Setting up RRAS (SSTP) with public SSL certificate and public/private name mismatch (WS2012R2)
I have a domain-joined WS2012R2 server I want to use for a VPN (SSTP). The machine itself is behind a NAT router (although it has a fixed IP and forwarding port 443 to it is straightforward).
I want to allow users to connect to it by connecting to the VPN vpn.mydomain.com, but the server is on a domain with a .local suffix (mydomain.local). I thought I would add a DNS record vpn.mydomain.com on the public website host's control panel with the fixed IP address of the router, then just forward 443 to vpn.mydomain.local.
The issue that is confusing me is that the certificate name won't match the host (vpn.mydomain.com vs vpn.mydomain.local), so will this show as an invalid certificate? For the avoidance of doubt, this will be a legit SSL cert from a mainstream provider, not a self-signed certificate. I'd kind of like to know the answer to this one before I spend the money. All of the guides for this I have seen use placeholders for the actual domain names and/or assume that the Windows domain is not using the .local suffix.
If this is not possible, what is the solution in this situation? (hopefully without recreating the domain)
Obviously the name vpn.mydomain.local isn't publicly accessible, and I can't get an SSL cert for that. I am aware that the Microsoft guidance is to use a "proper" domain name for Windows domains nowadays and not use the ".local" suffix, but the domain already exists. I'm also not keen on setting up a PK infrastructure on the Windows domain to allow a couple of guys occasional VPN access.
vpn windows-server-2012-r2 rras sstp
edited Oct 5 '16 at 20:20
asked Oct 5 '16 at 20:09 by ready-run-ready
1 Answer
This solution should do what you want: Windows Server 2012 SSTP VPN
However, you have to edit the registry on the client to prevent the revocation check on the certificate.
However, I've set up two SSTP VPNs and I've purchased the SSL certificates. You can get an SSL cert from Namecheap for £7/year.
answered Oct 6 '16 at 10:12 by Deaton
Thanks, that's useful. So as someone who has done this, the name mismatch between the local name of the server and the name the clients use to connect won't cause a certificate issue? – ready-run-ready Oct 7 '16 at 20:31
Hi, it doesn't matter what your server is called. Just make sure you put the value "vpn.mydomain.com" in the certificate properties when you request the new certificate. When I do it, for my client to connect to my server called detest.local, the client needs the Domain certificate installed. I think on a domain, this gets automatically installed on the clients. – Deaton Oct 10 '16 at 8:07
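
The point made in the comments above, that a client compares the name it dials with the names inside the certificate and never with the server's own computer name, shown as an added example that is not part of the original thread. The matching is a simplified RFC 6125-style check and not Windows' own implementation; the function names are hypothetical and the inputs are constructed from the names used in the question.

```python
"""Added example: which name a TLS client checks against the certificate."""


def _normalize(name):
    # DNS names are case-insensitive; a trailing dot denotes the same host.
    return name.strip().rstrip(".").lower()


def _name_matches(cert_name, dialed_name):
    """Compare one certificate name with the name the client dialed.

    Simplified RFC 6125 rules (assumption): '*' is honoured only as the
    entire left-most label and stands for exactly one label.
    """
    c_labels = _normalize(cert_name).split(".")
    d_labels = _normalize(dialed_name).split(".")
    if len(c_labels) != len(d_labels):
        return False
    if c_labels[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(c_labels) >= 3 and c_labels[1:] == d_labels[1:]
    return c_labels == d_labels


def certificate_covers(dialed_name, san_dns_names, subject_cn=None):
    """Return True if the certificate is valid for the dialed name.

    subjectAltName DNS entries take precedence; the subject CN is only
    consulted when the certificate carries no SAN DNS entries.
    """
    candidates = list(san_dns_names) or ([subject_cn] if subject_cn else [])
    return any(_name_matches(c, dialed_name) for c in candidates)


def check_deployment(public_name, internal_name, san_dns_names, subject_cn=None):
    """Evaluate the question's scenario for both names."""
    return {
        "public_name_ok": certificate_covers(public_name, san_dns_names, subject_cn),
        "internal_name_ok": certificate_covers(internal_name, san_dns_names, subject_cn),
    }


if __name__ == "__main__":
    # Constructed sample: a certificate requested for the public name only,
    # installed on a server whose computer name is vpn.mydomain.local.
    findings = check_deployment(
        public_name="vpn.mydomain.com",
        internal_name="vpn.mydomain.local",
        san_dns_names=["vpn.mydomain.com"],
        subject_cn="vpn.mydomain.com",
    )
    print(findings)
```

Clients that dial vpn.mydomain.com pass the name check; only a client that dialed the internal .local name would see a mismatch.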