Tuesday, 11 January 2011

How to Setup Server 2008 SSTP VPN Server Introduction

Hope you all had a good Christmas! In the next couple of posts I will be showing you how to build SSTP VPN servers on Server 2008 R2. The process is a little involved and will cover not only RRAS configuration, but CA configuration and how to use the new Online Responder Service.
VPN technology has moved on in Windows Server 2008. We can now use SSTP (as far as I can see, just for 'Client to Router' connections). This means you can still VPN to a network in situations where the traditional technologies have been blocked (TCP 1723 for PPTP, for example). SSTP uses TCP 443.

A big problem I have found with SSTP VPN is the certificate revocation check. Before a client can connect to the VPN server, a certificate revocation check needs to be made. The client needs to access the certificate revocation list (CRL), which is on the CA but could be hosted on another server. This check uses HTTP, not HTTPS. This complicates things, because you don't want Internet-based clients connecting to an internal CA over unsecured HTTP just to check for revocation. Instead, you can publish the CRL to a Certificate Distribution Point (CDP) away from the CA, for example on a web server. The client receives the VPN certificate sent by the SSTP VPN server and must determine whether it has been revoked (by the way, depending on the method of client authentication, the client will also need the CA root certificate and perhaps a user certificate; more on this later). The client finds the CDP by reading the CDP extension on the VPN certificate (which is usually an Internet-registered DNS name). It makes an HTTP connection to the CRL web server and downloads the full CRL, checks the revocation status, and only then establishes the VPN to the SSTP VPN server.
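The CRL path described above, as an added example that is not part of the original post or of any Microsoft tooling: it uses openssl to stand up a throwaway CA, issue a "VPN server" certificate that carries a CDP extension, and then perform the same chain-plus-CRL validation that the SSTP client performs, first while the certificate is good and again after it has been revoked and a fresh CRL published. The CA name, the server name and the CDP URL `http://crl.example.test/vpn.crl` are constructed placeholders; nothing is fetched over the network, and the "download from the CDP" step is simply the CRL file sitting beside the certificate.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway PKI built with openssl
# to show what an SSTP client checks. All names and the CDP URL are placeholders.
set -eu

CDP_URL="http://crl.example.test/vpn.crl"   # constructed placeholder, not a real host

# Build the demo CA, the VPN server certificate and an initial (empty) CRL in a
# fresh temp directory; print the directory path for the other functions.
make_demo_pki() {
  work=$(mktemp -d)
  cd "$work"
  cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_vpn ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:$CDP_URL
EOF
  : > index.txt
  echo 1000 > serial
  echo 01 > crlnumber
  # Self-signed root CA, then the VPN server certificate signed by it.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Root CA" -days 30 -config ca.cnf -extensions v3_ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout vpn.key -out vpn.csr \
    -subj "/CN=vpn.example.test" -config ca.cnf 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -extensions v3_vpn \
    -in vpn.csr -out vpn.crt 2>/dev/null
  # First CRL: nothing revoked yet. This is the file the CDP would serve.
  openssl ca -config ca.cnf -gencrl -out vpn.crl 2>/dev/null
  echo "$work"
}

# What the client reads from the server certificate: the CDP extension URL.
cdp_from_cert() {  # $1 = pki dir
  openssl x509 -in "$1/vpn.crt" -noout -text \
    | grep -A4 'CRL Distribution Points' | grep -o 'URI:[^ ]*' | sed 's/^URI://'
}

# The revocation check itself: validate the chain against the CA and the CRL,
# which is what the client does once it has the CRL. Prints "good" or "revoked".
vpn_cert_status() {  # $1 = pki dir
  if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/vpn.crl" \
       "$1/vpn.crt" >/dev/null 2>&1; then
    echo good
  else
    echo revoked
  fi
}

# What the CA administrator does: revoke the certificate and publish a new CRL.
# Until the new CRL reaches the CDP, clients keep trusting the old one.
revoke_vpn_cert() {  # $1 = pki dir
  (cd "$1" && openssl ca -config ca.cnf -revoke vpn.crt 2>/dev/null \
           && openssl ca -config ca.cnf -gencrl -out vpn.crl 2>/dev/null)
}

# Stand-alone run: good before revocation, revoked afterwards.
pki=$(make_demo_pki)
echo "CDP in certificate: $(cdp_from_cert "$pki")"
echo "before revocation:  $(vpn_cert_status "$pki")"
revoke_vpn_cert "$pki"
echo "after revocation:   $(vpn_cert_status "$pki")"
rm -rf "$pki"
```

The point to notice is in `revoke_vpn_cert`: revocation only takes effect for clients once the regenerated CRL is actually published at the CDP, so the CRL file on the web server must be refreshed before its validity period (`default_crl_days` here) runs out, or clients either trust a stale list or fail the check entirely.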

Server 2008 supports not only the traditional CRL method of revocation checking but also the Online Responder Service (OCSP). The main advantage is that the client does not need to download a CRL periodically; it gets an accurate point-in-time status check for the certificate sent by the VPN server. A downside to OCSP is that it is supported by Windows 7 and Vista clients only.
