Setting up a secure remote access solution is essential for businesses that need encrypted connectivity and centralized access control. SSTP (Secure Socket Tunneling Protocol) is a robust choice for Windows-based VPN servers because it tunnels PPP traffic over HTTPS (TCP 443), providing strong firewall traversal and native client support in Windows. When combined with Windows Network Policy Server (NPS) acting as a RADIUS server, administrators gain granular authentication, authorization, and accounting (AAA) capabilities. This guide covers the technical steps and best practices to integrate an SSTP VPN server with Windows NPS for a secure, manageable deployment.
Why choose SSTP and NPS together?
SSTP leverages TLS over TCP port 443, which reduces blocking by enterprise firewalls and proxies and benefits from TLS security features. It is built into modern Windows clients (Vista and later), simplifying client configuration without third-party software. NPS centralizes AAA policies, supports multiple authentication methods (EAP, MS-CHAPv2), and integrates with Active Directory for user and group-based policies. Together they provide:
- Encrypted transport with TLS 1.2/1.3 and certificate-based server identity.
- Centralized policy enforcement based on AD groups, user attributes, time-of-day, and multi-factor conditions.
- Accounting and logging for auditability and troubleshooting.
- Scalability via multiple RADIUS clients and NPS proxies.
Prerequisites and planning
Before starting, prepare the following:
- A Windows Server instance configured as the SSTP host. This is typically a server running Routing and Remote Access Service (RRAS) role on Windows Server 2016/2019/2022.
- A dedicated public IP or NAT-ed address with TCP 443 forwarded to the SSTP server.
- A valid server certificate bound to the SSTP service. Certificates from a trusted CA (public CA or internal AD CS) are recommended.
- An NPS server joined to the same Active Directory domain (can be the same server for small deployments, but separation of duties is recommended).
- Firewall rules to allow TCP 443 (SSTP) to the VPN server and the UDP ports RADIUS uses between the SSTP server and NPS (default UDP 1812 for authentication and 1813 for accounting; legacy deployments sometimes use UDP 1645/1646).
- Administrative access to configure RRAS, NPS policies, and Group Policy (if pushing client settings).
Step 1 — Install and configure RRAS for SSTP
On the Windows server that will host SSTP:
- Install the “Remote Access” role with the “DirectAccess and VPN (RAS)” service from Server Manager.
- Open the Routing and Remote Access console and run the setup wizard: select “Custom configuration” and enable “VPN access”.
- Right-click the server, choose “Properties” → “Security” tab → set the authentication provider to “RADIUS Authentication” and add your NPS server(s) as RADIUS servers (the RRAS host itself is the RADIUS client and is registered as such on NPS in Step 2). Use a strong shared secret (at least 22 characters, mixed character types).
- On the “Security” tab, ensure SSTP is enabled. RRAS will automatically listen on TCP 443 if SSTP is configured and a certificate is present.
- Bind the server certificate: in RRAS, right-click the server → Properties → Security → “Select Certificate” and choose the certificate whose Subject name or SAN matches the public DNS name clients will use to connect. The certificate must carry the “Server Authentication” EKU.
- Configure IP addressing: define a static pool or enable DHCP for VPN clients. Consider using a separate subnet for VPN clients and set up appropriate routing and split-tunneling policies.
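The same Step 1 configuration expressed as PowerShell on the RRAS host, as an added example that is not part of the original guide. The FQDN vpn.example.com, the NPS server name nps01.corp.example.com and the 10.200.0.0/24 client pool are placeholders.

```powershell
# Added example (not from the original guide): PowerShell equivalent of Step 1 on the RRAS host.
# Assumed values: public FQDN vpn.example.com, NPS server nps01.corp.example.com, client pool 10.200.0.0/24.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN -IncludeManagementTools
Import-Module RemoteAccess

# VPN-only deployment (no DirectAccess)
Install-RemoteAccess -VpnType Vpn

# Random shared secret: 32 chars from a 64-symbol alphabet, so byte % 64 is unbiased.
# Record it in your secrets store; the same value goes into the NPS RADIUS client entry.
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })

# Hand authentication to NPS (RRAS becomes a RADIUS client) and send accounting there too
Set-VpnAuthType -Type ExternalRadius -RadiusServer 'nps01.corp.example.com' -SharedSecret $secret
Add-RemoteAccessRadius -ServerName 'nps01.corp.example.com' -SharedSecret $secret -Purpose Accounting -Port 1813

# Only EAP is offered to clients; PAP, CHAP and MS-CHAP v1 are never negotiated
Set-VpnAuthProtocol -UserAuthProtocolAccepted @('EAP')

# Bind the certificate whose SAN lists the public FQDN and that carries the Server Authentication EKU
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.DnsNameList.Unicode -contains 'vpn.example.com' -and
                   $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No suitable SSTP server certificate in LocalMachine\My' }
Set-RemoteAccess -SslCertificate $cert

# Dedicated client subnet served from a static pool
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange @('10.200.0.10', '10.200.0.250')

Restart-Service RemoteAccess
# SSTP should now be listening on TCP 443
Get-NetTCPConnection -LocalPort 443 -State Listen
```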
Certificate details
Certificate considerations:
- Use a certificate issued by a trusted CA. For public clients, use a public CA-signed cert with SANs that include the VPN FQDN.
- The certificate must contain the server’s DNS name in the Common Name or SAN and include the Server Authentication OID.
- Use a key of at least 2048 bits; prefer ECDSA or RSA-2048/3072. Disable the legacy protocol versions on the server (SSLv3, TLS 1.0 and TLS 1.1) so that only TLS 1.2 or later is negotiated.
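An added audit script (not from the original guide) that checks a candidate certificate against the criteria above and then disables the legacy protocol versions through the Schannel registry keys. The FQDN vpn.example.com is a placeholder.

```powershell
# Added example (not from the original guide): audit the certificate you intend to bind against the
# criteria above, then disable SSL 3.0 / TLS 1.0 / TLS 1.1 server-side. Assumed FQDN: vpn.example.com.
$Fqdn = 'vpn.example.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $Fqdn } | Select-Object -First 1
if (-not $cert) { throw "No certificate in LocalMachine\My lists $Fqdn as a DNS name" }

$findings = @()
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    $findings += 'missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
}
if (-not $cert.HasPrivateKey)                  { $findings += 'no private key, cannot be bound' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "expires $($cert.NotAfter)" }

# Key strength: RSA must be >= 2048 bits; any ECDSA key is accepted
$rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
if ($rsa -and $rsa.KeySize -lt 2048) { $findings += "RSA key is only $($rsa.KeySize) bits" }
elseif (-not $rsa -and -not $ecdsa)  { $findings += 'public key is neither RSA nor ECDSA' }

# The chain must build to a root this machine trusts; clients need the same root in their store
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $findings += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { "OK: $($cert.Thumbprint) passes all checks" }

# Schannel: leave only TLS 1.2 (and 1.3 where the OS supports it) enabled for server-side connections.
# Takes effect after a reboot.
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
}
```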
Step 2 — Prepare NPS as the RADIUS server
On your NPS server:
- Install the Network Policy and Access Services role if not already present.
- Register the NPS server in Active Directory: open NPS console → right-click “NPS (Local)” → “Register server in Active Directory”. This allows NPS to query AD for user authentication.
- Configure RADIUS clients: in the NPS console, add the SSTP/RRAS server as a RADIUS client. Use the same shared secret you specified on the RRAS server. Identify by IP address or FQDN.
- Create Connection Request Policies and Network Policies to define how RADIUS requests are handled and what conditions grant access.
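The NPS side of Step 2 as PowerShell and netsh, as an added example that is not part of the original guide. The RRAS host name rras01, its address 10.10.0.5 and the variable $secret (holding the shared secret configured on RRAS) are placeholders; the policies themselves are still authored in the console.

```powershell
# Added example (not from the original guide): Step 2 on the NPS host via PowerShell and netsh.
# Assumed values: RRAS server rras01 with RADIUS source address 10.10.0.5; $secret holds the value set on RRAS.
Install-WindowsFeature NPAS -IncludeManagementTools
Import-Module NPS

# Register NPS in AD so it can read users' dial-in properties (adds the computer to "RAS and IAS Servers")
netsh nps add registeredserver

# The RRAS server is the RADIUS client. Address must be the source IP NPS actually receives packets from
# (the inside address if RRAS is behind NAT). Requiring Message-Authenticator also covers non-EAP requests.
New-NpsRadiusClient -Name 'rras01' -Address '10.10.0.5' -SharedSecret $secret -AuthAttributeRequired $true

# Host firewall: accept RADIUS only from that client, authentication on 1812 and accounting on 1813
foreach ($p in @{ 1812 = 'Authentication'; 1813 = 'Accounting' }.GetEnumerator()) {
    New-NetFirewallRule -DisplayName "RADIUS $($p.Value) from rras01" -Direction Inbound -Protocol UDP `
        -LocalPort $p.Key -RemoteAddress '10.10.0.5' -Action Allow | Out-Null
}

# Connection request and network policies are authored in the console; export the result so it can be
# versioned and imported on further NPS servers (exportPSK=YES includes shared secrets, protect the file)
netsh nps export filename="C:\Backup\nps-$(Get-Date -Format yyyyMMdd).xml" exportPSK=YES
```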
Network Policy design
When creating Network Policies in NPS, include:
- Conditions: specify Windows Groups (e.g., “VPN Users”), user IP ranges, NAS Port Types (VPN), or Certificate Issuer for client certificates.
- Constraints: select authentication methods. For SSTP you can use EAP (e.g., EAP-MSCHAPv2 with PEAP) for username/password with server certificate validation, or EAP-TLS for client certificate authentication.
- Settings: assign IP filters, session timeout, encryption strengths (require MS-CHAP v2 or stronger), and VLAN assignment if using RADIUS attributes for dynamic VLANs.
- Accounting: enable RADIUS accounting if you need usage logs; configure SQL or local log review.
Recommended: Use PEAP (EAP-MSCHAPv2) with strong passwords and enforce MFA where possible. For higher assurance, use EAP-TLS (client certificates).
Step 3 — Firewall, ports, and network routing
Ensure connectivity between clients, the SSTP server, and the NPS/RADIUS server:
- Open TCP 443 to the SSTP server from the Internet. This is the only port remote clients need to reach.
- Allow RADIUS traffic between SSTP and NPS: typically UDP 1812 (authentication) and UDP 1813 (accounting). If you have legacy devices, verify whether UDP 1645/1646 are used.
- Between VPN clients and internal resources, configure routing rules and firewall policies. If you use split tunneling, ensure policies allow internal subnet access while restricting Internet traffic per security policy.
- Harden the SSTP host: apply host-based firewall rules, limit management interfaces, and enable logging/IDS as appropriate.
Step 4 — Client configuration and deployment
Windows clients (built-in SSTP support):
- Open Network & Internet settings → VPN → Add a VPN connection.
- VPN provider: “Windows (built-in)”; Connection name: friendly name; Server name or address: the public FQDN pointing to your SSTP server.
- VPN type: “Secure Socket Tunneling Protocol (SSTP)”.
- Type of sign-in info: username and password (or smart card/certificate if EAP-TLS).
- Optionally configure “Remember my sign-in info” for easier reconnections. For domain-joined machines, you can deploy settings by Group Policy (VPN profiles via Windows VPNv2 CSP or older Rasphone.pbk).
For automated provisioning:
- Use Group Policy preferences or Microsoft Intune to push VPN profiles and trusted certificate authorities.
- Ensure the server certificate is trusted by all clients; distribute the CA certificate if using an internal CA.
Testing and verification
Test the deployment in phases:
- From an external client, attempt to connect and verify the TLS handshake: use network capture (Wireshark) to ensure SSTP negotiation succeeds and TLS cert matches the expected CN/SAN.
- On the NPS server, review the Security logs (Event Viewer → Custom Views → Server Roles → Network Policy and Access Services) for accepted/rejected authentication events.
- Use the RRAS logs and Windows Event Viewer on the SSTP host to identify session establishment and errors.
- Verify routing and resource access: ping internal resources, check DNS resolution, and validate split-tunnel behavior if configured.
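Two helpers covering the first two verification steps, added here and not part of the original guide: Test-SstpListener performs the TLS handshake from an external client and reports what the client actually saw, and Get-NpsDecisions summarises the NPS accept/reject audit events. The function names and the FQDN vpn.example.com are assumptions.

```powershell
# Added example (not from the original guide). Test-SstpListener runs from an outside client against the
# public FQDN (assumed vpn.example.com); Get-NpsDecisions runs on the NPS server. Both names are chosen here.
function Test-SstpListener {
    param([string]$Fqdn = 'vpn.example.com', [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Full chain and revocation validation, TLS 1.2: a failure here is what Windows clients will hit too
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Issuer      = $cert.Issuer        # a TLS-inspecting proxy shows up here as an unexpected issuer
            DnsNames    = ($cert.DnsNameList.Unicode -join ', ')
            MatchesFqdn = ($cert.DnsNameList.Unicode -contains $Fqdn)
            NotAfter    = $cert.NotAfter
        }
    } finally { $tcp.Close() }
}

function Get-NpsDecisions {
    param([int]$Hours = 24)
    # NPS audits to the Security log: 6272 = access granted, 6273 = access denied
    $filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Granted = ($e.Id -eq 6272)
            User    = $d.FullyQualifiedSubjectUserName
            NasIp   = $d.NASIPv4Address
            Client  = $d.ClientName            # RADIUS client friendly name, i.e. the RRAS entry
            Policy  = $d.NetworkPolicyName
            EapType = $d.EAPType
            Reason  = $d.Reason                # populated on 6273 only
        }
    }
}

# On the external client:  Test-SstpListener | Format-List
# On the NPS server:       Get-NpsDecisions -Hours 6 | Where-Object { -not $_.Granted } | Format-Table -AutoSize
```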
Troubleshooting common issues
Common problems and how to address them:
- Certificate mismatch or untrusted certificate: Ensure the certificate’s CN/SAN matches the VPN FQDN and that clients trust the issuing CA. Check certificate expiration and EKU.
- RADIUS authentication failures: Verify shared secret, RADIUS client IP settings, and that NPS is registered in AD. Check NPS logs for policy evaluation details.
- SSTP handshake failures: Confirm TCP 443 is open and not being intercepted by a proxy performing TLS inspection. If TLS inspection is present, allow bypass for the SSTP FQDN or use certificate pinning approaches.
- Firewall or NAT issues: if RRAS sits behind NAT, confirm that TCP 443 on the public address is forwarded to the RRAS server’s internal address. SSTP over HTTPS avoids most NAT traversal problems but still depends on correct TCP port forwarding.
- Client-side authentication prompts: Check that NPS policies match client credentials (EAP type). If using PEAP, ensure server cert is trusted to prevent repeated prompts.
Security hardening and best practices
To maintain a secure SSTP + NPS deployment:
- Enforce strong authentication: prefer EAP-TLS or PEAP with MFA. Use conditional access or certificate-based client validation where feasible.
- Limit user privileges and use AD groups to restrict VPN access. Apply least-privilege principles and segregate admin access.
- Harden the servers: keep Windows patched, limit exposed services, enable host-based firewalls, and use endpoint protection.
- Monitor logs and enable RADIUS accounting to track connections, durations, and unusual patterns. Integrate logs into a SIEM for correlation and alerting.
- Rotate shared secrets and certificates periodically. Automate certificate renewal where possible (e.g., with AD CS auto-enrollment).
Scaling and high availability
For larger deployments consider:
- Deploying multiple SSTP servers behind a load balancer that supports SSL pass-through or terminates TLS and re-encrypts, depending on your trust model.
- Using NPS Load Balancing via RADIUS proxies or NPS clusters to distribute authentication across multiple NPS servers.
- Centralizing logs and using redundancy for DHCP/IPAM to ensure client addressing and routing remain available.
Integrating SSTP VPN with Windows NPS provides a secure, standards-based remote access solution well-suited for Windows-centric environments. By following certificate best practices, designing robust NPS policies, and enforcing strong authentication, you can achieve a balance of usability and security suitable for enterprise use. For additional resources and detailed command examples for RRAS and NPS configuration, consult Microsoft’s official documentation or your internal IT standards.
Published by Dedicated-IP-VPN