Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
This article describes how to configure a Secure Socket Tunneling Protocol (SSTP)-based VPN server behind a network address translation (NAT) device in Windows Server 2008.
SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and Remote Access Server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol (PPP) packets to be encapsulated over HTTP. This allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this allows for a VPN connection to be established through an HTTP proxy device.
The information is this article is more likely to apply to a small-sized or medium-sized organization. For these kinds of organizations, it is common to have one public IP address that is assigned to the external interface of a NAT router or of a gateway device. This article describes the following scenario:
You have a Windows Server 2008-based Secure Socket Tunneling Protocol (SSTP)-based VPN server.
The server is assigned a private IP address.
The server is located on an internal network behind a NAT device.
The information in this article relates to the following networking configuration example:
A NAT device has the following IP address assignments:
The following public routable IP address is assigned to the external interface: 220.127.116.11
The following private non-routable IP address is assigned to the internal interface: 192.168.0.1
On a DNS server that can be accessed externally, the public IP address 18.104.22.168 is mapped to the following fully qualified domain name (FQDN): vpn-1.contoso.com.
A Windows Server 2008-based Routing and Remote Access server has the following IP address assignments:
IP address: 192.168.0.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To configure a SSTP-based VPN server in the scenario that is described in the "Overview" section, follow these steps:
Configure the NAT device to redirect SSTP traffic from the external network to the Windows Server 2008-based computer that will act as the SSTP-based VPN server. Specifically, redirect incoming traffic as follows:
Source IP address: 22.214.171.124 (the external interface)
Source port: TCP 443
Destination IP address: 192.168.0.2 (the IP address of the Routing and Remote Access server)
Destination port: TCP 443
Note By default, the SSTP-based VPN server listens on TCP port 443. However, you can change this to another port, as appropriate for your requirements. For more information about how to do this, see step 5.
Install a computer certificate on the Windows Server 2008-based computer. This certificate must have a subject name (CN) that is the same as the host name to which the VPN clients connect. This is required for SSL negotiation to succeed.
If a VPN client is configured to connect to the public IP address of the NAT device (126.96.36.199), the subject name of the certificate must be 188.8.131.52.
If a VPN client is configured to connect to the FQDN (vpn-1.contoso.com) that can be accessed publicly, the subject name of the certificate must be vpn-1.contoso.com.
Use the Server Manager tool to install the Network Policy and Access Services role together with the Routing and Remote Access Services role service on the Windows Server 2008-based computer.
After the Routing and Remote Access Services role service is installed, configure the Routing and Remote Access service by using the Routing and Remote Access Services Wizard.
If you want to configure the SSTP-based VPN server to listen on a port other than TCP port 443, follow these steps:
Start Registry Editor, and then locate the following registry subkey:
In the details pane, right-click ListenerPort, and then click Modify.
Click Decimal, type an alternative port number such as 5000, and then click OK.
Exit Registry Editor, and then restart the Routing and Remote Access service.
Note If you change the ListenerPort value, you must configure the NAT device to forward TCP port 443 traffic to the new port number that you configured. For example, you must configure the NAT device to forward incoming traffic on TCP port 443 to TCP port 5000 on the SSTP-based VPN server.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
947031 How to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection failures in Windows Server 2008