How to allow access to internal network through UAG SSTP tunnel?

  • Question

  • Hi,

    I have configured an SSTP tunnel and am able to connect from a remote location. The internal network IP of UAG is from the 172.16.1.x network and the IP assigned to users from the SSTP tunnel is from 172.16.2.x, due to the fact that we cannot assign an IP from the same subnet as the 172.16.1.x network. Once the tunnel is established the user gets an IP from the 172.16.2.x pool but cannot access any server in the 172.16.1.x network. Is there any rule to be modified in TMG?

    Regards,

    Monday, June 7, 2010 10:21 AM

Answers

  • No, I assume you must have a router between UAG and the servers if they exist on different subnets? This is where the static route is required...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Proposed as answer by ZarkoC Tuesday, June 15, 2010 6:09 AM
    • Marked as answer by Erez Benari Wednesday, June 16, 2010 11:43 PM
    Friday, June 11, 2010 11:50 PM
  • Hi Anakhtar,

    You can do NAT with TMG; I'm not sure right now, but I think that's the default behaviour when you add VPN to UAG: all the IP addresses assigned to your clients are NATed through UAG's internal NIC. You can check your settings in TMG under Network Settings > Network Rules; you should have a rule for VPN (set to NAT or not).

    Also, as Jason said, if you're not doing NAT, you should check your router configuration: if you add a 172.16.2.x subnet for your users and the router and switch only know how to route packets from 172.16.1.x, you should add a route for that subnet as well.

    All the best

    • Proposed as answer by ZarkoC Tuesday, June 15, 2010 6:09 AM
    • Marked as answer by Erez Benari Wednesday, June 16, 2010 11:43 PM
    Sunday, June 13, 2010 6:26 AM
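
A worked model of the two fixes proposed in the accepted answers above (a static route for the VPN pool on the internal router pointing at UAG's internal NIC, or letting TMG's VPN network rule NAT the clients), as an added example that is not part of the thread. It follows the thread's addressing where given (UAG internal NIC 172.16.1.65, client pool 172.16.2.0/24, internal router 172.16.1.1); the server 172.16.1.10, the client 172.16.2.240, the router uplink 203.0.113.1 and all three routing tables are assumptions. It traces the client's request and the server's reply hop by hop, using the same longest-prefix/lowest-metric selection that `route print` output reflects, to show why the reply is lost without either fix.

```python
"""Round-trip reachability model for an SSTP client behind UAG/TMG.

Added example, not code from the thread.  Addresses follow the thread where
it gives them (UAG internal NIC 172.16.1.65, VPN client pool 172.16.2.0/24,
internal router 172.16.1.1); the server, client and uplink addresses and all
three routing tables are assumptions built to show the two proposed fixes.
"""
import ipaddress

UAG_INTERNAL = "172.16.1.65"
UAG_RAS = "172.16.2.230"          # UAG's own address on the VPN (RRAS) interface
ROUTER = "172.16.1.1"
SERVER = "172.16.1.10"            # assumed LAN server
CLIENT = "172.16.2.240"           # assumed address handed out from the SSTP pool
ROUTER_UPLINK_GW = "203.0.113.1"  # assumed next hop toward the Internet

# Which modelled box owns which address; a next hop outside this map is
# "off the map" (e.g. handed to the ISP) and the packet is lost.
OWNERS = {UAG_INTERNAL: "uag", "192.168.1.150": "uag", UAG_RAS: "uag",
          ROUTER: "router", SERVER: "server", CLIENT: "client"}


def lookup(table, dst):
    """Longest-prefix match, lowest metric on ties, like Windows route selection.
    Entries are (network, gateway or None for on-link, interface, metric).
    Returns (gateway, interface) or None when no entry covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in table:
        net = ipaddress.ip_network(net)
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def build_tables(router_static_route):
    """Assumed routing tables.  The one optional entry is the fix from the thread:
    a route for the VPN pool on the internal router pointing at UAG's internal NIC."""
    uag = [
        ("0.0.0.0/0", "192.168.1.1", "192.168.1.150", 276),
        ("172.16.1.0/24", None, UAG_INTERNAL, 276),
        (CLIENT + "/32", None, UAG_RAS, 306),       # host route RRAS adds per client
    ]
    router = [
        ("172.16.1.0/24", None, ROUTER, 1),
        ("10.100.0.0/16", None, "10.100.0.1", 1),
        ("0.0.0.0/0", ROUTER_UPLINK_GW, "203.0.113.2", 1),
    ]
    if router_static_route:
        router.append(("172.16.2.0/24", UAG_INTERNAL, ROUTER, 1))
    server = [
        ("172.16.1.0/24", None, SERVER, 1),
        ("0.0.0.0/0", ROUTER, SERVER, 1),           # server's default gateway is the router
    ]
    return {"uag": uag, "router": router, "server": server}


def forward(tables, node, dst, max_hops=8):
    """Follow a packet hop by hop; returns the path ending in a verdict string."""
    path = [node]
    for _ in range(max_hops):
        if OWNERS.get(dst) == node:
            return path + ["delivered"]
        route = lookup(tables[node], dst)
        if route is None:
            return path + ["no route on " + node]
        gw, _iface = route
        next_addr = dst if gw is None else gw       # on-link: hand straight to dst
        nxt = OWNERS.get(next_addr)
        if nxt is None:
            return path + ["lost at " + next_addr]  # forwarded off the modelled network
        path.append(nxt)
        node = nxt
    return path + ["loop"]


def round_trip(nat, router_static_route):
    """Client -> server request, then the server's reply.  With nat=True the TMG
    network rule rewrites the client's source to UAG's internal NIC address."""
    tables = build_tables(router_static_route)
    reply_dst = UAG_INTERNAL if nat else CLIENT
    request = forward(tables, "uag", SERVER)        # the SSTP packet is already at UAG
    reply = forward(tables, "server", reply_dst)
    return {"request": request, "reply": reply, "ok": reply[-1] == "delivered"}


if __name__ == "__main__":
    for nat, static in [(False, False), (False, True), (True, False)]:
        r = round_trip(nat, static)
        print(f"nat={nat} static_route={static}: ok={r['ok']} "
              f"reply={' -> '.join(r['reply'])}")
```

In the first case the request reaches the server fine, but the reply follows the server's default gateway to the router, which has no entry for 172.16.2.0/24 and hands it to its Internet uplink. Adding the static route brings the reply back through UAG to the client; NAT sidesteps the return-route problem because the server only ever sees 172.16.1.65, at the cost of hiding the real client address from server-side logs.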

All replies

  • You may need to change static routes in TMG to get this to work.

    Can you supply a screenshot of your routing table?

    • Proposed as answer by braden Voigt Sunday, June 13, 2010 12:08 AM
    Wednesday, June 9, 2010 5:01 AM
  • Hi anakhtar,

    Have you checked this article http://technet.microsoft.com/en-us/library/ee809077.aspx ?

    Furthermore, how are you trying to connect to the server in the 172.16.1.x network (RDP?), have you added DNS servers in the configuration so that the users will use their names, or are you trying with their IP address? Is pinging the servers that you are trying to access working?

    When you use VPN over UAG you can connect to the servers that the UAG machine itself can connect to. So if you can't connect to the server in 172.16.1.x directly from the UAG server, you won't be able to do that from the SSTP VPN connection.

    Wednesday, June 9, 2010 8:47 AM
  • Hi,

    @ Braden;

    Here is the routing table of the TMG server.

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.150    276
           10.100.0.0      255.255.0.0       172.16.1.1      172.16.1.65     21
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           172.16.1.0    255.255.255.0         On-link       172.16.1.65    276
          172.16.1.65  255.255.255.255         On-link       172.16.1.65    276
         172.16.1.255  255.255.255.255         On-link       172.16.1.65    276
         172.16.2.230  255.255.255.255         On-link      172.16.2.230    306
         172.16.2.236  255.255.255.252      172.16.1.66      172.16.1.65     20
         172.16.2.240  255.255.255.255      172.16.1.66      172.16.1.65     20
          192.168.1.0    255.255.255.0         On-link     192.168.1.150    276
        192.168.1.150  255.255.255.255         On-link     192.168.1.150    276
        192.168.1.255  255.255.255.255         On-link     192.168.1.150    276
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       172.16.1.65    276
            224.0.0.0        240.0.0.0         On-link     192.168.1.150    276
            224.0.0.0        240.0.0.0         On-link      172.16.2.230    306
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       172.16.1.65    276
      255.255.255.255  255.255.255.255         On-link     192.168.1.150    276
      255.255.255.255  255.255.255.255         On-link      172.16.2.230    306
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
           10.100.0.0      255.255.0.0       172.16.1.1       1
              0.0.0.0          0.0.0.0      192.168.1.1  Default
    ===========================================================================

    @ Zarko;

    I can RDP to other servers from the UAG server directly. When I create the SSTP VPN I can RDP to UAG, but other servers in the same subnet, as well as the trusted network in the internal network setting, are not accessible.

    Regards,

    Wednesday, June 9, 2010 2:53 PM
  • Anakhtar,

    You've got two NIC cards; are both of them in the private network, or is one in the public network? I can't really say if your routing table is correct (are you using the 192.168.x.x subnet in your company, or is it just for show purposes here on the forum?).

    Are you setting up SSL Network Tunneling (SSTP), or just SSL Network Tunneling, in the UAG console under Admin > Remote Network Access?

    Friday, June 11, 2010 1:24 PM
  • Hi Anakhtar,

    I assume you have an internal router?

    If so, add a static route for 172.16.2.0/24 using the TMG/UAG internal interface IP address as the gateway...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, June 11, 2010 1:51 PM
  • Hi ,

    Zarko, I have two subnets: internal as 172.16.1.x and external as 192.168.1.x. I am using private IPs on both interfaces and a 1-to-1 NAT for the external interface. I am using SSL as SSTP.

    Jason, you mean to say add a route in my firewall (which is in between UAG and the external users accessing the UAG for the SSL tunnel)?

    Regards,

    Friday, June 11, 2010 8:59 PM