If you have upgraded from Windows 7/8 and need to install the Cisco VPN client then you can use the following instructions on how to cleanly install it or fix a bad install of it after upgrading to Windows 10.

-->

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows 10

• Previous: Step 5. Configure DNS and Firewall Settings
  

In this step, you'll learn about the ProfileXML options and schema, and configure the Windows 10 client computers to communicate with that infrastructure with a VPN connection.

You can configure the Always On VPN client through PowerShell, Microsoft Endpoint Configuration Manager, or Intune. All three require an XML VPN profile to configure the appropriate VPN settings. Automating PowerShell enrollment for organizations without Configuration Manager or Intune is possible.

Note

Group Policy does not include administrative templates to configure the Windows 10 Remote Access Always On VPN client. However, you can use logon scripts.

ProfileXML overview

ProfileXML is a URI node within the VPNv2 CSP. Rather than configuring each VPNv2 CSP node individually—such as triggers, route lists, and authentication protocols—use this node to configure a Windows 10 VPN client by delivering all the settings as a single XML block to a single CSP node. The ProfileXML schema matches the schema of the VPNv2 CSP nodes almost identically, but some terms are slightly different.

You use ProfileXML in all the delivery methods this deployment describes, including Windows PowerShell, Microsoft Endpoint Configuration Manager, and Intune. There are two ways to configure the ProfileXML VPNv2 CSP node in this deployment:

• OMA-DM. One way is to use an MDM provider using OMA-DM, as discussed earlier in the section VPNv2 CSP nodes. Using this method, you can easily insert the VPN profile configuration XML markup into the ProfileXML CSP node when using Intune.

• Windows Management Instrumentation (WMI)-to-CSP bridge. The second method of configuring the ProfileXML CSP node is to use the WMI-to-CSP bridge—a WMI class called MDM_VPNv2_01—that can access the VPNv2 CSP and the ProfileXML node. When you create a new instance of that WMI class, WMI uses the CSP to create the VPN profile when using Windows PowerShell and Configuration Manager.

Even though these configuration methods differ, both require a properly formatted XML VPN profile. To use the ProfileXML VPNv2 CSP setting, you construct XML by using the ProfileXML schema to configure the tags necessary for the simple deployment scenario. For more information, see ProfileXML XSD.

Below you find each of the required settings and its corresponding ProfileXML tag. You configure each setting in a specific tag within the ProfileXML schema, and not all of them are found under the native profile. For additional tag placement, see the ProfileXML schema.

Important

This book is intended for students who want to learn about the nature of solid substances and, especially, for beginning engineering students who are making their first serious contact with the structure and properties of real solids. Introduction to materials science and engineering chung pdf merge.

Any other combination of upper or lower case for 'true' in the following tags results in a partial configuration of the VPN profile:

<AlwaysOn>true</AlwaysOn>
<RememberCredentials>true</RememberCredentials>

Connection type: Native IKEv2

ProfileXML element:

Routing: Split tunneling

ProfileXML element:

Name resolution: Domain Name Information List and DNS suffix

ProfileXML elements:

Triggering: Always On and Trusted Network Detection

ProfileXML elements:

Authentication: PEAP-TLS with TPM-protected user certificates

ProfileXML elements:

You can use simple tags to configure some VPN authentication mechanisms. However, EAP and PEAP are more involved. The easiest way to create the XML markup is to configure a VPN client with its EAP settings, and then export that configuration to XML.

For more information about EAP settings, see EAP configuration.

Manually create a template connection profile

In this step, you use Protected Extensible Authentication Protocol (PEAP) to secure communication between the client and the server. Unlike a simple user name and password, this connection requires a unique EAPConfiguration section in the VPN profile to work.

Instead of describing how to create the XML markup from scratch, you use Settings in Windows to create a template VPN profile. After creating the template VPN profile, you use Windows PowerShell to consume the EAPConfiguration portion from that template to create the final ProfileXML that you deploy later in the deployment.

Record NPS certificate settings

Before creating the template, take note the hostname or fully qualified domain name (FQDN) of the NPS server from the server's certificate and the name of the CA that issued the certificate.

Procedure:

1. On your NPS server, open Network Policy Server.

2. In the NPS console, under Policies, click Network Policies.

3. Right-click Virtual Private Network (VPN) Connections, and click Properties.

4. Click the Constraints tab, and click Authentication Methods.

5. In EAP Types, click Microsoft: Protected EAP (PEAP), and click Edit.

6. Record the values for Certificate issued to and Issuer.

   You use these values in the upcoming VPN template configuration. For example, if the server's FQDN is nps01.corp.contoso.com and the hostname is NPS01, the certificate name is based upon the FQDN or DNS name of the server—for example, nps01.corp.contoso.com.

