http://blogs.technet.com/b/rrasblog/archive/2009/05/26/configuring-rras-based-sstp-vpn-server-behind-f5-bigip-ssl-load-balancer.aspxHello All, In this blog, I will discuss how to load balance SSTP based VPN servers using a F5 BIGIP SSL load balancer. Lets look at the deployment scenario first: You are having a pool of RRAS based VPN servers hosted behind F5 BIGIP load balanceren-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/rrasblog/archive/2009/05/26/configuring-rras-based-sstp-vpn-server-behind-f5-bigip-ssl-load-balancer.aspx#3245816Tue, 26 May 2009 19:44:55 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3245816adimcev<p>Samir wrote:</p> <p>&quot;SSL Certificates: Import the SSL certificate that will be used during HTTPS negotiation. Please note: the subject name (CN) of the certificate should be same as the VPN destination name as configured inside VPN client.&quot;</p> <p>This may be partially correct for Windows SSTP clients. -;)</p> <p>If the certificate contains a SAN DNS Name entry, then this name will be verified by the client(at least according to my tests), if failed, the error on the SSTP client is inaccurate(will say that the CN was wrong, which was &nbsp;not the case).</p> <p>In practice, the CN may be the same with the SAN DNS Name entry, so one could not tell the difference and likely will not get any errors.</p> <p>If the SAN on the server's certificate contains multiple DNS Name entries, the SSTP client appears to be capable to &quot;consume&quot; these entries(at least I saw this behavior with Vista SP2 RC and Win 7 RC SSTP clients, which is pretty cool).</p> <p>The client's SSL Hello message contains the Extension: server_name with the name of the server configured on the VPN connection.</p> <p>Thanks,</p> <p>Adrian</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3245816" width="1" height="1">