The day started out like any other: I was working remotely and needed to get some files from my house. I had set up a TMG 2010 server as my internet gateway and front-end firewall approximately two years ago. It was a build and swing from ISA 2006. The ISA 2006 server allowed L2TP VPN.
The only issue I had was that many companies block L2TP outbound, so I couldn't VPN into my home network. Now TMG 2010 is (was) here and it offered SSTP capability. Whoo hoo!
I set TMG 2010 up and configured it with a certificate from my internal Microsoft CA and was off to the races. The only glitch I ran into was something called the NoCertRevocationCheck issue on the client. Enabling this allowed everything to work. Here's the Microsoft link with the key name.
Fast forward to NOW. My two-year internal certificate had expired and my VPN client could no longer log in using SSTP. This is where the 'fun' starts.
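Before flipping NoCertRevocationCheck, it is worth knowing what the client is actually complaining about and whether the server certificate is still in date. The script below is an added example written for this page, not code from the original post. It assumes the client-side SSTP parameters live under the usual SstpSvc\Parameters key and that the server certificate sits in the LocalMachine\My store; both are assumptions, not something the post states. Note that NoCertRevocationCheck = 1 tells the SSTP client to skip revocation checking entirely, so a revoked server certificate would still be accepted; the revocation test below shows why the check fails (typically the CRL distribution point is not reachable from the remote client), which is the thing to fix if you can.

```powershell
# Added example (not from the original post). Assumptions: the client-side SSTP
# parameters are under HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters
# and the VPN server certificate lives in Cert:\LocalMachine\My.

$SstpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'

function Get-SstpRevocationCheckState {
    # 'Disabled' when NoCertRevocationCheck is set to 1, 'Enabled' otherwise
    # (the value is absent by default, which means checking is on).
    $item = Get-ItemProperty -Path $SstpParams -Name 'NoCertRevocationCheck' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.NoCertRevocationCheck -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Get-ServerAuthCertificateStatus {
    param([int]$WarnDays = 30)
    # List machine-store certificates usable for Server Authentication
    # (EKU 1.3.6.1.5.5.7.3.1, or no EKU extension at all) with their expiry.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object {
            $eku = $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            (-not $eku) -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        } |
        ForEach-Object {
            $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint      # SHA-1 thumbprint, as shown in the MMC
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                State      = if ($daysLeft -lt 0) { 'EXPIRED' }
                             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                             else { 'OK' }
            }
        }
}

function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Build the chain with online revocation checking, i.e. the same check the
    # SSTP client performs unless NoCertRevocationCheck is set. The returned
    # Status string shows why it failed: RevocationStatusUnknown/OfflineRevocation
    # means the CRL could not be fetched, NotTimeValid means the cert has expired.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Valid   = $ok
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Usage: report the client setting, then the candidate server certificates,
# then run the revocation check against each one.
"SSTP client revocation checking: $(Get-SstpRevocationCheckState)"
Get-ServerAuthCertificateStatus | Sort-Object NotAfter | Format-Table -AutoSize
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    ForEach-Object { Test-CertificateRevocation -Certificate $_ } |
    Format-Table -AutoSize
```

Run it on the client that fails to connect (for the registry and chain checks) and on the TMG server (for the certificate expiry). If Test-CertificateRevocation reports OfflineRevocation, publishing the internal CA's CRL somewhere the remote client can reach it removes the need for the registry workaround.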
I’ll start off by giving credit to the blogs/posts/webpages that helped me figure out how to fix this issue:
- Thanks to Amit Kumar, a software design engineer at Microsoft. This article was instrumental in getting me on the right track:
- Microsoft article “How to restrict SSTP connections to a specific IP address in Windows Server 2008”
- This article was the last piece of the puzzle I needed.
- Microsoft article “How an IIS Web server and a Secure Socket Tunneling Protocol (SSTP)-based Routing and Remote Access server can co-exist on a Windows Server 2008-based server”
- Although IIS had nothing to do with my issue, there were pieces of information here that helped me work through various scenarios of how SSL works on a VPN connection.
- Brian Reid had a nice post on the process that was tangentially related to my issue:
The process and resolution will be broken out into the following posts:
Post 1: This one – the lead up to the issue and credits
Post 2: Some background and the generation of the new certificate from the TMG 2010 server to the internal Microsoft CA.
Post 3: The configuration of TMG, the removal of the old cert and reg entries, the addition of the new certificate.
Post 4: Using the client to determine the SHA-256 hash of the certificate, since this isn't "visible" within the certificate itself. Then the subsequent TMG configuration and the testing.
Please see part two to continue.