7. Cancel the Edit Protected EAP Properties dialog box.

8. Cancel the Virtual Private Network (VPN) Connections Properties dialog box.

9. Close Network Policy Server.

Note

If you have multiple NPS servers, complete these steps on each one so that the VPN profile can verify each of them should they be used.

Configure the template VPN profile on a domain-joined client computer

Now that you have the necessary information configure the template VPN profile on a domain-joined client computer. The type of user account you use (that is, standard user or administrator) for this part of the process does not matter.

However, if you haven't restarted the computer since configuring certificate autoenrollment, do so before configuring the template VPN connection to ensure you have a usable certificate enrolled on it.

Note

There is no way to manually add any advanced properties of VPN, such as NRPT rules, Always On, Trusted network detection, etc. In the next step, you create a test VPN connection to verify the configuration of the VPN server and that you can establish a VPN connection to the server.

Manually create a single test VPN connection

1. Sign in to a domain-joined client computer as a member of the VPN Users group.

2. On the Start menu, type VPN, and press Enter.

3. In the details pane, click Add a VPN connection.

4. In the VPN Provider list, click Windows (built-in).

5. In Connection Name, type Template.

6. In Server name or address, type the external FQDN of your VPN server (for example, vpn.contoso.com).

7. Click Save.

8. Under Related Settings, click Change adapter options.

9. Right-click Template, and click Properties.

10. On the Security tab, in Type of VPN, click IKEv2.

11. In Data encryption, click Maximum strength encryption.

12. Click Use Extensible Authentication Protocol (EAP); then, in Use Extensible Authentication Protocol (EAP), click Microsoft: Protected EAP (PEAP) (encryption enabled).

13. Click Properties to open the Protected EAP Properties dialog box, and complete the following steps:

    a. In the Connect to these servers box, type the name of the NPS server that you retrieved from the NPS server authentication settings earlier in this section (for example, NPS01).

    Note

    The server name you type must match the name in the certificate. You recovered this name earlier in this section. If the name does not match, the connection will fail, stating that 'The connection was prevented because of a policy configured on your RAS/VPN server.'

    b. Under Trusted Root Certification Authorities, select the root CA that issued the NPS server's certificate (for example, contoso-CA).

    c. In Notifications before connecting, click Don't ask user to authorize new servers or trusted CAs.

    d. In Select Authentication Method, click Smart Card or other certificate, and click Configure. The Smart Card or other Certificate Properties dialog opens.

    e. Click Use a certificate on this computer.

    f. In the Connect to these servers box, enter the name of the NPS server you retrieved from the NPS server authentication settings in the previous steps.

    g. Under Trusted Root Certification Authorities, select the root CA that issued the NPS server's certificate.

    h. Select the Don't prompt user to authorize new servers or trusted certification authorities check box.

    i. Click OK to close the Smart Card or other Certificate Properties dialog box.

    j. Click OK to close the Protected EAP Properties dialog box.

14. Click OK to close the Template Properties dialog box.

15. Close the Network Connections window.

16. In Settings, test the VPN by clicking Template, and clicking Connect.

Important

Make sure that the template VPN connection to your VPN server is successful. Doing so ensures that the EAP settings are correct before you use them in the next example. You must connect at least once before continuing; otherwise, the profile will not contain all the information necessary to connect to the VPN.

Create the ProfileXML configuration files

Before completing this section, make sure you have created and tested the template VPN connection that the section Manually create a template connection profile describes. Testing the VPN connection is necessary to ensure that the profile contains all the information required to connect to the VPN.

The Windows PowerShell script in Listing 1 creates two files on the desktop, both of which contain EAPConfiguration tags based on the template connection profile you created previously:

• VPN_Profile.xml. This file contains the XML markup required to configure the ProfileXML node in the VPNv2 CSP. Use this file with OMA-DM–compatible MDM services, such as Intune.

• VPN_Profile.ps1. This file is a Windows PowerShell script that you can run on client computers to configure the ProfileXML node in the VPNv2 CSP. You can also configure the CSP by deploying this script through Configuration Manager. You cannot run this script in a Remote Desktop session, including a Hyper-V enhanced session.

Important

The example commands below require Windows 10 Build 1607 or later.

Create VPN_Profile.xml and VPN_Proflie.ps1

1. Sign in to the domain-joined client computer containing the template VPN profile with the same user account that the section Manually create a template connection profile described.

