Registry entries that Routing and Remote Access adds in Windows Server 2008

Article translations Article translations
Article ID: 947054 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

This article lists the registry entries that Routing and Remote Access adds in Windows Server 2008.

MORE INFORMATION

Registry entries for Secure Socket Tunneling Protocol

Note Secure Socket Tunneling Protocol (SSTP) is a new VPN tunneling protocol that is introduced in Windows Server 2008.

ListenerPort

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: ListenerPort
Data type: REG_DWORD
Default value: 0

You can use the ListenerPort registry entry to change the server-side TCP port on which the SSTP server listens. You can set this value to any valid 16-bit port number. If the value is set to 0, the SSTP server listens on the default port number, depending on the value of the UseHTTPS registry entry. For example, if the UseHTTPS registry entry is set to 1, the default listener port number is 443. If the UseHTTPS registry entry is set to 0, the default listener port number is 80. The ListenerPort registry entry is typically useful in configurations where the VPN server is behind a Network Address Translation (NAT) router or behind a reverse proxy. Notice that SSTP clients always connect to the TCP 443 port. This behavior cannot be configured from the clients.

UseHTTPS

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: UseHTTPS
Data type: REG_DWORD
Default value: 1

You can use the UseHTTPS registry entry to specify whether the SSTP server should listen on the HTTPS port or on the HTTP port. The SSTP server listens on the HTTP port if the value is set to 0. If the value is set to 1, the SSTP server listens on the HTTPS port. This registry entry is typically helpful in load-balancing scenarios. For example, a reverse Web proxy or an SSL load balancer may be configured to receive an HTTPS connection and open an HTTP connection to a remote access server.

NoCertRevocationCheck

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: NoCertRevocationCheck
Data type: REG_DWORD

You can use this registry entry to enable or to disable the SSL certificate revocation check that the VPN client performs during the SSL negotiation phase. Certificate revocation check will be performed if the value is set to 0. If the value is set to 1, certificate revocation check will be skipped. Notice that you should set this value to 1 only for debugging. Do not set this value to 1 in your production environment. By default, certificate revocation check is performed.

Sha256Enabled

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: Sha256Enabled
Data type: REG_DWORD

You can use the Sha256Enabled registry entry to enable SHA256 support for SSTP crypto binding. If this value is set to 1, SHA256 is enabled. In this case, the Sha256CertificateHash registry entry should contain an appropriate certificate hash. By default, Windows Vista clients support only SHA256. You may want to enable SHA1 on the server side if SSTP is supported on clients that do not support SHA256. If both SHA1 and SHA256 are enabled, SSTP will use the stronger crypto algorithm. By default, this registry setting is enabled.

Sha256CertificateHash

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: Sha256CertificateHash
Data type: REG_BINARY

The Sha256CertificateHash registry entry contains a certificate hash that is computed by SHA256. If the UseHTTPS registry entry is set to 1, Routing and Remote Access automatically populates the certificate hash the first time that Routing and Remote Access starts. To do this, Routing and Remote Access finds a computer certificate from the certificate store, and then Routing and Remote Access writes the hash to the Sha256CertificateHash registry entry.

Sha1Enabled

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: Sha1Enabled
Data type: REG_DWORD

You can use the Sha1Enabled registry entry to enable SHA1 support for SSTP crypto binding. If this value is set to 1, SHA1 is enabled. In this case, the Sha1CertificateHash registry entry will contain an appropriate certificate hash. By default, Windows Vista clients support only SHA256. You may have to enable SHA1 on the server side if SSTP is supported on clients that do not support SHA256. If both SHA1 and SHA256 are enabled, SSTP will use the stronger crypto algorithm. By default, this registry setting is disabled.

Sha1CertificateHash

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: Sha1CertificateHash
Data type: REG_BINARY

The Sha1CertificateHash registry entry contains a certificate hash that SHA1 computes. If the UseHTTPS registry entry is set to 1, Routing and Remote Access automatically populates the certificate hash the first time that Routing and Remote Access starts. To do this, Routing and Remote Access finds a computer certificate from the certificate store, and then Routing and Remote Access writes the hash to the Sha1CertificateHash registry entry. However, if the UseHTTPS registry entry is set to 0, you must manually deploy the certificate hashes to make sure that the VPN server and the SSL load balancer trust one another.

ServerUri

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: ServerUri
Data type: REG_SZ

The ServerUri registry entry is set to a value that contains the following value:
sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
You must not change this registry entry because it is read-only. This registry entry is typically useful in load-balancing scenarios. The load balancer receives an HTTPS connection that is specific to this URI, and then the load balancer redirects the connection to a remote access server. For example, if the server name is server.contoso.com, the exact HTTPS URI is as follows:
https://server.contoso.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/

Registry entries for IPv6 support

Note IPv6 refers to Internet Protocol version 6.

EnableIn

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6

Registry entry: EnableIn
Data type: REG_DWORD
Default value: 1

IPv6-based remote access and demand-dial routing are enabled if the EnableIn registry value is set to 1. If this value is set to 0, IPv6-based remote access and demand-dial routing are disabled.

AllowNetworkAccess

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6

Registry entry: AllowNetworkAccess
Data type: REG_DWORD

IPv6 forwarding is enabled if the AllowNetworkAccess registry entry value is set to 1. If this value is set to 0, IPv6 forwarding is disabled.

From

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6\StaticPrefixPool\0

Registry entry: From
Data type: REG_DWORD

The From registry entry specifies the starting prefix of the static IPv6 prefix pool.

To

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6\StaticPrefixPool\0

Registry entry: To
Data type: REG_DWORD

The To registry entry specifies the ending prefix of the static IPv6 prefix pool.

Registry entries for VPN tunnel encryption levels

AllowPPTPWeakCrypto

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

Registry entry: AllowPPTPWeakCrypto
Data type: REG_DWORD
Default value: 0

You can use the AllowPPTPWeakCrypto registry entry to enable the 40-bit encryption level and the 56-bit encryption level for PPTP tunnels. By default, these weak encryption levels are disabled.

AllowL2TPWeakCrypto

Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

Registry entry: AllowL2TPWeakCrypto
Data type: REG_DWORD
Default value: 0

You can use the AllowL2TPWeakCrypto registry entry to enable the Message Digest 5 (MD5) encryption level and the Data Encryption Standard (DES) encryption level for Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) tunnels. By default, these weak encryption levels are disabled.

Properties

Article ID: 947054 - Last Review: January 14, 2008 - Revision: 1.2
APPLIES TO
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
Keywords: 
kbhowto kbinfo kbexpertiseinter KB947054

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com