I am seeing a problem with SSTP VPN on Windows Server. In particular I’m using Windows Server 2016 Essentials but I think this would also apply to Windows Server 2016/2019.
The CTW client works well, and renews the certificate without issues. It also binds it correctly within IIS.
However - and this may be a limitation in Windows Server - the problem is that the SSTP VPN server in Windows Server 2016 (probably other versions) records the current certificate thumbprint expected by the SSTP listener in the registry, and drops the VPN connection if it doesn’t match. Since CTW doesn’t update the SSTP listener with the new thumbprint, it no longer matches IIS.
The solution is to manually update the registry key at HKLM > System > CurrentControlSet > Services > Sstpsvc > Parameters > Sha1CertificateHash.
Could the CTW renewal process also update this registry key and restart IIS (with the appropriate agreement from the administrator)? Otherwise, at every renewal, the SSTP VPN breaks.
NOTE: This doesn’t affect AnywhereAccess. It’s just the SSTP VPN.
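One way to do what the post describes as a post-renewal step, written here as an added example (it is not part of the original post and not code from Certify The Web or Microsoft): read the thumbprint of the certificate IIS actually serves from the HTTP.sys SSL binding, compare it with the hash the SSTP listener expects in the SstpSvc\Parameters key, and, if they differ, rewrite the key and restart the SSTP service so the listener picks up the new value. Assumptions are marked in the comments: the HTTPS binding is on 0.0.0.0:443, the certificate is in the LocalMachine\My store, and the script runs from an elevated PowerShell prompt on the RRAS server.

```powershell
# Added example: re-synchronise the SSTP listener's expected certificate hash with the
# certificate that IIS currently serves. Not from the original post or Certify The Web.
# Assumptions: HTTPS binding on 0.0.0.0:443, certificate in Cert:\LocalMachine\My,
# elevated PowerShell on the RRAS host. Run it as a post-renewal task.

$SstpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'

function Get-IisHttpsThumbprint {
    # HTTP.sys holds the SSL binding IIS uses; read it instead of trusting a config file.
    param([string]$IpPort = '0.0.0.0:443')   # assumption: default HTTPS binding
    $text = (& netsh http show sslcert ipport=$IpPort) -join "`n"
    $m = [regex]::Match($text, 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})')
    if (-not $m.Success) { throw "No SSL binding found for $IpPort" }
    return $m.Groups[1].Value.ToUpper()
}

function ConvertTo-HexString([byte[]]$Bytes) {
    if (-not $Bytes) { return '<none>' }
    return (($Bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function ConvertFrom-HexString([string]$Hex) {
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Sync-SstpCertificateHash {
    $iisThumbprint = Get-IisHttpsThumbprint

    # Sanity checks before touching the registry: the certificate must exist in the
    # machine store and still be valid, otherwise the listener would break either way.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $iisThumbprint }
    if (-not $cert) { throw "Certificate $iisThumbprint not found in LocalMachine\My" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $iisThumbprint has expired" }

    $params   = Get-ItemProperty -Path $SstpParamsKey -ErrorAction Stop
    $sstpHex  = ConvertTo-HexString $params.Sha1CertificateHash

    if ($sstpHex -eq $iisThumbprint) {
        Write-Host "SSTP listener already expects $iisThumbprint; nothing to do."
        return $false
    }

    Write-Host "SSTP listener expects $sstpHex but IIS serves $iisThumbprint; updating."
    Set-ItemProperty -Path $SstpParamsKey -Name Sha1CertificateHash `
        -Value (ConvertFrom-HexString $iisThumbprint) -Type Binary

    # Newer Windows versions keep a Sha256CertificateHash value beside the SHA-1 one
    # (not mentioned in the post); keep it consistent if it is present on this host.
    if ($params.PSObject.Properties.Name -contains 'Sha256CertificateHash') {
        $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
        Set-ItemProperty -Path $SstpParamsKey -Name Sha256CertificateHash `
            -Value ([byte[]]$sha256) -Type Binary
    }

    # The listener reads the hash at start-up; -Force also restarts RemoteAccess,
    # which depends on SstpSvc. IIS already has the new binding and is left alone.
    Restart-Service -Name SstpSvc -Force
    return $true
}

Sync-SstpCertificateHash
```

Scheduled right after the renewal task, this keeps the two stores in step without an administrator having to edit the registry by hand, and the expiry and store checks mean a bad renewal leaves the existing SSTP binding untouched rather than replacing it with a hash the listener cannot serve.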