2. Paste Listing 1 into Windows PowerShell integrated scripting environment (ISE), and customize the parameters described in the comments. These are $Template, $ProfileName, $Servers, $DnsSuffix, $DomainName, $TrustedNetwork, and $DNSServers. A full description of each setting is in the comments.

3. Run the script to generate VPN_Profile.xml and VPN_Profile.ps1 on the desktop.

Listing 1. Understanding MakeProfile.ps1

This section explains the example code that you can use to gain an understanding of how to create a VPN Profile, specifically for configuring ProfileXML in the VPNv2 CSP.

After you assemble a script from this example code and run the script, the script generates two files: VPN_Profile.xml and VPN_Profile.ps1. Use VPN_Profile.xml to configure ProfileXML in OMA-DM compliant MDM services, such as Microsoft Intune.

Use the VPN_Profile.ps1 script in Windows PowerShell or Microsoft Endpoint Configuration Manager to configure ProfileXML on the Windows 10 desktop.

Note

To view the full example script, see the section MakeProfile.ps1 Full Script.

Parameters

Configure the following parameters:

$Template. The name of the template from which to retrieve the EAP configuration.

$ProfileName. Unique alphanumeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

$Servers. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.

$DnsSuffix. Specifies one or more commas separated DNS suffixes. The first in the listis also used as the primary connection-specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.

$DomainName. Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:

• FQDN - Fully qualified domain name
• Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a period (.) to the DNS suffix.

$DNSServers. List of comma-separated DNS Server IP addresses to use for the namespace.

$TrustedNetwork. Comma-separated string to identify the trusted network. VPN does not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.

The following are example values for parameters used in the commands below. Ensure that you change these values for your environment.

Prepare and create the profile XML

The following example commands get EAP settings from the template profile:

Create the profile XML

Important

Any other combination of upper or lower case for 'true' in the following tags results in a partial configuration of the VPN profile:

<AlwaysOn>true</AlwaysOn>
<RememberCredentials>true</RememberCredentials>

Output VPN_Profile.xml for Intune

You can use the following example command to save the profile XML file:

Output VPN_Profile.ps1 for the desktop and Configuration Manager

The following example code configures an AlwaysOn IKEv2 VPN Connection by using the ProfileXML node in the VPNv2 CSP.

You can use this script on the Windows 10 desktop or in Configuration Manager.

Define key VPN profile parameters

Escape special characters in the profile

Define WMI-to-CSP Bridge properties

Determine user SID for VPN profile:

Define WMI session:

Detect and delete previous VPN profile:

Create the VPN profile:

Save the profile XML file

MakeProfile.ps1 Full Script

Most examples use the Set-WmiInstance Windows PowerShell cmdlet to insert ProfileXML into a new instance of the MDM_VPNv2_01 WMI class.

However, this does not work in Configuration Manager because you cannot run the package in the end users' context. Therefore, this script uses the Common Information Model to create a WMI session in the user's context, and then it creates a new instance of the MDM_VPNv2_01 WMI class in that session. This WMI class uses the WMI-to-CSP bridge to configure the VPNv2 CSP. Therefore, by adding the class instance, you configure the CSP.

Important

WMI-to-CSP bridge requires local admin rights, by design. To deploy per user VPN profiles you should be using Configuration Manager or MDM.

Note

The script VPN_Profile.ps1 uses the current user's SID to identify the user's context. Because no SID is available in a Remote Desktop session, the script does not work in a Remote Desktop session. Likewise, it does not work in a Hyper-V enhanced session. If you're testing a Remote Access Always On VPN in virtual machines, disable enhanced session on your client VMs before running this script.

The following example script includes all of the code examples from previous sections. Ensure that you change example values to values that are appropriate for your environment.

Configure the VPN client by using Windows PowerShell

To configure the VPNv2 CSP on a Windows 10 client computer, run the VPN_Profile.ps1 Windows PowerShell script that you created in the Create the profile XML section. Open Windows PowerShell as an Administrator; otherwise, you'll receive an error saying, Access denied.

After running VPN_Profile.ps1 to configure the VPN profile, you can verify at any time that it was successful by running the following command in the Windows PowerShell ISE:

Successful results from the Get-WmiObject cmdlet

The ProfileXML configuration must be correct in structure, spelling, configuration, and sometimes letter case. If you see something different in structure to Listing 1, the ProfileXML markup likely contains an error.

If you need to troubleshoot the markup, it is easier to put it in an XML editor than to troubleshoot it in the Windows PowerShell ISE. In either case, start with the simplest version of the profile, and add components back one at a time until the issue occurs again.

