Set up Secure VPN (SSTP) on Windows Server 2019


Introduction

Setting up a VPN on Windows Server 2019 has become easier as Secure Socket Tunneling Protocol (SSTP) has grown more popular in recent years. SSTP simplifies VPN configuration because the firewall only needs to allow SSL over HTTPS on port 443. Port 443 is mostly used for web servers, and organizations commonly open it to allow access to HTTPS services.

Today I am going to demonstrate enabling this service by installing and configuring it on Microsoft's new and powerful server, Windows Server 2019. When we talk about security, we cannot ignore the certificate, which can be issued by either an internal CA server or an external one. We need to install the CA certificate on Internet Information Services (IIS), on the website that is installed when we add the Remote Access services.

There are two parts to consider: setting up Secure VPN (SSTP) on Windows Server 2019, and configuring the VPN client on a client operating system such as Windows 10. Although this guide is written for Windows Server 2019 and Windows 10, the same steps can be used to install VPN services on Windows Server 2016 and to connect Windows 8 and 8.1 clients to the server. A few minor differences need attention when doing this configuration on those earlier operating systems.

Setting up Secure VPN (SSTP) on Windows Server 2019 involves the following steps, which together make up a full Routing and Remote Access VPN deployment using Secure Socket Tunneling Protocol (SSTP). We will go through each of them in detail, so stick with me as we work through the setup.

  • Add remote access server role
  • Configure Remote Access with VPN Access
  • Limit the number of VPN ports
  • Configure VPN remote access settings
  • Configure a Dial-in connection on the user object
  • Create a VPN connection
  • Connect to a VPN server online

Add remote access server role

The first step in setting up Secure VPN (SSTP) is to add the Remote Access server role on the server. The role is installed from the Server Manager Dashboard. Once the Server Manager window opens, click Add Roles and Features. The Add Roles and Features wizard will start, and we can go through it to complete the installation of the Remote Access role.

The wizard will start with instructions on using this tool to add roles and features. If you do not want to see this page, you can click the checkbox next to “Skip this page by default”, and you will no longer be prompted for this page.

In this wizard we will use role-based installation to add this role, so select Role-based or feature-based installation and click Next to continue.

Check and select the local server in the server pool and click Next.

On the Server Role Selection page, select the Remote Access check box, and click Next.

On the next page, leave the features as they are and click Next.

If you need more details, you can see the details about remote access on this page, and once you’re ready to move on, click Next.

This step is very important: select DirectAccess and VPN (RAS) alone. A popup will prompt you for the related features; click Add Features, which returns you to the Select Role Services page.

With the role service and its features selected, we are ready to continue; click Next.

The next page is an information page and shows that adding this role service also installs the Web Server (IIS) role, click Next to continue.

The Web Server (IIS) role will install these role services, leave the default selection, and click Next.

On the confirmation page, verify that the above roles and role services are correct and click Install to begin installing the remote access role. Sit back and relax for a few minutes until the installation is complete.

You will see a message that the installation succeeded, along with a link to open the Getting Started wizard and begin configuring the Remote Access role. Click the link.

Configure Remote Access with VPN Access

Clicking the link starts the Remote Access configuration wizard. In the wizard, click Deploy VPN only, as shown in the screen below.

The Routing and Remote Access management console will open. Right-click the server node and click Configure and Enable Routing and Remote Access.

The Routing and Remote Access Server Setup Wizard will start with a welcome screen, click Next to start the wizard.

Select the radio button next to Custom Configuration and click Next.

On the Custom Configuration page, check the checkbox next to VPN Access and click Next.

The wizard confirms that VPN access has been selected. This is the end of the wizard, so click Finish.

Since we have configured Routing and Remote Access with VPN access, the wizard ends by prompting us to start the service.

Once the Routing and Remote Access service is started, you will see a green arrow on the server node indicating that the service is started and running.

Limit the number of VPN ports

Depending on our requirements, we will limit the number of connections in the Remote Access service. To limit the number of ports, right-click Ports and select Properties.

We’ll limit the number of ports to 15 in this example.

Select Yes for the warning that we are reducing the number of ports.

Once all port types are set to 15, confirm the numbers and click OK.

Configure VPN Remote Access Settings for Secure VPN (SSTP)

There are certain settings that we need to update so that the VPN runs securely and hands out IPv4 addresses to the client system.

Right-click the server node and click Properties, as shown in the screen below.

In the Remote Access server properties, go to the IPv4 tab, select the Static address pool option button under the IPv4 settings and click Add to add the IP address pool. Type the start and end IP address for the pool. If you are running a DHCP server, you can instead leave the addresses to be assigned by the DHCP server. Since we are not running the DHCP service, we are creating a static address pool in this example.

In the Remote Access server properties, open Authentication Methods, select EAP and MS-CHAP v2, and click OK.

Before starting this installation, I configured the public DNS for the domain with a hostname record and assigned the server's public IP address to it. I also obtained a certificate from a third-party CA. At the bottom of the page, you can select the certificate you installed for the hostname you chose.

Applying the configuration changes requires a restart of the Remote Access service before they take effect.

We have completed configuring Routing and Remote Access.

Configure a Dial-in connection on the user object

To connect to the VPN server from a VPN client, we need to allow the users the required access. Go to Active Directory Users and Computers, select the user objects that you want to allow to connect to the VPN, open the Dial-in tab in the properties of the user object, and select the radio button next to “Allow access”.
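The server-side steps above (role installation, certificate selection, static address pool, service restart and dial-in permission) can also be expressed in PowerShell. This is an added example, not the author's procedure; the address pool and account names are constructed placeholders, and the port limit is left to the console.

```powershell
#Requires -RunAsAdministrator
# Added example. Pool range and account names are assumptions, not from the article.
$VpnHost   = 'vpn.mrigotechno.club'   # public hostname the article registered in DNS
$PoolStart = '10.10.10.10'            # constructed static pool: 15 addresses,
$PoolEnd   = '10.10.10.24'            #   matching the 15-port limit in the article
$VpnUsers  = @('alice', 'bob')        # hypothetical AD accounts allowed to dial in

# 1. Role service "DirectAccess and VPN (RAS)"; IIS is pulled in as a dependency.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools | Out-Null
Install-RemoteAccess -VpnType Vpn

# 2. Choose the certificate SSTP will present. Require a private key, a current
#    validity window and a DNS name equal to the public hostname, because SSTP
#    clients reject a certificate whose name does not match the server address.
#    (An exact match is used here; a wildcard certificate needs a different test.)
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.DnsNameList.Unicode -contains $VpnHost
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $VpnHost in LocalMachine\My" }
Set-RemoteAccess -SslCertificate $cert

# 3. Static IPv4 pool for VPN clients (no DHCP server in this setup).
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
    -IPAddressRange $PoolStart, $PoolEnd

# 4. The changes take effect after the Remote Access service restarts.
Restart-Service -Name RemoteAccess

# 5. Dial-in tab, "Allow access": stored on the user as msNPAllowDialin.
#    Needs the ActiveDirectory module (RSAT) on the machine running this.
Import-Module ActiveDirectory
foreach ($u in $VpnUsers) {
    Set-ADUser -Identity $u -Replace @{ msNPAllowDialin = $true }
    Get-ADUser -Identity $u -Properties msNPAllowDialin |
        Select-Object SamAccountName, msNPAllowDialin
}

# 6. Read back what the server will present to clients.
Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
```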

Create a VPN connection to Secure VPN (SSTP)

We have completed all the server configuration, so it is now time to create a VPN connection on the Windows 10 client computer.

Right-click the network icon on the taskbar and select Open Network Sharing and Connection. In Settings, click Network and Sharing Center, and in the Network and Sharing Center window select Set up a new connection or network, as shown in the steps in the screenshot below.

Follow these steps:

  1. Open Network and Internet Sharing
  2. Network Sharing Center
  3. Create a new network or connection

A wizard starts. In the connection options, select “Connect to a workplace” and click “Next”.

In the “How do you want to connect?” options, select “Use my Internet connection (VPN)”. Type the Internet address; as I mentioned earlier, I created a hostname called “vpn.mrigotechno.club” on my domain for this VPN configuration.

In Destination name, type a name that indicates the purpose of the connection. I left the default name in this example.

Leave “Remember my credentials” checked and click Create.

  1. Type the VPN server’s Internet hostname or IP address.
  2. Give a name to the VPN connection.
  3. Click Create to create a connection to the workplace.

Connect to a VPN server online

The VPN network adapter has now been created. Click Change adapter settings to change the settings of the VPN network adapter so that it can connect to the VPN server.

Right-click on the newly created adapter for the VPN connection and select Properties.

On the Security tab, select Secure Socket Tunneling Protocol (SSTP) and click OK.

Right-click the adapter again and click Connect/Disconnect.

The VPN connection will pop up on the taskbar; click the VPN connection.

Type the domain credentials and click OK.

The VPN connection is now established, and you will see the connection status on the VPN connection.

The established connection can also be checked in the Routing and Remote Access management console, as shown in the screen below.
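The client steps above, written as PowerShell together with two checks that are useful before rollout: that the server's port 443 certificate validates for the hostname, and that the profile is pinned to SSTP rather than left to negotiate another tunnel type. This is an added example, not part of the original article; the connection name and both function names are hypothetical.

```powershell
# Added example. $Name and the function names are hypothetical.
$Name   = 'Workplace SSTP'
$Server = 'vpn.mrigotechno.club'      # hostname used in the article

function Test-SstpEndpoint {
    param([string]$HostName)
    # TLS handshake on 443 with Windows default validation (chain and name).
    # Revocation is not checked here, although the SSTP client does check it.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
        $ssl.AuthenticateAsClient($HostName)   # throws on untrusted chain or name mismatch
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 $ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject  = $c.Subject
            NotAfter = $c.NotAfter
            Protocol = $ssl.SslProtocol
        }
    } finally {
        $tcp.Dispose()
    }
}

function Get-SstpProfileFinding {
    param([string]$ConnectionName)
    $p = Get-VpnConnection -Name $ConnectionName
    $findings = @()
    if ($p.TunnelType -ne 'Sstp') {
        $findings += "TunnelType is $($p.TunnelType); the client may use another protocol"
    }
    if ($p.EncryptionLevel -notin 'Required', 'Maximum') {
        $findings += "EncryptionLevel is $($p.EncryptionLevel); encryption is not enforced"
    }
    if ($p.ServerAddress -as [ipaddress]) {
        $findings += 'ServerAddress is an IP; it will not match a certificate issued for the hostname'
    }
    return $findings
}

Test-SstpEndpoint -HostName $Server

# Same choices as the GUI steps: SSTP on the Security tab, credentials remembered.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Sstp `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential
}
Get-SstpProfileFinding -ConnectionName $Name   # empty output means no findings
```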

Conclusion

In this article, we reviewed how to set up a secure VPN (SSTP) on Windows Server 2019. We covered installing the Remote Access role, configuring Remote Access with VPN access after installation, and limiting the number of SSTP ports so that only the maximum allowed number of connections can be made. We configured the Dial-in setting for Active Directory domain users and also covered connecting a Windows 10 client computer to the VPN server.

I hope this article provides all the details needed to set up an environment that implements a VPN using Secure Socket Tunneling Protocol (SSTP). If you have questions or comments, please share your thoughts in the comments below. I am very happy to answer your questions.
