    Secure Socket Tunneling Protocol (SSTP) and Secure Remote Access (SRA)

    What is SSTP


    Secure Socket Tunneling Protocol (SSTP) is a mechanism for transporting Point-to-Point Protocol (PPP) frames, that is, Data Link Layer (L2) traffic, over a Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connection. This lets users reach a private network using nothing but the HTTPS protocol.

    Many VPN services give mobile and home users remote access to the corporate network using the Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol over Internet Protocol Security (L2TP/IPsec). However, with the spread of firewalls and Web proxies, many service providers (for example, hotels) do not allow PPTP or L2TP/IPsec traffic, so users do not get ubiquitous connectivity to their corporate networks. For example, blocking of generic routing encapsulation (GRE, IP protocol 47, not a TCP or UDP port) by many Internet service providers (ISPs) is a common problem when using PPTP. Because SSTP runs over HTTPS, it traverses most firewalls and Web proxies.


    What’s New in SSTP


    The VPN protocols currently supported in Windows XP and Windows Server 2003 are the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPsec). Both have connectivity problems that SSTP solves.

    PPTP traffic can have the following problems:

     Firewalls must be configured to allow both the TCP control connection (TCP port 1723) and the GRE-encapsulated data. Although GRE is an Internet standard method of encapsulating IP packets, many Internet service providers (ISPs) drop GRE-encapsulated packets. Additionally, firewalls between your computer and the ISP, such as a firewall in a hotel or coffee shop, that are configured for common types of Internet traffic (Web traffic and e-mail) might not allow PPTP traffic.

     If your computer is behind a NAT, the NAT must be able to translate the GRE traffic (GRE carries no port numbers, so this needs a PPTP-aware NAT). If it cannot, you can establish the TCP connection but cannot send or receive any GRE-encapsulated data.

     PPTP traffic cannot flow through a Web proxy.

    L2TP/IPsec-based VPN traffic consists of Internet Key Exchange (IKE) traffic (UDP port 500) that negotiates the protection of the VPN traffic, followed by IPsec Encapsulating Security Payload (ESP, IP protocol 50) protected packets. L2TP/IPsec traffic can have the following problems:

     Firewalls must be configured to allow both the IKE traffic and the ESP-encapsulated data. Firewalls between your computer and the ISP that are configured for common types of Internet traffic might not allow IKE and ESP-encapsulated traffic.

     If your computer is behind a NAT, both the VPN client and the VPN server must support IPsec NAT-Traversal (NAT-T), which wraps ESP in UDP (port 4500).

     L2TP/IPsec traffic cannot flow through a Web proxy.

    SSTP solves these VPN connectivity problems by using traffic that flows through commonly-configured firewalls, NATs, and proxy servers. SSTP uses the HyperText Transfer Protocol (HTTP) over Secure Sockets Layer (SSL), now standardized as Transport Layer Security (TLS). HTTP over SSL (TCP port 443) is the usual way of protecting communications with Web sites, such as Internet commerce sites collecting private user information like credit card numbers. Whenever you connect to a Web address that begins with “https://”, you are using HTTP over SSL.

    Using HTTP over SSL solves the VPN connectivity problems for the following reasons:

     Because users expect to use HTTP over SSL whenever they are connected to the Internet (directly or through a proxy), firewalls typically allow this traffic.

     Since it is ordinary TCP traffic on a single connection, it flows across NATs with no special translation support.

     Since it is HTTP traffic, it traverses Web proxies in the same way a browser's HTTPS session does (the proxy's HTTP CONNECT method).
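    The exchange that the preceding list describes, written out as an added example (this is not code from the original document or from the SSTP product): it opens a TLS session on TCP 443, optionally through a Web proxy using HTTP CONNECT, validates the server certificate, and sends the HTTP prelude with which an SSTP client starts the tunnel. The request line, the fixed path GUID and the first control packet layout are taken from the public MS-SSTP specification rather than from this page; sra.chipdesign.com is the scenario's hypothetical server name and the proxy address is hypothetical.

```python
"""Added example (not from the original document): the HTTPS prelude of an SSTP
connection, showing why the tunnel passes firewalls, NATs and Web proxies.

Assumptions not stated on the page: the request line, path GUID and control
packet layout follow the public MS-SSTP specification; sra.chipdesign.com is the
scenario's hypothetical server; any proxy address is hypothetical.
"""
import socket
import ssl
import struct
import uuid
from typing import Optional, Tuple

# Fixed URI from MS-SSTP: every SSTP server answers on this path over TCP 443.
SSTP_PATH = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
# "Infinite" body: both sides stream SSTP packets inside one HTTP exchange.
SSTP_CONTENT_LENGTH = 18446744073709551615  # 2**64 - 1


def build_proxy_connect(host: str, port: int = 443) -> bytes:
    """HTTP CONNECT request a client sends to a Web proxy to obtain a raw TCP
    path to host:port. The proxy sees ordinary HTTPS, exactly as for a browser,
    which is what makes SSTP proxy-friendly where PPTP and L2TP are not."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Proxy-Connection: Keep-Alive\r\n\r\n").encode("ascii")


def build_sstp_duplex_post(host: str, correlation_id: str) -> bytes:
    """First message on the TLS session: an HTTP request with the SSTP method.
    correlation_id is a GUID string without braces (hypothetical value in tests)."""
    return (f"SSTP_DUPLEX_POST {SSTP_PATH} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"SSTPCORRELATIONID: {{{correlation_id}}}\r\n"
            f"Content-Length: {SSTP_CONTENT_LENGTH}\r\n\r\n").encode("ascii")


def http_status(response: bytes) -> int:
    """Status code of an HTTP status line; 0 if the line is malformed."""
    line, _, _ = response.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return 0
    return int(parts[1])


def build_call_connect_request() -> bytes:
    """SSTP_MSG_CALL_CONNECT_REQUEST: the first SSTP control packet after the
    HTTP 200, asking the server to carry PPP (encapsulated protocol id 1).
    Layout per MS-SSTP: version 0x10, C bit set, 16-bit total length, then
    message type 1, attribute count 1, one ENCAPSULATED_PROTOCOL_ID attribute."""
    attr = struct.pack("!BBHH", 0, 1, 6, 1)      # reserved, attr id 1, len 6, PPP
    body = struct.pack("!HH", 0x0001, 1) + attr  # message type 1, one attribute
    return struct.pack("!BBH", 0x10, 0x01, 4 + len(body)) + body


def open_sstp_session(host: str, proxy: Optional[Tuple[str, int]] = None,
                      timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect (optionally via a Web proxy), verify the server certificate chain
    and host name, and complete the HTTP prelude. Certificate validation is the
    only thing that authenticates the server before PPP credentials are sent
    inside the tunnel, so it must not be disabled. Needs network access and is
    therefore not exercised by the offline checks."""
    raw = socket.create_connection(proxy or (host, 443), timeout=timeout)
    if proxy:
        raw.sendall(build_proxy_connect(host))
        if http_status(raw.recv(4096)) != 200:
            raise ConnectionError("proxy refused CONNECT")
    ctx = ssl.create_default_context()           # system trust store + hostname check
    tls = ctx.wrap_socket(raw, server_hostname=host)
    tls.sendall(build_sstp_duplex_post(host, str(uuid.uuid4()).upper()))
    if http_status(tls.recv(4096)) != 200:
        raise ConnectionError("server rejected SSTP_DUPLEX_POST")
    tls.sendall(build_call_connect_request())    # server answers with CALL_CONNECT_ACK
    return tls                                   # PPP (LCP, authentication) runs inside


if __name__ == "__main__":
    s = open_sstp_session("sra.chipdesign.com")  # hypothetical server from the scenario
    print("SSTP prelude completed; first reply bytes:", s.recv(64).hex())
```

    The proxy path shows the traversal argument concretely: the only thing a proxy or firewall can see is a CONNECT to port 443 followed by TLS, which is indistinguishable from a browser visiting an HTTPS site. The point that matters for security is that `ssl.create_default_context()` keeps chain and host name validation on; an SSTP client that skips it would hand its PPP credentials to whoever terminates the TLS session.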


    Who Should Use SSTP?


    People who need to reach private networks from home or from a hotel in situations where PPTP and L2TP are blocked by a firewall or Web proxy.

    Benefits of new features in SSTP


    There are multiple benefits of using and deploying SSTP as the VPN type:

     Ubiquitous connectivity, integrated in the operating system
         Works behind NATs, firewalls and Web proxies
         Integrated in Windows Vista SP1 and Windows Server 2008

     Secure
         Works over the industry-standard HTTPS protocol
         Multiple authentication methods using the standard PPP protocol: password, user certificate, smart card certificate, one-time password

     Scalable enterprise solution
         Integrated Winlogon support
         Integrated NAP support for client health checks
         Connection Manager (CM) based VPN profile
         Supports Network Load Balancing (NLB)
         Easy migration and deployment

     Supports IPv6
         VPN tunnel over the IPv6 Internet
         IPv6 over the VPN tunnel

     Single HTTPS session
         Better load balancing
         Better network utilization

     Miscellaneous
         No help desk calls related to connectivity issues: a VPN that works everywhere
         Increased user satisfaction and productivity: a VPN that works everywhere
         Inside Windows: no VPN client download hassles, and the VPN server is built in
         Better load balancing: SSL load balancers are available
         No issues with the server behind a NAT: port redirection works

    The "Secure" item rests on the TLS handshake: the client authenticates the server by validating its certificate (trusted chain, name matching the server it dialled) before any PPP credentials cross the tunnel, so certificate validation must stay enabled on clients.


    Key Scenarios


    This section covers the scenarios that SRA/SSTP addresses and walks through the user experience that different classes of users will see while using this feature.
    PERSONAS

    The following personas are referred to in this section:

    ChipDesign Inc
        Description: An electronics design company that designs ICs.
        Relevance to the feature: A CorpNet providing remote access capability to its employees; it has deployed an LH (Longhorn, the pre-release name of Windows Server 2008) based SRA server.

    SemiFab Inc
        Description: A semiconductor manufacturing company (fab) that manufactures ICs for ChipDesign Inc.
        Relevance to the feature: A CorpNet providing remote access capability to its employees as well as partners; it has deployed a Windows Server 2008-based SRA server.

    Ram Kumar
        Description: A Product Manager at ChipDesign Inc. He uses the VPN feature to log into his corpnet as well as his supplier's network (SemiFab Inc).
        Relevance to the feature: Remote access user.

    Joseph Tran
        Description: A VLSI design manager at ChipDesign Inc. He uses the VPN feature to log into his corpnet.
        Relevance to the feature: Remote access user.

    Nancy Blake
        Description: IT manager responsible for the remote access server at ChipDesign Inc.
        Relevance to the feature: SRA server admin.


    Remote Access User


    This section walks through the various scenarios of a remote access user.
    CorpNet VPN Access Scenario

    Note

    In the following scenario, "restricted access" to some resources and "no access" to other resources are enforced using Access Restrictor.



    Setup: Joseph is given a laptop (managed computer) by his employer that has both an Ethernet and a wireless interface. He also has a desktop computer at home (unmanaged computer) connected to a broadband line. He frequently visits his parents' home and uses his dad's computer (unmanaged computer) to access the Internet as well as his corporate network. All the computers are assumed to be running Windows Vista SP1 in this scenario.
    Inside Corp (single user, managed computer, secured environment)

    Joseph comes to his office and connects his laptop to the Ethernet port. He gets connectivity to the corporate network via Ethernet (he may have wireless connectivity too, but uses Ethernet only, because the default route over Ethernet has priority over wireless). He launches Outlook and reads his mail from his Exchange server; no VPN is involved at this point. In parallel, he keeps working on various bugs and issues using IBM Rational ClearCase (source-control and configuration-management software).
    Outside Corp – at home (single-user, managed computer, unsecured environment)

    Joseph opens his laptop, connects to his DSL modem at home and gets Internet connectivity. He then uses the Connection Manager (CM) connectoid to connect to the SSTP VPN server using smart card authentication. A secure SSTP VPN connection is established from his laptop to the SSTP VPN server, and he can now reach all his corpnet resources. He opens Outlook and its traffic is routed over the VPN connection.

    He double-clicks an intranet URL (such as http://team/sites) embedded in one of his e-mails and sees the intranet site.

    He opens Windows Explorer and accesses a file share on his corporate network. He opens a Word document from the file share and prints it on a network printer attached to his home LAN; the print traffic uses the local subnet route rather than the tunnel.

    Value: It enables access to corporate resources from anywhere (home, hotel, a customer site, and so on). The only requirements in this scenario are Internet connectivity and the ability to browse the Internet (HTTP, HTTPS).

    Outside Corp – at home (multi-user, unmanaged computer, unsecured environment)

    VPN provisioning on his home computer (unmanaged computer): Joseph buys a new desktop for his family and creates separate user accounts for himself and for his wife and kids. He logs into the home computer under his own account, browses to https://sra.chipdesign.com (a Web site published by Nancy to provision the VPN connection), enters his corporate credentials and downloads the VPN connection profile (which can be a simple CM profile download and setup). His home computer is now configured to access the corporate network.

    He then uses the CM connectoid to connect to the SSTP VPN server using smart card authentication. A secure SSTP VPN connection is established from his home computer to the SSTP VPN server, and he can now reach his corpnet resources. He opens Outlook and its traffic is routed over the VPN connection.



    Value: Limited access to the corporate network is possible from the unmanaged computers. The network administrator can govern which applications can be accessed by the user in which environment.
    Known Issues for scenarios

    None.