Configure the VPN client by using Configuration Manager

In Configuration Manager, you can deploy VPN profiles by using the ProfileXML CSP node, just like you did in Windows PowerShell. Here, you use the VPN_Profile.ps1 Windows PowerShell script that you created in the section Create the ProfileXML configuration files.

To use Configuration Manager to deploy a Remote Access Always On VPN profile to Windows 10 client computers, you must start by creating a group of machines or users to whom you deploy the profile. In this scenario, create a user group to deploy the configuration script.

Create a user group

1. In the Configuration Manager console, open Assets and ComplianceUser Collections.

2. On the Home ribbon, in the Create group, click Create User Collection.

3. On the General page, complete the following steps:

   a. In Name, type VPN Users.

   b. Click Browse, click All Users and click OK.

   c. Click Next.

4. On the Membership Rules page, complete the following steps:

   a. In Membership rules, click Add Rule, and click Direct Rule. In this example, you're adding individual users to the user collection. However, you might use a query rule to add users to this collection dynamically for a larger-scale deployment.

   b. On the Welcome page, click Next.

   c. On the Search for Resources page, in Value, type the name of the user you want to add. The resource name includes the user's domain. To include results based on a partial match, insert the % character at either end of your search criterion. For example, to find all users containing the string 'lori,' type %lori%. Click Next.

   d. On the Select Resources page, select the users you want to add to the group, and click Next.

   e. On the Summary page, click Next.

   f. On the Completion page, click Close.

5. Back on the Membership Rules page of the Create User Collection Wizard, click Next.

6. On the Summary page, click Next.

7. On the Completion page, click Close.

After you create the user group to receive the VPN profile, you can create a package and program to deploy the Windows PowerShell configuration script that you created in the section Create the ProfileXML configuration files.

Create a package containing the ProfileXML configuration script

1. Host the script VPN_Profile.ps1 on a network share that the site server computer account can access.

2. In the Configuration Manager console, open Software LibraryApplication ManagementPackages.

3. On the Home ribbon, in the Create group, click Create Package to start the Create Package and Program Wizard.

4. On the Package page, complete the following steps:

   a. In Name, type Windows 10 Always On VPN Profile.

   b. Select the This package contains source files check box, and click Browse.

   c. In the Set Source Folder dialog box, click Browse, select the file share containing VPN_Profile.ps1, and click OK.Make sure you select a network path, not a local path. In other words, the path should be something like fileservervpnscript, not c:vpnscript.

5. Click Next.

6. On the Program Type page, click Next.

7. On the Standard Program page, complete the following steps:

   a. In Name, type VPN Profile Script.

   b. In Command line, type PowerShell.exe -ExecutionPolicy Bypass -File 'VPN_Profile.ps1'.

   c. In Run mode, click Run with administrative rights.

   d. Click Next.

8. On the Requirements page, complete the following steps:

   a. Select This program can run only on specified platforms.

   b. Select the All Windows 10 (32-bit) and All Windows 10 (64-bit) check boxes.

   c. In Estimated disk space, type 1.

   d. In Maximum allowed run time (minutes), type 15.

   e. Click Next.

9. On the Summary page, click Next.

10. On the Completion page, click Close.

With the package and program created, you need to deploy it to the VPN Users group.

Deploy the ProfileXML configuration script

1. In the Configuration Manager console, open Software LibraryApplication ManagementPackages.

2. In Packages, click Windows 10 Always On VPN Profile.

3. On the Programs tab, at the bottom of the details pane, right-click VPN Profile Script, click Properties, and complete the following steps:

   a. On the Advanced tab, in When this program is assigned to a computer, click Once for every user who logs on.

   b. Click OK.

4. Right-click VPN Profile Script and click Deploy to start the Deploy Software Wizard.

5. On the General page, complete the following steps:

   a. Beside Collection, click Browse.

   b. In the Collection Types list (top left), click User Collections.

   c. Click VPN Users, and click OK.

   d. Click Next.

6. On the Content page, complete the following steps:

   a. Click Add, and click Distribution Point.

   b. In Available distribution points, select the distribution points to which you want to distribute the ProfileXML configuration script, and click OK.

   c. Click Next.

7. On the Deployment settings page, click Next.

8. On the Scheduling page, complete the following steps:

   a. Click New to open the Assignment Schedule dialog box.

   b. Click Assign immediately after this event, and click OK.

   c. Click Next.

9. On the User Experience page, complete the following steps:

   1. Select the Software Installation check box.

   2. Click Summary.

10. On the Summary page, click Next.

11. On the Completion page, click Close.

With the ProfileXML configuration script deployed, sign in to a Windows 10 client computer with the user account you selected when you built the user collection. Verify the configuration of the VPN client.

