UAG 2010 - Client Configuration requirement for NC and SSTP

  • Question

  • Dear Fellows,

    I am new to UAG 2010. I am planning to have a UAG Server for NC/SSTP and have some queries I need help with.

    1. What steps need to be performed on the client (Windows XP, Vista and Windows 7) to connect to UAG using NC/SSTP? (Because I read in different articles that for accessing SSTP using the Portal you need Windows 7)

    2. What are the public IP requirements for SSTP/NC?

    3. Will SSTP/NC work with non-domain joined computers?

    4. Both NC and SSTP require HTTPS access only to UAG Server, no other port right?

    I will be very thankful for the help.

    Thanks.


    Junaid Ahmed

    Monday, November 5, 2012 5:29 AM

All replies

  • Hi Junaid,

    A1: Windows 7 will automatically use an SSTP connection, older clients will use NC. SSTP will be configured on the fly by UAG as the client is installed by default on Windows 7. For NC, the SSL Network Tunneling component will need to be installed on the client device before you can use it. When you configure SSTP/NC you then publish a Remote Network Access application in the portal; this application will initiate SSTP or NC dependent on the client OS version.

    A2: None, you can use both successfully behind NAT. The only caveat here is the need to define the actual public IP address that will be used by clients in the Remote Network Access application configuration (so clients are handed the public IP, not the private IP of the UAG external interface).

    A3: Yes, although I wouldn't recommend it unless you can validate them to a high trust level.

    A4: Yes, correct.

    I would recommend you look at getting a book like this to help with your deployment: http://www.packtpub.com/microsoft-forefront-uag-2010-administrators-handbook-raw/book

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Monday, November 5, 2012 11:16 AM
  • Dear JJ,

    Thanks man, for the help and recommendation to read. Will surely go through it.

    One more query here regarding A1: you mentioned that "the SSL Network Tunneling component will need to be installed on the client device before you can use it". Does it mean that this component has to be installed even before accessing the portal? What is the procedure to install the component?

    Will surely bother you again if any more questions come to mind ;)

    Thanks.


    Junaid Ahmed

    Monday, November 5, 2012 8:28 PM
  • Dear Jones,

    When configuring 2-node DirectAccess Array, what is the minimum number of public IPs required? Is it 3 (1 DIP per node and 1 VIP) or 4 (1 DIP per node and 2 VIPs)?

    Will there be any situation when we would need to add more public IPs to same UAG Array?

    And if I am not wrong, these public IPs will be routed (not NAT'd) from the Organization Edge Firewall device. Right?

    Thanks.


    Junaid Ahmed



    Tuesday, November 6, 2012 8:39 PM
  • It will be installed automatically when running the application for the first time or you can deploy it as an MSI using some form of software deployment technology (SMS/SCCM etc.)


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, November 8, 2012 12:07 AM
  • You need a minimum of 4 (2 VIPs, 2 DIPs)...the only time to add VIPs would be if you also want to provide traditional UAG application publishing features and start creating trunks.

    Yep, you will need the edge firewall to route the connections; the external interfaces of UAG servers therefore need to be in a public addressed routable DMZ.


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, November 8, 2012 12:10 AM
  • Thanks Jason.

    Stay blessed!!


    Junaid Ahmed

    Thursday, November 8, 2012 6:14 AM
  • Just a note because I see you also posted a question about DirectAccess+SSTP - if you are using a UAG box for DirectAccess that same box CAN be used for SSTP VPN, but CANNOT be used for Network Connector VPN. Just wanted to make sure you were aware of that.
    Wednesday, November 14, 2012 3:48 PM