SSTP security
Hello! First, I apologize if I chose a wrong section for this question. How secure is SSTP? Does it guarantee that the client has the proper certificate installed (not some fake)?
January 4th, 2011 3:08pm

Hi,

SSTP servers must be authenticated during the SSL phase. SSTP clients can optionally be authenticated during the SSL phase, and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as EAP-TLS and MS-CHAP. So, it depends on the configuration of PPP authentication methods.

Also please refer to the following articles:

SSTP FAQ - Part 1: Generic
http://blogs.technet.com/b/rrasblog/archive/2007/01/10/sstp-faq-part-1-generic.aspx

SSTP FAQ - Part 2: Client Specific
http://blogs.technet.com/b/rrasblog/archive/2007/01/17/sstp-faq-part-2-client-specific.aspx

"5) What kind of certificate is required on client and server side?

On the server side a machine certificate is required in order for SSTP based connection to go through. The client gets this certificate as part of SSL hand-shake and validates the same. This certificate should be with EKU as server authentication.

On the client side, a certificate is required inside the trusted root CA machine store which goes back to the certificate chain on the server certificate. This will be used to validate the server certificate in addition to certificate validity, certificate expiry, certificate EKU and certificate revocation check."

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 10th, 2011 1:10pm

Thank you very much for your answer. Now I understand SSTP better. The link from one of your links was also very helpful: http://blogs.technet.com/b/rrasblog/archive/2007/01/10/how-sstp-based-vpn-connection-works.aspx If I understand well, the client can be authenticated by its certificate on the server side. Any hint how to do it? At the present time, all I need to connect to my SSTP server is the server certificate, user name and password. Certificates can be easily exported and I don't want to rely on the user name and password only. Thank you!
January 10th, 2011 1:56pm
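The two posts above describe the same checks from both ends: the client validates the server certificate (trusted root chain, validity period, EKU = Server Authentication), and the server can optionally demand a client certificate during the SSL phase instead of relying on PPP username/password alone. The Go program below is an added illustration written for this thread, not code from the forum, from the SSTP FAQ, or from Microsoft's RRAS implementation. It builds a constructed test PKI (root CA, VPN server certificate, user certificate) in memory and runs those checks with the standard library's crypto/x509 and crypto/tls packages; the names "Example VPN Root CA", "vpn.example.test" and "alice" are made up for the example. Revocation checking, which the FAQ also lists, is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyPair holds a constructed certificate and its private key (test data, not a real PKI).
type KeyPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Issue creates a certificate for cn signed by parent (self-signed when parent is nil).
// eku is the Extended Key Usage list; notAfter sets the expiry.
func Issue(cn string, isCA bool, eku []x509.ExtKeyUsage, notAfter time.Time, parent *KeyPair) *KeyPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-24 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // leaf certificates carry their name as a SAN
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &KeyPair{Cert: cert, Key: key}
}

// ValidateServerCert is the client-side check from the FAQ: the server certificate must
// chain to a root in the client's trusted store, be inside its validity period, match the
// host being dialled, and carry the Server Authentication EKU.
func ValidateServerCert(cert *x509.Certificate, roots *x509.CertPool, hostname string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ValidateClientCert is what a server does once it requires a client certificate: the
// presented certificate must chain to an issuing CA the server trusts and carry the
// Client Authentication EKU. A username and password alone cannot satisfy this.
func ValidateClientCert(cert *x509.Certificate, clientCAs *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     clientCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// ServerTLSConfig shows the TLS-layer setting that turns the optional client-certificate
// check on: RequireAndVerifyClientCert rejects any handshake without a trusted client cert.
func ServerTLSConfig(server *KeyPair, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.Cert.Raw}, PrivateKey: server.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS12,
	}
}

func main() {
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	year := time.Now().Add(365 * 24 * time.Hour)

	// Constructed PKI: one root CA, a VPN server certificate, and a user certificate.
	ca := Issue("Example VPN Root CA", true, nil, year, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	server := Issue("vpn.example.test", false, serverAuth, year, ca)
	user := Issue("alice", false, clientAuth, year, ca)

	fmt.Println("good server cert:", ValidateServerCert(server.Cert, roots, "vpn.example.test"))
	wrongEKU := Issue("vpn.example.test", false, clientAuth, year, ca) // right name, wrong EKU
	fmt.Println("wrong EKU:", ValidateServerCert(wrongEKU.Cert, roots, "vpn.example.test"))
	rogue := Issue("Rogue CA", true, nil, year, nil) // not in the trusted root store
	fake := Issue("vpn.example.test", false, serverAuth, year, rogue)
	fmt.Println("untrusted CA:", ValidateServerCert(fake.Cert, roots, "vpn.example.test"))
	expired := Issue("vpn.example.test", false, serverAuth, time.Now().Add(-time.Hour), ca)
	fmt.Println("expired:", ValidateServerCert(expired.Cert, roots, "vpn.example.test"))

	fmt.Println("user cert accepted by server:", ValidateClientCert(user.Cert, roots))
	fmt.Println("server demands client cert:", ServerTLSConfig(server, roots).ClientAuth == tls.RequireAndVerifyClientCert)
}
```

The first four checks are the ones the client's trusted-root-store validation gives you for free; the last two are the extra step the second post asks about. Requiring a client certificate at the SSL layer (or EAP-TLS in the PPP phase) moves the question from "does the user know a password" to "does this machine hold a private key issued by a CA I trust", and the exportability concern then shifts to protecting that private key (for example by marking it non-exportable when it is enrolled) rather than the password.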