Note

The script VPN_Profile.ps1 does not work in a Remote Desktop session. Likewise, it does not work in a Hyper-V enhanced session. If you're testing a Remote Access Always On VPN in virtual machines, disable enhanced session on your client VMs before continuing.

Verify the configuration of the VPN client

1. In Control Panel, under SystemSecurity, click Configuration Manager.

2. In the Configuration Manager Properties dialog, on the Actions tab, complete the following steps:

   a. Click Machine Policy Retrieval & Evaluation Cycle, click Run Now, and click OK.

   b. Click User Policy Retrieval & Evaluation Cycle, click Run Now, and click OK.

   c. Click OK.

3. Close the Control Panel.

You should see the new VPN profile shortly.

Configure the VPN client by using Intune

To use Intune to deploy Windows 10 Remote Access Always On VPN profiles, you can configure the ProfileXML CSP node by using the VPN profile you created in the section Create the ProfileXML configuration files, or you can use the base EAP XML sample provided below.

Note

Intune now uses Azure AD groups. If Azure AD Connect synced the VPN Users group from on-premises to Azure AD, and users are assigned to the VPN Users group, you are ready to proceed.

Create the VPN device configuration policy to configure the Windows 10 client computers for all users added to the group. Since the Intune template provides VPN parameters, only copy the <EapHostConfig> </EapHostConfig> portion of the VPN_ProfileXML file.

Create the Always On VPN configuration policy

1. Sign into the Azure portal.

2. Go to Intune > Device Configuration > Profiles.

3. Click Create Profile to start the Create profile Wizard.

4. Enter a Name for the VPN profile and (optionally) a description.

5. Under Platform, select Windows 10 or later, and choose VPN from the Profile type drop-down.

   Tip

   If you are creating a custom VPN profileXML, see Apply ProfileXML using Intune for the instructions.

6. Under the Base VPN tab, verify or set the following settings:

   • Connection name: Enter the name of the VPN connection as it appears on the client computer in the VPN tab under Settings, for example, Contoso AutoVPN.

   • Servers: Add one or more VPN servers by clicking Add.

   • Description and IP Address or FQDN: Enter the description and IP Address or FQDN of the VPN server. These values must align with the Subject Name in the VPN server's authentication certificate.

   • Default server: If this is the default VPN server, set to True. Doing this enables this server as the default server that devices use to establish the connection.

   • Connection type: Set to IKEv2.

   • Always On: Set to Enable to connect to the VPN automatically at the sign-in and stay connected until the user manually disconnects.

   • Remember credentials at each logon: Boolean value (true or false) for caching credentials. If set to true, credentials are cached whenever possible.

7. Copy the following XML string to a text editor:

   Important

   Any other combination of upper or lower case for 'true' in the following tags results in a partial configuration of the VPN profile:

   <AlwaysOn>true</AlwaysOn>
   <RememberCredentials>true</RememberCredentials>

8. Replace the <TrustedRootCA>5a 89 fe cb 5b 49 a7 0b 1a 52 63 b7 35 ee d7 1c c2 68 be 4b</TrustedRootCA> in the sample with the certificate thumbprint of your on-premises root certificate authority in both places.

   Important

   Do not use the sample thumbprint in the <TrustedRootCA></TrustedRootCA> section below. The TrustedRootCA must be the certificate thumbprint of the on-premises root certificate authority that issued the server-authentication certificate for RRAS and NPS servers. This must not be the cloud root certificate, nor the intermediate issuing CA certificate thumbprint.

9. Replace the <ServerNames>NPS.contoso.com</ServerNames> in the sample XML with the FQDN of the domain-joined NPS where authentication takes place.

10. Copy the revised XML string and paste into the EAP Xml box under the Base VPN tab and click OK.An Always On VPN Device Configuration policy using EAP is created in Intune.

Sync the Always On VPN configuration policy with Intune

To test the configuration policy, sign in to a Windows 10 client computer as the user you added to the Always On VPN Users group, and then sync with Intune.

1. On the Start menu, click Settings.

2. In Settings, click Accounts, and click Access work or school.

3. Click the MDM profile, and click Info.

4. Click Sync to force an Intune policy evaluation and retrieval.

5. Close Settings. After synchronization, you see the VPN profile available on the computer.

Next steps

You are done deploying Always On VPN. For other features you can configure, see the table below:

If you want to..	Then see..
Configure Conditional Access for VPN	Step 7. (Optional) Configure conditional access for VPN connectivity using Azure AD: In this step, you can fine-tune how authorized VPN users access your resources using Azure Active Directory (Azure AD) conditional access. With Azure AD conditional access for virtual private network (VPN) connectivity, you can help protect the VPN connections. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
Learn more about the advanced VPN features	Advanced VPN Features: This page provides guidance on how to enable VPN Traffic Filters, how to configure Automatic VPN connections using App-Triggers, and how to configure NPS to only allow VPN Connections from clients using certificates issued by Azure AD.

