How to deploy SSTP based VPN server and IIS on the same machine

This blog is going to tell about how SSTP can be affected by configuring IIS Server on the same Server and how to get rid of this problem without moving the IIS Server to a different machine.

Let's us first know what kind of issue can arise if IIS is configured alongwith SSTP on the same server.

Let's say that SSTP is configured on the Server using a Server Authentication Certificate (SAC). The IP:Port binding will look like as follows:-

G:UsersAdministrator>netsh http show ssl

SSL Certificate bindings:

-------------------------

    IP:port : 0.0.0.0:443

    Certificate Hash : 3f399643ac981dd68726e4d99f90f7c5a349498a

    Application ID : {ba195980-cd49-458b-9e23-c84ee0adcd75}

    Certificate Store Name : MY

    Verify Client Certificate Revocation : Enabled

    Verify Revocation Using Cached Client Certificate Only : Disabled

    Usage Check : Enabled

    Revocation Freshness Time : 0

    URL Retrieval Timeout : 0

    Ctl Identifier : (null)

    Ctl Store Name : (null)

    DS Mapper Usage : Disabled

    Negotiate Client Certificate : Disabled

    IP:port : [::]:443

    Certificate Hash : 3f399643ac981dd68726e4d99f90f7c5a349498a

    Application ID : {ba195980-cd49-458b-9e23-c84ee0adcd75}

    Certificate Store Name : MY

    Verify Client Certificate Revocation : Enabled

    Verify Revocation Using Cached Client Certificate Only : Disabled

    Usage Check : Enabled

    Revocation Freshness Time : 0

    URL Retrieval Timeout : 0

    Ctl Identifier : (null)

    Ctl Store Name : (null)

    DS Mapper Usage : Disabled

    Negotiate Client Certificate : Disabled

----------------------------------------------

The SSTP based connections from the client to this Server will go fine.

Now, the admin decides to configure an HTTPS site using IIS Server on the same server machine using the same Certificate SAC which is used for SSTP.

IIS7 gives an option to bind a particular Certificate to the HTTPS site in the UI. However this binds the certificate only to the IPv4 listener i.e. 0.0.0.0:443 and not to the IPv6 listener [::]:443. This works fine for both IPv4 and IPv6 based access to the HTTPS site published because IIS uses the same certificate which is bound to IPv4:443 for IPv6 address based access also.

 

However, SSTP requires that the certificate bound to both the listeners be the same.

So, based on the above fact, admin binds the Certificate SAC to 0.0.0.0:443 which will try to do a fresh binding to the 0.0.0.0:443 with the same certificate SAC which was already done by SSTP. This will not disturb the Certificate binding to 0.0.0.0:443 and [::]:443.

So, the HTTPS site access using IPv4/IPv6 address and SSTP connection will go fine.

So far, everything is fine.

Now, admin decides to remove this published HTTPS site or wants to bind it to a different Certificate. This will result in the removal of the Certificate SAC binding from 0.0.0.0:443 by IIS, as it assumes that it is the only application which is using it. So, the IP:Port binding at this point will look like as follows:-

G:UsersAdministrator>netsh http show ssl

SSL Certificate bindings:

-------------------------

    IP:port : [::]:443

    Certificate Hash : 3f399643ac981dd68726e4d99f90f7c5a349498a

    Application ID : {ba195980-cd49-458b-9e23-c84ee0adcd75}

    Certificate Store Name : MY

    Verify Client Certificate Revocation : Enabled

    Verify Revocation Using Cached Client Certificate Only : Disabled

    Usage Check : Enabled

    Revocation Freshness Time : 0

    URL Retrieval Timeout : 0

    Ctl Identifier : (null)

    Ctl Store Name : (null)

    DS Mapper Usage : Disabled

    Negotiate Client Certificate : Disabled

----------------------------------------------

As you would notice above, the binding of the Certificate to 0.0.0.0:443 is gone. Now, if the admin tries to make an SSTP based connection using IPv4 address of this Server from a client, it will FAIL. The reason behind it is that, in the SSL phase, the Server will not find any certificate bound to the IPv4:443 (which is 0.0.0.0:443) and so, it will fail.

Solution for this problem:-

----------------------------------------------

If both SSTP and IIS are configured on the same server using the same certificate and if the HTTPS site needs to be removed, the admin needs to follow the below procedure :-

Step 1) Remove the HTTPS site from the IIS.

Step 2)

Case 1:- Server has only one Server Authentication Or All Purpose Certificate in the store:-

netsh http delete ssl 0.0.0.0:443

netsh http delete ssl [::]:443

reg delete HKLMSYSTEMCurrentControlSetServicesSstpSvcParameters /v SHA256CertificateHash /f

net stop sstpsvc /y

net start remoteaccess

Case 2:- Server has more than one Server Authentication Or All Purpose Certificate in the store:-

netsh http delete ssl 0.0.0.0:443

netsh http delete ssl [::]:443

reg delete HKLMSYSTEMCurrentControlSetServicesSstpSvcParameters /v SHA256CertificateHash /f

netsh http add sslcert ipport=0.0.0.0:443 certhash= <SAC2 Cert Thumbprint> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

netsh http add sslcert ipport=[::

Comments