On Saturday, April 7, 2018, Mick <michaelkintz...@gmail.com> wrote:
> On Friday, 6 April 2018 18:55:18 BST gevisz wrote:
>> 2018-04-06 2:10 GMT+03:00 Grant Taylor <gtay...@gentoo.tnetconsulting.net>:
>
>> > I'd encourage your friend to check out the VPN capabilities built into
>> > Windows.  He may need to install / configure (R)RAS to enable the
>> > features.
>>
>> Thank you for your advice. He is currently trying to set up RAS with SSTP
>> but RAS client so far cannot log into the server, while a third party VPN
>> just works (until the remote computer hangs for so far unknown reason that
>> even may not be connected with the VPN server).
>>
>> We will continue to experiment to find the reason.
>
> Typical problems incurred with SSTP are relating to username authentication
> and TLS certificate selection/configuration.
>
> SSTP authenticates OS users, not devices/PCs.  So use the *same* username and
> passwd on all the OS login, SSTP VPN & RRAS wizards.
>
> The TLS server certificate has to contain a DN which will resolve to the IP of
> the server in question, or better use the IP address both in the CN and the
> X509v3 Subject Alternative Name fields.
>
> In addition, the SSTP certificate binding has to use the same TLS certificate
> with that selected for RRAS and this is not always obvious (for SSTP at
> least).  You can use MSWindow's 'netsh ras show sstp-ssl-cert' command to show
> the TLS certificate in use by SSTP and compare this with the RRAS certificate
> selection.
>
> It is a bit of a faff, but that's what you get with SSTP.  The benefit of it
> is that it is integrated with MSWindows authentication mechanisms and network
> stack, allowing easy enterprise wide configuration and management.  For your
> friend's one off VPN set up, OpenVPN, or SoftEther VPN is probably a better
> MSWindows based option:
>

Companies which need user management tend to just set up an intranet and
provide VPN access to it which is likely not going to be a Microsoft
technology. There is no benefit to integrating OS authentication with your
transport security. If you contacted a Windows-focused business for your
administration they may set such a system up, but only because they don't
know any better.

Evaluating Microsoft software should be done extremely carefully. It is
very easy to waste time, ignoring other concerns. You may get something
working but it will not be easy to administrate or scale.

Microsoft's current revenue may be largely from customers using the sunk
cost fallacy.

Cheers,
    R0b0t1
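
The two certificate checks described in the quoted text above (the CN/SAN must name the address clients connect to, and SSTP must be bound to the same certificate as RRAS), as an added PowerShell example that is not part of this thread. The function name, parameter names and sample values are hypothetical; it assumes an English-locale Windows server and that both thumbprints were copied by hand, one from the 'netsh ras show sstp-ssl-cert' output and one from the certificate selected in RRAS.

```powershell
# Added example (not from the thread). Run elevated on the RRAS server.
# Assumptions: English-locale Windows (the SAN text rendering is localised);
# both thumbprints are supplied by the operator. Test-SstpCertificate is a
# hypothetical helper name, not a built-in cmdlet.
function Test-SstpCertificate {
    param(
        [Parameter(Mandatory)] [string] $ClientTarget,    # name or IP the clients dial
        [Parameter(Mandatory)] [string] $SstpThumbprint,  # from 'netsh ras show sstp-ssl-cert'
        [Parameter(Mandatory)] [string] $RrasThumbprint   # from the RRAS certificate selection
    )
    # Pasted thumbprints often carry spaces, colons or mixed case.
    $sstp = ($SstpThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $rras = ($RrasThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $sstp } | Select-Object -First 1
    if (-not $cert) { throw "No certificate $sstp in LocalMachine\My" }

    # Names the certificate vouches for: subject CN plus SAN entries.
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions['2.5.29.17']    # X509v3 Subject Alternative Name
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*(DNS Name|IP Address)=(.+)$') { $names += $Matches[2].Trim() }
        }
    }

    # A wildcard entry covers exactly one left-most label; IPs must match literally.
    $covered = $false
    foreach ($n in $names) {
        if ($n -ieq $ClientTarget) { $covered = $true }
        elseif ($n.StartsWith('*.') -and $ClientTarget -match '^[^.]+\.(.+)$' -and
                $Matches[1] -ieq $n.Substring(2)) { $covered = $true }
    }

    $now = Get-Date
    [pscustomobject]@{
        Subject          = $cert.Subject
        SameCertAsRras   = ($sstp -eq $rras)
        NameCoversTarget = $covered
        WithinValidity   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey    = $cert.HasPrivateKey
        NamesInCert      = $names -join ', '
    }
}
# Usage (constructed values):
# Test-SstpCertificate -ClientTarget '203.0.113.10' -SstpThumbprint '<thumbprint>' -RrasThumbprint '<thumbprint>'
```

Any field that comes back False points at one of the failure modes named in the quoted advice: a binding mismatch between SSTP and RRAS, or a certificate whose CN/SAN does not cover the address the client uses.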
