Thursday, July 07, 2011

How-To: Configure SSTP RAS VPN server on 2008 R2

For anyone working on getting a 2008 SSTP server running properly, or just looking for some guidance, I strongly recommend Microsoft's "SSTP Remote Access Step-by-Step Guide: Deployment". The step-by-step walkthrough is useful. Before you get started, though, make sure you check out "How to troubleshoot Secure Socket Tunneling Protocol (SSTP) based connection failures when client fails to connect to SSTP VPN server giving error message 0x80092013" (KB961880).

As for tips, if you're following the step-by-step guide: after you've installed Active Directory Certificate Services and the Certification Authority Web Enrollment role service (essentially the same step), but before you "request a server authentication certificate" by browsing to http://localhost/certsrv on your new SSTP/RAS server, do the steps explained in KB961880, then carry on and finish the SSTP step-by-step guide. This ordering matters: if you skip it and simply follow the step-by-step guide, then when you finish and test the SSTP VPN client you will get the following error: "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013".
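To confirm the KB961880 fix before testing the VPN client, here is a small PowerShell check I use (my own script, not part of the original post, Microsoft's guide, or KB961880): it reads the CRL Distribution Points out of the SSTP server certificate and tries to download each HTTP CRL the way the client's revocation check would. It assumes the server certificate has been exported to a .cer file and should be run from a client on the path the VPN clients will actually use, since a CDP that only resolves inside the LAN still produces 0x80092013 from outside.

```powershell
# Added example, not from the original post: test whether the CRL Distribution Points
# (CDPs) in the SSTP server certificate are reachable. 0x80092013 is
# CRYPT_E_REVOCATION_OFFLINE: the client could not fetch a CRL for this chain.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # assumed: the exported server certificate, e.g. C:\temp\sstp-server.cer
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "Certificate '$($cert.Subject)' carries no CRL Distribution Points extension."
    return
}

# Format() renders the extension as text containing lines such as 'URL=http://...'.
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

$wc = New-Object System.Net.WebClient   # works on PowerShell 2.0, which 2008 R2 ships with
foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # LDAP CDPs are only reachable to domain-joined clients inside the network;
        # an SSTP client connects from outside, so only the HTTP CDP matters here.
        Write-Host "SKIP  $url (not HTTP; unusable for an external SSTP client)"
        continue
    }
    try {
        $bytes = $wc.DownloadData($url)   # throws on any non-success HTTP status
        # A DER-encoded CRL begins with an ASN.1 SEQUENCE tag (0x30). A 200 response
        # carrying an HTML page instead of a CRL still fails the client's check.
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
            Write-Host "OK    $url ($($bytes.Length) bytes, DER CRL)"
        } else {
            Write-Host "FAIL  $url (downloaded, but body is not a DER CRL)"
        }
    } catch {
        Write-Host "FAIL  $url ($($_.Exception.Message))"
    }
}

# certutil performs the same fetch plus the full chain and revocation validation the
# client does; any 'Revocation check' failure or 0x80092013 here will also hit SSTP clients.
certutil -verify -urlfetch $CertPath | Select-String 'Revocation|Error|0x8009'
```

If every HTTP CDP reports OK from outside the network and certutil shows no revocation error, the client-side 0x80092013 failure is resolved and you can continue with the guide.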

For what it's worth, I actually spent some time researching a couple of other non-Microsoft guides when getting started, and those turned out to cause me more problems than if I had just started with the Microsoft guide. Also, if you're knee-deep in errors like "error 812" or "ID 4402", and in the back of your mind you're wondering things like "Do I need the Active Directory functional level to be at 2008?" or "Do I need a 2008 DC?", the answer to both is no. Your 2003 native-mode DCs are just fine.

So if you're running into errors like the above, or Windows local authentication works but domain authentication doesn't, and it's not yet a production server, save yourself some time: check out Microsoft's guide and start over.

1 comment:

Anonymous said...

Thanks for confirming you can do SSTP with a 2003 DC, saves me a couple of hours trying this out.