Windows Server 2008 R2 – RAS SSTP – HTTP 503 Service is unavailable

Tags: rras, sstp, vpn, windows-server-2008-r2

I have a Windows Server 2008 R2 machine that has the following configuration:

  • It's a domain controller
  • It runs IIS and serves the Default Website with HTTP bindings 0.0.0.0:80 and [::]:80 and with HTTPS bindings 0.0.0.0:443 and [::]:443. The HTTPS bindings use a widely trusted X.509 / SSL certificate from NameCheap for mydomain.com.
  • It has the RAS service installed, with the mydomain.com certificate selected on the RAS Security property sheet. It does not have the NAP role service installed.

I cannot connect to the VPN using any Windows client. The Event Logs on the clients report receiving an HTTP 503 response from the SSTP server. I investigated by querying the SSTP endpoint directly and I received the generic (HTTP.SYS generated?) "Service is unavailable" error message. I get the same error when I access it locally.

The SSTP endpoint URI is https://mydomain.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/

Best Answer

As I was writing this question I thought I'd take another look at the Event Logs on the server and I saw a number of Schannel and RasSstp events that I had previously overlooked.

One Event had Event ID 36888: "The following fatal alert was generated: 10. The internal error state is 1203".

Apparently code 1203 means "This event is seen on windows 2008 R2 running IIS. If a user tries to access a web site using HTTP but specifies an SSL port in the URL then this event is logged. This event is expected as the client is trying to use the wrong port or the wrong protocol to access the site".

This made me realise something I had done earlier: I set the HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\ListenerPort to 5000 even though IIS (or rather, HTTP.SYS) was only configured for port 443.

I reset the ListenerPort value to 0 (so it uses the default value of 443) and also reset the selected certificate in the RAS property sheet. After restarting RRAS I'm now able to connect to my SSTP VPN.
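The checks and the fix from the answer above, as an added PowerShell example that is not part of the original question or answer: it reads the SstpSvc ListenerPort value, compares the effective SSTP port against the SSL certificate bindings HTTP.SYS actually has, lists recent Schannel 36888 alerts, and only then resets the port and restarts RRAS. It assumes it is run elevated on the RRAS server; the post names the value as SstpSvc\ListenerPort, while on most systems it sits under the SstpSvc\Parameters subkey, so both locations are checked.

```powershell
# Added example (not from the original post): audit the SSTP listener port against
# the HTTP.SYS SSL bindings and Schannel events described in the answer, then repair.
# Assumes an elevated session on the RRAS server.
$candidates = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters',  # usual location
    'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc'              # as named in the post
)
$keyPath = $null
$listenerPort = 0
foreach ($p in $candidates) {
    $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    if ($props -ne $null -and $props.PSObject.Properties['ListenerPort']) {
        $keyPath = $p
        $listenerPort = [int]$props.ListenerPort
        break
    }
}
# A value of 0 means "use the default", i.e. 443.
if ($listenerPort -eq 0) { $effectivePort = 443 } else { $effectivePort = $listenerPort }
Write-Host "SstpSvc ListenerPort value: $listenerPort (effective SSTP port $effectivePort)"

# SSTP is served by HTTP.SYS, so the listener port needs an SSL certificate binding.
$sslBindings = netsh http show sslcert |
    Select-String -Pattern 'IP:port\s*:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
Write-Host "HTTP.SYS SSL bindings: $($sslBindings -join ', ')"
$portBound = $sslBindings | Where-Object { $_ -match ":$effectivePort$" }
if (-not $portBound) {
    Write-Warning "No SSL certificate binding on port $effectivePort; SSTP clients will get HTTP 503."
}

# Recent Schannel fatal alerts (Event ID 36888), the symptom the answer spotted.
$alerts = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue
foreach ($e in $alerts) { Write-Host ("{0}  {1}" -f $e.TimeCreated, $e.Message) }

# Repair, as in the answer: ListenerPort back to 0 (default 443), then restart RRAS.
if ($keyPath -and $listenerPort -ne 0 -and -not $portBound) {
    Set-ItemProperty -Path $keyPath -Name ListenerPort -Value 0 -Type DWord
    Restart-Service -Name RemoteAccess -Force
    Write-Host "ListenerPort reset to 0 and RemoteAccess restarted."
}
```

The repair step runs only when the configured port has no certificate binding, so on a correctly configured server the script is read-only and just reports the port, the bindings and any recent Schannel alerts.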