
Server 2008 VPN Connections

Server 2008 still offers PPTP and L2TP\IPSec VPN capabilities, but now also includes the new Secure Socket Tunneling Protocol (SSTP). The VPN server role is added using Roles\Network Policy and Access Services\Routing and Remote Access. It still comes with the following default policies, but they are now disabled by default:

  • Connection to Microsoft Routing and Remote Access Server
  • Connection to other remote access servers

Once installed, all VPN protocols are enabled by default and the firewall creates the following inbound rules:

  • PPTP – TCP: 1723
  • L2TP – UDP: 1701
  • SSTP – TCP: 443

During my initial testing both PPTP and L2TP\IPSec worked fine. PPTP is the easiest protocol to use as it doesn't require any additional configuration on either the server or the client, and it is used by default. Both L2TP\IPSec and SSTP require certificates, so I installed and configured the following:

  • Installed Active Directory Certificate Services role
  • Configured a Root Certificate Authority
  • Created a Domain GPO and configured Computer Configuration for “Automatic Certificate Requests” for Computer Certificates

The following table identifies the requirements for each of the Microsoft VPN protocols.

Type        | Authentication               | Data                   | Certificates
            | User | Computer | Data       | Encryption | Integrity | Computer | User
------------|------|----------|------------|------------|-----------|----------|------
PPTP        | PPP  | None     | None       | MPPE       | None      | None     | None
L2TP\IPSec  | PPP  | IPSec    | IPSec      | IPSec      | IPSec     | Yes      | None
SSTP        | PPP  | None     | SSL        | SSL        | SSL       | Yes      | None

I was also able to produce the following client connection failures and error codes:

  • 800: Unable to establish VPN connections (no policy enabled)
  • 812: Prevented due to policy (changed Day\Time restrictions or Authentication method)
  • 766: Certificate could not be found (deleted client computer certificate)
  • 0x804B0109: Certificate chain not trusted (unable to resolve; SSTP only)
  • 0x80420400: Unable to validate server certificate (unable to resolve; SSTP only)

After doing some research I discovered that SSTP not only requires the VPN server to have a computer certificate, but it also needs to be able to contact the current Certificate Revocation List (CRL) or Online Responder (new to Server 2008) in order to verify that the certificate is still valid.
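As an added example (not from the original post), the following PowerShell script reproduces that check from a Windows client: it fetches the SSTP server's certificate over TCP 443 and builds the chain with online revocation checking, so a missing root trust or an unreachable CRL/Online Responder shows up here before you see the two SSTP error codes above. The server name is a placeholder, and it assumes a client with PowerShell and .NET 2.0 or later.

```powershell
# Added example, not the post's own script. $VpnServer is a placeholder for the SSTP server FQDN
# exactly as the client dials it; SSTP listens on TCP 443 (the inbound rule created above).
param(
    [string]$VpnServer = 'vpn.example.com',
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient($VpnServer, $Port)
# Accept any certificate in the handshake so the chain can be inspected below instead of failing early
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($VpnServer)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $client.Close()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
# The name the client dials must match the certificate; a mismatch is one reason the server
# certificate cannot be validated (the 0x80420400 case in the list above)
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
"Name in certificate: $dnsName (dialed: $VpnServer, match: $($dnsName -eq $VpnServer))"

# Build the chain the way the SSTP client must: the root has to be trusted, and the CRL or
# Online Responder for every certificate in the chain has to be reachable from this client
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)

"Chain valid with online revocation check: $valid"
foreach ($element in $chain.ChainElements) { "  chain: " + $element.Certificate.Subject }
foreach ($status in $chain.ChainStatus) {
    # UntrustedRoot corresponds to the 0x804B0109 (chain not trusted) symptom; RevocationStatusUnknown
    # or OfflineRevocation is the CRL / Online Responder unreachable case described in the post
    "  status: {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}
```

Run it from the same network position as the failing VPN client, since the CRL and Online Responder URLs in the certificate must be resolvable and reachable from there, not just from the server.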
