UAG and Restricted Remote Network Subnet Access

  • Question

  • Hi All,

    I can't seem to find any way of doing this via the standard UAG interface/logic. I have published Remote Network Access via configuring both the SSTP and Legacy Network adapter and by publishing the Remote Network Access Application in the Portal. This all works fine with our remote clients having full network access.

    I now need to publish a further Full Remote Access application that is restricted to just certain subnets. As far as I can tell this isn't possible via a UAG Access/Endpoint policy, nor is it possible by altering the configuration of the Full Remote Access application. As a workaround, I decided to deploy a further trunk and publish another instance of the Remote Network Access application. Except this time I added the remote subnets that I want the Remote Network Access Application to have access to in the 'Limit applications to the following subnets' box. This doesn't seem to work either; once the user is logged into the portal, the Remote Access network application just doesn't load - I get a standard 'Page cannot be displayed' message. I assume that this is because the subnet restrictions prevent the Network Connector from starting. I've tried all different combinations of subnets to see if I can make it work but alas no joy.

    So do we know if it is possible to achieve this goal? I'm thinking that if it is (and I can't believe that MS have not provisioned a way of doing it) then it may be by creating a custom script, or altering the Remote Network access application command line? Both of these are beyond my scope of knowledge. I have also thought about somehow adding a further dedicated IP subnet and restricting that via a TMG policy. But again there appears to be no way of linking IP ranges to individual Portals/Published Remote Access application instances; the connector settings appear to be global. I’m also pretty certain that this wouldn’t be supported as it would require creating custom firewall rules in TMG directly!

    Any help would be greatly appreciated.

    Thanks in advance

    Gary

    Tuesday, July 26, 2011 7:36 PM

All replies

  • Hi Gary,

    With UAG SP1 and SSTP, you can limit access to internal resources based upon username. These are system wide settings that will impact all SSTP access, but linking usernames to internal allowed internal resources may work for you...

    You can control this from: UAG console => Admin => Remote Network Access => SSL Network Tunnelling (SSTP) => User Groups tab.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, July 26, 2011 11:03 PM
  • Hello,

    What Jason Jones said works like a charm...but it only works with Windows 7 clients, yes? What if the client is XP?

    If we configured (UAG console => Admin => Remote Network Access => SSL Network Tunnelling), how can we do that?

    Thank you

    MS 

    Wednesday, July 27, 2011 10:05 AM
  • As I said, it only works with SSTP; which yes, means Windows 7 clients.

    I am not aware of the same feature using the Network Connector (SSL Network Tunnelling). Potentially you could edit the TMG rule that is created by UAG for Network Connector, but this will apply globally and cannot be done per user.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by GaryBurgess Wednesday, August 3, 2011 11:01 PM
    Wednesday, July 27, 2011 10:56 AM
  • Hi Jason,

    Thanks very much for pointing that setting out on SSTP. I didn't spot that before. At least I will be able to limit Windows 7 clients to certain subnets. It's a shame I can't do that with down-level clients though - I would have thought MS would have provisioned that functionality. Maybe they will write that functionality into a later release or Service Pack. I'm sure there are many people that need to do it.

    Thanks very much for your help on this one and I hope it helps other people in the future when they come up with the same question!

    Gary

    Wednesday, August 3, 2011 11:01 PM