VPN (Virtual Private Network) technology provides a secure and encrypted tunnel across a public network. So, a private network user can send and receive data to any remote private network through VPN tunnel as if his/her network device was directly connected to that private network.

Secure Socket Tunneling Protocol (SSTP) transports PPP tunnel over TLS channel. SSTP uses TLS channel over TCP port 443. So, SSTP VPN can virtually pass through all firewalls and proxy servers. Because of using TLS channel, encrypted data passes over SSTP Tunnel. So, there is no chance to steal data by a middle man attacker and data can send and receive across public network safely. MikroTik SSTP Server can be applied in two methods.

• Connecting from remote workstation/client: In this method, SSTP VPN client software can communicate with MikroTik SSTP VPN Server over Secure VPN tunnel whenever required and can access remote private network as if it was directly connected to that remote private network.
• Site to Site SSTP VPN: This method is also known as VPN between routers. In this method, an SSTP client supported router always establishes a SSTP VPN tunnel with MikroTik SSTP VPN Server. So, private networks of these two routers can communicate with each other as if they were directly connected to the same router.

The goal of this article is to connect a remote client device over secure SSTP VPN Tunnel across public network. So, in this article I will only show how to configure MikroTik SSTP VPN Server for connecting a remote workstation/client (Windows 10 Client).

How SSTP Connection Established

To establish a SSTP VPN tunnel across public network, the following mechanisms are occurred.

SSTP How Works

• TCP connection is established from SSTP Client to SSTP Server on TCP port 443.
• SSL validates server certificate. If certificate is valid connection is established otherwise connection is denied.
• The client sends SSTP control packets within the HTTPS session which establishes the SSTP state machine on both sides.
• PPP username and password validation is checked over SSTP. Client authenticates to the server and binds IP addresses to SSTP Client interface.
• SSTP tunnel is now established and packet encapsulation can begin.

Network Diagram

To configure a Client-Server SSTP VPN Tunnel between a MikroTik Router and a Windows 10 SSTP Client, we are following the below network diagram.

In this network diagram, a MikroTik Router’s ether1 interface is connected to public network having IP address 117.58.247.198/30 and ether2 interface is connected to LAN having IP network 10.10.11.0/24.

We will configure SSTP Server in this MikroTik Router on TCP port 443. So, Windows 10 SSTP Client can be connected to this SSTP Server and can be able to access remote network resources as if the device is connected to that remote network.

SSTP VPN Server and SSTP Client Configuration

We will now start SSTP Server and Client configuration. Complete SSTP configuration can be divided into two parts.

• Part 1: SSTP Server Configuration in MikroTik Router
• Part 2: SSTP Client Configuration in Windows 10

Part 1: SSTP Server Configuration in MikroTik Router

According to the network diagram, MikroTik Router is our SSTP VPN Server. So, we will enable and configure OpenVPN Server in MikroTik Router. It is assumed that MikroTik WAN and LAN networks have been configured and are working without any issue.

Complete MikroTik SSTP Server configuration can be divided into the following three steps.

• Step 1: Creating TLS Certificate for SSTP Server
• Step 2: Enabling and Configuring SSTP Server
• Step 3: Creating SSTP Users

Step 1: Creating TLS Certificate for SSTP Server

SSTP Server configuration requires TLS certificate because SSTP VPN uses TLS certificate for secure communication. MikroTik RouterOS v6 gives ability to create, store and manage certificates in certificate store. So, we will create required SSTP Server certificate from MikroTik RouterOS. SSTP Server requires two types of certificates:

• CA (Certification Authority) Certificate and
• Server Certificate

Creating CA certificate

MikroTik RouterOS provides a self-signed certificate and self-signed certificate must have a CA (Certification Authority) Certificate to sign Server Certificate. This CA certificate will also be installed in SSTP Client devices otherwise Server Certificate cannot be verified. The following steps will show how to create a CA certificate in MikroTik RouterOS.

