SSL Network Tunneling (SSTP)

  • Question

  • Good afternoon, Would someone be able to help with what’s most likely a simple problem in UAG? I have configured the SSL Network Tunneling (SSTP) settings (off the admin menu) and published it to my HTTPS trunk as an additional application. It is showing up when I log on to the trunk homepage as 'VPN Access'... all looks OK so far?!

    When I click on it I get the error 'The application cannot be opened because the identity of the site cannot be verified.' The title of the message box is SSL Application tunneling.
    I suspect this is possibly something to do with the SSL certificate? As this is only a trial running in a test environment I have a trial 'Verisign' certificate and have it (along with the root certificate etc.) installed on the server.

    Any ideas would be great! Thanks, Joe

    Wednesday, May 11, 2011 3:23 PM

Answers

  • Thanks for your help. After I updated the certificate for a 'real' one and left it for an hour or so it's started to work OK, so it must have been the trial certificate causing me problems.

    • Marked as answer by Joe_Hodkinson Thursday, May 12, 2011 8:08 PM
    Thursday, May 12, 2011 8:08 PM

All replies

  • What is the common name on the certificate?

    What is the public name on the SSTP configuration? Is this available in public DNS?

    You probably also need access to the Verisign CRL, which is likely not available from your test environment...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, May 11, 2011 3:52 PM
    Moderator
  • Thanks for the quick response. How would I test if I had access to the Verisign CRL?
    Wednesday, May 11, 2011 4:27 PM
  • In the details of the certificate you will see a website listed for the CRL. Simply browse to that website to find out whether or not you have access to it.
    Wednesday, May 11, 2011 5:24 PM
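    The reply above suggests browsing to the CRL URL by hand. The script below is an added example, not code from this thread or from UAG, that does the same check from the server itself in PowerShell: it reads the CRL Distribution Points out of an exported certificate, downloads each CRL with plain HTTP (no browser involved), and then asks Windows' own chain builder to validate the certificate with online revocation checking so that CRL or trust problems show up as chain status codes. The certificate path `C:\temp\trunk-cert.cer` is a placeholder; export the trunk certificate (public part only) to any .cer file and point the script at it.

```powershell
# Added example (not from the original thread): test from the UAG server whether
# the certificate's CRL distribution points are reachable and whether the Windows
# chain engine can complete online revocation checking.
# Assumption: the trunk certificate has been exported (public part only) to the
# placeholder path below.
param(
    [string]$CertPath = 'C:\temp\trunk-cert.cer'   # placeholder, adjust to your export
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"

# 1. Collect every URL in the CRL Distribution Points extension (OID 2.5.29.31).
#    Format($true) renders the extension as multi-line text containing "URL=..." lines.
$crlExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$crlUrls = @()
if ($crlExt) {
    $crlUrls = [regex]::Matches($crlExt.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
} else {
    Write-Warning 'Certificate carries no CRL Distribution Points extension.'
}

# 2. Download each CRL the way the server would (direct HTTP via the system proxy
#    settings). A DER-encoded CRL starts with 0x30, the ASN.1 SEQUENCE tag.
$wc = New-Object System.Net.WebClient
foreach ($url in $crlUrls) {
    try {
        $bytes = $wc.DownloadData($url)
        $isDer = ($bytes.Length -gt 0) -and ($bytes[0] -eq 0x30)
        Write-Host ("CRL {0} -> {1} bytes, looks like DER CRL: {2}" -f $url, $bytes.Length, $isDer)
    } catch {
        Write-Warning ("CRL {0} -> unreachable: {1}" -f $url, $_.Exception.Message)
    }
}

# 3. Build the chain with online revocation checking for the whole chain.
#    If a CRL cannot be fetched, ChainStatus reports RevocationStatusUnknown and/or
#    OfflineRevocation; a missing root shows as UntrustedRoot.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object System.TimeSpan(0, 0, 30)

$built = $chain.Build($cert)
Write-Host "Chain builds cleanly with online revocation: $built"
foreach ($status in $chain.ChainStatus) {
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}

# Equivalent built-in check, which also fetches the AIA URLs:
#   certutil -verify -urlfetch C:\temp\trunk-cert.cer
```

    Run it in an elevated PowerShell prompt on the UAG server, not on a workstation, because the point is to see what the server's own network path and proxy configuration allow. An empty ChainStatus with `Build` returning True means the CA's CRLs were fetched and the chain is trusted; anything else names the exact failure.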
  • OK, to rule out any problem with using a trial certificate I have used a 'proper' one from GlobalSign and installed it into the trunk. There is no longer the red URL bar and the portal loads fine. However I'm still getting the same error 'The application cannot be opened because the identity of the site cannot be verified.'

    I have also published the application 'File Access' but again this gives the same error. I have navigated to the CRL of our new 'proper' certificate and I can get there no problems.

    Would anyone have any other ideas?

    Thanks, Joe

    Wednesday, May 11, 2011 6:30 PM
  • So just to confirm, you can successfully hit the UAG portal login page, log in successfully, and get to the portal screen where it lists your applications without any prompts or messages, correct? And once you are this far, if you look at the certificate properties from the browser, does everything in it look good (no warnings)?

    If so, I would next try publishing a simple web application. If you have some kind of an internal website running that you could push through the portal, try setting up access to that as an "Other Web Application (portal hostname)" type application and choose options as generic as you can when you set it up; let's see if it'll push something very basic through the portal successfully.

    Wednesday, May 11, 2011 6:38 PM
  • Also, open up the "Forefront UAG Web Monitor" from the start menu on your server and take a look for events that are being logged when you attempt to access these applications. Those logs may shed some more light.
    Wednesday, May 11, 2011 6:39 PM
  • You could also try publishing the in-built Web Monitor as a simple application...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, May 11, 2011 10:18 PM
    Moderator