Setup an SSTP SSL VPN in Windows Server 2012 R2

So here’s what’s awesome about Secure Socket Tunneling Protocol SSL VPNs: they give your connecting client an IP and make it a full-on part of the network. And this is all done over port 443, a commonly used port which is often enabled on firewalls. SSTP SSL VPNs are not like some fake “SSL VPNs” that just give users a webpage and some sort of RDP.

It’s also relatively easy setup. While there are a lot of tutorials that show how to setup SSTP SSL VPNs using AD CA generated certificates, I strongly suggest you forego that, and just use a globally recognized certificate. This prevents outside users from having to install your CA’s root cert. It also prevents them from having to make a registry change if your CRL is not published and available online. All around, a $5.99 cert that can be obtained in 12 steps is well-worth the time and money invested.

This tutorial will cover how to easily setup an SSTP SSL VPN in Windows 2012 R2 using a legit cert. If you want to use your own domain’s cert, there are other websites that provide step-by-steps. is my preferred tutorial.

Overall, there are four major steps to this:

  1. Install the appropriate certificate
  2. Setup Routing and Remote Access
  3. Configure NPS (Optional)
  4. Setup your client.

Install the SSL Certificate

Step 1

First, follow my tutorial for getting a legit $5.99 cert, down to creating the .pfx file.

Step 2

Import your PFX to the local machine’s Certificate store. To do this, certlm -> Personal -> Certificates -> Right-click, All Tasks -> Import -> Next -> Select your Cert -> Enter your password -> Next -> Finish.


Install and configure the RRAS role

Step 1

Add the Remote Access role. Server Manager -> Manage -> Add Roles and Features -> Remote Access.


Step 2

Click Next a couple times, then just click DirectAccess and VPN. DirectAccess seems cool, but it’s only intended for mobile domain-joined computers, which I’m not looking to support.


Step 3

Next a couple times. It will force you to install IIS, which is odd, because RRAS can work independently of IIS (you can even stop and disable IIS and RRAS will still work). I would think just the IIS Hostable Web Core would be enough, but whatever. It’s required. Go ahead and accept that it will be installed.


Step 4

Once the Role has been installed, click the flag thing at the top, and then Open the Getting Started Wizard.


Step 5

Select Deploy VPN Only.


Step 6

Once the new window pops up, right click your server name (mine is VPN (local)) then Configure and Enable Routing and Remote Access.


Step 7

We’re trying to keep our surface area as small as possible, so click on Custom Configuration.


Step 8

Next, only check VPN Access.


Step 9

The RRAS Sericve will configure itself, and start the service. You will then be returned to the RRAS config window. Right click your server name, then Properties.


Step 10

Check that your SSL Certificate binding is the newly installed certificate.


Step 11

Next, click on IPv4. Here, you can either do a DHCP forwarding or just give RRAS a few IP addresses to hand out. Click Apply then Okay. You’ll be returned again to the RRAS window.


At this point, your RRAS server is setup! But I recommend a few more steps.

If you don’t want to add any additional security (IP restrictions, Group Access to VPN), then you can skip the next section and jump to setting up the client. I find it super interesting, though. I’d give it at least a glance.

Setup Network Policy Server (Optional)

Step 1

Once you’ve returned to the RRAS window, *left-click* Remote Access Logging and Policies. Then right-click and Launch NPS.


Step 2

A new Network Policy Server window will pop-up. Here, we can set which users can access the VPN, set the type of authentication encryption, and restrict network access.


Step 3

We’ll start by creating a new Network Policy. Right click Network Policy and click New.


Step 4

Name your Policy, and select Remote Access Server (VPN/Dial-up).


Step 5

Leave this window for a moment, go into AD, create a Group and name it VPN Access or whatever you wish, and add some users. Come back, and add that Windows Group by clicking Add -> Windows Group.


Step 6

Confirm and click Next


Step 7

Grant this group access.


Step 8

Here, you can choose your Authentication Encryption. I disabled all the weaker ones, and only enabled the stronger Microsoft: Secured Password (EAP-MSCHAP v2).


Step 9

Here you can set some restrictions if you like. Click Next.


Step 10

Click on IP Filter.


Step 11

Specify a Filter. I set mine to only allow access to my lab’s subnet.


Step 12

Click OK, next, and you’re done setting up NPS!

There’s more, but I’ll likely cover that later. You can also configure the Network Policy Server which can lock down your network so that only clients with Firewalls enabled and AVs installed will be allowed to connect.