• From Winbox, go to System > Certificates menu item and click on Certificates tab and then click on PLUS SIGN (+). New Certificate window will appear.
• Put your CA certificate name (for example: CA) in Name input field.
• Put the WAN IP Address (example: 117.58.247.198) of MikroTik Router in Common Name input field.
• You will find some optional fields in General tab. You can fill those if you wish. All fields are self-defined.
• Click on Key Usage tab and uncheck all checkboxes except crl sign and key cert. sign
• Click on Apply button and then click on Sign button. Sign window will appear now.
• Your created CA certificate template will appear in Certificate dropdown menu. Select your newly created certificate template if it is not selected.
• Put MikroTik Router’s WAN IP address (example: 117.58.247.198) in CA CRL Host input field.
• Click on Sign button. Your Signed certificate will be created within few seconds.
• Click on OK button to close New Certificate window.
• If newly created CA certificate does not show T flag or Trusted property shows no, double click on your CA certificate and click on Trusted checkbox located at the bottom of General tab and then click on Apply and OK button.

Creating Server Certificate

After creating CA certificate, we will now create Server Certificate that will be signed by the created CA. The Server Certificate will be used by SSTP Server. The following steps will show how to create Server Certificate in MikroTik RouterOS.

• Click on PLUS SIGN (+) again. New Certificate window will appear.
• Put your server certificate name (for example: Server) in Name input field.
• Put the WAN IP Address (example: 117.58.247.198) of MikroTik Router in Common Name input field.
• If you have put any optional field in CA certificate, put them here also.
• Click on Key Usage tab and uncheck all checkboxes except digital signature, key encipherment and tls server checkboxes.
• Click on Apply button and then click on Sign button. Sign window will appear now.
• Your newly created Server certificate template will appear in certificate dropdown menu. Select newly created certificate template if it is not selected.
• Also select CA certificate from CA dropdown menu.
• Click on Sign button. Your Signed certificate will be created within few seconds.
• Click on OK button to close New Certificate window.
• If newly created server certificate does not show T flag or Trusted property shows no, double click on your server certificate and click on Trusted checkbox located at the bottom of General tab and then click on Apply and OK button.

We have successfully created required CA and Server Certificates. After creating CA and Server certificates, the Certificates window will look the following image.

Created CA and Server Certificates in Certificates Window

Exporting CA Certificates

SSTP Server will use Server certificate from MikroTik RouterOS Certificate store. But CA certificate has to supply to the SSTP Client. So, we need to export the CA certificate from RouterOS certificate store. The following steps will show how to export CA certificate from MikroTik certificate store.

• Select and make Mouse Right Click on CA certificate and then click on Export option. Export window will appear.
• Choose CA certificate from Certificate dropdown menu.
• Click on Export button now. Your CA certificate will be exported and Export window will be closed.

Exported CA Certificate will be found in Winbox File List window. We have to download this exported CA Certificate to supply client devices. The following steps will show how to download exported CA certificate file from the File directory.

• Click on Files menu from Winbox menu panel. You will find a certificate file named crt is exported here.
• Drag and Drop this file in a folder on your Desktop. We will install this CA certificate file at SSTP Client configuration.

Downloading and Saving CA Certificate on Desktop

Step 2: SSTP Server Configuration in MikroTik Router

After creating CA and Server Certificates, we are now eligible to enable and configure SSTP Server in MikroTik Router. The following steps will show how to enable and configure SSTP Server in MikroTik Router.

• Click on PPP menu item from Winbox and then click on Interface tab.
• Click on SSTP Server button. SSTP Server window will appear.
• Click on Enabled checkbox to enable SSTP Server.
• Make sure TCP Port 443 is assigned in Port input field.
• From Authentication, uncheck all checkboxes except mschap2 checkbox.
• From Certificate dropdown menu, choose server certificate (Server) that we created before.
• From TLS Version drop down menu, choose only-1.2 option. TLS Version any can also be selected.
• Now click on Force AES and PFS checkboxes.
• Now click on Apply and OK button.

Enabling SSTP Server in MikroTik Router

SSTP Server is now running in MikroTik Router. As MikroTik SSTP VPN is limited to use username and password for successful VPN connection, we will now create PPP users who will be able to connect to MikroTik SSTP Server and get IP information.

Step 3: Creating SSTP Users

MikroTik SSTP uses username and password to validate legal connection. So, we have to create username and password to allow any user. The complete user configuration for SSTP Server can be divided into the following three parts.

• IP Pool Configuration
• User Profile Configuration and
• SSTP User Configuration

IP Pool Configuration

Usually multiple users can connect to SSTP Server. So, it is always better to create an IP Pool from where connected user will get IP address. The following steps will show how to create IP Pool in MikroTik Router.

• From Winbox, go to IP > Pool menu item. IP Pool Window will appear.
• Click on PLUS SIGN (+). New IP Pool window will appear.
• Put a meaningful name (vpn_pool) in Name input field.
• Put desired IP Ranges (example: 192.168.2.2-192.168.2.254) in Addresses input filed. Make sure not to use VPN Gateway IP (192.168.2.1)in this range.
• Click Apply and OK button.

