Break SSTP's Secret.

Source: Internet
Author: User
Tags: coding standards, RSA SecurID, firewall

Microsoft is currently developing a remote access tunneling protocol for Windows Vista and Longhorn Server. The protocol will let user devices securely reach the corporate network over a VPN from any location on the internet, without the usual problems of common ports being blocked.

Advantages of SSTP

In issue 14 of Internet World's technical features, the reporter introduced Microsoft's latest protocol, SSTP (Secure Socket Tunneling Protocol). SSTP creates a VPN tunnel that is routed over HTTPS, eliminating many of the problems associated with PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol) VPN connections. Those protocols may be blocked by web proxies, firewalls, and network address translation (NAT) routers that sit between the client and the server.

However, SSTP applies only to remote access; it does not support site-to-site VPN tunnels. Microsoft hopes that SSTP will help customers whose IPSec VPN connections are blocked by firewalls or routers. In addition, SSTP introduces no new problems for existing deployments, because it does not change the end user's VPN controls: SSTP-based VPN tunneling plugs directly into the interfaces of the current Microsoft VPN client and server software.

Microsoft plans to officially ship SSTP support in Windows Vista Service Pack 1 and Longhorn Server. The release date of Vista SP1 has not yet been confirmed, but Longhorn is expected to be officially released in the second half of this year. SSTP will be included in Longhorn Server Beta 3, due in the first half of 2007.

Microsoft officials said they wanted to work with partners to add SSTP to other client devices beyond Vista, but Microsoft did not disclose the names of the partners.

Becoming part of RRAS

SSTP is reported to become part of the Microsoft Longhorn Server Routing and Remote Access Service (RRAS). The protocol is built on SSL (Secure Sockets Layer), and all SSTP traffic uses TCP port 443.

According to Microsoft, it is not prepared to push for SSTP standardization, even though SSTP builds on SSL 3.0 and HTTP 1.1 with 64-bit content-length encoding. Microsoft's position is that because SSTP is only a tunneling protocol, it cannot be compared directly with an SSL VPN.

"Because SSTP can provide full network VPN access through SSL, RRAS can provide customers with a basic SSL VPN solution or become an integral part of a more complex SSL VPN solution," said Samir Jain, director of project management for Microsoft RRAS, adding that it "provides a generic SSL tunnel to it. SSTP can also provide support in the server to block specific IP addresses and subnets."

In Jain's view, SSTP carries Point-to-Point Protocol (PPP) traffic by encapsulating PPP datagrams over a stream-oriented SSL session. This makes it easy to traverse firewalls. Encryption is handled by SSL, and PPP is used for user authentication.

Using SSTP, Microsoft can provide complete IPv6 support, so that the SSTP tunnel can run over an IPv6 network. In addition, IPv6 and PPPv6 traffic can also be sent through the SSTP tunnel.

Jain said that SSTP is not tied to a specific application; it can tunnel any application or protocol. Microsoft currently uses a similar HTTPS connection to route remote procedure calls from Outlook clients that want to access Exchange, but that technique is available only for Exchange. This article is published in http://bianceng.cn

Microsoft also plans to integrate SSTP with its upcoming Network Access Protection (NAP) technology, which performs health checks on clients; only clients that pass the check are granted permission to access the network.

Jain said: "SSTP is a connection protocol within RRAS, and RRAS can act as a NAP policy enforcement point on the network." He believes that a single policy set is enough to cover SSTP, PPTP, and L2TP tunnels.

Jain points out that SSTP runs over a single HTTPS channel from client to server, which improves network utilization, and that it also supports authentication technologies such as smart cards and RSA SecurID tokens. SSTP likewise supports existing RAS features, such as remote access policies and the generation of connection profiles with the Connection Manager Administration Kit (CMAK).
