
Thursday, July 07, 2011

How-To: Configure SSTP RAS VPN server on 2008 R2

For anyone working on getting a 2008 SSTP server running properly, or just looking for some guidance, I strongly recommend Microsoft's "SSTP Remote Access Step-by-Step Guide: Deployment". The step-by-step walk-through is useful. Before you get started, though, make sure you check out "How to troubleshoot Secure Socket Tunneling Protocol (SSTP) based connection failures when client fails to connect to SSTP VPN server giving error message 0x80092013" (KB961880).


As for tips, if you're following the step-by-step guide: after you've installed Active Directory Certificate Services and the Certification Authority Web Enrollment (essentially the same step), but before you "request a server authentication certificate" by browsing to http://localhost/certsrv on your new SSTP/RAS server, do the steps explained in KB961880, and only then finish the SSTP step-by-step guide. This is an important step, because if you skip it and simply follow the step-by-step guide, then when you finish and test the SSTP VPN client you will get the following error: "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013".
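The revocation failure above can be reproduced and diagnosed on the server (or any domain client) before you ever test the VPN client: build the chain for the server authentication certificate with online revocation checking, the way the SSTP client does, and then fetch each CRL distribution point URL the certificate carries. This PowerShell script is an added example, not code from the original post or from Microsoft's guide; the thumbprint is a placeholder for the certificate you bound to the SSTP listener.

```powershell
# Added example (not from the original post): check a server authentication
# certificate the way an SSTP client would, then test each CRL URL directly.
# $Thumbprint is a placeholder; pass the thumbprint of the cert bound to SSTP.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Build the chain with online revocation checking for the entire chain.
#    RevocationStatusUnknown / OfflineRevocation here is what the VPN client
#    surfaces as "revocation server was offline" (0x80092013).
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan(0, 0, 15)
$built = $chain.Build($cert)
"Chain builds with online revocation: $built"
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# 2. Read the CRL Distribution Points extension (OID 2.5.29.31) and fetch
#    every URL in it. A CDP that no client can reach is the usual root cause.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    "Certificate has no CDP extension; clients have nowhere to fetch a CRL from."
    return
}
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($u in $urls) {
    try {
        # LDAP CDPs throw here (WebRequest only speaks http/https/file); that
        # is reported as unreachable, which is also how a non-domain client sees them.
        $req = [System.Net.WebRequest]::Create($u)
        $req.Timeout = 15000
        $resp = $req.GetResponse()
        "  CDP reachable:   $u ($($resp.ContentLength) bytes)"
        $resp.Close()
    } catch {
        "  CDP UNREACHABLE: $u -> $($_.Exception.Message)"
    }
}
```

Run it once on the server and once from a workstation outside the domain; an http:// CDP that only resolves internally will pass the first run and fail the second, which is exactly the condition the client error describes.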

For what it's worth... I actually spent some time researching a couple of other non-Microsoft guides when getting started, and those turned out to cause me more problems than if I had just started with the Microsoft guide. Also, if you're knee deep in errors, like "error 812", or "ID 4402"... and in the back of your mind you're wondering things like... "Do I need Active Directory functional level to be at 2008?", or "Do I need a 2008 DC?", the answer to both is no. Your 2003 Native mode DCs are just fine.

So if you're running into errors like the above, or Windows local authentication works but domain authentication doesn't, and it's not yet a production server... save yourself some time, check out Microsoft's guide, and start over.


Thursday, May 15, 2008

pfSense: OpenVPN overview

There's a really good tutorial available on the pfSense wiki that I followed to get OpenVPN working properly. It walks you through configuration, creating the certificates, installing the client, etc. That said, if you don't have any prior experience with OpenVPN, or your only VPN experience is PPTP, then there are some things to keep in mind when using pfSense with OpenVPN.

As of pfSense 1.2-RELEASE, connection management for OpenVPN is based on certificates (or a pre-shared key) generated by the OpenVPN tools that you install on your local workstation. Unfortunately there is no key management built into this release of pfSense, making the concept of "user or connection management" a bit of a challenge.

You download the OpenVPN source, create certificates from your workstation, and then add the certificates into pfSense. You can then revoke certificates using the certificate revocation list (CRL) from the pfSense management console (VPN > OpenVPN > CRL). And this works just fine. The problem with it is that it doesn't scale very well. For instance, most of my clients are running XP Pro or Vista. All have Active Directory in place, and existing user accounts. For me to deploy OpenVPN throughout my organization, or throughout our clients' organizations, it would be a substantial task. We'd have to create certificates for all users, deploy OpenVPN GUI clients via a script to our XP Pro systems, and then use scripts or GPOs to push out certificates on a per-user basis. So right now, the lack of key management within the interface is a limiting factor – well, that and the infrastructure we have to deploy to make OpenVPN just work, in the same way our existing solution just works. For now, we'll plan to use OpenVPN selectively for employees that need to connect from sites where outbound PPTP ports are being blocked.

That said, I understand that OpenVPN is a priority for the pfSense team and that it's likely we'll see some improvements around key-management in the near future.