Secure, remote access remains a top priority for organizations of all sizes. Combining SSTP (Secure Socket Tunneling Protocol) VPN with Windows Network Policy Server (NPS) yields a robust, centrally managed authentication solution that leverages existing Active Directory investments, strong certificate-based security, and the convenience of TCP/443 to traverse restrictive networks. This article walks through the architecture, detailed configuration steps, best practices, and troubleshooting tips for deploying SSTP VPN with Windows NPS in enterprise environments.
Why SSTP + NPS?
SSTP encapsulates VPN traffic over TLS/SSL and uses TCP port 443, making it highly likely to pass through firewalls and proxy environments that often block IPsec and UDP-based VPNs. Pairing SSTP with Windows NPS (Microsoft’s RADIUS implementation) enables centralized authentication, authorization, and accounting (AAA) using Active Directory groups, multifactor authentication, and granular access policies.
Key advantages include:
- Firewall-friendly transport: SSTP uses TLS over TCP 443.
- Centralized policy management: NPS enforces AD-based policies, conditional access, and logging.
- Flexible authentication: Support for EAP-TLS (certificates), PEAP/EAP-MSCHAPv2 (AD password + optional MFA brokers), and RADIUS accounting.
- Integration: Native Windows Server roles simplify management in AD domains.
High-Level Architecture
At a minimum, a production deployment contains:
- An SSTP-capable VPN server (typically a Windows Server with RRAS/Remote Access role).
- One or more NPS servers (can be the same server in small deployments, but ideally separate for redundancy).
- An Active Directory domain for user identities and group membership.
- A PKI (Certificate Authority) for issuing server and client certificates if using EAP-TLS.
- Network components: firewalls, NAT, and routing supporting TCP/443 to the SSTP server and UDP 1812/1813 to the NPS server(s).
Prerequisites and Planning
Before you begin, verify the following:
- Windows Server with RRAS/Remote Access capability (Windows Server 2016/2019/2022 recommended).
- One or more NPS servers with the NPAS role installed.
- A publicly trusted or internally trusted SSL certificate for the SSTP server; the certificate must have the Server Authentication EKU and a subject name matching the public DNS name clients connect to.
- RADIUS shared secret planned and stored securely for each RADIUS client (SSTP server).
- Firewall rules: inbound TCP 443 to SSTP server; outbound UDP 1812/1813 from SSTP to NPS (or appropriate ports if customized).
- Time synchronization across servers (Kerberos and certificate validation depend on accurate clock).
Step-by-Step Configuration
1. Install and Configure RRAS for SSTP
On the SSTP server (can be the same server as NPS in small setups):
- Install Remote Access role and enable VPN (Routing and Remote Access Service – RRAS). Use Server Manager or PowerShell:
- PowerShell example:
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools
- Configure RRAS for VPN access and enable SSTP as a VPN type. Assign an SSL certificate to SSTP: the certificate must be in the Local Computer > Personal store and match the FQDN clients use.
- Bind the certificate in RRAS: RRAS console → right-click server → Properties → Security tab → select certificate for SSTP.
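The same step as a script, added here as an example and not code from the original article. It installs the roles, selects and validates the SSTP certificate before binding it, restricts user authentication to EAP, and registers the NPS servers as the RADIUS authentication and accounting targets for RRAS (the RADIUS side of this step, which the console equivalent is the Security tab's authentication provider). The names vpn.example.com, nps01.corp.example and nps02.corp.example are assumptions; the cmdlets come from the Windows RemoteAccess module and the script is run elevated on the VPN server.

```powershell
# Added example (not from the original article): RRAS/SSTP configuration on the VPN server.
# Assumed values: public name vpn.example.com, NPS hosts nps01/nps02.corp.example, and a
# server certificate already enrolled into Cert:\LocalMachine\My. Run elevated on Windows Server 2016+.

$PublicFqdn = 'vpn.example.com'                               # assumed: the name clients connect to
$NpsServers = @('nps01.corp.example', 'nps02.corp.example')   # assumed: two NPS hosts for redundancy

# 1. Roles: Remote Access (VPN) plus Routing.
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools

# 2. Pick the SSTP certificate: private key present, Server Authentication EKU,
#    and the public FQDN among its DNS names. Prefer the one expiring last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication') -and
        ($_.DnsNameList.Unicode -contains $PublicFqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable SSTP certificate for $PublicFqdn in LocalMachine\My" }

# Fail here on chain or name problems rather than on the first client connection.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $PublicFqdn)) {
    throw "Certificate $($cert.Thumbprint) does not validate as an SSL server certificate for $PublicFqdn"
}

# 3. Enable the VPN role and bind the certificate to SSTP.
Install-RemoteAccess -VpnType Vpn
Set-RemoteAccess -SslCertificate $cert

# 4. Accept only EAP for user authentication (EAP-TLS or PEAP are negotiated inside EAP),
#    so PAP, CHAP and bare MS-CHAPv2 are not offered to clients.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru

# 5. Point RRAS at NPS for authentication and accounting. The shared secret must equal the
#    RADIUS client entry on each NPS server; it is typed at run time, not stored in the script.
$secret = Read-Host -Prompt 'RADIUS shared secret (same value configured on NPS)'
foreach ($nps in $NpsServers) {
    Add-RemoteAccessRadius -ServerName $nps -SharedSecret $secret -Purpose Authentication
    Add-RemoteAccessRadius -ServerName $nps -SharedSecret $secret -Purpose Accounting
}
Remove-Variable secret

# 6. Show the result: VPN status, bound certificate and RADIUS targets.
Get-RemoteAccess       | Select-Object VpnStatus, SslCertificate
Get-RemoteAccessRadius | Select-Object ServerName, Purpose, Port, Score
```

The certificate selection deliberately filters on the EKU and DNS name rather than on a thumbprint, so the same script keeps working after a renewal; Test-Certificate with the SSL policy then catches a broken chain or a name mismatch, which are the two certificate problems the troubleshooting section below lists.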
2. Configure NPS as RADIUS
On the NPS server:
- Install the Network Policy and Access Services role:
Install-WindowsFeature NPAS -IncludeManagementTools
- Register NPS in Active Directory (NPS console → Register server in Active Directory) so it can read user group membership.
- Add the SSTP server as a RADIUS client: NPS Console → RADIUS Clients → New. Enter a friendly name, IP/DNS, and a strong shared secret (store securely).
- Configure Network Policies to match incoming VPN requests. Use conditions like “Windows Groups” to permit only specific AD groups. Add constraints for EAP types if using certificate-based or PEAP authentication.
- Optionally configure Connection Request Policies if you need to forward authentication to other RADIUS servers.
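The NPS side of the same procedure as a script, added here as an example and not code from the original article. Network policies have no dedicated cmdlets and are still created in the console as described above (or moved between servers with Export-NpsConfiguration / Import-NpsConfiguration), so the script covers the role install, AD registration, a configuration backup, and the RADIUS client entry with a generated shared secret. The friendly name vpn01-sstp, the address 10.10.20.5 and the backup path are assumptions; run it elevated on the NPS host.

```powershell
# Added example (not from the original article): NPS configured as the RADIUS server for the SSTP host.
# Assumed values: RADIUS client vpn01-sstp at 10.10.20.5 and a backup file under C:\NpsBackup.

$ClientName = 'vpn01-sstp'                          # assumed friendly name of the RRAS/SSTP server
$ClientAddr = '10.10.20.5'                          # assumed address Access-Requests arrive from
$BackupPath = 'C:\NpsBackup\nps-before-sstp.xml'   # assumed

# 1. Role install.
Install-WindowsFeature NPAS -IncludeManagementTools

# 2. Register NPS in AD so it may read users' dial-in properties and group membership
#    (adds the computer account to the "RAS and IAS Servers" group).
netsh nps add registeredserver

# 3. Keep a copy of the configuration before changing it. The export contains shared secrets,
#    so the file needs the same protection as the secrets themselves.
New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
Export-NpsConfiguration -Path $BackupPath

# 4. Generate a long random shared secret instead of a human-chosen one (works on Windows PowerShell 5.1 and PowerShell 7).
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 48
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)   # 64 printable characters

# 5. Create the RADIUS client entry. AuthAttributeRequired makes NPS reject Access-Requests
#    that lack a valid Message-Authenticator attribute, so a packet with a guessed source
#    address alone does not get processed.
New-NpsRadiusClient -Name $ClientName -Address $ClientAddr -SharedSecret $secret `
    -AuthAttributeRequired $true -Enabled $true

# 6. Show the entry, hand the secret to the RRAS administrator out of band, then drop it from memory.
Get-NpsRadiusClient -Name $ClientName | Select-Object Name, Address, Enabled, AuthAttributeRequired
Write-Host "Shared secret (enter on the RRAS side now; do not keep transcript output): $secret"
Remove-Variable secret, bytes
```

After the client entry exists, create the network policy in the console with a "Windows Groups" condition and an EAP-only constraint, and confirm the policy's processing order puts it ahead of any broader policy, since NPS evaluates policies top-down and stops at the first match.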
3. Choose Authentication Method
Two common options:
EAP-TLS (Certificate-based)
- Strongest option: client certificates for mutual authentication. Requires a PKI to issue client certificates and policies to auto-enroll clients (via Group Policy and auto-enrollment).
- On NPS, allow EAP-TLS in policy constraints. Configure the server to trust the client CA.
- Ensure CRL distribution points are reachable; certificate revocation checks are enforced by default.
PEAP (EAP-MSCHAPv2)
- Clients authenticate with AD credentials over an encrypted TLS tunnel. Simpler to deploy because clients don’t need certificates for user authentication (server certificate still required).
- Can be combined with MFA (e.g., Azure MFA via NPS extension or third-party RADIUS proxies).
- On NPS, configure PEAP and select MSCHAPv2 inner method; map attributes as needed.
4. Configure RADIUS Accounting and Logging
Enable accounting on NPS to capture connection events and usage. NPS supports logging to text files, SQL servers, or Windows Event Log:
- Configure logging in NPS console under Accounting to maintain connection records for auditing and troubleshooting.
- Set up centralized log collection (SIEM) for large deployments.
5. Firewall and NAT Considerations
Ensure the following network rules are present:
- Inbound TCP 443 to the SSTP server (from client networks/internet).
- Outbound UDP 1812/1813 (RADIUS auth/accounting) from SSTP to NPS servers. If you use a custom RADIUS port, open it.
- If SSTP server is behind NAT, ensure port forwarding is configured and server certificate subject matches the public name clients use.
RADIUS Attributes and Policy Fine-Tuning
NPS allows you to set and condition on RADIUS attributes. Useful examples:
- Filter by NAS-Port-Type to allow only VPN connections.
- Return vendor-specific attributes or framed routes to enforce per-user routing.
- Use Filter-Id or Class attributes to apply VLAN assignment or dynamic access control lists (in integrated network equipment).
Map policies to AD groups using the “Windows Groups” condition and configure constraints (EAP types, time-of-day, idle timeout). Use “Access-Denied” or “Access-Accept” settings to dictate behavior and send tunnel-specific attributes where applicable.
Best Practices
- Use EAP-TLS where possible: client certificates provide higher assurance and mitigate credential theft risks.
- Harden NPS: apply least privilege, keep servers patched, restrict administrative access, and enable auditing.
- High availability: deploy multiple NPS servers and load-balance or use DNS round-robin; configure SSTP/RRAS to point to multiple RADIUS destinations.
- Monitor and alert: collect NPS logs centrally and alert on abnormal access patterns.
- Certificate lifecycle: plan certificate expiry and renewal processes (server cert, client certs, CA cert validity).
- Split tunneling and DNS: decide whether to route all traffic through the VPN or only internal resources. Configure DNS suffix and internal DNS servers via NPS or Group Policy.
Troubleshooting Tips
Common failure modes and how to diagnose them:
Certificate Errors
- Clients may reject the server certificate if the subject name doesn’t match the FQDN. Verify names and certificate chain using certutil or the Certificates MMC.
- CRL or OCSP availability: ensure the client and server can reach CDP/OCSP endpoints. Use certutil -urlfetch -verify cert.cer to test.
Authentication Failures
- Check NPS event logs: Event IDs indicate reasons (e.g., 6278 – authentication failed, 6273 – connection attempt failed).
- Use Wireshark or network captures between SSTP and NPS to inspect RADIUS traffic. Look for wrong shared secret errors or malformed requests.
- Verify time skew: Kerberos authentication and certificates fail with significant clock drift.
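A way to turn the NPS event log into a triage view, added here as an example and not code from the original article. It reads Event ID 6273 (NPS denied access to a user) from the Security log, parses the account, source address, RADIUS client and NPS reason text out of each message, and groups them so that a misconfiguration (many users failing with the same reason code) looks different from credential guessing (one account or one source address failing repeatedly). It assumes the default "Network Policy Server" audit subcategory is enabled on the NPS host; the sample messages, the users jdoe/asmith/bchen and the addresses are constructed so the block runs offline.

```powershell
# Added example (not from the original article): summarise NPS Access-Reject events (Event ID 6273).
# Assumes the "Network Policy Server" audit subcategory is enabled (the default on an NPS host).

function Get-NpsDenialSummary {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$BurstThreshold = 10,     # denials per account or per source address that count as a burst
        [string[]]$SampleMessages      # constructed input for an offline run; omit to read the live log
    )

    $messages = if ($SampleMessages) { $SampleMessages } else {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $Since } -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Message }
    }

    # Parse the fields NPS writes into the 6273 message body. The first "Account Name" is the user,
    # "Calling Station Identifier" is the VPN client's source address, "Reason" is NPS's own explanation.
    $rows = foreach ($m in $messages) {
        [pscustomobject]@{
            Account      = if ($m -match 'Account Name:\s+(\S+)')               { $Matches[1] } else { '?' }
            SourceIP     = if ($m -match 'Calling Station Identifier:\s+(\S+)') { $Matches[1] } else { '?' }
            RadiusClient = if ($m -match 'Client Friendly Name:\s+(\S+)')       { $Matches[1] } else { '?' }
            ReasonCode   = if ($m -match 'Reason Code:\s+(\d+)')                { [int]$Matches[1] } else { -1 }
            Reason       = if ($m -match 'Reason:\s+([^\r\n]+)')                { $Matches[1].Trim() } else { '?' }
        }
    }

    [pscustomobject]@{
        Total      = @($rows).Count
        ByReason   = $rows | Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
                         Select-Object Count, @{n='ReasonCode';e={$_.Group[0].ReasonCode}}, @{n='Reason';e={$_.Group[0].Reason}}
        ByAccount  = $rows | Group-Object Account  | Where-Object Count -ge $BurstThreshold | Select-Object Name, Count
        BySourceIP = $rows | Group-Object SourceIP | Where-Object Count -ge $BurstThreshold | Select-Object Name, Count
        Rows       = $rows
    }
}

# --- constructed sample data: a 6273 message body in the layout NPS uses, with only the fields parsed above ---
function New-SampleDenial([string]$User, [string]$Ip, [int]$Code, [string]$Text) {
@"
Network Policy Server denied access to a user.

User:
	Security ID:			CORP\$User
	Account Name:			$User
	Account Domain:			CORP

Client Machine:
	Account Name:			-
	Calling Station Identifier:		$Ip

RADIUS Client:
	Client Friendly Name:		vpn01-sstp
	Client IP Address:			10.10.20.5

Authentication Details:
	Network Policy Name:		SSTP VPN Users
	Authentication Type:		EAP
	Reason Code:			$Code
	Reason:				$Text
"@
}

# Twelve failures for one account from one address (a burst) plus two users hitting no matching policy.
$sample  = @(1..12 | ForEach-Object { New-SampleDenial 'jdoe' '203.0.113.10' 16 'Authentication failed due to a user credentials mismatch.' })
$sample += New-SampleDenial 'asmith' '198.51.100.7' 48 'The connection request did not match any configured network policy.'
$sample += New-SampleDenial 'bchen'  '198.51.100.9' 48 'The connection request did not match any configured network policy.'

$summary = Get-NpsDenialSummary -SampleMessages $sample -BurstThreshold 10
$summary.ByReason   | Format-Table -AutoSize   # 12 x reason code 16, 2 x reason code 48
$summary.ByAccount  | Format-Table -AutoSize   # jdoe 12
$summary.BySourceIP | Format-Table -AutoSize   # 203.0.113.10 12
```

Run without -SampleMessages on the NPS host to read the real log; a large ByAccount or BySourceIP entry is what to alert on from a SIEM, while a ByReason table dominated by a single non-credential code (for instance a policy or EAP-type mismatch) points at configuration rather than at users.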
Connection Drops / Performance
- SSTP carries traffic inside a TCP connection, which can suffer from TCP-over-TCP issues. Tune TCP MSS/MTU and consider using keepalives or IKEv2 where possible for better performance.
- Adjust RRAS timeout and fragmentation settings. Monitor for retransmits and congestion on the WAN link.
Advanced Topics
Multi-factor Authentication
Integrate MFA by using the NPS extension for Azure MFA, third-party RADIUS proxies, or by chaining RADIUS servers. For PEAP, the NPS server validates credentials while Azure MFA or a third-party system can prompt for second-factor verification.
Dynamic Policies and Conditional Access
NPS allows policy conditions based on client IP, device group membership, and connection type. For more advanced conditional access (device compliance, location, risk signals), consider combining NPS with cloud-based conditional access solutions (e.g., Azure AD Conditional Access in hybrid setups).
Summary
Deploying SSTP VPN with Windows NPS provides a practical, firewall-friendly VPN solution with centralized authentication and policy control. By following best practices—using proper certificates, securing and scaling NPS, and configuring appropriate policies—organizations can deliver secure remote access to users while maintaining centralized visibility and control. Carefully plan authentication methods (EAP-TLS vs PEAP), ensure reliable CRL/OCSP availability, and instrument logging for quick troubleshooting and audit compliance.
For more deployment guides, configuration snippets, and downloadable checklists, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.