Deploy an SSTP VPN with certificate-based authentication via group policy


Remote users need a reliable and easy-to-use VPN link to the company network, using 100% Microsoft software.  The environment is Server 2012 R2 and Windows 7/8.


  • Server Manager: install "Network Policy and Access Services" and "Remote Access".
  • Launch the "Getting Started Wizard" on the installation results screen.  
  • Choose "Deploy VPN Only" - the RRAS console appears.
  • Right-click the server, choose "Configure and enable..."...Custom Configuration...VPN Only.
  • Right-click the server, Properties, security tab, assign a certificate from a public certificate authority (because for SSTP, the client must be able to access the associated CRL).  I used the IIS Manager to create a certificate request and filled it at www.namecheap.com for $11.

  • Left-click, then right-click on "Remote Access Logging..." to launch a simplified view of the Network Policy Server.

  • Create a network connection policy.  Here's an example:

  • Forward port 443 in your firewall to your VPN server.
I assume that your users are auto-enrolling for a "user certificate", so now you're ready to automatically deploy a SSTP VPN connection to your workstations.  Use the CMAK - "Connection Manager Administration Kit" - it's installed along with the "Remote Access" role.

Here's a tutorial I made to help you with the CMAK options:

Video was made with ActivePresenter.