Secure Socket Tunneling Protocol (SSTP) is a widely used VPN transport that leverages SSL/TLS over TCP to provide secure, firewall-friendly tunnels—especially valuable in environments that strictly permit only HTTPS traffic. For site operators, enterprise IT teams, and developers, implementing effective firewall rules for SSTP is essential to balance security, reliability, and performance. This article walks through practical, technical best practices for designing and maintaining firewall policies that support SSTP deployments across different platforms and network architectures.
Why SSTP needs special consideration
SSTP encapsulates VPN traffic inside TLS, typically on TCP port 443. Because it looks like HTTPS at the transport layer, simple packet filters that only inspect ports may allow or deny SSTP incorrectly. In addition, stateful connection tracking, TLS certificate validation, deep packet inspection (DPI), and interactions with NAT/load balancers introduce operational nuances.
Key implications:
- Port visibility: SSTP uses TCP/443 by default, so allowlisting that port by number alone, with no further checks, also admits any other VPN or covert tunnel that chooses to look like HTTPS.
- Stateful behavior: SSTP requires stable TCP session tracking; aggressive connection timeouts can break tunnels.
- TLS handling: TLS termination, SNI inspection, or TLS interception (SSL proxy) can disrupt or decrypt traffic, defeating the tunnel.
Core firewall rule principles
Build your rule set around these core principles to ensure both security and connectivity:
- Least privilege: Only permit the minimal set of IPs, ports, and protocols necessary.
- Layered controls: Use combinations of stateful inspection, certificate pinning (where possible), and IP allowlists for servers.
- Logging and monitoring: Capture connection attempts, failures, and TLS anomalies for forensic and operational use.
- Resilience: Configure timeouts and connection tracking to support long-lived TCP streams used by SSTP.
Recommended port and protocol rules
At a minimum, your perimeter firewall should include rules that explicitly allow the following when running SSTP servers:
- TCP port 443 inbound to the SSTP server IP(s). If you host multiple services on the same IP, ensure SNI and certificate handling are correct.
- Return traffic to the clients' ephemeral TCP ports (a stateful firewall covers this automatically through its ESTABLISHED rule; a stateless filter needs an explicit outbound rule).
- ICMP (restricted): permit the ICMP types that Path MTU Discovery depends on, specifically type 3 (Destination Unreachable) code 4 (Fragmentation Needed), so that oversized packets are reported back instead of silently dropped.
Additional protocol considerations
Unlike GRE-based tunneling (e.g., PPTP), SSTP does not require protocol-level passthrough beyond TCP. However, when you use SSTP with internal routing and NAT, consider these:
- NAT traversal: ensure connection tracking tables are sized appropriately to handle concurrent sessions.
- MTU/MSS clamping: clamp the MSS on TCP SYN segments so that inner packets still fit once the extra layers of encapsulation are added, avoiding fragmentation.
- Latency-sensitive (UDP-based) services: because SSTP carries all inner traffic inside a single TCP stream, inner UDP flows inherit TCP's retransmission delays; applications sensitive to that added latency may benefit from QoS policies that prioritize SSTP flows.
Firewall configuration examples
Below are practical examples across common firewall platforms. Adapt IPs, interface names, and object names to your environment.
Linux (iptables/netfilter) example
Basic rules to allow SSTP and protect the host:
- Allow established/related:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- Allow inbound SSTP (TCP 443) to VPN server:
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m comment --comment "SSTP in" -j ACCEPT
- Drop unknown or suspicious TLS-based connections by default, then allow known client subnets or IPs.
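The two commands above cover the basics. The following script, an added example rather than the article's own configuration, turns the same approach into a complete iptables-restore ruleset: a default-drop INPUT policy, the ICMP types Path MTU Discovery needs, per-range allowlisting of TCP/443 with a per-source rate limit on new handshakes, and rate-limited logging of everything else that reaches 443. The server address, client ranges, management network and interface name are assumptions; NAT for tunnel clients is left out.

```shell
#!/bin/sh
# Added example, not from the article: emit a complete iptables-restore ruleset
# for a Linux SSTP host that allowlists known client ranges on TCP/443 and
# drops everything else. Every address and interface name is an assumption.

SSTP_SERVER="198.51.100.10"                  # assumed server address
CLIENT_NETS="203.0.113.0/24 192.0.2.0/24"    # assumed client egress ranges
MGMT_NET="10.0.0.0/24"                       # assumed management network (SSH)
PUBLIC_IF="eth0"                             # assumed public interface

sstp_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Path MTU Discovery needs "fragmentation needed" (type 3, code 4); time
# exceeded (type 11) keeps traceroute useful. All other ICMP is dropped.
-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # One rule per allowlisted client range. hashlimit caps the rate of new
    # handshakes per source address so one client cannot hammer the TLS stack.
    for net in $CLIENT_NETS; do
        printf '%s\n' "-A INPUT -s $net -d $SSTP_SERVER -p tcp --dport 443 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name sstp --hashlimit-mode srcip --hashlimit-upto 10/min --hashlimit-burst 20 -m comment --comment \"SSTP in\" -j ACCEPT"
    done
    cat <<EOF
# Anything else reaching 443 is logged (rate limited) and dropped.
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "SSTP-DENY "
-A INPUT -p tcp --dport 443 -j DROP
# Traffic from authenticated tunnels (ppp+ interfaces, assumed naming) may
# leave via the public side; add nat-table masquerading separately if needed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ppp+ -o $PUBLIC_IF -j ACCEPT
COMMIT
EOF
}

case "${1:-}" in
    show)  sstp_filter_rules ;;
    apply) sstp_filter_rules | iptables-restore ;;   # needs root; review with 'show' first
esac
```

Run it with `show` to review the output and with `apply` (as root) to load it. Keep the client ranges in step with your corporate egress addresses: a stale allowlist locks out legitimate users, not attackers.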
Windows Server (RRAS) and Windows Firewall
- Use Windows Firewall with Advanced Security: create an inbound rule for TCP 443 scoped to the RRAS service and the host IP.
- Enable “Allow unsolicited incoming messages from these IP addresses” only for trusted management networks.
- Tune TCP keepalive and session timeout policies in RRAS to support long-lived client sessions.
Cloud environments (AWS, Azure)
- AWS Security Groups: allow TCP 443 inbound to the instance or ELB; restrict source ranges to known client IPs or corporate egress IPs.
- AWS Network ACLs: configure stateless rules consistent with SGs. Remember that NACLs are evaluated per subnet and are stateless, so return traffic to client ephemeral ports (1024–65535) must be allowed explicitly in the outbound direction.
- Azure NSGs: allow inbound 443 on the VM or service endpoint; use Application Gateway or Azure Firewall for TLS inspection only when you control certificates.
TLS and certificate handling
Because SSTP runs over TLS, certificate management is critical:
- Use certificates issued by a reputable CA and maintain strong key sizes (2048-bit RSA or 256-bit ECC and above).
- Consider certificate pinning on managed clients to prevent man-in-the-middle attacks if TLS interception is unavoidable in the enterprise.
- Don’t deploy TLS interception appliances in front of SSTP servers unless you have a well-defined trust model and you re-encrypt to the backend with appropriate certificates—interception often breaks the VPN handshake.
Deep packet inspection and DPI risks
DPI devices (including corporate proxies and advanced firewalls) can inspect TLS handshakes or block based on payload patterns. For SSTP:
- Disable DPI for traffic to and from known SSTP server IPs, or configure DPI to allow passthrough for TLS flows that match expected server certificates.
- When DPI is used for policy compliance, ensure it’s capable of supporting SSL/TLS re-encryption and that certificate trust chains are deployed to clients to avoid connection failures.
Performance and reliability tuning
Operational reliability often depends on tuning both firewall and network stack parameters:
- Connection tracking table size: increase netfilter conntrack limits to accommodate peak SSTP sessions and avoid unexpected drops.
- TCP timeouts: extend TCP ESTABLISHED timeout for long-lived VPN sessions to reduce re-authentication churn.
- MSS clamping: set MSS to around 1360–1400 bytes when multiple encapsulations are present to avoid fragmentation.
- Load balancers: if terminating TLS at LB, enable session affinity (sticky sessions) or use TCP-level pass-through to ensure tunnel persistence.
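As an added example (not from the article), the script below derives the inner MSS value from the per-layer overheads instead of guessing, emits the mangle-table TCPMSS rules that clamp SYNs crossing the PPP interfaces, and writes the conntrack sizing as sysctl settings. The overhead figures, the ppp+ interface naming and the 64-entries-per-session conntrack estimate are assumptions to adjust for your own stack.

```shell
#!/bin/sh
# Added example, not from the article: compute the inner MSS clamp for an SSTP
# tunnel from per-layer overheads, then emit the mangle rules and sysctl
# settings that apply it. Overheads assume a TLS 1.2 AES-GCM stack; measure
# your own path before relying on them.

# Bytes consumed by each layer between the outer MTU and the inner TCP payload.
# A TLS record carries a 5-byte header, an 8-byte explicit nonce and a 16-byte
# GCM tag; SSTP adds a 4-byte data packet header; PPP with address/control and
# protocol field compression adds 2 bytes. Outer TCP options (timestamps) would
# take a further 12 bytes; round down if the path still fragments.
sstp_inner_mss() {
    mtu=${1:-1500}
    outer_ip=20; outer_tcp=20; tls=29; sstp=4; ppp=2; inner_ip=20; inner_tcp=20
    echo $(( mtu - outer_ip - outer_tcp - tls - sstp - ppp - inner_ip - inner_tcp ))
}

# Mangle-table rules: clamp MSS on SYNs entering or leaving the per-client PPP
# interfaces a Linux SSTP server creates (assumed ppp+ naming).
sstp_mss_rules() {
    mss=$(sstp_inner_mss "${1:-1500}")
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -o ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
-A FORWARD -i ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
COMMIT
EOF
}

# Kernel settings: conntrack sized for the expected peak (64 entries per
# tunnel is an assumed budget for the outer flow plus forwarded inner flows).
# The kernel default for the ESTABLISHED timeout is already 432000 s (5 days);
# setting it explicitly stops a distribution tuning profile from shortening it.
sstp_sysctl() {
    sessions=${1:-2000}                      # assumed peak concurrent tunnels
    cat <<EOF
net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_max = $(( sessions * 64 ))
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
EOF
}

case "${1:-}" in
    show)  sstp_mss_rules 1500; sstp_sysctl 2000 ;;
    apply) sstp_mss_rules 1500 | iptables-restore --noflush   # needs root
           sstp_sysctl 2000 > /etc/sysctl.d/90-sstp.conf && sysctl --system ;;
esac
```

With the assumed overheads and a 1500-byte outer MTU the clamp comes out at 1385 bytes, inside the 1360–1400 range given above. The `--noflush` flag keeps the mangle rules from disturbing a filter table loaded separately.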
Logging, alerts, and monitoring
Visibility is essential for both security and troubleshooting:
- Log all inbound SSTP attempts, including source IP, TLS client hello details (SNI when available), cipher suites, and certificate common name (CN).
- Set up alerts for repeated failed handshakes, certificate expiry, or sudden spikes in concurrent connections.
- Correlate VPN logs with authentication systems (RADIUS/AD) to detect brute force or credential stuffing attacks.
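To make the alert logic concrete, here is an added example (not part of the article, and not tied to any particular SSTP server's log format) that runs two of the detections above over constructed gateway log lines: sources with repeated failed TLS handshakes, and the peak number of concurrent sessions in the window. The log format and the src=/user=/reason= fields are assumptions; point the awk field extraction at whatever your gateway actually emits.

```shell
#!/bin/sh
# Added example, not from the article: detection logic for failed-handshake
# bursts and session peaks, run over constructed log lines. The log format
# below is an assumption made for this example.

# Constructed sample: one source failing the handshake repeatedly (scanner or
# client with a bad trust store), one client failing on protocol version, and
# a handful of sessions coming and going.
SAMPLE_LOG='2024-05-01T08:00:01Z gw sstp[1201]: TLS handshake failed src=203.0.113.5 reason=unknown_ca
2024-05-01T08:00:02Z gw sstp[1201]: TLS handshake failed src=203.0.113.5 reason=unknown_ca
2024-05-01T08:00:03Z gw sstp[1201]: session up src=192.0.2.7 user=alice
2024-05-01T08:00:04Z gw sstp[1201]: TLS handshake failed src=198.51.100.77 reason=protocol_version
2024-05-01T08:00:05Z gw sstp[1201]: session up src=192.0.2.8 user=bob
2024-05-01T08:00:06Z gw sstp[1201]: TLS handshake failed src=203.0.113.5 reason=unknown_ca
2024-05-01T08:00:07Z gw sstp[1201]: session down src=192.0.2.7 user=alice
2024-05-01T08:00:08Z gw sstp[1201]: session up src=192.0.2.9 user=carol
2024-05-01T08:00:09Z gw sstp[1201]: TLS handshake failed src=203.0.113.5 reason=unknown_ca
2024-05-01T08:00:10Z gw sstp[1201]: session up src=192.0.2.10 user=dave
2024-05-01T08:00:11Z gw sstp[1201]: TLS handshake failed src=198.51.100.77 reason=protocol_version
2024-05-01T08:00:12Z gw sstp[1201]: session down src=192.0.2.8 user=bob'

# Print "ip count" for every source with at least $1 failed handshakes,
# sorted so the output is stable. Reads the log on stdin.
failed_handshake_offenders() {
    awk -v threshold="$1" '
        /TLS handshake failed/ {
            for (i = 1; i <= NF; i++)
                if (index($i, "src=") == 1) fails[substr($i, 5)]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold) printf "%s %d\n", ip, fails[ip]
        }' | sort
}

# Highest number of simultaneous tunnels seen in the window. Compare it with
# the conntrack sizing and the gateway capacity; a sudden jump is alert-worthy.
peak_concurrent_sessions() {
    awk '
        /session up/   { current++; if (current > peak) peak = current }
        /session down/ { current-- }
        END { print peak + 0 }'
}

# Combined report; the threshold in $1 defaults to 3.
sstp_log_report() {
    log=$(cat)
    echo "sources with >= ${1:-3} failed handshakes:"
    printf '%s\n' "$log" | failed_handshake_offenders "${1:-3}"
    echo "peak concurrent sessions: $(printf '%s\n' "$log" | peak_concurrent_sessions)"
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | sstp_log_report 3 ;;
esac
```

Feed a real log with `sstp_log_report 5 < /var/log/sstp.log` (path assumed); the offender list is what you would forward to the authentication backend for correlation, since a source that never completes a handshake never reaches RADIUS/AD and is invisible there.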
Access control and authentication integration
Combine firewall rules with strong authentication to reduce attack surface:
- Restrict inbound access to SSTP endpoints by source IP ranges where possible—this reduces brute force exposure.
- Enforce multi-factor authentication (MFA) at the VPN gateway or through the authentication backend.
- Use role-based network segmentation post-authentication to control resource access within the tunnel.
High availability and failover
Design firewall and network rules to handle HA scenarios:
- Synchronize firewall rules and connection tracking state where supported (e.g., state sync in clustered firewalls) to minimize session drops during failover.
- For active-passive SSTP servers behind a virtual IP, ensure ARP and NAT rules are consistent across nodes and health checks are non-intrusive (don’t force TCP resets).
- When using DNS-based failover, set appropriate TTLs and use health checks that reflect the actual VPN service state (TLS handshake success, not just ICMP).
Troubleshooting checklist
When clients have issues connecting, work through this checklist:
- Confirm TCP connectivity to the SSTP server, e.g., with telnet, nc, or any TCP connect test against port 443.
- Verify TLS handshake: check certificate validity, correct CN/SAN, and compatible cipher suites.
- Check firewall logs for dropped packets or blocked connections and inspect connection tracking tables.
- Validate MTU issues by testing with different MTU/MSS settings and enabling ICMP where safe.
- Ensure no TLS/SSL interception or reverse proxy is modifying the handshake unexpectedly.
Implementing effective firewall rules for SSTP requires a balance of openness for legitimate clients and restrictions to minimize abuse. Focus on precise allowlisting, robust TLS certificate practices, adjusted timeouts and conntrack sizing, and carefully configured DPI and load balancer behavior to maintain both security and a reliable user experience. Regularly review logs, test failover, and keep certificates and server software updated.
For more in-depth guides, configuration snippets, and managed VPS options that support robust SSTP deployments, visit Dedicated-IP-VPN.