I have a domain joined WS2012R2 server I want to use for a VPN (SSTP). The machine itself is behind a NAT router (although it has a fixed IP and forwarding port 443 to it is straightforward).
I want to allow users to connect to it by connecting to the vpn vpn.mydomain.com, but the server is on a domain with a .local suffix (mydomain.local). I thought I would add a DNS record vpn.mydomain.com on the public website hosts control panel with the fixed IP address of the router, then just forward 443 to vpn.mydomain.local.
The issue that is confusing me is that the certificate name won't match the host (vpn.mydomain.com vs vpn.mydomain.local), so will this show as an invalid certificate? For the avoidance of doubt this will be a legit SSL cert from a mainstream provider, not a self-signed certificate. I'd kind of like to know the answer to this one before I spend the money. All of the guides for this I have seen use placeholders for the actual domain names and/or assume that the windows domain is not using the .local suffix.
If this is not possible, what is the solution in this situation? (hopefully without recreating the domain)
Obviously the name vpn.mydomain.local isn't publicly accessible, and I can't get an SSL cert for that. I am aware that the Microsoft guidance is to use a "proper" domain name for Windows domains nowadays and not use the ".local" suffix, but the domain already exists. I'm also not keen on setting up a PK infrastructure on the Windows domain to allow a couple of guys occasional vpn access.
This solution should do what you want Windows Server 2012 SSTP VPN
However, you have to edit the registry on the client to prevent revocation check on the certificate.
However, I've setup to two SSTP VPNs and I've purchased the SSL certificates. You can get a SSL Cert from Namecheap for £7/year.