Setup a Client to Connect

Step 1

Log into a Windows machine. SSTP was introduced in Windows Vista, so the OS must be Vista or Greater (or Server 2008 and greater). Go to Network and Sharing Center. Click Setup New Connection or Network.

Step 2

Click Connect to a workplace.


Step 3

Click Use Internet Connection (VPN).


Step 4

Fill in your info, and click Don’t connect now; just setup so I can connect later.


Step 5

Enter your user information. Don’t forget that if you didn’t setup a Group to access the VPN using NAP, you’ll need to enable Dial-In access within Active Directory Users and Computers for that user.


Step 6

We still need to configure a couple more things. Click on your connection -> Properties.


Step 7

Click the Security Tab -> Change type of VPN to SSTP. By default, it detects the type of VPN automatically, but slightly slows down the process.

Also change your authentication as seen below. That’s all you need. Note that, by default, Windows VPNS will use the remote gateway. If you want to modify that, go to Properties -> Networking -> IPv4 -> Advanced -> Uncheck Use Default Gateway on Remote Network.


Step 8

Right-click -> Connect.


Step 9

Awesome. Poke around ipconfig if you’re interested in seeing your assigned IP, gateway and DNS servers.


Some final notes

Don’t forget that you have to expose your VPN’s port 443 at the router. To ensure that things are working, you can also try hitting your VPN server via a browser at https://yourvpn.server.ext. It should return a 404.

In addition, IIS is not necessary. You can actually stop it, disable the service, and you will still be able to connect to your VPN.


Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Security, Windows
63 comments on “Setup an SSTP SSL VPN in Windows Server 2012 R2
  1. Cory Silva says:

    This is a great write up, thank you for taking the time!

  2. Jeff Viola says:

    Great instructions!!! Very easy to follow and I was successful at setting up SSTP connections with a Network Policy! Thank you. I was wondering if you have an article or know how to connect using IKEv2?

  3. David Han says:

    The most easiest follow up (& comprehensive) article re setup sstp on the net, well done

  4. jan straatman says:

    Great article!

    Could I use this type of VPN also on a Windows server 2012 R2, that is in a workgroup instead of a domain? This server is used as a terminal server, and I want to give some users access to an appliciation on this server, from outside the company.

  5. Marco Lucido says:

    I am using adfs with a proxy exposed to the internet. The proxy has WAP installed. Would I make the proxy the server that is the VPN access point? It has a static external address (172.x.x.x) and an internal address.


  6. AlexA says:

    Can you setup an IKEv2 VPN in Windows Server 2012 R2.
    I am trying to connect my windows phone 8.1 VPN using IKEv2 (user name+password).
    I get an connection error: Verify that your network has the necessary ports open. Error code 809.
    I need help on PowerShell commands for IKEv2 inbound ports UDP Port Number=500, UDP Port Number=4500 and UDP Port Number=1701

  7. Drake says:

    is it possible to set up a VPN sstp WITHOUT a domain i mean i have a window server 2012 domain but i dont have the user/computer in the Activity directory cause he is running window 10 home edition and i dont want to upgrade to pro and add him to the domain so is their a way to set a up network poiley that let anyone connect to the vpn sstp or can i download a certicate to his computer etc ?? please reply back ASAP thank you have a great day

  8. Robert says:

    This is an exemplary write-up. It worked exactly as you described on Server 2012 R2. Thank you, Ms. LeMaire.

  9. Amanda saft says:

    Thank you for this. Very well explained.

  10. David Cobb says:

    Extraordinarily helpful, thank you.

  11. Chris Johnson says:

    great piece of information. The same tutorial on setup a SSTP VPN i read from PureVPN

  12. PacMAn says:

    and is there Client Certificate?

  13. Miss says:

    Thank you !!

  14. Douglas Cohn says:

    Ho w do you get the Certificates MMC windows without Local Root?

    Just with Certificates at the top?

    certlm -> Personal -> Certificates ->

  15. Douglas Cohn says:

    Never mind. Sorry. I misread what you wrote very clearly. CERTLM. I was trying CERTLIM in error.

    BEAUTIFULLY written article. Works like a charm. Thank you so much

  16. Kevin Lang says:

    Nice article. Thanks for writing it. One quick question – it is possible to complete this setup, without steps 1 and 2? Just to test before purchasing the cert? Thanks.

  17. Edwin says:

    Bought an SSL certificate this week and yesterday installed VPN on my server. Today I tried to connect from work and it works flawlessly.

  18. Robert M says:

    Hi Thanks for this great tutorial. I have my server up and accepting connections. It works great when I am just using User groups as a condition in the NPS policy. If I add a Machine Group to the policy the connection fails.

