Instructions how to enable SSTP VPN server in Windows 2008 simplified

In the brief 10-minute procedure below, you’ll learn how to create a VPN connection using SSTP (an SSL tunnel) to your work/home location from anywhere HTTPS is allowed.

This guide assumes you don’t want to use your VPN server as an Internet router and that some other device does the routing. The steps below will let you VPN into your remote location and route everything (including Internet traffic) through that VPN connection.

Differences from other guides on the Internet:

  • You don’t need a domain controller or certificate services for this to work
  • You don’t need 2 network adapters on your server
  • You don’t need to publish an SSL CRL (certificate revocation list)

What is needed:

  • Server SSL certificate (self-signed)
  • Windows 2008 on your local network (single NIC)
  • Vista SP1 or later


  1. Create a self-signed certificate and import it into the certificate store on the client and the server

    • Create a self-signed certificate with the domain name you’ll be using for your VPN server. I used this excellent utility ( What you want to do is set the CN to the external name you’ll be using for your VPN server (like and choose to export as a PFX file. This will create a PFX file with your certificate at the designated location. In the steps below it will be imported into the client and server as a Trusted CA.

      • Import the certificate on the client computer by following these steps: launch MMC and choose Add Snap-in, choose “Certificates”, on the next screen choose “Local Computer”, then choose “Trusted Root Certification Authorities” and import your certificate into that store.
      • Import the certificate on the server computer exactly the same way as on the client.

  2. Enable the RRAS role on Windows 2008 and configure SSTP.

    • Install the RRAS service on your server

      • Add the server role called “Network Policy and Access Services”. Choose only “Remote Access Service” as the role service, since we don’t need routing. Go through the installation process.
      • Once the server is set up, launch the Routing and Remote Access MMC and choose “Configure Routing and Remote Access server”.
      • Choose “Custom Configuration” and choose “VPN access”.
      • For your user, go to the user property pages. Choose the “Dial-in” tab and choose “Allow access” under “Network Access Permission”.

    • Configure your external router to port forward TCP 443 to the internal IP of your VPN server.

  3. Configure your Vista VPN client.

    • Go to Network and Sharing Center/Set up a connection or network/Connect to a workplace. Choose “Use Internet Connection”, enter the hostname for the connection and go through the rest of the steps. Use “Skip”, since the connection will probably fail until we configure it to use SSTP. Once the connection is created, go to the connection’s Properties/Networking, choose SSTP as the type of VPN, and uncheck IPv6 since you don’t need it at this point.


At this point you should be able to VPN into your remote home/office.
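
If the connection does not come up, the three things this guide depends on can be checked from the client: the certificate is in the Local Computer Trusted Root store, its CN matches the name you connect to, and TCP 443 is forwarded to the server. The script below is an added example, not part of the original procedure; it assumes PowerShell 2.0 or later on the client, and `vpn.example.com` is a placeholder for your server's external name.

```powershell
# Added diagnostic, not from the original guide. Run on the VPN client.
param([string]$VpnHost = 'vpn.example.com')   # placeholder: your server's external name

# Step 1 check: is a certificate with CN=<VpnHost> in Local Computer\Trusted Root?
$cnPattern = 'CN=' + [regex]::Escape($VpnHost) + '(,|$)'
$trusted = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $cnPattern })
if ($trusted.Count -eq 0) {
    Write-Warning "No certificate with CN=$VpnHost in LocalMachine\Root (step 1 not done on this client)."
}
foreach ($c in $trusted) {
    if ($c.HasPrivateKey) {
        Write-Warning "Root store copy $($c.Thumbprint) includes the private key; a client only needs the public certificate."
    }
}

# Step 2 check: does the port forward on TCP 443 reach a listener?
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($VpnHost, 443)
} catch {
    Write-Warning "TCP 443 on $VpnHost is unreachable; check the router port forward and that RRAS is running."
    return
}

# Record validation errors instead of failing, so each one can be reported.
# The callback accepts any certificate; use it only for this diagnostic.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($origin, $cert, $chain, $errors)
    $script:policyErrors = $errors
    $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($VpnHost)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $known  = @($trusted | Where-Object { $_.Thumbprint -eq $served.Thumbprint }).Count -gt 0
    "Served subject   : $($served.Subject)"
    "Served thumbprint: $($served.Thumbprint)"
    "Matches root copy: $known"
    "Policy errors    : $script:policyErrors"   # None = name and trust are both fine
} finally {
    $ssl.Close(); $tcp.Close()
}
```

A result of `RemoteCertificateNameMismatch` means the CN does not match the hostname you connect to; `RemoteCertificateChainErrors` means the certificate is not trusted on this client.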


6 thoughts on “Instructions how to enable SSTP VPN s…

  1. Hi. With my iPad/Touch I can get thru PPTP and get a correctly assigned IP address (192.168.2.XX when my home network range is 192.168.0.XXX). But I can't get any pages to open in Safari or any mail. What should I do about this?



  2. I like the idea of a self-signed certificate because it is essentially a two factor authentication (something you know + something you have), and only users who have the self-signed certificate installed would be able to access the VPN.

    Followed the instructions.
    I try to connect, it goes thru the login screen, and then when it's going to register the computer on the network I get the message saying:
    “Error 619: A connection to the remote computer could not be established, so the port used for this connection was closed.”

    Any ideas?

