 
Posted By InfoTechGuyz
I will walk you through troubleshooting the most common SSTP VPN issue: making sure the correct certificate is bound to the listener.
 
 
Make sure the correct certificate is bound to the listener
 
  1. Run netstat on the RRAS server to make sure it is listening on port 443.
  2. Run the “netsh http show sslcert” command to check the SSL bindings.
  3. Confirm the application ID {ba195980-cd49-458b-9e23-c84ee0adcd75} is in each of the bindings.
  4. Confirm the certificate hash matches the certificate hash of the valid SSL certificate.
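
The binding check in steps 2 to 4, scripted in PowerShell as an added example (not from the original post). The function names and the sample thumbprints are constructed for illustration, and the parser assumes English-language netsh output.

```powershell
# Added example (not from the original post). Assumes English netsh output.
$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # application ID from step 3

function Get-SslBinding {
    # Turn "netsh http show sslcert" text into one object per binding.
    param([string[]]$NetshOutput)
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $current }          # emit the previous binding
            $current = [pscustomobject]@{ Endpoint = $Matches[1]; Hash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $current }                  # emit the last binding
}

function Test-SstpBinding {
    # Steps 3 and 4: check application ID and certificate hash on every :443 binding.
    param([string[]]$NetshOutput, [string]$ExpectedThumbprint)
    Get-SslBinding $NetshOutput | Where-Object { $_.Endpoint -match ':443$' } | ForEach-Object {
        [pscustomobject]@{
            Endpoint = $_.Endpoint
            AppIdOk  = $_.AppId -eq $SstpAppId
            HashOk   = $_.Hash -eq $ExpectedThumbprint   # -eq ignores case for strings
        }
    }
}

# Constructed sample output: the IPv6 binding still carries a different (stale) hash.
$sample = @'
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {ba195980-cd49-458b-9e23-c84ee0adcd75}

    IP:port                      : [::]:443
    Certificate Hash             : 2222222222222222222222222222222222222222
    Application ID               : {ba195980-cd49-458b-9e23-c84ee0adcd75}
'@ -split '\r?\n'

Test-SstpBinding $sample '1111111111111111111111111111111111111111' | Format-Table

# On the RRAS server itself, feed the live output instead:
#   Test-SstpBinding (netsh http show sslcert) '<thumbprint of the valid certificate>'
```

A row with AppIdOk or HashOk set to False marks the binding that needs attention.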
 
 
 
 

 
Posted By InfoTechGuyz

When an SSTP VPN client connects, it sends an HTTP “CONNECT” request with a custom HTTP header “SSTPVERSION” with a value of “1.0”. You can simply block the custom header via a web proxy or firewall that is capable of blocking HTTP headers.


 
Posted By InfoTechGuyz

Error: The ip address and the subnet mask entered are not compatible. confirm that both values are correct before continuing

 

Solution: You will get this error message when you enter the wrong mask. For example, if you are entering a host address, you must use 255.255.255.255 as the subnet mask. See the screenshot below.

 

[Screenshot: rraserror]


 
Posted By InfoTechGuyz

I asked myself today: how do I prevent a rogue DHCP server?

 

In the Windows world, you have to authorize DHCP servers before they can come online. However, Windows cannot detect Linux DHCP servers, SOHO DHCP routers, or even Windows DHCP servers when they are not part of an AD domain.

 

 

How to fix it: To prevent a rogue DHCP server from entering your network, you can enable DHCP snooping on your switch. This feature allows you to set trusted and untrusted interfaces on your switch. You can find more information in your switch manual.