As described in section 1, SSTP supports two deployment modes and requires a machine certificate in order to establish HTTPS negotiation in both modes. In the first deployment mode, where the SSTP server directly accepts HTTPS connections, the server administrator MUST install a server certificate in the machine certificate store on the SSTP server and MUST configure the HTTPS listener on the SSTP server with the same certificate. In the second deployment mode, where the SSTP server is located behind an SSL load balancer, the server administrator MUST install a server certificate on the SSL load balancer. In both deployment modes, the server administrator MUST populate the certificate hash of the machine certificate in the ServerCertificateHash state variable on the SSTP server.
The server administrator initializes the list of possible hash protocols that the SSTP server supports in the ServerHashProtocolSupported state variable (described in 3.3.1).
The server administrator sets the ServerBypassHLAuthConfigured variable to TRUE if higher-layer authentication needs to be bypassed.
The server is initialized with the version of the SSTP protocol specified in the ServerVersion state variable (described in 3.3.1).
Server initialization MAY<10> be performed when the SSTP server software is started or when the administrator configures the SSTP server software. When the server is initialized, it MUST start a listener to listen for HTTPS requests on a predefined URI that will be used by the client,<11> and the server state machine waits for an incoming HTTPS connection, as shown in the figure, "Server call establishment", in section 220.127.116.11.1.