SSTP: One Reason to Look Forward to Vista SP1

Sometimes building a VPN can be tedious work, especially when firewalls are involved. There are of course ways to build VPNs that can usually traverse a firewall without the need to configure new rules. One of the most common methods is to use a Secure Sockets Layer (SSL)-based VPN, which can be made to operate over standard HTTP ports.

Microsoft's new VPN technology, Secure Socket Tunneling Protocol (SSTP), does exactly that. SSTP is an SSL-based client-to-server VPN tunneling protocol designed to make connectivity much easier.

The biggest benefit of SSTP is that because it works over standard HTTP ports, SSTP traffic will be able to traverse a network to reach the end-point server even when the client is behind a Network Address Translation (NAT)-enabled network, Web proxy, or reasonably configured firewall that at least allows Web traffic. This will be very helpful, especially for mobile users who find themselves using networks at hotels and conference centers, which sometimes lock down their networks to the point of being unusable except for the most basic needs.

Microsoft has already released Windows Vista to businesses and is set to release the new OS to consumers this week. As you might expect, the company is busy working on Vista Service Pack 1 (SP1), and when that update is released, it will include SSTP. The company also plans to include SSTP in Windows Longhorn Server Beta 3, due sometime in the first half of this year.

Samir Jain, lead programmer for Microsoft's RRAS technology, said that SSTP integrates seamlessly into the OS so that it works through the typical RRAS interfaces. The integration means that you'll get the same types of functionality you're already accustomed to when using RRAS, such as support for Network Access Protection (NAP), support for IPv6, and support for various authentication mechanisms such as smart cards.

The way SSTP works is very similar to the way SSL works in a Web browser, with some added intricacies of course. A client computer connects to an SSTP-enabled server over TCP port 443, the standard SSL port. After the SSL session is built, the two systems then negotiate a Point-to-Point Protocol (PPP) session, including any required authentication. That's basically all there is to it.
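To make the "SSL first, then PPP" sequence concrete, here is an added example (not from the article or from Microsoft) that decodes the framing SSTP uses inside the SSL session: a short header with a control/data bit, control messages for the call setup, and data packets that simply carry the PPP frame. The message and attribute names, the 0x10 version byte and the sample bytes are taken from or constructed after the published MS-SSTP layout, not from this article; this kind of decoder is what a defender would run against a TLS-terminated capture to confirm that traffic on port 443 is really an SSTP tunnel.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

SSTP_VERSION = 0x10  # major 1, minor 0 (assumed from MS-SSTP, not from the article)

# Control message types used during call setup (assumed from MS-SSTP)
MSG_TYPES = {
    0x0001: "CALL_CONNECT_REQUEST", 0x0002: "CALL_CONNECT_ACK",
    0x0003: "CALL_CONNECT_NAK", 0x0004: "CALL_CONNECTED",
    0x0005: "CALL_ABORT", 0x0006: "CALL_DISCONNECT",
    0x0007: "CALL_DISCONNECT_ACK", 0x0008: "ECHO_REQUEST",
    0x0009: "ECHO_RESPONSE",
}
ATTR_IDS = {0: "NO_ERROR", 1: "ENCAPSULATED_PROTOCOL_ID", 2: "STATUS_INFO",
            3: "CRYPTO_BINDING", 4: "CRYPTO_BINDING_REQ"}

@dataclass
class SstpPacket:
    is_control: bool
    length: int
    msg_type: Optional[str] = None
    attributes: list = field(default_factory=list)  # (attribute name, raw value)
    payload: bytes = b""                            # PPP frame for data packets

def parse_sstp_packet(buf: bytes) -> SstpPacket:
    """Decode one SSTP packet as it appears after SSL decryption."""
    if len(buf) < 4:
        raise ValueError("truncated SSTP header")
    version, flags, length_field = struct.unpack("!BBH", buf[:4])
    if version != SSTP_VERSION:
        raise ValueError(f"unexpected SSTP version 0x{version:02x}")
    is_control = bool(flags & 0x01)   # C bit: 1 = control packet, 0 = data packet
    length = length_field & 0x0FFF    # upper 4 bits are reserved
    if length > len(buf) or length < 4:
        raise ValueError("declared packet length is inconsistent with buffer")
    body = buf[4:length]
    pkt = SstpPacket(is_control=is_control, length=length)
    if not is_control:
        pkt.payload = body            # the encapsulated PPP frame, left opaque here
        return pkt
    if len(body) < 4:
        raise ValueError("truncated SSTP control header")
    msg_type, num_attrs = struct.unpack("!HH", body[:4])
    pkt.msg_type = MSG_TYPES.get(msg_type, f"UNKNOWN_0x{msg_type:04x}")
    off = 4
    for _ in range(num_attrs):        # each attribute: reserved, id, 12-bit length, value
        _res, attr_id, alen = struct.unpack("!BBH", body[off:off + 4])
        alen &= 0x0FFF
        pkt.attributes.append((ATTR_IDS.get(attr_id, attr_id), body[off + 4:off + alen]))
        off += alen
    return pkt

# Constructed sample: the client's CALL_CONNECT_REQUEST asking to encapsulate PPP (0x0001)
CONNECT_REQUEST = bytes.fromhex("10 01 00 0e 00 01 00 01 00 01 00 06 00 01")
# Constructed sample: a data packet carrying the start of a PPP LCP frame
DATA_PACKET = bytes.fromhex("10 00 00 0a ff 03 c0 21 01 01")
```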

Jain said that you will be able to deploy SSTP on the same server on which an existing L2TP VPN is deployed, and SSTP can share the same server certificate as the L2TP VPN. Because SSTP integrates tightly with RRAS, very little extra configuration will be necessary to implement SSTP.

There are of course downsides to using SSTP. For example, it won't work with Web proxies that require authentication. Another potential downside is that SSTP won't work for establishing site-to-site communication. This disadvantage is probably a minor one because site operators typically have the ability to manage firewalls on their networks, so they can use another method of connectivity. Microsoft could however expand SSTP to work for site-to-site communication in the future. Another downside might be that SSTP won't be supported on Windows XP, but we'll have to wait and see about that. As far as I know, the company hasn't said whether it will make SSTP available for XP systems.

Nevertheless, SSTP will ease the burden faced by many mobile users, and that's a plus. So there's your first reason to look forward to Vista SP1. I'm sure other reasons to look forward to SP1 will come to light as the year progresses.
