Certificate and HTTP setting for SSTP VPN with TMG 2010

Hi,

I've followed the directions at http://www.isaserver.org/articles-tutorials/configuration-general/Configuring-TMG-Beta-3-SSTP-VPN-Connections-Part1.html for setting up an SSTP VPN connection, and everything works, but I had a question about the configuration as seen from the RRAS manager. If I bring up the RRAS manager and go to the properties dialog and the Security tab, for SSL certificate binding the "Use HTTP" checkbox is checked, and no certificate is selected.

Is this correct?  I would think that I should have the same certificate I specified for the HTTPS listener I created in TMG used here also.

Thanks in advance,

Nick

February 17th, 2015 12:06pm

Hi,

The "Use HTTP" setting configures SSTP to receive plain HTTP packets, as SSL is offloaded to the proxy.

RRAS is automatically activated and configured through Forefront TMG. So this should be fine as everything works.

Best Regards,

Joyce

February 18th, 2015 3:30am

Hi Joyce,

Thanks for the information. I won't worry about this setting then.

I do have another related question.  I need to change the certificate used by the SSTP VPN because the one I originally used didn't have a valid CRL, which I've subsequently taken care of.  I've read the instructions on how to update the certificate used by SSTP VPN, since it seems like changing it is a non-trivial process. I've read the following links:

http://support.microsoft.com/kb/947027

http://kingofbytes.wordpress.com/2014/01/05/nightmare-on-vpn-street-with-tmg-and-sstp-part-1-of-4/

These seem pretty straightforward. My only concern is that when I run the "netsh http show ssl" command on my TMG/SSTP server I get back this:

SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : aa8903a20156be71f9a7e3047433013574b08c70
    Application ID          : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
    Certificate Store Name  : (null)
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
    Certificate Hash        : aa8903a20156be71f9a7e3047433013574b08c70
    Application ID          : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
    Certificate Store Name  : (null)
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

What I'm concerned about is that the Application ID reported here is {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}, while the two links say it should be {ba195980-cd49-458b-9e23-c84ee0adcd75}, which is the App ID for the SSTP server.  The only thing I can think of is that my SSTP server and certificate are bound to a different IP address than the default HTTP listener.  If I look up the aa8903a20156be71f9a7e3047433013574b08c70 hash in the list of certs, it is an old expired machine certificate for the TMG server.  It seems that since this certificate is expired, removing it is OK, but I'm not sure about the other commands that update the SSL certs, like "netsh http add sslcert" for example.  Do I have to tell that command to use a different IP address?

Thanks

Nick

February 20th, 2015 1:57pm
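The check Nick is doing by hand above (reading the http.sys SSL bindings, comparing each binding's Application ID with the SSTP service GUID, and looking the bound thumbprint up in the machine store to see whether it is the expired certificate) can be scripted so it is repeatable before and after a certificate swap. The following PowerShell is an added example written for this thread; it is not code from the thread, from Microsoft, or from either linked article. It assumes it runs elevated on the TMG/RRAS host itself, uses the SSTP App ID quoted in the post, and treats the standard X.509 CRL Distribution Points extension OID (2.5.29.31) as the indicator of whether a certificate carries a CRL pointer at all. The function and variable names are the author's own.

```powershell
# Added example, not from the thread: audit the http.sys SSL bindings on the
# TMG/RRAS host before touching them with "netsh http delete/add sslcert".
# Assumes an elevated session on the server. $SstpAppId is the SSTP service
# GUID quoted in the thread; $CdpOid is id-ce-cRLDistributionPoints.
$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'
$CdpOid    = '2.5.29.31'

function Get-HttpSslBinding {
    # Turn the text of "netsh http show sslcert" into one object per IP:port block.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            # A new "IP:port" line starts the next binding block.
            if ($current) { $bindings += New-Object PSObject -Property $current }
            $current = @{ IpPort = $matches[1] }
        }
        elseif ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            # Every other "Name : Value" line belongs to the current block.
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($current) { $bindings += New-Object PSObject -Property $current }
    return $bindings
}

function Test-SstpBinding {
    param([Parameter(Mandatory = $true)] $Binding)
    $hash  = $Binding.'Certificate Hash'
    $appId = $Binding.'Application ID'
    # Look the bound thumbprint up in LocalMachine\My, as done by hand in the post.
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $hash }
    $result = New-Object PSObject -Property @{
        IpPort      = $Binding.IpPort
        AppIdIsSstp = ($appId -ieq $SstpAppId)
        CertFound   = ($cert -ne $null)
        Subject     = $(if ($cert) { $cert.Subject } else { '(not in LocalMachine\My)' })
        NotAfter    = $(if ($cert) { $cert.NotAfter } else { $null })
        Expired     = $(if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null })
        # $true when the certificate carries a CRL Distribution Points extension.
        HasCdp      = $(if ($cert) { [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }) } else { $null })
    }
    return $result
}

# Report only the 443 bindings, which is where the SSTP listener and the
# default HTTP listener can end up sharing a certificate.
Get-HttpSslBinding |
    Where-Object { $_.IpPort -like '*:443' } |
    ForEach-Object { Test-SstpBinding $_ } |
    Format-Table IpPort, AppIdIsSstp, CertFound, Expired, HasCdp, Subject -AutoSize
```

Run this before the certificate change to capture the current state (in the thread's case it would show AppIdIsSstp false and Expired true for both 0.0.0.0:443 and [::]:443), and again afterwards to confirm the new thumbprint is bound, unexpired, carries a CDP, and is associated with the SSTP App ID.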
