Remote Network connection working in XP, not in Win 7

  • Question

  • I have set up UAG RC0 and have started to publish some applications.  We are currently running IAG 2007 on celestix hardware, so I found that setting up the network connector equivalent of the SSL Network Tunneling was quite easy.  I am now also trying to set up the SSTP for Windows 7 clients.  I have stepped through the process found here:

    http://blogs.technet.com/edgeaccessblog/archive/2009/07/05/adding-the-sstp-magic-to-the-uag-charm.aspx

    I chose to use DHCP for assigning IP addresses to clients (does doing this require extra setup?)
    From reading, I should be able to have both versions of Tunneling running at the same time, and the client itself will determine which to utilize.
    On XP machines all works fine; however, on Win 7 the connection appears to start, then almost immediately disconnects.

    If anyone could provide some insight or suggestions they would be greatly appreciated.

    Wednesday, December 2, 2009 2:26 PM

All replies

  • I should add, that I tested this on both Windows 7 32 bit and 64 bit, same issue on either system.
    Wednesday, December 2, 2009 7:09 PM
  • Hi,

    Please take a look at the Event Viewer on your Win7 client for any events with a source of RasClient and let us know what you find.

    -Ran
    Wednesday, December 2, 2009 7:29 PM
  • Found an entry under "RasSstp"

    CoId=(F0371D31-A928428D-9266-949401E37B10):The server has refused the Secure Socket Tunneling Protocol (SSTP) request.  Either a failure response code or no response code was received.  The data portion below contains the response code that was received from the server.  This is the HTTP status code present in the response.  It can be because the web proxy or the SSTP server might be rejecting the connection, the server might not be configured for SSTP or the server might not have a port available for connection.

    CoId (F0371D31-A928428D-9266-949401E37B10)
    HTTP Response 503
    Wednesday, December 2, 2009 7:52 PM
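The RasSstp event above records only the HTTP status the server sent back. An added example, not from any post in this thread and not Microsoft code: a small Python probe that performs the SSTP HTTP handshake from MS-SSTP (an `SSTP_DUPLEX_POST` to the fixed URI `/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/` over TLS) and prints the status code, so a 503 like the one reported can be reproduced from any machine without building a VPN profile. The target hostname, the port and the mapping of status codes to likely causes are assumptions of the example; the thread does not show the poster's host name.

```python
"""Probe an SSTP listener and report the HTTP status it returns.

Added example for this thread; not part of the original posts and not
Microsoft code.  Per MS-SSTP, the tunnel is opened with an HTTP request
whose method is SSTP_DUPLEX_POST, sent to a fixed URI over TLS.  A listener
that accepts SSTP answers 200 OK; a server that refuses (the RasSstp event
quoted above) answers with an error status such as 503.
"""
import socket
import ssl
import sys
import uuid

SSTP_URI = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
# MS-SSTP requires this Content-Length on the request: 2**64 - 1
SSTP_CONTENT_LENGTH = 18446744073709551615


def build_sstp_request(host, correlation_id=None):
    """Return the raw HTTP request bytes that open an SSTP tunnel."""
    cid = correlation_id or "{%s}" % str(uuid.uuid4()).upper()
    lines = [
        "SSTP_DUPLEX_POST %s HTTP/1.1" % SSTP_URI,
        "Host: %s" % host,
        "Content-Length: %d" % SSTP_CONTENT_LENGTH,
        "SSTPCORRELATIONID: %s" % cid,
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_status(response):
    """Return the HTTP status code from a raw response, or None."""
    first = response.split(b"\r\n", 1)[0]
    parts = first.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def explain(status):
    """Map a status code to a likely cause (assumed by this example)."""
    if status == 200:
        return "SSTP listener accepted the handshake"
    if status == 503:
        return ("server refused SSTP: listener not configured or no port "
                "available (matches the RasSstp event in this thread)")
    if status is None:
        return "no HTTP response: TCP/TLS failed, timed out, or non-HTTP listener"
    return "HTTP %d: a proxy or the web listener rejected the request" % status


def probe(host, port=443, timeout=10, verify=True):
    """Open TLS to host:port, send the SSTP request, return the status."""
    ctx = ssl.create_default_context()
    if not verify:  # lab use only; real SSTP clients do validate the chain
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_sstp_request(host))
            # Only the status line matters; after a 200 the server keeps
            # the connection open for SSTP control packets, so read once.
            try:
                return parse_status(tls.recv(4096))
            except socket.timeout:
                return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sstp_probe.py <hostname> [port]")
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    code = probe(target, target_port)
    print("%s:%d -> HTTP %s: %s" % (target, target_port, code, explain(code)))
```

Run it against the trunk's public name on 443. A 200 means the SSTP listener is up and the fault is later in the connection (authentication, addressing); a 503 or other error reproduces the event without involving the RAS client, which narrows the problem to the server or an intermediate proxy.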
  • Are you running the SSTP on the first trunk you have configured?
    Thursday, December 3, 2009 5:35 AM
  • Yes, first and only configured trunk.
    Thursday, December 3, 2009 3:49 PM
  • Kfyhr, a lot of changes had been made in SSTP from RC0 to RC1. I suggest you try installing RC1 and retry your scenario.
    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Tuesday, December 15, 2009 5:44 PM
    • Unmarked as answer by kfyhr Tuesday, December 15, 2009 6:51 PM
    • Marked as answer by kfyhr Monday, December 21, 2009 4:13 PM
    • Unmarked as answer by kfyhr Wednesday, January 6, 2010 4:07 PM
    • Marked as answer by kfyhr Monday, January 11, 2010 3:09 PM
    Tuesday, December 15, 2009 5:44 PM
  • Running Server 2K8 R2 and the UAG 2010 eval version now.  Still having problems with the Win 7 VPN connection.

    Slightly different error is seen now on the client, looks like I'm getting farther, but still not quite there.

    Anytime I try a connection I get 6 Application log entries on the client; they are as follows:

    1)
    The user domain\user has started dialing a VPN connection using a per-user connection profile named UAGSSTPVPN.  The connection settings are:
    Dial-in User =
    VpnStrategy = SSTP
    DataEncryption = Requested
    PrerequisiteEntry =
    AutoLogon = No
    UseRasCredentials = Yes
    Authentication Type = MS-CHAPv2
    Ipv4DefaultGateway = Yes
    Ipv4AddressAssignment = By Server
    Ipv4DNSServerAssignment = By Server
    Ipv6DefaultGateway = Yes
    Ipv6AddressAssignment = By Server
    Ipv6DNSServerAssignment = By Server
    IpDnsFlags =
    IpNBTEnabled = Yes
    UseFlags = Private Connection
    ConnectOnWinlogon = No.

    2)
    The user domain\user is trying to establish a link to the Remote Access Server for the connection named UAGSSTPVPN using the following device:
    Server address/Phone Number = trunk.domain.com
    Device = WAN Miniport (SSTP)
    Port = VPN0-1
    MediaType = VPN.

    3)
    The user domain\user has successfully established a link to the Remote Access Server using the following device:
    Server address/Phone Number = trunk.domain.com
    Device = WAN Miniport (SSTP)
    Port = VPN0-1
    MediaType = VPN.

    4)
    The link to the Remote Access Server has been established by user domain\user

    5)
    The user domain\user has dialed a connection named UAGSSTPVPN to the Remote Access Server which has successfully connected. The connection parameters are:
    TunnelIpAddress = 10.40.4.196
    TunnelIpv6Address = fe80::
    Dial-in User = .

    6)
    The user domain\user dialed a connection named UAGSSTPVPN which has terminated.  The reason code returned on termination is 829.


    All 6 of these log entries occur within a 2 second window.  So even though it appears that the connection is established, it is momentary at best.  I googled the termination code 829 and found that it deals with link failure.  I have connected from multiple PCs running Windows 7 (both Professional, one 32 bit, one 64 bit) from different network locations, both wired and wireless, and get the same errors every time.  I'm convinced it has to be something in the configuration, but can't determine what it could be.  I've done the set up through the UAG configuration console, and have looked at logs on the client and server and found only the ones listed above that appeared significant.  I also looked at the TMG firewall, but didn't make any changes due to the fact that rules should be published by UAG when changes are made and activated.

    I'm pretty much stumped at this point, so if anyone could be of assistance it would be greatly appreciated.  Thanks!
    Wednesday, January 6, 2010 4:34 PM
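The six events above are the whole story on the client: a tunnel that negotiates, gets an address, and is torn down with reason 829 inside two seconds. As an added example, not code from any post here, the Python script below correlates RasClient events by connection name and reports the tunnel lifetime and termination code, so the pattern can be spotted across many attempts instead of read by eye. The sample records are constructed from the six messages quoted in the post with assumed timestamps, and the pipe-delimited export format and the 829 description are assumptions of the example.

```python
"""Correlate RasClient events to spot a VPN that connects and drops at once.

Added example for this thread, not part of any post.  It reads a text export
of the Windows Application log (the sample below is constructed from the six
messages quoted in the post, with assumed timestamps) and, per connection
name, reports how long the tunnel lived and which reason code ended it.
"""
import re
from datetime import datetime

# Constructed sample: one record per line, "<timestamp>|<provider>|<message>".
# The timestamps are assumed; the post only says all six fell within 2 seconds.
SAMPLE_LOG = """\
2010-01-06 11:30:01.100|RasClient|The user domain\\user has started dialing a VPN connection using a per-user connection profile named UAGSSTPVPN.
2010-01-06 11:30:01.400|RasClient|The user domain\\user is trying to establish a link to the Remote Access Server for the connection named UAGSSTPVPN using the following device: Device = WAN Miniport (SSTP)
2010-01-06 11:30:02.000|RasClient|The user domain\\user has successfully established a link to the Remote Access Server using the following device: Device = WAN Miniport (SSTP)
2010-01-06 11:30:02.100|RasClient|The link to the Remote Access Server has been established by user domain\\user
2010-01-06 11:30:02.300|RasClient|The user domain\\user has dialed a connection named UAGSSTPVPN to the Remote Access Server which has successfully connected. The connection parameters are: TunnelIpAddress = 10.40.4.196 TunnelIpv6Address = fe80::
2010-01-06 11:30:02.900|RasClient|The user domain\\user dialed a connection named UAGSSTPVPN which has terminated. The reason code returned on termination is 829.
"""

CONNECTED_RE = re.compile(
    r"dialed a connection named (?P<name>\S+) to the Remote Access Server "
    r"which has successfully connected.*?TunnelIpAddress = (?P<ip>[\d.]+)")
TERMINATED_RE = re.compile(
    r"dialed a connection named (?P<name>\S+) which has terminated\."
    r".*?reason code returned on termination is (?P<code>\d+)")

# RAS reason codes named in the thread; 829 is the one the post reports.
REASON_CODES = {829: "ERROR_LINK_FAILURE: link dropped after negotiation"}


def parse_records(text):
    """Yield (timestamp, provider, message) tuples from the export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, provider, message = line.split("|", 2)
        yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f"), provider, message


def analyse(text, max_seconds=5.0):
    """Return a dict per connection name with lifetime and termination details.

    A tunnel that reports 'successfully connected' and then terminates within
    max_seconds is flagged as a fast failure, the pattern the post describes.
    """
    sessions = {}
    for stamp, provider, message in parse_records(text):
        if provider != "RasClient":
            continue
        m = CONNECTED_RE.search(message)
        if m:
            sessions.setdefault(m.group("name"), {}).update(
                connected_at=stamp, tunnel_ip=m.group("ip"))
            continue
        m = TERMINATED_RE.search(message)
        if m:
            code = int(m.group("code"))
            sessions.setdefault(m.group("name"), {}).update(
                terminated_at=stamp, reason_code=code,
                reason=REASON_CODES.get(code, "reason code not listed here"))
    for s in sessions.values():
        if "connected_at" in s and "terminated_at" in s:
            life = (s["terminated_at"] - s["connected_at"]).total_seconds()
            s["lifetime_seconds"] = life
            s["fast_failure"] = life <= max_seconds
    return sessions


if __name__ == "__main__":
    for name, session in analyse(SAMPLE_LOG).items():
        print(name, session)
```

Only `parse_records` is tied to the assumed export format; to run this over a real client, export the RasClient events from the Application log and adapt that one function to the column layout of the export. A tunnel that reaches the "successfully connected" event with a server-assigned address and still ends in 829 has finished SSTP and PPP negotiation, which is why the later replies in this thread look at address assignment and the server's domain membership rather than at the listener.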
  • I was running into the same issue with my UAG deployment, but then started thinking about basic VPN configuration.
    When I changed the IP address configuration to static, I was able to connect without the 829 error. Suddenly it clicked!!
    The problem is that the DHCP relay agent is not automatically configured on the UAG server when you implement a DHCP-assigned address pool for the network connections.
    I followed the steps in Tom's old, but still highly relevant post, on using DHCP with ISA/VPN Server Clients
    http://www.isaserver.org/tutorials/dhcpoptions.html

    Now, in my network, the UAG box is virtualized, hence the need for the relay agent.
    HTH,
    Brian
    Monday, February 8, 2010 4:55 AM
  • I am having the exact same problem as kfyhr (including client log entries). The UAG RTM installation is not virtualized, so DHCP relay agents should not be an issue. For completeness I enabled it anyway with no success.
    Suggestions would be appreciated.

    Thanks
    Thursday, March 18, 2010 7:55 PM
  • What finally got it working for me was to join the UAG server to my internal domain.  We have two IAG appliances that sit in our DMZ and work fine while NOT joined to the domain.  So my initial attempts at setting up UAG were done with the same settings.

    I had read that if trying to use Direct Access I would have to domain join, but apparently it's also needed/helpful when using SSTP VPN.  By joining the domain I suspect that I got around the need for DHCP relay as I never had to enable that.

    • Marked as answer by kfyhr Wednesday, May 19, 2010 6:31 PM
    Friday, March 19, 2010 9:25 PM
  • Hi,

    I'm getting the same six messages appearing in the Application log of the Windows 7 client.

    We are using UAG 2010 SP1 installed with the SP1 image, and also have configured static address pools.

    Internally we have two domains in different forests; there are two one-way trusts between the domains (DomainA and DomainB)

    UAG servers are members of DomainA

    User accounts used to authenticate to the UAG portal are in DomainB

    We are also using ADFS 2.0 as an Authentication and Authorisation server in UAG for authentication to the portal

    I have verified DNS name resolution of all DCs in both domains.

    I think UAG tries to register the VPN session / client in AD, not by adding a machine object but by communicating with AD.

    Any information or pointers to troubleshoot this would be very much appreciated

    Thanks

    Tuesday, November 27, 2012 7:46 PM