    A google search revealed others with same issue, but no solution. Any ideas?


  19. Jessie Pinkman says:

    Chrissy, these kind of “instructions” completely dismiss THE LEAST BASIC security.
    IF you create a _custom_ configuration and your RRAS server is not behind any firewall, you will be publishing your whole VPN server to internet meaning anybody from anywhere can for example RDP to your RRAS server just by guessing username and password.

    • Chrissy LeMaire says:

      I won’t waste telling visitors how to turn on a computer, and similarly, I won’t cover shit like “don’t expose your ports needlessly” and “put your server behind a fucking firewall.”

      If you have further instructions for me to post because I missed something, just say the shit and I’ll add it.

    • George says:

      no, it won’t. It opens 443 and 1743 (PPTP). RDP is an entirely different port, and enabling RRAS, won’t magically create a DMZ. lmao. Come on man, ridiculous.

  20. randomadmin says:

    “In addition, IIS is not necessary. You can actually stop it, disable the service, and you will still be able to connect to your VPN.”

    Very odd that there’s so few sites that mention this. I guess there’s a lot of admins that just go with whatever is installed. I set up VPN on Windows server for my company and noticed due to the mandatory install of IIS that there’s actually a full webserver being deployed. There’s even a live default webpage running after finishing the Routing and remote access wizard. I disabled the IIS server since I don’t want unnecessary crap running in my network and I did some testing if the VPN functionality was still up (which was the case) but I was still a bit worried if my VPN users weren’t experiencing issues because of IIS being disabled. Luckily this page gave me confirmation so thanks for that!

  21. Just used this, you are fantastic!

  22. newbie says:

    Excellent article.

    step 2: is this done on the server are the client computer?

    “Import your PFX to the local machine’s Certificate store. To do this, certlm -> Personal -> Certificates -> Right-click, All Tasks -> Import -> Next -> Select your Cert -> Enter your password -> Next -> Finish.”

  23. z0ner says:

    Ridiculously awesome step-by-step instructions. Thanks!

    I’m trying to find info on the “Use HTTP” checkbox on step 10. Does anyone know what it does?

    • Chrissy LeMaire says:

      Hey z0ner, Microsoft says it’s for reverse proxies — ‘With this UI, we also support configuration for SSTP in reverse proxy scenario. This can be done by having the check box “Use Http” checked. This configures SSTP to receive the plain HTTP packet as SSL is offloaded to proxy. In this case, user needs to manually configure the Certificate Hash in the registry manually, as done in Windows Server 2008’

  24. r2690698 says:


    Looks good, i’m using OpenVPN just now, and it’s horrible think i would prefer to your RRAS. however we build our infrastructure in AWS using auto scaling we need a fully scripted setup, do you have any examples say in powershell for this config ?

    • Chrissy LeMaire says:

      Ha, great question! Unfortunately, I didn’t have time to create one. If you end up doing it, let me know and I’ll shout it out from the roof tops. That’d be awesome!

  25. Dave says:

    I keep getting a certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

    I followed the steps to certutil and imported PFX to Personal Certificates… I read somewhere else it suggested to import CERT not PFX to Trusted Root Certification did that and still get same error. Any help would be appreciated.

  26. Charles says:

    How can I set a fixed IP address for the client, since there is no Physical Address?!

  27. david says:

    de cn-naam van het certifcaat komt niet overeen met de doorgeveen waarde

  28. Mario says:

    Thank you, created/modified/tested/secured/production.
    It works as expected.

  29. Fried says:

    It works perfectly without getting any issue. Each step on this post is perfectly worked for me. Thanks for sharing.

  30. Rudy Scott says:

    If you also have installed installed Remote Web Access and the Windows Essentials Experience role, you may find that the Wse wizard has already created a NPS policy for the VPN with a GUID for the name. Be sure to edit this policy or move your policy to a higher priority. It took me a bit to figure out why I couldn’t get EAP-MSChapv2 authentication to work until I found that my user was having this other (Wse generated) NPS policy applied to their connection instead of the one I thought was being applied.

  31. Nicolas says:

    Hello!!! Greetings from Argentina!
    Perfect guide!!!! Thks Chrissy!!!

    I need to limit only 1 connection per user.

    Someone can give some info to do this?

    Thks in advance.


  32. John says:

    Under step 10 SSL Certificate Binding, Do you have to use a certificate or can you use the “default” certificate that is already included in the drop down menu shown in your picture? So far I can only get PPTP to connect. I have 1701, 1723, UDP 500 and, 443 forwarded through the firewall. NPS policies are identical to yours. What am I missing?

