RRAS on Win2k8 has bound to additional IP address 443 - how to stop?

Question

I have Apache 2.2 running Subversion on my Win2k8 box. This has been setup for a few years like this.

The server has 1x NIC, with 2x IP addresses assigned, eg:

192.168.1.50
192.168.1.51

The 192.168.1.50 address is the primary NIC address. The 192.168.1.51 address is/was reserved for just apache.

Anyhow - Apache will now not start. After a debug, I found that the RRAS service in windows is now bound to port 443 on this IP, as well as the primary IP.

Can anyone please guide me as to how to prevent Windows RRAS from binding to this secondary IP address? If I stop the RRAS service, start Apache - all AOK. However, when the server reboots, RRAS is started first, and so Apache wont load.

This is new behaviour. I am at a loss to explain why - I just need to get it fixed.

Answer 1

This is actually a common problem when you install RRAS and SSTP.

First run the following command to verify the RRAS is listening on all interfaces (0.0.0.0:443 or [::]:443) -
netsh http show sslcert
Note the certificate hash.

Next, remove the all bindings:
netsh http delete sslcert ipport=0.0.0.0:443
and
netsh http delete sslcert ipport=[::]:443

Then add the listener back on the correct interface (192.168.1.50):
netsh http add sslcert ipport=192.168.1.50:443 certhash=#HashFromAbove# appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

According to this article, you also have to insert the certificate hash in the SSTP service by editing the following registry key:
HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha256CertificateHash

Answer 2

I dont know whether my solution is right to this answer but I wanted to free up the 443 port to use it with Apache httpd and I just changed the ListenerPort registry key (select decimal first and then change) to 473. Now the RRAS binds to 473 on IPv4 and IPv6 both.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters
ListenerPort Value in decimal 473