Elastic Cloud Gate

How to setup RRAS SSTP VPN on AWS VPC with Active Directory Authentication – Step by Step – Part 8

In this article we explain step by step how to set up Windows RRAS SSTP VPN on AWS VPC with Active Directory Authentication.

Part 1 – Setup VPC
Part 2 – Launch EC2 Instance for Active Directory Server and RRAS Server
Part 3 – Setup Active Directory / Domain Controller
Part 4 – Setup RRAS
Part 5 – Configure Active Directory Certificate Service
Part 6 – Configure RRAS
Part 7 – Adjust VPC Configuration
Part 8 – User Computer Configuration

Part 8 – User Computer Configuration

1. Copy the CA certificate to the user computer
2. On the user computer open MMC
3. From the File menu select Add/Remove Snap-in
4. Select Certificates, click Add
5. Select Computer account, click Next
6. Select Local computer, click Finish, click OK
7. Expand Trusted Root Certification Authorities, right click on Certificates and select All Tasks->Import
8. Click Browse and select the CA certificate, click Next, Next, Finish
9. After that you should see your CA cert on the list

The next steps are necessary so that the VPN connection accepts the certificate issued by your self-signed CA, for which the client cannot perform a revocation check

10. Open the registry editor – from Run enter regedit
11. Navigate to: HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters
12. Right click and select New->DWORD (32-bit) Value
13. Set the name to NoCertRevocationCheck and the value to 1
14. Close the registry editor
15. Open the Network and Sharing Center
16. Click on Set up a new connection or network
17. Select Connect to a workplace; click Next
18. Select Use my Internet connection (VPN)
19. Enter the Internet address of the RRAS server – the one for which you created the certificate – in our example vpn.mycompany.com; click Create
20. Go back to Network and Sharing Center and click Change adapter settings
21. Right click on the newly created VPN and select Properties
22. Go to the Security tab and make the following changes:
a. Type of VPN => Secure Socket Tunneling Protocol (SSTP)
b. Data encryption => Require encryption (disconnect if server declines)
c. Allow these protocols => check
i. CHAP
ii. MS-CHAP v2

These steps are only required if, after establishing the VPN, you still want to reach the Internet through your local default gateway (split tunneling)

23. Go to the Networking tab, select Internet Protocol Version 4 and click Properties
24. Click Advanced
25. Uncheck “Use default gateway on remote network”, click OK, OK, OK
26. Right click on the VPN and select Connect/Disconnect
27. Enter your domain credentials and click Connect

Now you should be connected to your AWS VPN.
To verify the connection you can try to ping your DC server – in our example 10.20.2.10
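The whole Part 8 procedure as a single PowerShell script, added here as an example and not part of the original post. The certificate path, connection name and user name are assumptions; the server name vpn.mycompany.com and the DC address 10.20.2.10 are the ones used in this series.

```powershell
# Added example: scripts steps 1-27 of Part 8 for a Windows client.
# Run from an elevated PowerShell. Values marked "assumed" are placeholders.
#Requires -RunAsAdministrator
$CaCertPath = 'C:\Temp\MyCompanyRootCA.cer'   # assumed: CA cert copied to the client in step 1
$VpnName    = 'AWS VPC (SSTP)'                # assumed connection name
$VpnServer  = 'vpn.mycompany.com'             # must match the subject of the RRAS certificate
$DcAddress  = '10.20.2.10'                    # DC from the series, used for the final ping test
$UserName   = 'MYCOMPANY\jdoe'                # assumed domain account

# Steps 2-9: trust the CA in the machine-wide Trusted Root store.
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Trusted root imported: $($ca.Subject) (thumbprint $($ca.Thumbprint))"

# Steps 10-14: make the SSTP service skip the certificate revocation check.
# This weakens certificate validation and is only needed because the client
# cannot reach a CRL for the lab CA; remove the value again once a reachable
# CRL distribution point exists.
$sstpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
New-ItemProperty -Path $sstpKey -Name 'NoCertRevocationCheck' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Steps 15-25: create the connection with the same settings as the Security tab
# (SSTP, encryption required, CHAP + MS-CHAP v2). CHAP only works when AD stores
# the password reversibly, so MS-CHAP v2 is what authenticates in practice.
# -SplitTunneling $true is the scripted form of unchecking
# "Use default gateway on remote network" (steps 23-25).
Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -TunnelType Sstp `
    -EncryptionLevel Required -AuthenticationMethod @('Chap', 'MSChapv2') `
    -SplitTunneling $true -AllUserConnection -Force

# Steps 26-27: dial with domain credentials. The '*' makes rasdial prompt for the
# password so it never appears on the command line or in process listings.
rasdial $VpnName $UserName *

# Verification from the end of the post: ping the DC over the tunnel.
$conn = Get-VpnConnection -Name $VpnName -AllUserConnection
if ($conn.ConnectionStatus -eq 'Connected') {
    Test-Connection -ComputerName $DcAddress -Count 2
} else {
    Write-Warning "VPN '$VpnName' is $($conn.ConnectionStatus); check the RRAS certificate and the CA import."
}
```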
