Online responder SSTP configuration Timeout Error
I've been working on RRAS on Server 2008 R2 in a test lab and used a variety of different guides to do so. I configured PPTP using RRAS and NPS and connected from a Windows 7 client to the test network; it works like a breeze using the Windows 7 VPN client to connect. Connection status displays connected to my internal test network. PPTP is good to go, no problems. Okay, Microsoft security gurus, here is my trouble with RRAS, but to be more precise it is with the online responder and Cert Services. I followed guides to configure SSTP etc. on RRAS, and anyone who knows RRAS and the Microsoft VPN solution well will know that you are going to eventually encounter the dreaded "can't connect as the certificate revocation server is offline" error when connecting using the Win 7 client. Then I set up my environment to use the online responder service on the VPN server, which also has the CA set up on it. I followed every step to configure OCSP, the AIA certificate entry and the online responder configuration. I exported my VPN server certificate, used certutil to test out the AIA URL http://myserver.com/ocsp, and within my private network received verified status from the AIA check via certutil. I set up the client certificates and configured the VPN client for an SSTP connection, but first exported and imported the VPN server cert to the Windows 7 client's C: drive to test out URL retrieval for the AIA from the cert. I continually received errors when attempting to contact the online responder via a mock-up internet connection; I checked the log using the certutil -verify function for the VPN cert and it states a timeout error using the AIA http://myvpnserver.com/ocsp address. I tried a number of times to reinstall Cert Services, reissue the CA root cert and reconfigure the online responder, only to have this pop up time and time again. I've followed all the steps in the guide and can only come to this conclusion: the Microsoft VPN solution is okay if YOU STAY AWAY FROM SSTP!!!!!!!!!!!
It is bad business sense to spend 25 hours trying to get SSTP working when it should work after your first configuration. I've abandoned the Microsoft VPN solution and will try out OpenVPN and hope to have a lot better luck at getting a secure VPN solution working for my clients.
January 25th, 2012 11:17pm

Just to be clear, the problem is not the SSTP VPN; the problem is that you have not configured your PKI correctly. A properly designed PKI will ensure that all revocation checking servers are both internally and externally accessible using the same URL. In your case, you have not correctly published the OCSP responder's URL (it cannot be accessed from the external network). In addition, you have not set up your HTTP publication points as internally and externally accessible, as the Windows 7 client would automatically fall back to CDP validation of the CRLs if the OCSP responder were not accessible. You need to read this: http://www.microsoft.com/download/en/details.aspx?id=5493 and make the appropriate changes to your PKI. You must be able to run certutil -url certificate.cer (where certificate.cer is your SSL VPN certificate) from both the internal and external networks and successfully validate all AIA, CDP, and OCSP extensions. Then, bump it up and run certutil -urlfetch -verify certificate.cer (where certificate.cer is your SSL VPN certificate) from both internal and external networks. Trust me, moving to another VPN solution will only work if it does not use certificates (or if it chooses not to validate certificates). Your PKI is the problem in this case, not the SSTP server.
Brian
January 26th, 2012 7:05am
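The two-vantage-point check Brian describes is easy to script so that exactly the same test is run from an internal machine and from an external client and the results compared side by side. The PowerShell below is an added example, not code from Brian's reply or from Microsoft; the certificate path, the responder hostname, and the certutil output tokens it matches ("Verified"/"Failed" per retrieved URL, CRYPT_E_REVOCATION_OFFLINE / 0x80092013 for an offline revocation server, 0x80072ee2 for a WinHTTP timeout) are assumptions based on typical certutil output on Server 2008 R2 / Windows 7 and should be confirmed against your own output before you rely on the summary.

```powershell
# Added example (not code from the thread): run the revocation URL checks
# recommended above from this machine and summarise them. Run it once from
# the internal network and once from an external client and compare.
# Assumptions (not on the page): $CertPath is the exported SSL VPN cert,
# $OcspHost is the host named in its OCSP/AIA URL, and the output tokens
# matched below are what certutil prints on Server 2008 R2 / Windows 7.
param(
    [string]$CertPath = "C:\vpncert\vpnserver.cer",   # placeholder path
    [string]$OcspHost = "myvpnserver.example.com"     # placeholder hostname
)

function Test-RevocationUrls {
    param([string]$Path)
    # -urlfetch retrieves every AIA, CDP and OCSP URL in the chain;
    # -verify also evaluates chain trust and revocation status.
    $raw   = (& certutil.exe -urlfetch -verify $Path 2>&1) | Out-String
    $lines = $raw -split "`r?`n"
    $failed = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*Failed\s') {
            # the retrieval error and the URL follow the "Failed" line
            $detail = @()
            foreach ($j in ($i + 1), ($i + 2)) {
                if ($j -lt $lines.Count) { $detail += $lines[$j].Trim() }
            }
            $failed += ($lines[$i].Trim() + ' ' + ($detail -join ' ')).Trim()
        }
    }
    $verified = @($lines | Where-Object { $_ -match '^\s*Verified\s' }).Count
    New-Object PSObject -Property @{
        CertPath          = $Path
        Verified          = $verified
        Failed            = $failed
        RevocationOffline = [bool]($raw -match 'CRYPT_E_REVOCATION_OFFLINE|0x80092013')
        Timeout           = [bool]($raw -match 'ERROR_WINHTTP_TIMEOUT|0x80072ee2')
        Passed            = ($failed.Count -eq 0 -and $raw -notmatch '0x80092013')
    }
}

function Test-ResponderReachable {
    param([string]$HostName, [int]$Port = 80, [int]$TimeoutMs = 5000)
    # The name must resolve from this vantage point (internal record inside,
    # public record outside) and TCP/80 must be open to the responder proxy.
    $addresses = @()
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString })
    } catch { }
    $reachable = $false
    if ($addresses.Count -gt 0) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($HostName, $Port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)
                $reachable = $client.Connected
            }
        } catch { } finally { $client.Close() }
    }
    New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; Addresses = $addresses; Reachable = $reachable
    }
}

Test-ResponderReachable -HostName $OcspHost | Format-List
Test-RevocationUrls -Path $CertPath | Format-List
```

If Reachable is true and Passed is true from inside but the external run shows no addresses or a Timeout, the responder URL is published only for the internal network, which is the situation Brian describes; if the external run resolves the name but Failed lists the CDP URL as well, the client has no fallback path either.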

Wow, my apologies about my last post. I have now sorted out SSTP and the configuration of the Online Responder. First, about OpenVPN: I didn't know a thing about setting this up, and it is different from Microsoft's VPN solution, so:
1. Tried it once.
2. Tinkered around.
3. Didn't like it because it required another learning curve to configure and install.
4. Then decided against it due to the extra time required to learn and install.
Okay, back to the drawing board with Microsoft VPN, which involves:
1. RRAS
2. OCSP
3. Cert Services
4. Advanced Firewall Configuration
5. NPS
6. IIS7
7. Windows 7 Ult VPN client
In my learning environment I rely on ebooks, online guides and forum posts to configure and set up my labs; the lab for Microsoft VPN was no exception. I don't have access to a network or VPN guru, so everything is learn by mistakes then move forward (which can be frustrating). I also work full time as a storesperson to pay the bills and dedicate my spare time to doing the labs in the hope that one day I can break into IT. So this is something I have to manage (frustrations), and as I have learnt from an excellent source who wrote "Windows Server 2000 Bible", the following applied to my VPN lab setup of SSTP VPN. The author stated that he has worked on thousands of different installations and configurations of Windows Server 2000. He had experienced:
1. Nearly every problem imaginable with installation of the OS "Server 2000".
2. Tore down and rebuilt installations time and time again to track down errors or fix errors.
There was another important lesson learnt from a multi-million dollar health ICT fiasco here in Brisbane, where afterwards a respected IT manager was asked to comment on a failed project (health industry based). He stated "You can never build a successful IT project from the remnants of a failed project". So after reflecting on this, there were certain things that had gone astray when I set up the VPN lab, making the old installation unproductive.
I had to tear down the old VPN server, remove all references to it in Active Directory, reinstall the lab again and document the errors and steps so I could pinpoint the exact nature of each problem that prevented me from setting up VPN. My problems with the first lab setup, discovered during my successful rollout of the second VPN lab, were:
1. I had run the SCW (Security Configuration Wizard), unknowingly blocking network access to the required services for VPN and Remote Desktop.
2. I had not bound the correct hostname to the 131.107.0.3 IP address in IIS7; this allows the client to resolve the DNS name of the external VPN server and connect from outside the domain to the OCSP web proxy.
3. As I had reinstalled RRAS and the online responder a number of times on the VPN server, maybe somewhere an installation sequence was missed, which meant that the Online Responder wasn't installed properly (a critical component wasn't installed).
4. I used my first guide, "Setting up VPN access using RRAS" from Microsoft, which didn't include the all-important section on installing and configuring the Online Responder, which you need to avoid getting the "Online Responder Server is offline" error. This was one of my main errors preventing VPN setup, encountered many times.
In my next post I'll give the installation details, further detailing the successful setup of SSTP.
March 1st, 2012 11:33pm

Okay, I found a complete guide to installing the Online Responder on Microsoft: "Installing and configuring the online responder". It took me around 40 min to read but gave the complete insight on the installation, configuration and setup of the online responder (OCSP). If I remember right, in the part where you install the online responder role service in Server Manager there is a section on IIS7, which hosts the online responder proxy service. The proxy service is what collects and responds to revocation requests from clients. When I checked my installation I estimate some of the required features weren't installed; starting fresh and reinstalling according to the in-depth guide fixed this problem. Pay attention to the IIS7 section when installing the online responder, as you need all the required services installed correctly for the responder proxy to work. After successfully installing the online responder and reconfiguring RRAS, Advanced Firewall, NPS, SSL cert bindings, online responder configuration and the VPN client on Win 7, I successfully connected to my VPN server in a simulated internet connection:
VPN server address external: 131.107.0.3 mask 255.255.0.0
VPN server hostname: 2008vpnserver.corp.testserver.com
VPN tunnel types tested successfully: PPTP and SSTP.
Using ipconfig /all reveals a DHCP lease for my private domain on the client. Because revocation was set up properly, revocation status for the domain is checked via the revocation provider configured in the online responder. Once the VPN connection is made I was able to browse the server share I set up and open files. Checking on the VPN server in RRAS, I could see in client connections one entry for WAN Miniport (SSTP), confirming an SSTP connection to the domain. Then I set up Group Policy to disable command prompt and Control Panel access for the required OU and applied gpupdate at the console of my client. This further confirms connection to the VPN server and private domain, as the GP settings affected my Win 7 client.
One thing I have noted is that when I power off the VPN server and reboot, two things happen in the server OS:
1. The web proxy for the online responder reports an error, stale revocation data; restarting IIS7 seems to fix this and clear the error.
2. The SSL cert binding for RRAS disappears; using netsh http show sslcert shows no bindings. I have to rebind the correct certificate again before I can connect to the VPN server again from my client, hmmmmmmmmm.
All in all this has been a highly satisfying lab, due to the fact that you touch on so many fundamental networking concepts which will prove highly regarded when I work on real networks and solve customers' VPN dilemmas.
March 5th, 2012 10:13am

Here are some important points I gleaned from my lab notes; they may prove useful to someone.
1. You need to install an enterprise CA in order to issue the signing certificate used in the revocation configuration wizard. A standalone CA can't issue templates.
2. The netsh command is invaluable for binding the correct machine certificate to SSL on your VPN server.
3. The SSL certificate you bind in IIS7 to access the CA web interface https://mydomain/certsrv will conflict with the VPN server SSL binding and has to be removed before the VPN server certificate is bound to port 443. (I wonder if there is a way around this.) One I can think of is to install the CA on its own machine; in my setup it's installed on the VPN server.
4. You can't rename a server once the CA is installed.
5. If you restart your fully provisioned VPN server the next day, one of the first problems you may find is with your signing certificate; you just have to reissue it and reconfigure the revocation configuration wizard to fix this.
6. For some reason, after a restart of the VPN server the VPN machine certificate is no longer bound to SSL and the VPN client will report an error. Removing the existing cert and rebinding the certificate on the VPN server will fix this (using netsh).
7. Around twenty minutes after the VPN server restarts, the PKI infrastructure and online responder will complete loading the necessary settings and configuration. You can now successfully connect. I'm sure the revocation data needs to be flushed and reprovisioned correctly.
March 19th, 2012 11:09am
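Points 3 and 6 above (the IIS certsrv certificate occupying port 443, and the SSTP binding vanishing after a reboot) are both cases of "the wrong certificate, or none, is bound to 0.0.0.0:443", so a single post-boot check covers both. The script below is an added example, not code from the original post or from Microsoft; it assumes the VPN server certificate is identified by the subject shown in the thread, that it lives in LocalMachine\My with its private key, and that the application ID used for the binding is the one your working SSTP binding reports in netsh http show sslcert (copy it from there rather than trusting the default in the script).

```powershell
# Added example (not code from the thread): verify after a reboot that the
# VPN machine certificate is still bound to 0.0.0.0:443 and [::]:443, and
# rebind it with netsh when -Repair is given.
# Assumptions (not on the page): $ExpectedSubject selects the VPN server cert
# in LocalMachine\My; $SstpAppId must match the appid your own working SSTP
# binding shows in "netsh http show sslcert" (the value here is a placeholder).
param(
    [string]$ExpectedSubject = "CN=2008vpnserver.corp.testserver.com",  # hostname from the thread
    [string]$SstpAppId = "{ba195980-cd49-458b-9e23-c84ee0adcd75}",      # confirm against your server
    [switch]$Repair
)

function Get-SslBinding {
    param([string]$IpPort)
    # netsh prints "Certificate Hash : <thumbprint>" for an existing binding
    $out = (& netsh.exe http show sslcert "ipport=$IpPort") | Out-String
    if ($out -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        return @{ IpPort = $IpPort; Hash = $Matches[1].ToUpper(); Present = $true }
    }
    return @{ IpPort = $IpPort; Hash = $null; Present = $false }
}

function Get-VpnCertThumbprint {
    param([string]$Subject)
    # Newest certificate with this subject that actually has a private key;
    # SSTP cannot use a certificate without one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with subject '$Subject' and a private key in LocalMachine\My"
    }
    return $cert.Thumbprint.ToUpper()
}

function Repair-SslBinding {
    param([string]$IpPort, [string]$Hash, [string]$AppId)
    # Remove whatever is bound (e.g. the IIS certsrv certificate from point 3),
    # then bind the VPN server certificate from the MY store.
    & netsh.exe http delete sslcert "ipport=$IpPort" | Out-Null
    & netsh.exe http add sslcert "ipport=$IpPort" "certhash=$Hash" "appid=$AppId" certstorename=MY | Out-Null
}

$expected = Get-VpnCertThumbprint -Subject $ExpectedSubject
foreach ($ipPort in '0.0.0.0:443', '[::]:443') {
    $b = Get-SslBinding -IpPort $ipPort
    if ($b.Present -and $b.Hash -eq $expected) {
        Write-Host "$ipPort : bound to expected certificate $expected"
        continue
    }
    if ($b.Present) {
        Write-Warning "$ipPort : bound to $($b.Hash), expected $expected (another service owns 443)"
    } else {
        Write-Warning "$ipPort : no SSL binding (the post-reboot symptom from point 6)"
    }
    if ($Repair) {
        Repair-SslBinding -IpPort $ipPort -Hash $expected -AppId $SstpAppId
        $after = Get-SslBinding -IpPort $ipPort
        if ($after.Hash -eq $expected) { Write-Host "$ipPort : rebound to $expected" }
        else { Write-Warning "$ipPort : rebind did not take effect, check netsh output" }
    }
}
```

Run it without -Repair first from an elevated prompt to see which of the two conditions you have; with -Repair it deletes any existing binding on 443, so on a server that also hosts the certsrv site behind IIS you are choosing, as point 3 says, to give port 443 to the VPN server.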
