Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 1)

A high-level overview of VPN networking technologies and a description of the Microsoft VPN protocols, highlighting the advantages of the new SSTP VPN protocol.

Remote access is one of today's "big things". As an increasing number of people need access to information stored on work and home computers, the ability to reach that information from anywhere is critical. Gone are the days when you could say "I'll get that information to you when I get to my computer". You need that information now if you want to be competitive in today's business environment.

In the stone age of computing, the way to remotely access information on your computer was a dial-up connection. RAS dial-up connections worked over regular POTS (Plain Old Telephone Service) lines and had speeds that ranged up to around 56 kbps. Speed was a major problem with dial-up RAS connections, but an even bigger problem was the cost of the connection when a long-distance number was required for access.

With the introduction and growth of the Internet, dial-up RAS connections became less relevant. The reason was the arrival of virtual private network (VPN) connections. VPN connections provide the same point-to-point connectivity that dial-up RAS connections provided, but faster and cheaper: the speed of the VPN connection can be as fast as the Internet link, and the cost of the connection is independent of the destination. The only cost is that of the Internet link.

Virtual Private Networking

A VPN connection allows a computer to establish a virtual and private connection to a network over the Internet. The connection is virtual because, once the computer has established a VPN connection over the Internet, it acts like a node that is directly connected to the network, as if it had an Ethernet cable plugged into that network. The user can access all the same resources he could reach if he were directly connected to the network. In the case of a VPN client connecting to a VPN server, however, there is no actual Ethernet connection to the destination network, which is why the connection is a virtual one. The connection is private because the contents of the data stream moving inside the VPN connection are encrypted, so that no one on the Internet is able to intercept and read the communications moving over the VPN link.

Windows servers and clients have supported VPN connections since the days of Windows NT and Windows 95. While Windows clients and servers have supported VPN connections for over a decade, the type of VPN support has evolved over time. Windows Vista Service Pack 1 and Windows Server 2008 now support three types of VPN connections: PPTP, L2TP/IPSec and SSTP.

PPTP is the Point-to-Point Tunneling Protocol. PPTP is the simplest method you can use to establish a VPN connection, but unfortunately it is also the least secure. The reason PPTP is the least secure option is that user credentials are not exchanged over a secure link; that is, encryption of the VPN connection takes place only after credentials are exchanged. Even though the actual credential information is not transmitted between VPN client and server, the hash values that are exchanged can be leveraged by sophisticated hackers to gain access to VPN servers and connect to corporate networks.

A more secure VPN protocol is L2TP/IPSec. L2TP/IPSec was a joint development between Microsoft and Cisco. L2TP/IPSec is more secure than PPTP because a secure IPSec session is established before credentials are sent over the wire. Hackers are not able to access the user credentials and thus cannot steal them for later use. More importantly, IPSec provides mutual machine authentication, so that untrusted machines are not able to connect to the L2TP/IPSec VPN gateway. IPSec provides mutual machine authentication, data integrity, confidentiality, and non-repudiation. L2TP supports PPP and EAP user authentication mechanisms, which allows for a high level of logon security because both user and machine authentication are required.

Windows Vista SP1 and Windows Server 2008 now support a new VPN protocol: Secure Socket Tunneling Protocol, or SSTP. SSTP uses SSL-encrypted HTTP connections to establish a VPN connection to the VPN gateway. SSTP is secure because user credentials are not sent until after a secure SSL tunnel has been established with the VPN gateway. SSTP is also known as PPP over SSL, which means you can use PPP and EAP authentication mechanisms to make your SSTP connection more secure.
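The following PowerShell is an added example, not code from the original article, that puts the protocol comparison above into practice on a client: it checks that the SSTP gateway's HTTPS listener (TCP 443) is reachable, creates a connection profile pinned to SSTP with encryption required so the client cannot negotiate down to PPTP, and audits the profiles on the machine for any still using PPTP or weak encryption. It assumes the VpnClient module (Windows 8 / Windows Server 2012 and later; it is not available on Windows Server 2008 itself, which the article configures) and a placeholder gateway name vpn.example.com; the Get-WeakVpnProfile function name is the example's own.

```powershell
# Added example (not part of the original article). Assumes the VpnClient module
# (Windows 8 / Server 2012 and later) and a placeholder gateway FQDN. Run elevated
# so that -AllUserConnection profiles can be read.

$GatewayFqdn = 'vpn.example.com'   # placeholder, not taken from the article

# 1. SSTP rides on an SSL-encrypted HTTP connection, so the gateway must be reachable
#    on TCP 443. (By contrast PPTP needs TCP 1723 plus GRE, and L2TP/IPSec needs
#    UDP 500/4500 plus ESP.)
$reach = Test-NetConnection -ComputerName $GatewayFqdn -Port 443
if (-not $reach.TcpTestSucceeded) {
    Write-Warning "TCP 443 to $GatewayFqdn is not reachable; SSTP cannot be established."
}

# 2. Create a profile pinned to SSTP with encryption required. The PPP user
#    authentication (MS-CHAPv2 here) runs only after the SSL tunnel is up, which is
#    the property the article contrasts with PPTP. To use EAP instead, pass
#    -AuthenticationMethod Eap together with -EapConfigXmlStream.
Add-VpnConnection -Name 'Corp SSTP' `
    -ServerAddress $GatewayFqdn `
    -TunnelType Sstp `
    -EncryptionLevel Required `
    -AuthenticationMethod MSChapv2 `
    -RememberCredential:$false `
    -Force

# 3. Audit every VPN profile on the machine and report the ones that still allow the
#    weakest options described in the article.
function Get-WeakVpnProfile {
    $profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($p in $profiles) {
        $reasons = @()
        if ($p.TunnelType -eq 'Pptp') {
            $reasons += 'PPTP: credential exchange happens before encryption'
        }
        if ($p.TunnelType -eq 'Automatic') {
            # Assumption: an unpinned profile may end up on PPTP if stronger types fail.
            $reasons += 'Automatic: tunnel type not pinned, may end up on PPTP'
        }
        if ($p.EncryptionLevel -in 'Optional', 'NoEncryption') {
            $reasons += "encryption level $($p.EncryptionLevel)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name       = $p.Name
                Server     = $p.ServerAddress
                TunnelType = $p.TunnelType
                Reason     = $reasons -join '; '
            }
        }
    }
}

Get-WeakVpnProfile | Format-Table -AutoSize
```

Pinning -TunnelType to Sstp matters more than it looks: a profile left on Automatic lets the client fall through the tunnel types, so a transient failure of the stronger protocol can silently land the user on PPTP, where the authentication hashes cross the wire before any encryption is in place.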