User Profile Configuration

After creating IP Pool, we will now configure user profile so that all users can have similar characteristics. The following steps will show how to configure user profile for SSTP Users.

• From Winbox, go to PPP menu item and click on Profile tab and then click on PLUS SIGN (+). New PPP Profile window will appear.
• Put a meaningful name (example: vpn_profile) in Name input field.
• Put VPN Gateway address (example: 192.168.2.1) in Local Address input field.
• Choose the created IP Pool (vpn_pool) from Remote Address dropdown menu.
• Click Apply and OK button.

OpenVPN User Profile Configuration

SSTP User Configuration

After creating user profile, we will now create users who will be connected to SSTP Server. The following steps will show how to create SSTP users in MikroTik RouterOS.

• From PPP window, click on Secrets tab and then click on PLUS SIGN (+). New PPP Secret window will appear.
• Put username (For example: sayeed) in Name input field and put password in Password input field.
• Choose sstp from Service dropdown menu.
• Choose the created profile from Profile dropdown menu.
• Click on Apply and OK button.

We have created a user for SSTP Server. Similarly, we can create more users that we require.

SSTP Server configuration in MikroTik Router has been completed. In the next part we will configure SSTP Client in Windows 10 Operating System.

Part 2: SSTP Client Configuration in Windows 10

After configuring SSTP Server in MikroTik Router, we will now configure SSTP Client in Windows 10 Operating System. SSTP Client configuration in Windows 10 can be divided into the following two steps.

• Installing CA Certificate in Windows 10
• SSTP Client Configuration in Windows 10

Installing CA Certificate in Windows 10

Exported CA Certificate must be installed in Windows Trusted Root Certification Authorities otherwise SSTP Client cannot verify SSTP Server Certificate. To install CA Certificate in Windows 10, do the following steps.

Click mouse right button on the Exported CA Certificate and choose Install Certificate option.

You will now find Certificate Import Wizard window and it will ask for choosing certificate Store Location. From Sore Location panel, choose Local Machine radio button and then click Next button.

Certificate Import Wizard

The next window will ask for choosing a specific certificate store. Exported CA must be placed in Trusted Root Certification Authorities store. So, click on Place all certificate in the following store radio button and then click on Browse button and choose Trusted Root Certificate Authorities and then click Next button.

Placing CA Certificate to Trusted Root Certification Authorities

The next Certificate Import Wizard will show a summery and ask to click Finish button. So, click Finish button and you will find a certificate importation successful message.

SSTP Client Configuration in Windows 10

After importing CA certificate in Trusted Root Certification Authorities, we will now configure SSTP Client in Windows 10 Operating System. The Following steps will show how to configure SSTP Client in Windows 10 OS.

• From Windows 10, click on Start Menu icon and then click on Settings Windows Settings window will appear.
• From Windows Settings window, click on Network & Internet
• From Network & Internet window, click on VPN menu item from left panel and then click on Add a VPN connection Add a VPN Connection window will appear.
• Put a VPN connection name (example: SSTP VPN) in Connection name input field.
• Put MikroTik WAN IP Address (example: 117.58.247.198) in Server name or address input field.
• From VPN type dropdown menu, select Secure Socket Tunneling Protocol (SSTP) option.
• From Type of sign-in info dropdown menu, select Username and password option.
• Put username that was created in MikroTik PPP Secret on Username input field and then put the user password in Password input field.
• Click Save button. A new VPN Client (example: SSTP VPN) will now appear in VPN list.

SSTP VPN Client Configuration

Click on the appeared VPN Client and then click on the appeared Connect button. If everything is OK, your SSTP VPN will be connected and you will now be able to get remote network resources across public network over TLS secure channel.

Note: Don’t try SSTP VPN Client on Windows 7 with self-signed certificate because Windows 7 has some bugs to work with SSTP VPN. But Windows 8 and Windows 10 have no issue with SSTP VPN. If you require Secure VPN Tunnel on TCP Port 443 for all Windows platforms, MikroTik OpenVPN Server with Windows Operating System on TCP Port 443 can be your best friend.

How to Configure MikroTik SSTP VPN Server with Windows 10 Operating System has been discussed in this article. I hope you will now be able to configure SSTP Server and Client with MikroTik Router and Windows 10 Operating System. However, if you face any confusion to configure SSTP VPN Server and Client, feel free to discuss in comment or contact me from Contact page. I will try my best to stay with you.