SSTP FAQ - Part 1: Generic

Hi All,

I am sure lot of queries may be running in your minds related to SSTP. To clarify it further, I am starting a series of frequently asked questions (FAQ) related to SSTP. Please feel free to send your comments on the blog site or to our blog email address if you have further queries.

In this part, I will cover some generic queries related to SSTP

1) Can SSTP be deployed along with other VPN tunnels?

Yes – absolutely.

The same RRAS based VPN server can support all flavor of tunnels or any combination of these at the same time. In-fact L2TP/IPSec and SSTP can share the same machine certificate on the server side.

2) Can SSTP be used for site-to-site VPN tunnels?

No – SSTP is currently supported for remote access (or remote user) scenarios only. 

3)  What HTTP and SSL version is supported by SSTP?

HTTP 1.1 with 64 bit content length encoding and SSL 3.0

4)  What encryption algorithms are supported by SSTP?

The same as supported by SSL - i.e. AES, RC4

5) What kind of certificate is required on client and server side?

On the server side a machine certificate is required in order for SSTP based connection to go through. The client gets this certificate as part of SSL hand-shake and validates the same. This certificate should be with EKU as server authentication.

On the client side, a certificate is required inside the trusted root CA machine store which goes back to the certificate chain on the server certificate. This will be used to validate the server certificate in addition to certificate validity, certificate expiry, certificate EKU and certificate revocation check.

6)   Does SSTP support IPv6?

Yes – SSTP based VPN connection can be established on top of IPv6 based network (like Internet).

Also IPv6 (or PPPv6) can be carried on top of SSTP based VPN tunnel.

7) Will NAP be supported by SSTP? What changes are required to support it?

Yes – NAP VPN support remains same as PPTP/L2TP VPN tunnel. This is because NAP VPN support is enabled via PEAP authentication which is part of PPP stage and remains same as PPTP, L2TP or SSTP based VPN tunnel. This means same remote access policies inside NPS can be used to support all form of VPN tunnels - with no explicit extra configuration for SSTP. Same way same client configuration (PEAP, etc) can be used for all form of VPN tunnels.

In the next series, I will try to cover the server related FAQ. Stay tuned for more information and looking forward to hear from you too

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]