Microsoft developing new secure VPN tunneling protocol

Secure Socket Tunneling Protocol to reduce help desk support calls associated with IPSec VPNs getting blocked by firewalls or routers

Microsoft is working on a remote access tunneling protocol for Vista and Longhorn Server that lets client devices securely access networks via a VPN from anywhere on the Internet without concern for typical port blocking issues.

The Secure Socket Tunneling Protocol (SSTP) creates a VPN tunnel that travels over Secure-HTTP, eliminating issues associated VPN connections based on the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) that can be blocked by some Web proxies, firewalls and Network Address Translation (NAT) routers that sit between clients and servers.

The protocol, however, is only for remote access and will not support site-to-site VPN tunnels.

Microsoft hopes SSTP will help reduced help desk support calls associated with IPSec VPNs when those connections get blocked by firewalls or routers. In addition, SSTP won't foster retraining issues because it does not change the end-user VPN controls. The SSTP based VPN tunnel plugs directly into current interfaces for Microsoft VPN client and server software.

Microsoft plans to ship SSTP support in Vista Service Pack 1 and in Longhorn Server. The ship date for Vista SP1 has not been set, but Longhorn is expected to ship in the second half of this year. SSTP will be included in Longhorn Server Beta 3, which is set to ship in the first half of 2007.

Microsoft officials also say they are working with partners -- the company declined to name -- on adding SSTP to other client devices besides Vista.

SSTP will be part of Microsoft's Routing and Remote Access Server (RRAS) in Longhorn Server. The protocol is based on Secure Socket Layer (SSL) instead of PPTP or IPSec, and all SSTP traffic will use TCP Port 443.

Despite incorporating the SSL 3.0 and HTTP 1.1 with 64 bit content length encoding standards, Microsoft does not plan to seek standardization of SSTP, according to company officials.

Microsoft says that because SSTP is only a tunneling protocol it cannot be directly compared to SSL VPNs.

"However, since SSTP provides full-network VPN access over SSL, RRAS can provide customers with a baseline SSL VPN solution or be a building block in a more comprehensive SSL VPN solution by providing a generic SSL tunnel," says Samir Jain, lead program manager for RRAS at Microsoft. "SSTP also provides support in the server to block specific IPs and subnets."

On his blog , Jain has laid out a step-by-step description of how SSTP works , and how to configure it on the client side. In general, he says SSTP creates a thin layer to "allow Point-to-Point Protocol (PPP) traffic, which is datagram oriented to be encapsulated over an SSL session, which is stream oriented -- hence giving firewall traversal. The encryption is done over SSL and user authentication is done using PPP."

With SSTP, Microsoft will offer full support for IPv6 so an SSTP tunnel can be run across IPv6 networks. In addition, IPv6 and PPPv6 can be sent over an SSTP tunnel.

Jain says SSTP is not application specific and will support tunneling for any application or protocol. Microsoft today uses a similar connection over Secure-HTTP to route remote procedure calls from Outlook clients seeking to access Exchange, but that technology is specific to Exchange.

Microsoft also plans to integrate SSTP with its forthcoming Network Access Protection (NAP) technology, which provides health checks on clients before they are permitted to access the network.

"SSTP is a connection protocol within RRAS, which can act as a policy enforcement point in the network for NAP," Jain says. He says one set of policies will cover SSTP, PPTP and L2TP tunnels.

Jain says SSTP will run over a single Secure-HTTP channel from client to server to improve network utilization and will support strong authentication technology such as smart cards and RSA securID tokens. SSTP also supports current RAS features such as remote access policies and generating profiles using the Connection Manager Administration Kit.

Join the newsletter!

Error: Please check your email address.

More about Access ServerACTHISIPSMicrosoftRSASocketVIA

Show Comments

Market Place