UAG SSTP VPN, keep getting connection ended - not certificate

  • Question

  • Hi,

     

    I'm setting up UAG for my company and have the RDC stuff we use working fine.

    I now need to get SSL VPN working.

     

    Because we have Windows 7 64-bit clients, we need to use the SSTP network tunnelling.

    It appears to work to a certain extent because I can make the connection, but I then get the bubble message on the task bar stating that the connection was ended.

     

    I'm convinced this is not certificate related, because I have tried changing the protocol to PPTP only, which does not require a certificate.

     

    I can only think I have had a chair-to-keyboard interface error, so here are the settings I'm using.

    Someone please point out my stupidity and put me out of my misery... (some bits I've altered for security)

     

    SSL Network Tunnelling Configuration:

    Enable remote client VPN access ticked.

    General tab, max VPN connection, 100

    Trunk, (our only trunk)

    Public host name, (the external dns address of the server - same as the certificate address)

    Protocols tab, SSTP only

    IP Address Assignment, (static IP range of 100 addresses in our internal IP range - yes I've excluded them from the internal adapter)

     

    SSL Protocol Setting

    Left as default,

    (168 triple DES and 128 RC4, key exchange, both, protocols TLS and SSLv3)

     

    Application properties (Remote Network Access)

    General tab, Inactivity period 90 mins

    Server settings tab, Server (internal server IP address) - Yellow exclamation mark next to it, but it accepts it

    Port 6003, again a yellow exclamation mark

    Executable and Arguments left as default

    Endpoint Policy Settings tab - left as default (Default non web application access)

    Client settings tab, set as VPN, no restrictions

    Portal link tab, left as is. (Named SSL VPN)

    Authorization tab, Authorize all users unticked.

    2 groups added, 1st is the IT dept which includes me, and the second is a RAG for VPN users, which also includes me.

     

    When I log in to the UAG portal using a PC set up as a non-domain external home PC, I can access the Remote Desktop applications that are set up without issue, but when I try to run the SSL VPN link a window opens, something runs and appears to connect, but I then get the dreaded bubble message saying that the connection ended.

     

    As mentioned, I have ruled out the certificate problem possibility, as I've tried changing the SSL Tunneling Protocol to PPTP only and it still does the same.

     

    What am I missing?

     

    Thanks for any help you can provide.


    Adrian

    Thursday, July 22, 2010 11:08 AM

Answers

  • Hi Adrian,

    Speaking for myself, I'm out of ideas.

    Can you open a case with Microsoft Support?

    Regards,

    -Ran

    • Marked as answer by Erez Benari Friday, July 30, 2010 6:23 PM
    Tuesday, July 27, 2010 7:13 AM

All replies

  • Hi Adrian,

    Do you really mean that on the App Properties window - Authorization tab you have unticked the "Authorize all users" checkbox? If that's what you did, then have you selected any specific users and/or groups which are allowed to access this app?

    Also, what error, if any, do you see in the Event Viewer on your client machine?

    -Ran

    Thursday, July 22, 2010 11:18 AM
  • Yeah, Hi.

    The option is unticked. There are 2 groups given access, both include me.

     

    The error in the application event log is:

    CoId={785BE258-B20D-43C3-84BE-24BCAB540AF4}: The user FGL-WIN-764-AC\admin dialed a connection named UAGSSTPVPN which has failed. The error code returned on failure is -2147023660.

     

    The error in the system log is:

    CoId={785BE258-B20D-43C3-84BE-24BCAB540AF4}:The server has refused the Secure Socket Tunneling Protocol (SSTP) request. Either a failure response code or no response code was received. The data portion below contains the response code that was received from the server. This is the HTTP status code present in the response. It can be because the web proxy or the SSTP server might be rejecting the connection, the server might not be configured for SSTP or the server might not have a port available for connection.

    Sorry, not really a lot to go on...

     

    Thursday, July 22, 2010 12:22 PM
  • Hi Adrian,

    If you convert the error code 2147023660 that you received to hex, it translates to 800704D4. Then, according to this RRAS Team Blog article, you can find the description of this error, as follows:

    Error Code: 0x800704D4

    Error Description: 0x800704D4: The network connection was aborted by the local system

    Possible Cause: This error comes when the hostname of the VPN server is not resolved by the forward proxy in front of the VPN client.

    Possible Solution: Check your proxy settings inside the Internet explorer. If the settings are correct, please ensure you are able to access other web sites (e.g. www.microsoft.com) using the browser. If that also works through, try accessing the URI which SSTP uses internally i.e. https://vpn_server_name/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/  -  please replace vpn_server_name with actual VPN server name. If you see error “the website cannot be found” inside your browser, that validates the hostname resolution failure. If you know the IP address of VPN server, try connecting with that. Else contact your network administrator (who is responsible for managing the web proxy – most probably your ISP) – giving them the details of the problem (i.e. hostname resolution is failing for that particular hostname).

     

     

    Thursday, July 22, 2010 2:26 PM
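The two checks Ran describes above (turning the signed error code from the client's Application log into an HRESULT and a Win32 message, and requesting the SSTP URI by hand) as one added PowerShell script. This is not code from the thread, from UAG, or from the RRAS Team Blog; `$VpnHost` is a placeholder because the real public host name was redacted, and the script is meant to be run on the external test client, not on the UAG server.

```powershell
# Added example (not from the thread or from Microsoft): decode the RAS error logged on the
# client and probe the SSTP URI named in the RRAS Team Blog post. Run on the external test client.
# $VpnHost is a placeholder; the thread's real public host name was redacted.

param([string]$VpnHost = 'vpn.example.com')

function ConvertFrom-RasErrorCode {
    # The Application log shows the HRESULT as a signed decimal (-2147023660).
    # Formatting the Int32 as X8 gives its two's-complement form: 800704D4.
    param([int]$Code)
    $hex = '{0:X8}' -f $Code
    $result = New-Object PSObject -Property @{
        Decimal = $Code; HResult = "0x$hex"; Win32 = $null; Message = $null
    }
    if ($hex.StartsWith('8007')) {
        # FACILITY_WIN32: the low 16 bits are an ordinary Win32 error code, which .NET can name.
        $win32 = [int]('0x' + $hex.Substring(4))    # 0x04D4 = 1236 (ERROR_CONNECTION_ABORTED)
        $result.Win32   = $win32
        $result.Message = (New-Object System.ComponentModel.Win32Exception $win32).Message
    }
    return $result
}

function Test-SstpUri {
    # Plain GET to the well-known SSTP URI. The question is only whether HTTP.sys on the server
    # routed the request to a listener, so any HTTP status is a usable answer; no status at all
    # means the failure happened before HTTP (name resolution, TCP, or the TLS handshake).
    param([string]$HostName)
    $uri = "https://$HostName/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
    $out = New-Object PSObject -Property @{ Uri = $uri; HttpStatus = $null; Failure = $null }
    try {
        $resp = [System.Net.WebRequest]::Create($uri).GetResponse()
        $out.HttpStatus = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response) {
            $out.HttpStatus = [int]$ex.Response.StatusCode   # e.g. 503, as seen later in this thread
        } else {
            # NameResolutionFailure = the blog's "hostname not resolved" case;
            # TrustFailure = certificate does not match (what happens when you use the bare IP).
            $out.Failure = $ex.Status
        }
    }
    return $out
}

ConvertFrom-RasErrorCode -Code -2147023660 | Format-List
Test-SstpUri -HostName $VpnHost | Format-List
```

For the code in this thread the first call yields `HResult 0x800704D4`, `Win32 1236` and the message "The network connection was aborted by the local system", the same text the blog quotes. The probe deliberately leaves certificate validation on: a `TrustFailure` when connecting by IP is the expected result of a name-only certificate, and switching validation off would only hide the next problem.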
  • OK.

    The DNS name is what I'm using to connect to the server, and so I'm guessing that is OK.

    There are no proxy settings for IE and the PC I'm using to test with is on a spare adsl line we use for testing and I can access other sites.

     

    When I try to use that url from within the network with the servername in there, (using the external dns name which has an internal dns entry pointing to the servers internal IP address), I get

    Internet Explorer cannot display the webpage

     

    If I try to use the internal IP and go to https://x.x.x.x I still get the same IE error. Should I be able to connect to the server internally?

     

     

    Thursday, July 22, 2010 2:43 PM
  • Hi Adrian,

    No, you should not necessarily be able to connect when the client machine is located on the internal network. I think you misunderstood the blog post which said “try accessing the URI which SSTP uses internally” – it does not mean that your client machine should be moved from UAG’s external network to the internal network. They just meant that this URI is used by SSTP “under the hood”.

    Regards,

    -Ran

    Thursday, July 22, 2010 3:09 PM
  • OK, so I use the external dns name of the server and can connect fine with my internet PC.

    I can use all the other items in there, but not SSL VPN.

    ie, https://externalFQDN works fine.

    https://externalFQDN/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ gives

    Service unavailable, HTTP Error 503. The service is unavailable.

     If I do the same again, but with IP, I get a cert error first, (I'm assuming because the cert is for a name, not the IP address), followed by the Service Unavailable message

    Any ideas?

    Thursday, July 22, 2010 3:15 PM
  • I've tried the following link, http://technet.microsoft.com/en-us/library/cc733844(WS.10).aspx and found that the 0.0.0.0:443 and [::]:443 sections both had location (null).

     

    I deleted them and re-added them to MY location, but obviously can't restart RRAS, so I saved and activated the UAG config again instead.

    On checking afterwards, they have changed from MY to null again.

    Could this be the problem?

    How can this be fixed?

    Thursday, July 22, 2010 3:38 PM
  • Anyone?
    Monday, July 26, 2010 7:34 AM
    The RRAS service was found to be disabled. After enabling it, the SSTP VPN clients started working.

     


    Bala Natarajan [MSFT]| Sr. Support Escalation Engineer | CSS Security
    • Proposed as answer by Ossey Tuesday, December 21, 2010 2:12 PM
    Tuesday, August 3, 2010 5:18 PM
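The server-side checks that would have shortened this thread, as one added PowerShell script: the state and start mode of the services SSTP depends on (the disabled RRAS service turned out to be the cause), and the `netsh http show sslcert` bindings for port 443 that Adrian was inspecting by hand, with each bound hash looked up in the machine's personal store. This is not code from the thread, from UAG, or from Microsoft; it assumes an elevated prompt on the UAG/RRAS server and English-language `netsh` output, and it only reads the bindings, since the thread shows that hand-edited bindings are overwritten by the next UAG activation.

```powershell
# Added example (not from the thread or from Microsoft): inspect the server-side pieces that must
# be in place for HTTP.sys to hand an SSTP request to RRAS. Run in an elevated prompt on the
# UAG/RRAS server. Service names are the standard Windows ones; nothing here is UAG-specific.
# Assumes English netsh output (the field names below are matched as text).

function Get-SstpServiceState {
    # RemoteAccess = Routing and Remote Access (found disabled at the end of this thread)
    # SstpSvc      = Secure Socket Tunneling Protocol Service
    # RasMan       = Remote Access Connection Manager
    foreach ($name in 'RemoteAccess', 'SstpSvc', 'RasMan') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        $status = 'NotInstalled'
        if ($svc) { $status = $svc.Status }
        $mode = $null
        if ($wmi) { $mode = $wmi.StartMode }   # 'Disabled' is the value to look for
        New-Object PSObject -Property @{ Service = $name; Status = $status; StartMode = $mode }
    }
}

function Get-SslCertBindings {
    # Parse 'netsh http show sslcert' into objects and check that each bound hash really exists
    # in LocalMachine\My with a private key. This observes the bindings and does not rewrite them.
    $text   = (netsh http show sslcert) -join "`n"
    $blocks = $text -split '(?m)^\s*IP:port\s*:' | Select-Object -Skip 1   # first chunk is the header
    foreach ($block in $blocks) {
        $ipport = ($block -split "`n")[0].Trim()
        $hash   = [regex]::Match($block, 'Certificate Hash\s*:\s*(\S+)').Groups[1].Value
        $store  = [regex]::Match($block, 'Certificate Store Name\s*:\s*(.+)').Groups[1].Value.Trim()
        # -eq is case-insensitive, so netsh's lower-case hash matches the upper-case thumbprint
        $cert   = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
        $obj = New-Object PSObject -Property @{
            IpPort        = $ipport
            Hash          = $hash
            StoreName     = $store          # '(null)' was what the thread's 0.0.0.0:443 binding showed
            CertInMyStore = [bool]$cert
            HasPrivateKey = $false
            Subject       = $null
        }
        if ($cert) {
            $obj.HasPrivateKey = $cert.HasPrivateKey
            $obj.Subject       = $cert.Subject   # should carry the public host name the clients use
        }
        $obj
    }
}

Get-SstpServiceState | Format-Table Service, Status, StartMode -AutoSize
Get-SslCertBindings | Where-Object { $_.IpPort -like '*:443' } | Format-List
```

Read the service table first: a `StartMode` of `Disabled` on `RemoteAccess` is exactly the condition reported in the final post, and no amount of certificate or binding work will get past the 503 while that is the case. Only then look at the bindings, and treat a hash that is bound but absent from `LocalMachine\My`, or present without a private key, as the next thing to fix through the UAG console rather than with `netsh`.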