  33. Steve says:

    Great doco. Really helped me,, and I call myself an IT pro :ô)

  34. Bev says:

    Thank you for this very helpful document. I have a question about licensing. Do we need separate remote access CALs for the VPN or does that fall under the regular User CALs? Thank you.

  35. Helio Perlman says:

    On server setup Step 11
    “Next, click on IPv4. Here, you can either do a DHCP forwarding or just give RRAS a few IP addresses to hand out. Click Apply then Okay. You’ll be returned again to the RRAS window.”
    I only can connect to the VPN if I setup static address pool.
    The client lost Internet access while on the VPN.
    How to solve that?

  36. Shadycat says:

    Hi Chrissy,

    I have just set this up with server 2016. Is it safe to expose this to the internet or should it be used with a reverse proxy etc.

    Many thanks

  37. Erikgj says:

    Does this set up require a 2 nic server? I have seen conflicting information. If two are required what is the recommended set up?

    • Chrissy LeMaire says:

      This does not require 2 nics. Two nics may be required for advanced dmz setups or something but not for this setup.

  38. Roy Barnes says:


    Thanks for the guide!
    I am getting the Certificate CN does not match the passed value when clients are trying to connect.

    Any advice would be welcome

  39. al moore says:

    Solid instructions. Thanks for taking the time to post this!

  40. Mark says:

    Make sure you have SSTP ports open in your RAS server, mine was set to zero. If you do not, you are going to see 503 errors, An existing connection was forcibly closed by the remote host or the local host closed the connection….

  41. Douglas Cohn says:

    Hi There,

    Great writeup. I must have found this 3 years ago and it was a lifesaver. But now that I need to renew the cert I am lost.

    I open the certificate manager STEP 2, and I go to the existing Cert but it will not allow me to create a CSR. I am logged in as an Admin user on the domain.

    It gives me an error that its not the Certificate server. I am using the 5.99 cert lead you supplied as well. I had purchased a 3 year and I am trying to renew.

    Would greatly appreciate any advice.

    • Chrissy LeMaire says:

      I would recommend PowerShell plus letsencrypt. I need to update this article. Letsencrypt is totally free

      • Douglas Cohn says:

        Thank you so much for the response. Very kind of you indeed.

        Is there any way you can supply a little more detail on how we would perform the update using PowerShell and letsencrypt.

        You follow me that when we attempt to create a CSR it tells me there is no CA Template yet we see the default template showing up yet it has a list of all the possible user rights and says the DOMAIN Admin does not have rights to create template.

        So confusing they make it. I called Microsoft as we are a small partner and buy their Action Pack to use Visual Studio as its $499 a year and we get 3 users. I saw that it includes 10 hours of support as well. So I call and they tel me they no longer support 2012 R2 and they want $500 for support.

        Do you offer your services possibly. Or can you give me a little more info and how that will get us past this issue.

        I want to repeat the very big Thank YOU for the original Post which I used 3 years ago as it worked perfectly including using the Network Policy Server.

        Again Thank you whatever you are able to do from here. It is appreciated and I know you can only do so much.



      • Douglas Cohn says:

        Hi Again Chrissy,

        I am sorry to be such a pain. I went through LetsEncrypt but it cannot validate the domain as it is looking for a WEBSITE and there is no website just VPN services.

        I tried CERTIFY also which is a GUI front end I believe for Letsencrypt. The renew feature did not work since there were no other Letsencrypt domains.

        I manually entered the domain and of course it did not show up. If I made it a website there would be no access as the ports are closed on the firewall. I missed the part about upgrading Comodo SSLs to letsencrypt.

        Can they remove the current cert and just request a new one though how do I get around the no website issue.

        Again I apologize for my multiple posts and promise I will not post again (unless you reply then I must thank you). If not Thank you for the original instructions which had me running for three years.

  42. Pedro Lopes says:

    I’m having problem in step 10. I was able to import the certificate as instructed, but when I get to step 10 the only certificate to choose is the default one.
    I’m using a certificate from our third email provider, since they offer a AlphaSSL WildCard certificate to our domain. I exported the crt and key from cpanel, merge in PFX and imported the PFX. I also add an entry in our dns to associate the public ip of our office, with the same domain of the certificate.
    What I’m doing wrong? Can some one help?


    Pedro Lopes

  43. Matt says:

    Thank you for this great step by step write up!

    I recently took over a network that was using rras pptp behind a firewall.

    I am going to setup rras sstp. Should I remove the rras pptp setup and start from scratch or add the sstp and remove the pptp config?


Leave a Reply