The Secure Socket Tunneling Protocol (SSTP) was developed by Microsoft and has been built into the Windows operating system since Windows Vista Service Pack 1. The protocol is used to establish secure VPN connections. It tunnels traffic inside HTTPS, that is over TLS on TCP port 443.
What is SSTP?
The abbreviation SSTP stands for Secure Socket Tunneling Protocol. It is a proprietary VPN tunneling protocol developed by Microsoft for establishing secure connections over IP networks such as the Internet. The protocol dates back to 2007 and uses TCP port 443, the standard port for HTTPS. Because its traffic looks like an ordinary HTTPS session, SSTP largely avoids the problems with firewalls, proxies and NAT routers that affect other tunneling protocols such as IPsec (Internet Protocol Security) or PPTP (Point-to-Point Tunneling Protocol).
The protocol is based on SSL/TLS and is used for client-to-site (remote access) VPNs. It is not intended for site-to-site VPNs, which connect complete networks via secure tunnels. SSTP can be used in both IPv4 and IPv6 networks. Encryption is provided entirely by the TLS layer, so the available algorithms are those of the negotiated TLS cipher suite, for example AES. Older suites based on RC4 or 3DES were also used; both are now considered broken or deprecated (RC4 is prohibited for TLS by RFC 7465) and should be disabled on both client and server so that only TLS 1.2 or later with AES-based suites is negotiated.
On the client side, SSTP has been built into Windows since Windows Vista Service Pack 1. Third-party SSTP clients exist for other operating systems such as Linux or macOS. On the server side, Windows Server 2008 or later is required with the Routing and Remote Access Service (RRAS). SSTP is not standardized by the IETF; Microsoft publishes the protocol specification as [MS-SSTP] in its Open Specifications.
Data within a VPN tunnel is encrypted and integrity-protected to ensure its confidentiality and integrity. This is exactly what causes problems with Network Address Translation: a NAT router has to rewrite IP addresses and, for port-based NAT, the TCP or UDP ports. With IPsec, the AH integrity check covers the IP header, so any rewrite invalidates it, and with ESP the transport ports are encrypted and cannot be rewritten at all unless NAT traversal (UDP encapsulation) is used. PPTP carries its data in GRE, which has no ports for a NAT router to map. As a result, packets are discarded or the tunnel setup fails. Firewalls that only permit the standard web ports cause similar problems.
SSTP is designed to avoid the typical problems of this environment. The protocol runs as HTTPS on the standard TCP port 443, so the tunnel passes through firewalls, NAT routers and web proxies that permit ordinary HTTPS traffic, without the blocking problems described above.
Features of the Secure Socket Tunneling Protocol
The typical features of the Secure Socket Tunneling Protocol are:
- Use of HTTPS (TLS) on TCP port 443 for a secure connection
- Client built into the Windows operating system
- Server side provided by Windows Server and RRAS
- Suitable for client-to-site VPNs
- Proprietary protocol without standardization by the IETF
- Support for IPv4 and IPv6
- Establishes application-independent tunnel connections (any IP traffic is carried)
- Avoids the typical firewall and NAT problems of other tunnel protocols like IPsec or PPTP
Establishing connections with SSTP
The Secure Socket Tunneling Protocol goes through several phases when establishing a connection. First, the client opens a TCP connection to port 443. This is followed by a TLS handshake with the remote server, during which the client receives the server's X.509 certificate and must validate it: chain, host name and revocation status. In practice this means the certificate's CRL distribution point must be reachable from the client, since a Windows client aborts the connection with a certificate revocation error if it cannot check the CRL. Over the TLS session the client then sends an HTTP request (Microsoft's SSTP_DUPLEX_POST method to a fixed, well-known path), and on this HTTP connection client and server exchange the SSTP control packets: the client sends a Call Connect Request naming PPP as the encapsulated protocol, and the server answers with a Call Connect ACK that carries a nonce for the later crypto binding.
In a further step, a PPP connection is negotiated inside the SSTP tunnel, including the authentication of the communication partners (for example with MS-CHAPv2 or EAP). Once PPP authentication is complete, the client sends a Call Connected message with a crypto binding attribute: a hash of the server certificate and a MAC computed with keys derived from the PPP authentication. The server checks this binding against its own certificate. This ties the inner PPP authentication to the outer TLS session and is what stops a man-in-the-middle from relaying the PPP authentication over its own TLS connection, so a client that skips certificate validation loses this protection. The client is then assigned an IP address from the VPN address pool via PPP's IPCP (or IPV6CP), and both endpoints exchange PPP frames inside SSTP data packets, encrypted by the TLS layer.
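The control packets exchanged on the HTTP connection have a small fixed framing, and a robust parser is the first thing anyone who wants to inspect or test an SSTP endpoint needs. The following is an added example written for this article, not code from the original page or from Microsoft. The field layout, message type numbers and attribute IDs follow the published [MS-SSTP] specification as understood by the author of this example; the sample PPP frame is constructed for illustration, and the encoder does not implement the TLS or HTTP layers, only the SSTP packet format carried on top of them.

```python
import struct

SSTP_VERSION = 0x10        # major version 1, minor version 0
MAX_LEN = 0x0FFF           # length fields are 12 bits wide
PROTO_PPP = 0x0001         # Encapsulated Protocol ID value for PPP

# Control message types ([MS-SSTP])
MSG_CALL_CONNECT_REQUEST = 0x0001
MSG_CALL_CONNECT_ACK = 0x0002
MSG_CALL_CONNECT_NAK = 0x0003
MSG_CALL_CONNECTED = 0x0004
MSG_CALL_ABORT = 0x0005
MSG_CALL_DISCONNECT = 0x0006
MSG_CALL_DISCONNECT_ACK = 0x0007
MSG_ECHO_REQUEST = 0x0008
MSG_ECHO_RESPONSE = 0x0009

# Attribute IDs carried in control packets
ATTR_ENCAPSULATED_PROTOCOL_ID = 0x01
ATTR_STATUS_INFO = 0x02
ATTR_CRYPTO_BINDING = 0x03
ATTR_CRYPTO_BINDING_REQ = 0x04

# Constructed sample: HDLC address/control bytes followed by the LCP protocol number.
SAMPLE_PPP_FRAME = b"\xff\x03\xc0\x21"


def build_attribute(attr_id, value):
    """Attribute = Reserved(1) | AttributeID(1) | Length(2, 12 bits used) | Value."""
    length = 4 + len(value)
    if length > MAX_LEN:
        raise ValueError("attribute too long")
    return struct.pack("!BBH", 0, attr_id, length) + value


def build_control(msg_type, attributes):
    """Control packet: header with C bit set, MessageType, NumAttributes, attributes."""
    body = b"".join(build_attribute(i, v) for i, v in attributes)
    length = 4 + 4 + len(body)
    if length > MAX_LEN:
        raise ValueError("packet too long")
    header = struct.pack("!BBH", SSTP_VERSION, 0x01, length)
    return header + struct.pack("!HH", msg_type, len(attributes)) + body


def build_data(ppp_frame):
    """Data packet: header with C bit clear, then the raw PPP frame."""
    length = 4 + len(ppp_frame)
    if length > MAX_LEN:
        raise ValueError("frame too long")
    return struct.pack("!BBH", SSTP_VERSION, 0x00, length) + ppp_frame


def call_connect_request():
    """The client's first control message: request a PPP tunnel."""
    proto = struct.pack("!H", PROTO_PPP)
    return build_control(MSG_CALL_CONNECT_REQUEST,
                         [(ATTR_ENCAPSULATED_PROTOCOL_ID, proto)])


def parse_packet(buf):
    """Decode one SSTP packet, rejecting every length that does not add up."""
    if len(buf) < 4:
        raise ValueError("short header")
    version, flags, length = struct.unpack("!BBH", buf[:4])
    if version != SSTP_VERSION:
        raise ValueError("unknown version 0x%02x" % version)
    length &= MAX_LEN
    if length < 4 or length > len(buf):
        raise ValueError("bad packet length")
    if not flags & 0x01:
        return {"control": False, "payload": buf[4:length]}
    if length < 8:
        raise ValueError("control packet without message header")
    msg_type, num_attrs = struct.unpack("!HH", buf[4:8])
    attrs, off = [], 8
    for _ in range(num_attrs):
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        _, attr_id, alen = struct.unpack("!BBH", buf[off:off + 4])
        alen &= MAX_LEN
        if alen < 4 or off + alen > length:
            raise ValueError("attribute overruns packet")
        attrs.append((attr_id, buf[off + 4:off + alen]))
        off += alen
    if off != length:
        raise ValueError("trailing bytes after last attribute")
    return {"control": True, "type": msg_type, "attributes": attrs}


def encapsulated_protocol(pkt):
    """Return the protocol ID a parsed Call Connect Request asks for, or None."""
    for attr_id, value in pkt.get("attributes", []):
        if attr_id == ATTR_ENCAPSULATED_PROTOCOL_ID and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def is_malformed(buf):
    """True if the parser rejects the buffer (used to exercise the length checks)."""
    try:
        parse_packet(buf)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    req = call_connect_request()
    print(req.hex(), parse_packet(req))
    print(parse_packet(build_data(SAMPLE_PPP_FRAME)))
```

The parser checks every length field against the enclosing one before slicing, so a packet that advertises a 12-bit length larger than the buffer, or an attribute that runs past the end of its packet, is rejected rather than silently truncated; the same discipline is what a server needs to avoid being driven into an out-of-bounds read by a hostile client.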