
6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

Note: Some of the information in this section is subject to change because it applies to a preliminary product version, and thus may differ from the final version of the software when released. All behavior notes that pertain to the preliminary product version contain specific references to it as an aid to the reader.

  • Windows Vista operating system with Service Pack 1 (SP1)

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 Technical Preview operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 2.1: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview do not support HTTPS client authentication. Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview support client authentication by using MS-CHAPv2 [RFC2759], EAP-TLS [RFC2716], PEAP-MSCHAPv2, and PEAP-TLS. See [MS-PEAP] for details on how to use PEAP with inner methods such as MS-CHAPv2 and EAP-TLS.

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016 Technical Preview also support client authentication by using Password Authentication Protocol (PAP), as referenced in [RFC1334], and CHAP [RFC1994], but do not recommend their use for security reasons.

<2> Section 2.2.8: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview allow a retry count of 3.

<3> Section 2.2.13: Windows implementations always send a Status Info attribute in a Call Abort message.

<4> Section 2.2.14: Windows implementations always send a Status Info attribute in a Call Disconnect message.

<5> Section 3.2.1: The Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview implementations support bypass of PPP authentication. On the client side, this protocol exposes APIs to the management layer to indicate ClientBypassHLAuth and ClientHTTPCookie. On the server side, this protocol exposes Routing and Remote Access Server APIs to indicate Accept New Connection along with the cookie to the management layer. However, the Windows implementation of this protocol does not generate the cookie, nor does it validate one on the server side. It relies totally on the management layer to do the same in its own implementation-specific way.

<6> Section 3.2.2.1: The Windows-based client starts a timer with a value of 60 seconds after sending a Call Connected message and starts a timer with a value of 60 seconds after receiving a Call Connected message.

<7> Section 3.2.4.1: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview do not support the HTTPS termination proxy.

<8> Section 3.2.5.3.3: In Windows Vista SP1, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview, only the Encapsulation Protocol ID is sent by the SSTP client in the SSTP_MSG_CALL_CONNECT_REQUEST (section 2.2.9) message, and a negative SSTP_MSG_CALL_CONNECT_NAK (section 2.2.12) will be received by the client only if the SSTP server does not support transport of PPP frames over SSTP. The Windows client retries 3 times.
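The client-side behaviour from notes <6> and <8> (a 60-second timer around the connect exchange, and up to 3 retries when the server answers with SSTP_MSG_CALL_CONNECT_NAK or does not answer at all) as a simulation. This is an added example, not Windows code and not the MS-SSTP wire encoding: the scripted server, the fake clock, the ACK message name and the Encapsulation Protocol ID value are placeholders chosen for illustration, and "retries 3 times" is read here as three retries after the first attempt.

```python
"""Bounded SSTP_MSG_CALL_CONNECT_REQUEST retry loop (simulation).

Added example; not Windows code and not MS-SSTP wire encoding. It models
the appendix's statements: the client advertises only the Encapsulation
Protocol ID, receives SSTP_MSG_CALL_CONNECT_NAK only if the server does
not support PPP over SSTP, retries 3 times, and guards the exchange with a
60-second timer. Assumptions: "retries 3 times" means three retries after
the first attempt; the ACK message name, the Encapsulation Protocol ID
value and the scripted server are placeholders for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

MAX_RETRIES = 3          # appendix note <8>
CONNECT_TIMEOUT_S = 60   # appendix note <6>
ENCAP_PPP = 1            # assumption: Encapsulation Protocol ID for PPP


class Msg(Enum):
    CALL_CONNECT_REQUEST = "SSTP_MSG_CALL_CONNECT_REQUEST"
    CALL_CONNECT_ACK = "SSTP_MSG_CALL_CONNECT_ACK"      # assumed name
    CALL_CONNECT_NAK = "SSTP_MSG_CALL_CONNECT_NAK"


class FakeClock:
    """Deterministic clock so the timer logic can be exercised offline."""
    def __init__(self) -> None:
        self.t = 0

    def now(self) -> int:
        return self.t

    def advance(self, seconds: int) -> None:
        self.t += seconds


@dataclass
class ScriptedServer:
    """Constructed stand-in for an SSTP server.

    Each script entry is (reply, delay_s); reply None means no answer at
    all. When the script runs out the server stays silent for a full
    timeout period, which is what a dead or filtered peer looks like.
    """
    script: List[Tuple[Optional[Msg], int]] = field(default_factory=list)

    def handle(self, request: Msg, encap_id: int, clock: FakeClock) -> Optional[Msg]:
        reply, delay = self.script.pop(0) if self.script else (None, CONNECT_TIMEOUT_S)
        clock.advance(delay)
        if request is not Msg.CALL_CONNECT_REQUEST or encap_id != ENCAP_PPP:
            return Msg.CALL_CONNECT_NAK     # encapsulation not supported
        return reply


@dataclass(frozen=True)
class ConnectResult:
    connected: bool
    attempts: int
    elapsed_s: int


def connect(server: ScriptedServer, clock: FakeClock) -> ConnectResult:
    """Send the connect request; retry on NAK or timer expiry; stop after MAX_RETRIES."""
    start = clock.now()
    attempts = 0
    while attempts <= MAX_RETRIES:
        attempts += 1
        sent_at = clock.now()
        reply = server.handle(Msg.CALL_CONNECT_REQUEST, ENCAP_PPP, clock)
        timed_out = clock.now() - sent_at >= CONNECT_TIMEOUT_S
        if reply is Msg.CALL_CONNECT_ACK and not timed_out:
            return ConnectResult(True, attempts, clock.now() - start)
        # NAK, silence, or a reply that arrived after the timer fired: try again
    return ConnectResult(False, attempts, clock.now() - start)


if __name__ == "__main__":
    clk = FakeClock()
    srv = ScriptedServer([(Msg.CALL_CONNECT_NAK, 1), (Msg.CALL_CONNECT_ACK, 1)])
    print(connect(srv, clk))
```

The point of the fake clock is that a reply arriving after the 60-second timer has expired is treated like no reply: the attempt is charged against the retry budget, and an unresponsive server costs the client at most four timer periods before it gives up.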

<9> Section 3.3.1: The Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview implementations support bypass of PPP authentication. On the client side, SSTP exposes APIs to the management layer to indicate ClientBypassHLAuth and ClientHTTPCookie. On the server side, SSTP exposes Routing and Remote Access Server APIs to indicate Accept New Connection along with the cookie to the management layer. However, the Windows implementation of SSTP does not generate the cookie, nor does it validate one on the server side. It relies totally on the management layer to do the same in its own implementation-specific way.

<10> Section 3.3.2.1: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview wait 60 seconds for the Call Connected message and 60 seconds for the Call Connect Request message.

<11> Section 3.3.3: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview the Routing and Remote Access Service is used as the SSTP management layer on the server side. The SSTP server state is initialized when the Routing and Remote Access Service is started or when SSTP ports are configured within the service.

<12> Section 3.3.3: By default, Windows uses the URI: /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/.

<13> Section 3.3.4: Windows implementations of the management layer support administrator-determined disconnection of the SSTP connection. Windows also supports disconnections based on idle timeout and maximum connection lifetime. These values are retrieved by the management layer from Remote Authentication Dial-in User Service (RADIUS) attributes, if they are available:

  • Maximum connection lifetime is retrieved from the Session-Timeout attribute ([RFC2865] section 5.27).

  • Idle timeout is retrieved from the Idle-Timeout attribute ([RFC2865] section 5.28).

Otherwise, disconnections based on the idle timeout or maximum connection lifetime are not applied by the management layer.
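The management-layer disconnect logic described in this note, as an added example that is not part of MS-SSTP or of the Windows implementation: it decodes RFC 2865 attributes from a constructed Access-Accept attribute list, reads Session-Timeout (type 27) and Idle-Timeout (type 28), and applies a disconnect rule only when its attribute is present. The attribute type numbers and the 4-octet integer encoding come from RFC 2865; the function names, the sample values and the strict length checking are this example's own.

```python
"""Derive the SSTP disconnect policy from RADIUS attributes.

Added example; not code from MS-SSTP or from Windows. Models the
behaviour the appendix describes: the management layer takes the maximum
connection lifetime from Session-Timeout (RFC 2865 section 5.27, attribute
type 27) and the idle timeout from Idle-Timeout (section 5.28, type 28),
and applies neither rule when its attribute is absent.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TIMEOUT = 27   # RFC 2865 section 5.27, value is a 4-octet integer
IDLE_TIMEOUT = 28      # RFC 2865 section 5.28, value is a 4-octet integer


def parse_attributes(blob: bytes) -> Dict[int, bytes]:
    """Walk the RFC 2865 attribute list: Type(1) Length(1) Value(Length-2).

    Malformed lengths raise instead of being silently clamped; a length of 0
    or 1 would otherwise loop forever or mis-frame every later attribute.
    """
    attrs: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def integer_attribute(attrs: Dict[int, bytes], atype: int) -> Optional[int]:
    """Return the attribute as an unsigned 32-bit integer, or None if absent."""
    raw = attrs.get(atype)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError(f"attribute type {atype} must carry a 4-octet integer")
    return struct.unpack("!I", raw)[0]


@dataclass(frozen=True)
class DisconnectPolicy:
    max_lifetime_s: Optional[int]   # None: no lifetime-based disconnect
    idle_timeout_s: Optional[int]   # None: no idle-based disconnect


def policy_from_attributes(blob: bytes) -> DisconnectPolicy:
    attrs = parse_attributes(blob)
    return DisconnectPolicy(
        max_lifetime_s=integer_attribute(attrs, SESSION_TIMEOUT),
        idle_timeout_s=integer_attribute(attrs, IDLE_TIMEOUT),
    )


def disconnect_reason(policy: DisconnectPolicy, connected_at: int,
                      last_activity: int, now: int) -> Optional[str]:
    """Name the rule that fires, or None. All times are seconds on one clock."""
    if policy.max_lifetime_s is not None and now - connected_at >= policy.max_lifetime_s:
        return "max-lifetime"
    if policy.idle_timeout_s is not None and now - last_activity >= policy.idle_timeout_s:
        return "idle-timeout"
    return None


def encode_integer_attribute(atype: int, value: int) -> bytes:
    """Type, Length=6, 4-octet big-endian value (RFC 2865 integer form)."""
    return struct.pack("!BBI", atype, 6, value)


# Constructed sample attribute lists (not captured traffic).
ACCEPT_WITH_LIMITS = (encode_integer_attribute(SESSION_TIMEOUT, 3600)
                      + encode_integer_attribute(IDLE_TIMEOUT, 600))
ACCEPT_WITHOUT_LIMITS = bytes([1, 6]) + b"user"   # User-Name (type 1) only

if __name__ == "__main__":
    p = policy_from_attributes(ACCEPT_WITH_LIMITS)
    print(p, disconnect_reason(p, 0, 2900, 3500))   # idle-timeout
    q = policy_from_attributes(ACCEPT_WITHOUT_LIMITS)
    print(q, disconnect_reason(q, 0, 0, 10**6))     # None
```

The second sample shows the "otherwise" branch of the note: with no Session-Timeout or Idle-Timeout attribute in the Access-Accept, the policy carries no limits and the connection is never torn down by either rule, so lifetime enforcement for SSTP sessions depends entirely on the RADIUS server returning those attributes.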

<14> Section 3.3.5.2.2: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview allow a retry count of 3.

<15> Section 3.3.5.2.3: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview start allowing PPP control frames from the client and request the PPP layer to start the FSM. However, none of these operating systems will allow any data frames until the PPP negotiation is completed.

<16> Section 3.3.7.3: The Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview implementations support bypass of PPP authentication. On the client side, this protocol exposes APIs to the management layer to indicate ClientBypassHLAuth and ClientHTTPCookie. On the server side, this protocol exposes Routing and Remote Access Server APIs to indicate Accept New Connection along with the cookie to the management layer. However, the Windows implementation of this protocol does not generate the cookie, nor does it validate one on the server side. It relies totally on the management layer to do the same in its own implementation-specific way.

<17> Section 4.1: By default, the Windows implementation supports only HTTPS traffic. HTTP can be enabled via a registry key.

© 2016 Microsoft