SSTP VPN terminates with "Connection Ended"


  • Hi,

    We have a Windows 7 client, trying to connect to the SSTP VPN on a UAG Portal (2 x UAG Celestix devices, running NLB).

    The moment we connect, the session terminates with "Connection Ended"

    Now I have read this post with a similar problem: http://forums.forefrontsecurity.org/default.aspx?g=posts&t=374 and it talks about "putting the site certificate in the local computer's 'Trusted root certification authorities' store".

    We have an internal CA.

    So on the Win7 client we added the Issuing CA Cert and the actual site cert (as per above) to the Trusted Root Store.

    However, the "Connection ended" problem still persists.

    Any ideas?

    Thank you

    Wednesday, May 19, 2010 2:27 PM

All replies

  • Hi S,

    Have you published the CRL if using an internal CA?

    The Win7 client will need to trust CA servers from your infrastructure.

    What do you get if you point a browser to the SSTP address?

    I assume the Win7 client is not connected to the internal network anyhow? (wireless left on etc?)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, May 19, 2010 3:10 PM
  • I thought about that, but instead I configured IE to not check for Revocation...will that work?

    Secondly, looking at the logs I see this:

    "The user domain\user with source IP x.x.x.x was removed from session SessionID (Secure=1). Reason for removal: User Request."

    The user account has Dial-in permissions.

    Wednesday, May 19, 2010 3:13 PM
  • No, SSTP will just fail without a valid CRL.

    I would always recommend using a SSL cert from a public CA for SSTP, as this just removes the potential issues for CRLs and trust.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, May 19, 2010 3:30 PM
  • Thanks, I now see the endless search engine results for SSTP & CRL... While waiting for a legit certificate, we thought we could get it to work with an internal one.

    Q1) So are you saying that if I disable CRL checking (in IE) SSTP will fail altogether?

    Q2) Will this work (temporary work around) on UAG?

    NoCertRevocationCheck

    Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
    Registry entry: NoCertRevocationCheck
    Data type: REG_DWORD

    You can use this registry entry to enable or to disable the SSL certificate revocation check that the VPN client performs during the SSL negotiation phase. Certificate revocation check will be performed if the value is set to 0. If the value is set to 1, certificate revocation check will be skipped. Notice that you should set this value to 1 only for debugging. Do not set this value to 1 in your production environment. By default, certificate revocation check is performed.

    Q3) if the 2 options above do not work, what about this route then:

    http://www.carbonwind.net/blog/post/Quickly-establish-a-SSTP-VPN-connection-from-a-Windows-7-RC-VPN-client-without-a-published-CRL-distribution-point.aspx


    Regards

    Wednesday, May 19, 2010 6:22 PM
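    An added client-side diagnostic (not from this thread) for the CRL problem discussed above: it reports whether the debug-only NoCertRevocationCheck switch is set, then fetches the SSTP listener's certificate and builds its chain with online revocation checking, so an unpublished or unreachable CRL shows up as a named chain status instead of a bare "Connection Ended". The server name is a placeholder.

```powershell
# Added diagnostic, not from the thread. $SstpServer is a placeholder hostname.
param(
    [string]$SstpServer = 'sstp.example.internal',
    [int]$Port = 443
)

# 1. Client side: is the debug-only NoCertRevocationCheck switch set?
$keyPath = 'HKLM:\System\CurrentControlSet\Services\Sstpsvc\Parameters'
$item = Get-ItemProperty -Path $keyPath -Name NoCertRevocationCheck -ErrorAction SilentlyContinue
if ($item -and $item.NoCertRevocationCheck -eq 1) {
    Write-Warning 'NoCertRevocationCheck = 1: SSTP skips revocation checking (debug-only setting).'
} else {
    Write-Host 'NoCertRevocationCheck absent or 0: SSTP will enforce revocation checking.'
}

# 2. Server side: fetch the certificate the SSTP listener presents.
$tcp = New-Object System.Net.Sockets.TcpClient($SstpServer, $Port)
# Accept any certificate in this callback; we only retrieve it for inspection below.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
$ssl.AuthenticateAsClient($SstpServer)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

Write-Host "Server cert: $($cert.Subject) issued by $($cert.Issuer)"
# Where does the certificate say its CRL lives? The client must be able to reach this URL.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
if ($cdp) { Write-Host "CRL distribution points:`n$($cdp.Format($true))" }
else      { Write-Warning 'Certificate carries no CRL Distribution Point extension.' }

# 3. Build the chain the way the SSTP client does: online revocation check, root excluded.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if ($chain.Build($cert)) {
    Write-Host 'Chain builds cleanly with revocation checking: CRL is published and reachable.'
} else {
    # RevocationStatusUnknown / OfflineRevocation here is the unpublished-CRL case from this thread.
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}
```

    Run it on the VPN client from the same network position the client will connect from, since CRL reachability depends on where the client sits.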
  • A1: I don't believe settings in IE have any relevance to SSTP.

    A2: Looks a good option, but not tried it.

    A3: Looks good too, Adrian has some good info as always ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, May 19, 2010 10:51 PM
  • Hey,

    Just tried Adrian's tweak (export & import CRLs) and the SSTP VPN connected.

    However, the VPN client gets a Default Gateway of 0.0.0.0 - looking at the SSTP configuration, there is the option to configure IP range, DNS, WINS, but no Default Gateway....

    Does it use routing tables instead? Is 0.0.0.0 by design? Is that how it creates the Split-Tunnel?

    Also, I do not see options like Split-Tunneling, etc (like on the old NC configuration)

    Thursday, May 20, 2010 7:03 AM
  • No, you cannot split tunnel with SSTP :(
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 20, 2010 12:07 PM
  • Hmm,

    So if you look at the SSTP NC options, you got:

    • General...which trunk should have the VPN, max no of connections
    • Protocols...SSTP selected
    • IP address assignment only has IP range, DNS and WINS

    So when my Windows 7 client connects to the portal, and clicks the VPN, the VPN establishes but:

    • Default Gateway is 0.0.0.0
    • The client cannot connect to anything (no Internet, no internal access, nothing)

    Any ideas?

    How does the client actually know how to connect to Internet vs internal resources then? No routing table entries for anything pertaining to my internal network...???


    I think let's close this post, as the "Connection Ended" issue is sorted. I will post a new question for my next problem. Thank you.

    Thursday, May 20, 2010 12:15 PM
  • By default the Windows VPN will establish a default gateway for you.

    To disable this (or to enable "split tunneling"), go to the Properties -> Networking -> IPv4 -> Advanced and *disable* "Use default gateway on remote network".

    That will prevent the default gateway from being set when you connect to the network.

    However, now you have to manually add a gateway to the internal network, as required.

    See the 'route' command-line tool.

    Wednesday, June 30, 2010 6:00 PM
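    The same procedure as the reply above, scripted as an added example (not from this thread): it assumes the Windows 8.1 or later VPN client cmdlets, which the thread's Windows 7 client does not have (there it is the GUI checkbox plus route.exe), and the connection name and internal prefix are placeholders.

```powershell
# Added example, not from the thread. Assumes the Windows 8.1+ VPN client cmdlets
# (Set-VpnConnection, Add-VpnConnectionRoute, Get-VpnConnection). Names are placeholders.
$VpnName        = 'UAG SSTP'      # placeholder: the VPN connection's name in rasphone.pbk
$InternalPrefix = '10.0.0.0/8'    # placeholder: the internal network reached over the tunnel

# Same effect as clearing "Use default gateway on remote network" in the IPv4 Advanced dialog:
# the tunnel no longer installs a default route on the client.
Set-VpnConnection -Name $VpnName -SplitTunneling $true

# Without the default route, tell the client which destinations still go through the tunnel.
# This stands in for the manual 'route add' the reply mentions and is re-applied on every connect.
Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $InternalPrefix

# Verify: SplitTunneling should now be True and the prefix listed under Routes.
Get-VpnConnection -Name $VpnName |
    Select-Object Name, SplitTunneling,
        @{ Name = 'Routes'; Expression = { ($_.Routes | ForEach-Object DestinationPrefix) -join ', ' } }
```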