Automatic SSTP client connection

  • Question

  • We are looking to deploy UAG to do the following, and I'd like to confirm that the following functionality is available. We manage a large number of public/remote clients. Clients are Win7 domain members:

    1. (primary goal) deploy group policy updates to remote clients
    2. publish access to applications

    We currently use a non-UAG SSTP NLB cluster to provide VPN access. We'd like clients to seamlessly connect to the new UAG SSTP VPN (no manual intervention). Is this possible via publishing SSTP via UAG? Again, we do not want users to have to manually initiate an SSTP VPN connection; the SSTP VPN should be automatically initiated if connectivity to UAG/DA is connected (i.e. internet access).

    Thanks in advance!

    Thursday, May 24, 2012 3:01 AM

All replies

  • Hi,

    Why don't you look at DirectAccess for the Windows 7 clients, as it is an always-on connection?

    Have a look at the following blog, which gives a high-level overview.

    http://directaccess.richardhicks.com/2012/05/08/microsoft-windows-directaccess-overview/


    Regards, Rmknight

    • Marked as answer by ChrisC7 Friday, May 25, 2012 1:09 AM
    Thursday, May 24, 2012 9:05 AM
  • Agreed, it sounds like DirectAccess (provided by UAG) is exactly what you are looking for. You also mentioned "UAG/DA" in your post, do you already have DA running? If so, I'm not sure why you would also want SSTP?

    The SSTP function in UAG can only be launched from inside a UAG portal; the users would have to launch and log into the UAG portal.

    • Marked as answer by ChrisC7 Friday, May 25, 2012 1:09 AM
    Thursday, May 24, 2012 3:18 PM
  • Thanks to both of you for the replies! New to the product, hence the lack of understanding. FYI, UAG w/ DA is implemented. I had asked about SSTP because we were running into issues and group policy updates were not working. Everything is now working as expected (i.e. gpupdate from a client works), so I now see that SSTP is not required.

    One last question. It appears that all private/internal resources are available from the client. Is this a result of defining our entire internal subnet in the Network Configuration Wizard -> Define Internal Network IP Address Range step? Seems odd considering I only defined my DCs when specifying Infrastructure Servers in the DA setup steps. Guessing this is publishing those resources in the portal?

    Thanks for taking the time to help out a newbie!

    Friday, May 25, 2012 1:25 AM
  • No problem, always glad to meet someone new to the wonderful world of DA! :)

    DirectAccess is really more of "extending the network to your users", so yes, it is normal for clients to have access to everything assigned in the internal network definition list. Every DA connection comprises 2 IPsec tunnels. The primary tunnel is your infrastructure tunnel and only has access to the servers listed in the Management Servers screen of Step 3 in the wizards. Then, once the user authenticates and gets their Kerberos ticket, a second IPsec tunnel is established which carries traffic to all other routable servers.

    • Marked as answer by ChrisC7 Friday, June 1, 2012 2:07 AM
    Friday, May 25, 2012 2:10 AM