just created earlier.

10. Select the Certificate For SSTP VPN

23. Click on IPv4 Tab. Select the Static Address Pool radio button.

11. Select Static Address Pool on IPv4 Tab

24. Click on Add and specify the IP address range. Click on OK.

12. Specify the IP Address Range

25. Click on Apply to save the changes to the VPN server. It will ask to restart the Routing and Remote Access service. Click on yes to do so.

13. Click Yes to Restart RRAS Services

Step:6 Create AD User and allow dial-in access:

26. On Domain Controller, Open Active Directory Users and Computers snap-ins. Create AD users name Test User1 and Test User2.

14. Create AD Users

27. Enable dial-in access for selected VPN users by opening the user properties and selecting Allow access on the tab Dial-in.

15. Select Allow Access Dial-in Permission

Note: If you want, you can configure Network Policy Server to allow VPN users to connect to the VPN server running on Windows Server 2019.

Step:7 Import a self-signed certificate on Windows 10 machine:

Once you get a .cer certificate file, you need to import the certificate on the local computer. You need to store the certificate under the Trusted Root Certification Authorities store.

28. Double-click on SSTPselfsigned.cer file. Click on the Install certificate.

16. Install Self-signed Certificate

29. Select Local Machine and click Next.

17. Select Local Machine

30. Select Place certificates in the following store radio button and click on Browse.

18. Click on Browse

31. Select the Trusted Root Certification Authorities store and click OK. Click Next.

19. Select Trusted Root Certification Authorities Store

32. Click on Finish to complete the import process.

20. Click on Finish to complete Import Process

Step:8 Test SSTP VPN configuration:

On Windows 10 client machine, we need to create a new VPN connection.

33. Right-click on the Start button and select Network Connections.

21. Click on Network Connection

34. On left-pane, click on VPN.

22. Click on VPN

35. Click on add a new VPN connection.

23. Click on Add VPN Connection Plus Sign

36. Specify the required information for the VPN connection.

  • VPN Provider: Windows (Built-in)
  • Connection Name: Name of your choice
  • Server Name or IP Address: FQDN of VPN server
  • VPN Type: SSTP (Secure Socket Tunneling Protocol)

Click on Save.

24. Specify VPN Connection Details

37. Select VPN connection and click on Connect.

25. Click on VPN Connection and Select Connect

38. Specify a username and password to connect the VPN server. Click OK to connect.

26. Specify User Name and Password

39. Verify the VPN connection is successfully connected with the VPN server using SSTP protocol.

27. Verify VPN Connection Status

On Windows 10 Client Machine:

40. Press Windows Key and R key together. At Run menu type ncpa.cpl and press enter to open Network Connection console.

41. Right-click on VPN connection and click on the Status button.

42. Click on details to see information about VPN connection like Authentication Method etc.

28. Verify VPN Connection Status Details

In this article, we have seen the steps to Install and Configure SSTP VPN using Self-signed Certificate on Windows Server 2019 and Windows 10.

Thank you for reading.

Related Articles: