
Hello friends,

We get questions, queries, feedback and requests for clarification about VPN connections from many people through e-mail. I felt some of these Q&As might help people who face similar issues, so here is the list, posted as a Q&A.

Query 1: IPv6 not supported on XP; use a Vista client

Customer:

Requirement: Access the machines in the Private Network (the other side of the VPN Server) from a VPN Client using both IPv4 and IPv6 addresses

Current Implementation:

· I have setup the same using the Routing and Remote Access Feature of the Windows Server 2008.

· I have enabled the machine as both an IPv4 router and an IPv6 router, and it acts as both an IPv4 Remote Access Server and an IPv6 Remote Access Server.

· I have assigned the range of IPv4 addresses for the respective network adaptor.

· I have also specified the IPv6 prefix assignment value (2001:db8:0:1::1)

Problem: Only the IPv4 address communication is possible, IPv6 address is not assigned to the VPN Client by the VPN Server.

Kindly help me with this.

rrasblog:

1) The IPv6 prefix assigned on RAS server should be /64 - can you change it to 2001:db8:0:1:: and see if it works

2) I presume your VPN client is running Vista. Please confirm

3) Can you send the "route print" output of both VPN client and VPN server - after the VPN connection is established

Customer:

The VPN Client I'm using is Windows XP and the VPN Server is Windows Server 2008.

rrasblog:

Windows XP based VPN client doesn’t support IPv6. IPv6 is only available in Vista. Please try Vista as VPN client

Query 2: Get the VPN client's remote IP

Customer:

I'm wondering if you can cover on the RRAS blog how an admin like me running RRAS on 2k3 can determine easily the public IP addresses of my clients attached to my server?

rrasblog:

Unfortunately we don't have a mechanism to display the public IP address of a client in the RRAS MMC or netsh.

But you can find it indirectly on RRAS server by running netstat command

Netstat -aon | findstr 1723

(assuming clients are connecting with PPTP i.e. using port 1723; if l2tp - change the port to 500).

We will try to post something on this in the blog soon.

Query 3: Managing Windows Server 2003 RRAS from Vista

Customer:

Hello all, I have a question and I thought this might be the best place to ask. How does an Admin run the RRAS tool on Vista to manage a W2K3 box without TS in?

rrasblog:

Currently there is no other way other than TS in. The RSAT package for remote administration of Vista does not have a tool to manage remote RRAS servers.

Query 4: Vista VPN disconnection issue

 

Customer:

I am using a default VPN connection from my Vista Premium SP1 to a Windows Server 2003. Everything works fine when connecting and working online via the VPN connection (file access, file replication, Exchange mail etc.), except when I disconnect the VPN connection. When I try to disconnect, Vista seems to have a problem closing the connection, the system slows down and after a while all network related services (seemingly) start hanging. Ultimately I need to restart the computer, and often I need to perform a "hard" boot because Vista can't close down.

rrasblog:

I am not sure if we can track down the issue from the NETSH logs this time; can you try a couple of steps please:

Disable IPV6 :

To disable IPv6 components in Windows Vista, follow these steps:

1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.

2. In the User Account Control dialog box, click Continue.

3. In Registry Editor, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

4. Double-click DisabledComponents to modify the DisabledComponents entry.

Note: If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:

a. In the Edit menu, point to New, and then click DWORD (32-bit) Value.

b. Type DisabledComponents, and then press ENTER.

c. Double-click DisabledComponents.

d. Type any one of the following values to configure the IPv6 protocol, and then click OK:

e. Type 0xffffffff to disable all IPv6 components, except the IPv6 loopback interface. This value also configures Windows Vista to use Internet Protocol version 4 (IPv4) instead of IPv6 in prefix policies.

Disable Autotuning:

1. Click Start, click All Programs, click Accessories, and then click Command Prompt.

2. At the command prompt, type the following command, and then press ENTER:

netsh interface tcp set global autotuninglevel=disabled

Note: You must restart your computer for these changes to take effect.

Uninstall third party firewall software

Uninstall any third party firewall software you have. Just disabling will not help, you will need to uninstall and check.

Customer:

Thanks for your advice. The first two measures did not help. But after uninstalling Symantec Endpoint Protection, this seems to solve the problem.

Query 5: VPN disconnects after some time

Customer:

I have a VPN connection to my company which I created under vista.  It seems to be working properly but it has one odd behavior.  After 5 minutes or so  the connection will disappear from both the “Network and Sharing Center” and from the list of active connections popped up under the taskbar network connection icon.  This makes it harder to tell when I’m connected to the VPN and I sometimes may forget to disconnect it as a result.  Other than the fact that it has disappeared it still seems to work properly – I can access my company network and the internet just fine.

rrasblog:

If you have Vista, do you have Service Pack 1 installed on this client?

If not, can you please check whether this also happens once you have Service Pack 1 installed.

Windows Vista Service Pack 1 Five Language Standalone (KB936330)

http://www.microsoft.com/downloads/details.aspx?displaylang=de&FamilyID=b0c7136d-5ebb-413b-89c9-cb3d06d12674

Customer:

Thanks for the suggestion of SP1.  After installing it the VPN connection has remained up for 4 hours without disappearing from the network and sharing center and the ipv4 connectivity remains as ‘Internet’.

Query 6: Internal interface question

Customer:

On the Ras, after a reboot should the internal adapter card get an IP address with no one connected. Or does it only get an IP address when someone VPN's in.

rrasblog:

The internal interface is created (and gets an IP address) when the first VPN client connects. So after the reboot, you'd not see the internal interface IP address.

Query 7: Unable to load RAS administration DLL

Customer:

I'm trying to restrict one connection per user following your post http://blogs.technet.com/rrasblog/archive/2007/12/20/steps-to-develop-a-ras-administration-dll-using-visual-studio.aspx, but the RRAS service fails to start. The errors are as follows:

ID:32

No se encontró el ensamblaje dependiente Microsoft.VC80.DebugCRT y el error final fue El ensamblaje referido no está instalado en su sistema.

ID:20113

No se puede cargar el componente DLL del host de administración RAS de terceros. Error: No se pudo iniciar la aplicación porque su configuración es incorrecta. Reinstalar la aplicación puede solucionar el problema.

rrasblog:

Mauro, From the error messages, it looks like some .NET issue. Have you verified that the .NET framework on which you are building this DLL is the same (or compatible) with that on the RRAS server? Or try copying the Microsoft.VC80.DebugCRT dll from the machine where you build this to the server and check.

Basically, when the RRAS server starts it tries to load this DLL, but because a dependency is missing the DLL cannot be loaded. So RRAS fails to start.

Customer:

It's working, I forgot to copy the .lib file to the RRAS server.

So that is it for now. We will keep posting these as a series.

Janani Vasudevan
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Hello all,

    I thought it would be worthwhile to blog a post specifically on this topic. I've seen quite a number of people having this requirement to limit the number of VPN connections that can be made to the VPN server using a particular username to just one. And I did take this one as the example program in my earlier post about developing a RAS administration DLL. However, I thought it would be good to elaborate a little more on what the DLL actually does.

You can refer to the code (attached as a rtf file) in this post --> http://blogs.technet.com/rrasblog/archive/2007/12/20/steps-to-develop-a-ras-administration-dll-using-visual-studio.aspx

Among all the callback functions that we have implemented, the two important ones to consider are MprAdminConnectionHangupNotification2 and MprAdminAcceptNewConnection2. These are the functions where we do processing when there is a client connection/disconnection coming.

Let's take MprAdminAcceptNewConnection2 first. This function has the following prototype:

BOOL WINAPI
MprAdminAcceptNewConnection2(RAS_CONNECTION_0 * pRasConnection0,
                             RAS_CONNECTION_1 * pRasConnection1,
                             RAS_CONNECTION_2 * pRasConnection2)

When there is a connection coming from the client, this callback is called with the parameters populated. Let's use the pRasConnection2 parameter for our processing. This structure RAS_CONNECTION_2 has the following format:

typedef struct _RAS_CONNECTION_2 {
  HANDLE hConnection;
  WCHAR wszUserName[UNLEN + 1];
  ROUTER_INTERFACE_TYPE dwInterfaceType;
  GUID guid;
  PPP_INFO_2 PppInfo2;
} RAS_CONNECTION_2, *PRAS_CONNECTION_2;

 

The wszUserName member is the one of interest to us: it contains the name of the user who is connecting. We want to ensure that if there is already an active connection on this server from this user, the new connection is refused. So we need to do some book-keeping to keep track of the users who currently have an active connection on the server.

 

For this we maintain a linked list in this example. When a client connects, we check if the username already exists in the list. If yes, we reject the connection, else we allow the connection to go through and add the username to the list.

 

When a connection is disconnected, the callback MprAdminConnectionHangupNotification2 is called. This function's prototype is as below:

VOID WINAPI
MprAdminConnectionHangupNotification2(RAS_CONNECTION_0 * pRasConnection0,
                                      RAS_CONNECTION_1 * pRasConnection1,
                                      RAS_CONNECTION_2 * pRasConnection2)

 

Again here, we get the username from the pRasConnection2 structure and delete that user from the list.

 

Coming to the implementation in detail, you can see that we are keeping track of the user's security identifiers (SID) rather than the name itself. This is because a username can be represented in many ways - DOMAIN\USER, USER@DOMAIN etc. However, the SID is the same across. So we convert the username to user SID and store it in the list that we maintain.

 

Apart from this, during the DLL initialization, we also create a log file for debugging.

 

The linked list is just to explain the logic of how this is accomplished using an administration DLL. However, we can use better ways of storing this information so that a lookup is cheap, thereby ensuring less delay during connection.
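As an added example (not the blog's attached UserRestrict.c, and not RRAS code), here is the accept/hangup bookkeeping described above written as portable C so it can be compiled and run anywhere. It assumes a constructed name-to-SID table standing in for LookupAccountNameW, an integer handle standing in for hConnection, and, going slightly beyond the post, keys each hangup on the connection handle rather than on the user, so a hangup for a connection that was refused cannot evict the user's legitimate session.

```c
/* Added example: one-VPN-connection-per-user bookkeeping, portable C.
 * In the real admin DLL, accept_connection() is what MprAdminAcceptNewConnection2
 * would call with pRasConnection2->hConnection and ->wszUserName (converted to a SID
 * via LookupAccountNameW), and hangup_connection() is what
 * MprAdminConnectionHangupNotification2 would call. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for LookupAccountNameW: several spellings of one account
 * resolve to the same SID, which is why the list is keyed on SIDs, not names. */
static const struct { const char *name; const char *sid; } directory[] = {
    { "CONTOSO\\alice",    "S-1-5-21-1111-2222-3333-1001" },   /* constructed SID */
    { "alice@contoso.com", "S-1-5-21-1111-2222-3333-1001" },   /* same account, UPN form */
    { "CONTOSO\\bob",      "S-1-5-21-1111-2222-3333-1002" },
};

static const char *lookup_sid(const char *username)
{
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].name, username) == 0)
            return directory[i].sid;
    return NULL;   /* unknown account: caller refuses the connection */
}

/* One node per active connection: the SID identifying the user plus the connection
 * handle, so that a hangup removes exactly the session it belongs to. */
struct active_conn {
    unsigned long handle;               /* stands in for RAS_CONNECTION_2.hConnection */
    char sid[64];
    struct active_conn *next;
};

/* The callbacks can run concurrently inside the RRAS host; guard this list with a
 * critical section there. Left out here to keep the example portable. */
static struct active_conn *active_list = NULL;

static struct active_conn *find_by_sid(const char *sid)
{
    for (struct active_conn *n = active_list; n; n = n->next)
        if (strcmp(n->sid, sid) == 0)
            return n;
    return NULL;
}

/* Returns true to accept (and records the session), false to refuse. */
bool accept_connection(unsigned long handle, const char *username)
{
    const char *sid = lookup_sid(username);
    if (sid == NULL)
        return false;                   /* cannot identify the user: refuse */
    if (find_by_sid(sid) != NULL)
        return false;                   /* user already has a live connection */
    struct active_conn *n = calloc(1, sizeof *n);
    if (n == NULL)
        return false;
    n->handle = handle;
    strncpy(n->sid, sid, sizeof n->sid - 1);
    n->next = active_list;
    active_list = n;
    return true;
}

/* Removes the node with this handle; returns false if no such session was recorded,
 * which is what happens for the hangup of a connection we refused. */
bool hangup_connection(unsigned long handle)
{
    for (struct active_conn **pp = &active_list; *pp; pp = &(*pp)->next) {
        if ((*pp)->handle == handle) {
            struct active_conn *gone = *pp;
            *pp = gone->next;
            free(gone);
            return true;
        }
    }
    return false;
}

size_t active_count(void)
{
    size_t n = 0;
    for (struct active_conn *c = active_list; c; c = c->next)
        n++;
    return n;
}

int main(void)
{
    printf("alice (DOMAIN\\user):  %s\n", accept_connection(1, "CONTOSO\\alice") ? "accepted" : "refused");
    printf("alice (UPN form):     %s\n", accept_connection(2, "alice@contoso.com") ? "accepted" : "refused");
    hangup_connection(2);               /* hangup of the refused attempt: no-op */
    printf("bob:                  %s\n", accept_connection(3, "CONTOSO\\bob") ? "accepted" : "refused");
    hangup_connection(1);               /* alice disconnects */
    printf("alice reconnects:     %s\n", accept_connection(4, "alice@contoso.com") ? "accepted" : "refused");
    printf("active sessions: %zu\n", active_count());
    return 0;
}
```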

 

Hope this helps.

 

Let us know if you would like to hear about something specific. Drop us a line at rrasblog@online.microsoft.com **

 

** Remove the online from the email ID to actually mail us.

 

Janani Vasudevan
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

 

 

   


Hello,

 

As you know, in Windows Server 2008 (WS08) we have removed the “Basic Firewall” functionality in RRAS which existed in Windows Server 2003 (WS03).

 

This leads to the following security implications which you should carefully consider when configuring RRAS on WS08:

 

1)      If you were running WS03 enabled for RRAS as a VPN server with inbound/outbound filters and you upgrade to WS08, after update:

a.       You don’t need to do anything extra in terms of RRAS inbound/outbound filter configuration (i.e. all your RRAS inbound/outbound filter settings will get migrated from WS03 to WS08)

b.      WS08 will come up with Windows Firewall turned on. Now you have two packet filtering engines enabled (RRAS inbound/outbound filters AND Windows Firewall). Read [1] to understand the differences between the two and in which scenario to use which one.

 

2)      If you were running WS03 enabled for RRAS as a NAT router with “Basic Firewall” and you upgrade to WS08, after upgrade:

a.       Manually turn on Windows Firewall (Note: This is needed because in WS03, Windows Firewall was turned off when RRAS was enabled with Basic Firewall; and Basic Firewall is removed in WS08). Open Windows Firewall by clicking on Start->Control Panel->Windows Firewall->Change Settings. Click on “On”.

 

b.      Validate all the “exemptions” that are added inside Windows Firewall. As Windows Firewall settings are global to the machine, all the ports that are opened as exemptions will be visible from the public as well as the private NICs of RRAS.

 

In case of RRAS, the following ports are opened to allow traffic from remote access users using different forms of VPN tunnels:

                TCP Port 1723: PPTP control traffic
                IP Protocol 47: PPTP data (GRE) traffic
                UDP Port 1701: L2TP traffic
                UDP Port 500 and 4500: L2TP/IPSec IKE traffic
                IP Protocol 50: L2TP/IPSec data (ESP) traffic
                TCP Port 443: SSTP control and data traffic

 

Additionally, the following ports are opened to allow remote manageability of VPN servers:

                TCP Port 135: RPC Endpoint mapper service
                Dynamic RPC port: Dynamic ports opened by the RPC service for DCOM traffic

 

c.       If you would like to block ports from the public side (let us say the remote manageability ports), you can do so in “Windows Firewall with Advanced Security”.

1)      Click on Start->Administrative Tools->Windows Firewall with Advanced security.

2)      Go under Inbound rules. Search for the two rules with names starting with “Routing and remote access remote management”. View the properties of the rules.

3)      Add two new rules by clicking on “New Rule” under the Action tab. Give this rule the same properties as the “Routing and remote access management” rules, but with a specific “Local Address” equal to the public NIC IP address AND the action set to “Block the connections” (i.e. block remote manageability on the RRAS public NIC’s address).

 

OR alternate way is to disable both the rules with names starting “Routing and remote access remote management” and create new rules with properties similar to the disabled rules and in addition set the local address to the IP address of the private NIC and set remote address to specific subnet from which to accept remote manageability requests.

4)      Repeat steps 2 and 3 for Outbound rules

 

3)      If you do a fresh install of WS08, install the RRAS role via Server Manager and configure the RRAS role:

a.       If you have configured RRAS wizard with inbound/outbound filters that drops all traffic except VPN traffic -  you don’t need to do anything extra (because RRAS opens only VPN traffic on the public interface which anyways is required as a VPN server role)

b.      If you have configured RRAS without inbound/outbound filters (let us say enabled for NAT scenario and inbound/outbound filters don’t co-exist with NAT), you need to follow steps 2b) and 2c) as given above.

 

For any queries, feel free to write to us at the email address given above

 

References:

[1] RRAS Server in Windows server 2008: Which one to use - Windows firewall or RRAS filters

[2] Ports affecting the VPN connectivity

[3] RRAS static packet filters - do's and don'ts

[4] Which ports to unblock for VPN traffic to pass-through

 

Cheers,

Samir Jain
Senior Program Manager
Windows Enterprise Networking

 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

 

Hello,

 

If you would like to use an SSTP based VPN server (which is part of the RRAS server in Windows Server 2008) behind an ISA 2006 firewall, please refer to the following articles – thanks a bunch to Thomas Shinder:

http://www.isaserver.org/tutorials/Publishing-Windows-Server-2008-SSL-VPN-Server-Using-ISA-2006-Firewalls-Part1.html

http://www.isaserver.org/tutorials/Publishing-Windows-Server-2008-SSL-VPN-Server-Using-ISA-2006-Firewalls-Part2.html

 

Samir Jain
Senior Program Manager
Windows Enterprise Networking

 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

 


Hi All,

Virtual Lab for deploying the SSTP Remote Access is available at http://go.microsoft.com/?linkid=8316925 or http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032370149&EventCategory=3&culture=en-US&CountryCode=US.

Cheers,

Abhishek Tiwari (abhisht@online.microsoft.com **)

Sr. Lead Program Manager

Windows Core Operating System Networking Division

** Remove the "online" to actually email me 

[This posting is provided "AS IS" with no warranties, and confers no rights.]


Dear Readers,

Happy New Year to all our readers (on behalf my entire team !)

I expect 2008 to be a great year for all RRAS customers, with Windows Server 2008 and Vista SP1 getting released. This means our customers can leverage NAP based health checks of remote access clients, use IPv6 based ubiquitous connectivity and the SSTP based firewall traversal capability of VPN connections. In addition, we have done a lot of work in improving the manageability (integration with Server Manager, enhanced management pack, more netsh based scripting) and security (removing weak crypto and adding stronger ones) of the RRAS server.

If you have any feedback for us or some topic you would like to hear more about via our blogs, please share your comments on this blog or reach us via the email link given above.

Samir Jain (on behalf of entire RAS team)
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

SSTP as you know requires a machine certificate to be installed on the VPN server.

Most of the time, when administrators need this machine certificate, they can configure a CA server and get the certificates from this CA. But for this to work, the CDPs (CRL Distribution Points) need to be published on some server located on the Internet so that the client machines can access it to perform the certificate revocation check during the SSL phase.

If you don't plan to deploy your own CA as well as CDP servers, you can obtain a machine certificate from a third party Certificate Authority.

These third party Certificate Authorities need a Certificate Request file to generate the requested certificate. This post describes how to generate this Certificate Request file on a Windows Server 2008 machine.

Here are the steps to generate the Certificate Request File.

- Go to any Windows Server 2008.

- Open MMC.

- Add the Certificate Snap-in for the “Computer Account”.

- Now, right click on “Personal” and select “All tasks”->”Advanced Operations”->”Create custom request” as shown below:-

 

[Screenshot: CertReq1]

 

- You will see the following GUI :-

[Screenshot: CertReq2]

Press “next” on this GUI. You will get the following GUI:-

[Screenshot: CertReq3]

Press Next on this window. Now, you will get the following GUI which will be used to configure the various properties of the Certificate:-

[Screenshot: CertReq4]

Click on the “Details” tab, which will show the “Properties” button. Click on “Properties” to set the properties of this certificate. This will pop up the following new GUI:-

[Screenshot: CertReq5]

Enter the Certificate’s Friendly name and description of your choice. Sample name and description are entered above.

Press the “Subject” tab present at the top of this window. You will see the following GUI:-

[Screenshot: CertReq6]

On this window, you will need to specify the Subject name of the certificate. Select “Type” as “Common Name” in the Subject Name and then enter the name of the Certificate in the “Value” field. In the above sample, I have entered the IP address of the SSTP Server. You can specify any name also here. Now Press “Add” button.

Now click on the “Extensions” tab present at the top of this window. You will see the following window:-

[Screenshot: CertReq7]

In this window, click in front of the “Extended Key Usage (application policies)”. You will have to select the EKU (Extended Key Usage) of the Certificate. This will be “Server Authentication” for SSTP. Select “Server Authentication” and then Press “Add” button.

Now Click on the “Private Key” present at the top of this window. You will see the following window:-

[Screenshot: CertReq8]

Here, click in front of  “Key Options” and then Check the “Make private key exportable”. Press “Apply” button and then Press the “OK” button.

Now press “Next”. You will be shown the following window where you will have to specify the path of the Certificate Request file :-

[Screenshot: CertReq9]

After specifying the name and path of the certificate request file, press “Finish” button.

A Certificate Request File will be generated in the location you have specified above.

- If you open it with Notepad, it will somewhat look like as follows:-

-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----

You will have to make use of this certificate request content to generate the certificate on the Public Certificate Authority.

 

Thanks,

Amit Kumar
Software Design Engineer/Test (amkuma@online.microsoft.com**),
RRAS, Windows Enterprise Networking, Microsoft.

** Remove the "online" to actually email me

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Hello folks! We saw how useful a RAS administration DLL can be to admins who want to control what the RRAS server does. In this post, let us see how we can develop a RAS administration DLL using Visual Studio.

I have often seen requirements from admins to control the VPN server such that only one VPN connection can be made to a server using a single user name. This is basically to prevent users from distributing their usernames and hence resulting in lot of connections with the same username. So let us design and write a RAS administration DLL for this purpose.

Let us call it RestrictOneConnPerUser.dll.

Pre-requisites:

  • Microsoft Visual Studio 2005

Start building the RAS administration DLL

1) Create New Project: Open Microsoft Visual Studio and create a new project.

[Screenshot: solnopern]

2) Select Project type: When you are asked to select the type of project, select Visual C++ --> Win32 --> Win32 Project. Type the name of the project as 'RestrictOneConnPerUser' and click on 'OK'.

Note down the location that is given in the 'Location' drop down. Your project would be created at this location. So the source files for your project will have to be copied to the C:\Users\User1\Documents\Visual Studio 2005\Projects\RestrictOneConnPerUser 

[Screenshot: newprojdll]

3) Choose Project Options: In the Win32 project type selection wizard that follows, select 'DLL' as the project type and choose 'Empty project'. Click on 'Finish'.

[Screenshot: proj1]

[Screenshot: proj2]

4) Write code: Now we have created a DLL project. The next step is to add the code. Let's do that now. Download the file which is provided as an attachment to this post. The file has the code for three files - the header file, the C source and the exports definition file - for the DLL.

Click on Start --> Run --> Type 'notepad' --> Copy all the contents from the attached doc under 'UserRestrict.h' to the notepad and Save the file as 'UserRestrict.h'

Similarly, open new notepad files, paste the contents of  'UserRestrict.c' and 'UserRestrict.def' and save them with the names 'UserRestrict.c' and 'UserRestrict.def'.

Now, copy all these three files to the project location, which would be C:\Users\User1\Documents\Visual Studio 2005\Projects\RestrictOneConnPerUser for us now.

5) Include code files in project: Once the code has been written, it then has to be included in the Project. The below snapshot will show you how to do it.

Right click on the project --> Add --> Existing Item --> Browse to the solution directory which is C:\Users\User1\Documents\Visual Studio 2005\Projects\RestrictOneConnPerUser. Select the file and add it to the project. Do this for the header and the C file.

[Screenshot: hdrexisitem]

[Screenshot: hfileexisting]

[Screenshot: cfileexisting]

[Screenshot: cfileexistingselect]

6) Edit Project Properties: Now, we have created the project, added the code. The only thing left now is to build it and get our DLL! Ok, before that we would need to edit some project properties - to include additional libraries that this code needs, to specify that you want a C file like compilation (not C++) etc.

The steps that you would need to follow are outlined by the snapshots below:

Open the project properties by right clicking on the Project --> Select Properties.

[Screenshot: projprop]

This will open up a window as below. Browse to 'Linker' --> 'Input' in the left hand side tree. You will see options like 'Additional dependencies', 'Ignore all default libraries' etc. on the right hand side. This is how it will look for the project we created.

We would be adding 'Additional dependencies' and the 'Module Definition File' for our project.

[Screenshot: defandlibs]

The below snapshot shows the additional dependency libraries that we need to add and the module definition file. The module definition file is nothing but the .DEF file that we created and copied to the solution folder in Step 4 above.

Once you have added the libraries and modified the module definition file, click on 'Apply' to save the settings.

[Screenshot: defandlibsdone]

There's just one more property that we would like to change i.e. to instruct the compiler to compile this as a C code. This is done by browsing to the 'Configuration Properties' --> C/C++ --> Advanced on the left pane. Then, edit the option 'Compile As' on the right pane and select 'Compile as C code (/TC)' from the dropdown list. Click on 'Apply' to save the settings.

We are done with editing the project properties. So you can click 'OK' to go back to the project.

The below snapshots will help illustrate this.

[Screenshot: compileasc]

7) Build the code: We are all ready to build the code now. Right click on the Project --> click on 'Build Solution'. If everything goes well, you will see that the build succeeded and the DLL is present in the binaries location. For us, the binaries location would be C:\Users\User1\Documents\Visual Studio 2005\Projects\RestrictOneConnPerUser\Debug. You will find the DLL RestrictOneConnPerUser.dll here.

Here we are!! Our own admin DLL is ready. We just have to deploy this on the RRAS server as per the deployment guidelines in MSDN. You can refer to it here.

[Screenshot: build]

Folks - That's it for now. I'll come back with another post explaining what the code actually does to restrict only one connection per user. Feel free to post any comments/queries to rrasblog@online.microsoft.com**

**Remove the 'online.' from the mail ID above to actually mail us.

Janani Vasudevan
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Hello everyone. I understand that all of you would be busy checking out Vista and its cool features. However, for this post I decided to write about something which is very powerful but is little known - RAS administration DLL. The post will outline the use of a RAS administration DLL and will touch upon the basics of how to start writing your own customized RAS administration DLL.

The admin DLL or the RAS administration DLL is loaded by RRAS during service startup. During service startup, the MprAdminInitializeDll function of the admin DLL is called. And during service shutdown, MprAdminTerminateDll is called.

  •  When would you use a RAS administration DLL?

When you want to control connections to the RRAS server based on the user who connects, the port on which the user connects or any other property of the connection; or if you want to assign an IP address of your choice to the connecting client; or if you just want to audit/log the connection information for later reference; and RRAS doesn't support it inherently, then it is time to write your own admin DLL to do what you require. Some typical scenarios which would require a RAS administration DLL are: to ensure that there can be only one VPN connection from a particular user, to ensure that particular users are not allowed to connect, to ensure that all connections of a particular media type are rejected, etc.

  • How would you start writing your own RAS administration DLL?

A RAS administration DLL must implement and export all of the following functions:

MprAdminAcceptNewLink

MprAdminInitializeDll

MprAdminLinkHangupNotification

MprAdminTerminateDll

Typically, you will write three files, say, MyRasAdminDLL.h (which contains the #includes, #defines and data structures that you might use in the code), MyRasAdminDLL.cpp (which implements all of the above functions) and MyRASAdminDLL.def (which is the module definition file for the DLL and exports all of the above functions and anything else that you implement).

If you do not want to implement any of these functions, just return TRUE or return as the function requires.

 The complete list of Admin callback functions that you can implement is available here. (Be careful to note the operating system that supports the functions and use accordingly)

In the next post, we will see how to develop a RAS administration DLL using Visual Studio. See you soon!

Janani Vasudevan
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

 

Windows VPN Server- Interaction with Network Infrastructure Components

 

Join us for a live web chat to discuss your queries regarding the deployment and configuration of the VPN server and its interaction with other network infrastructure services. This web chat will focus on Routing and Remote Access Server (RRAS) configuration and its interoperability with DNS, NAT, Firewall and RADIUS servers. Your feedback on our product is extremely valuable to us.

 

Thursday, November 29, 2007
10:00 - 11:00 A.M. Pacific Time
11:00 - 12:00 P.M. Mountain Time
18:00 - 19:00 GMT

Join the chat room: www.microsoft.com/technet/community/chats/chatroom.aspx

This post describes how SSTP can be affected by configuring an IIS server on the same machine, and how to fix the problem without moving the IIS server to a different machine.

 

Let us first see what kind of issue can arise if IIS is configured along with SSTP on the same server.

 

Let's say that SSTP is configured on the Server using a Server Authentication Certificate (SAC). The IP:Port binding will look like as follows:-

 

G:\Users\Administrator>netsh http show ssl

SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 3f399643ac981dd68726e4d99f90f7c5a349498a
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
    Certificate Hash        : 3f399643ac981dd68726e4d99f90f7c5a349498a
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled
----------------------------------------------

 

The SSTP based connections from the client to this Server will go fine.

Now, the admin decides to configure an HTTPS site using IIS Server on the same server machine using the same Certificate SAC which is used for SSTP.

 

IIS7 gives an option to bind a particular Certificate to the HTTPS site in the UI. However this binds the certificate only to the IPv4 listener i.e. 0.0.0.0:443 and not to the IPv6 listener [::]:443. This works fine for both IPv4 and IPv6 based access to the HTTPS site published because IIS uses the same certificate which is bound to IPv4:443 for IPv6 address based access also.

 

However, SSTP requires that the certificate bound to both the listeners be the same.

 

So, based on the above, the admin binds the certificate SAC to 0.0.0.0:443 in IIS, which attempts a fresh binding to 0.0.0.0:443 with the same certificate SAC that SSTP had already bound. This does not disturb the certificate bindings on 0.0.0.0:443 and [::]:443.

So, the HTTPS site access using IPv4/IPv6 address and SSTP connection will go fine.

 

So far, everything is fine.

 

Now, the admin decides to remove this published HTTPS site or wants to bind it to a different certificate. This results in IIS removing the certificate SAC binding from 0.0.0.0:443, as it assumes that it is the only application using it. So, the IP:Port binding at this point will look as follows:-

 

G:\Users\Administrator>netsh http show ssl

SSL Certificate bindings:
-------------------------

    IP:port                 : [::]:443
    Certificate Hash        : 3f399643ac981dd68726e4d99f90f7c5a349498a
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled
----------------------------------------------

 

As you would notice above, the binding of the Certificate to 0.0.0.0:443 is gone. Now, if the admin tries to make an SSTP based connection using IPv4 address of this Server from a client, it will FAIL. The reason behind it is that, in the SSL phase, the Server will not find any certificate bound to the IPv4:443 (which is 0.0.0.0:443) and so, it will