Windows 2008 SSTP VPN configuration and troubleshooting

Reference:
http://www.dotblogs.com.tw/ray716/archive/2011/08/19/33607.aspx
http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx

My environment:
1. Server 1: DC with Active Directory Certificate Services
2. Server 2: For remote access. In DMZ. with one Network Interface Card only.
3. Client 1: Windows 7. For test SSTP connection.

RRAS (Server 2) Configuration Steps:
1. open "Server Manager".
2. Add roles: Web Server (IIS)

3. Add roles: Network Policy and Access Services

4. open "Routing and Remote Access" to enable service.

5. open "Network Policy Server" in Routing and Remote Access.

6. Create Network Policy for remote access.

 7. Create Domain Certificate in "Internet Information Service (IIS) Manager".
Important: Common Name must be the same with FQDN of Server 2.

 8. Bind Certificate in "Routing and Remote Access"

SSTP VPN connection Test (Client 1):

Troubleshooting:
Error code 0x800B0109 and Solution:

• export My Root Certificate public key to file my_root_ca.cer on Server 1.
• install Windows SDK to get CertMgr.exe
• copy CertMgr.exe and my_root_ca.cer to Client 1
• run "certmgr.exe -add -c my_root_ca.cer -s -r localMachine root" on Client 1

Error code 0x80092013

• Reference:
• How to Publish the CRL on a Separate Web Server
• Cannot connect to SSTP VPN - Unable to check revocation because revocation server was offline
• Publishing Delta CRLs on IIS 7
• Solution 1:
• Enable CRL Distribution Points for Internet (on Server 1)










• Create a directory "CertEnroll" in wwwroot of Server 2.
• copy C:\Windows\System32\certsrv\CertEnroll\*.crl (on Server 1) to wwwroot\CertEnrool (on Server 2)
• make sure wwwroot\CertEnrool\*.crl are readable by IIS_IUsers (on Server 2)
• re-create Certificates by RRAS (Server 2) Configuration Steps 7 & 8
• allow double escaping in IIS 7 (Server 2)










• Solution 2:
• http://www.ceyhunkirmizitas.net/microsoft/windows-server/error-0x80092013-the-revocation-function-was-unable-to-check-revocation-because-the-revocation-server-was-offline/
• HKEY_LOCAL_MACHINE–>System->CurrentControlSet->Services->Sstpsvc->parameters
• add a DWORD value named NoCertRevocationCheck . Set the value to 1.

Client (Windows 7) Event log: Event ID 6 

The SSTP-based VPN connection to the remote access server was terminated because of a security check failure. Security settings on the remote access server do not match settings on this computer.

遠端存取伺服器的 SSTP 型 VPN 連線已終止，因為安全性檢查失敗。遠端存取伺服器上的安全性設定與這台電腦上的設定不相符。

• Reference: Event ID 6 — RRAS Secure Socket Tunneling Protocol
• Solution:
• check Remote access server Certificates
• IIS / server Certificates
• Routing and Remote access / server property / security / SSL Certificate Binding

2017/3/31 update:

Firewall configuration reference