UAG SSTP and NLB Array Support?

  • Question

  • Hi,

    According to http://blogs.isaserver.org/shinder/2009/09/27/uag-rc0-and-sstp-and-arrays-wih/

    "When Forefront UAG is configured in an array, VPN client connections using SSL network tunneling (SSTP) are not supported."

    This refers to UAG RC0....I cannot find if this configuration is supported or not for UAG 2010 Update 1.

    When we SSTP VPN connect from Windows 7, to our NLB UAG Celestix Array, the client gets an IP, but Default Gateway is 0.0.0.0....and subsequently the client cannot access anything...no Internet or Intranet access whatsoever.

    Regards


    Thursday, May 20, 2010 12:30 PM

Answers

  • OK I am with you now. We could certainly do that ...however...since the SSTP VPN client does not have a Default Gateway....where will it send its requests to?

    Why I ask, well because we have multiple VLANs and routers...so we need to know on which router we must add the route to the new VPN network....


    The default gateway is the VPN gateway - which means that split tunneling is disabled (and you can't enable it)

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, May 24, 2010 6:08 PM
    Moderator

All replies

  • DA is supported with NLB and DA can be used with SSTP...hence I would surmise that SSTP is supported with NLB :) [Could be wrong though, it changes regularly!]

    Here is a screenshot of my IPCONFIG: http://cid-a2e64de91bfcad09.skydrive.live.com/self.aspx/.Public/uagsstp.png 



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 20, 2010 12:49 PM
    Moderator
  • OK, so I see that you also have a 0.0.0.0 default gateway. So how does the client know how to get to the internal network...does your routing table have any extra entries?

    Would this be relevant here (from Release Notes):

    "Endpoints running a Windows 7 32-bit operating system might not be able to access non-Web applications published via Forefront UAG as expected. As a workaround, for each non-Web application, explicitly specify that the Socket Forwarding component should be activated on client endpoints. To do this, on the Client Settings tab of the application properties, enable the required socket forwarding mode."

    Thursday, May 20, 2010 1:20 PM
  • If I try to add my VPN IP range to the Internal Network on TMG, it complains.

    If I run the Getting Started Wizard and try to add the VPN IP range, it also complains, saying it's already on the internal definition.

    Thursday, May 20, 2010 1:31 PM
  • Hi,

    According to http://blogs.isaserver.org/shinder/2009/09/27/uag-rc0-and-sstp-and-arrays-wih/

    "When Forefront UAG is configured in an array, VPN client connections using SSL network tunneling (SSTP) are not supported."

    This refers to UAG RC0....I cannot find if this configuration is supported or not for UAG 2010 Update 1.

    When we SSTP VPN connect from Windows 7, to our NLB UAG Celestix Array, the client gets an IP, but Default Gateway is 0.0.0.0....and subsequently the client cannot access anything...no Internet or Intranet access whatsoever.

    Regards


    Hi S,

    That was true for the RC0 - that is no longer the case. Check out the current release notes:

    http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_VPN

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, May 20, 2010 2:35 PM
    Moderator
  • Hi S,

    Is your VPN network ID different from your on-subnet network ID?

    If so, the problem is likely related to the TMG concept for networks - you need to remove the addresses used by the VPN clients from the definition of the on-subnet network.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, May 20, 2010 2:37 PM
    Moderator
  • So if the default gateway is 0.0.0.0 how does the VPN client determine routes to internal & external resources? Can't find any valid entries in the routing table.
    Thursday, May 20, 2010 2:38 PM
  • Besides following this guide http://technet.microsoft.com/en-us/library/ee809077.aspx is there any additional configuration one must do to get the SSTP VPN working? Still cannot see how the client determines its routes.
    Friday, May 21, 2010 4:53 AM
  • Here is the setup:

    Internet - Firewall frontend (NATing) - UAG - Firewall backend- Intranet

    • the frontend firewall NATs a public Internet IP to 172.x.2.100 (UAG external IP)
    • UAG internal IP is 172.x.3.y
    • The SSTP VPN range is 172.x.50.1-172.x.50.254
    • Intranet is on 172.x.210.y

    So the client connects via VPN, gets an IP address on 172.x.50.y range...but then what? Surely it needs to get a routing table from somewhere in order to connect to the Intranet resources?

    How does UAG SSTP VPN assign it a routing table entry? Where can we configure this (besides the properties of the User in ADUC)

    Thanks

    Friday, May 21, 2010 7:34 AM
  • So do you have internal routing entries to return the SSTP VPN traffic back via UAG?

    If you use the TMG console and look at logging (rule=PublishingRule::IpVPNAccessRule) do you see traffic flow?

    Also check out the TMG alerts for potential config errors or IP spoofing entries...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 21, 2010 7:54 AM
    Moderator
  • Will test and monitor again...

    • I assume I have to change the Dial-In Properties of the user to Allow Access, and not use NPS Policies in ADUC?
    • The (rule=PublishingRule::IpVPNAccessRule) has the following settings:
    • From: VPN Clients
    • To: All Networks and Localhost

    If I go on TMG to Networking, Network, Internal and try to add the SSTP VPN range 172.x.50.1-172.x.50.254 to Internal, I get the following error message:

    "The VPN configuration static address pool for server DMZUAG01 already includes IP addresses in the range 172.x.50.1-172.x.50.254. New IP addresses cannot overlap existing ranges in the current static address pool"


    Friday, May 21, 2010 8:19 AM
  • You shouldn't need to mess with VPN config in TMG and I would recommend against it...

    From memory, a VPN static pool should be EXCLUDED from the Internal network object, not added to it.

    Have you tried re-running the Network Interfaces option since configuring the static IP pool to see if this will configure networking correctly?

    I have mainly used SSTP with non-array UAG machines, hence DHCP is possible.

    Cheers

    JJ 



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, May 21, 2010 8:45 AM
    Moderator
  • Do you want to allow full VPN access to the internal corporate network? - If you allow client endpoints full VPN access to the internal network using SSTP, or the legacy Forefront UAG Network Connector, you can allocate IP addresses to endpoints from a static pool. You should plan this static pool range and ensure that its addresses are not included in the internal network address range.

    Source: http://technet.microsoft.com/en-us/library/ee844246.aspx


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 21, 2010 8:54 AM
    Moderator
  • Well, at this stage I am just trying to get this thing to work, we'll deal with locking it down later.

    In addition to above details, here is something else I found:

    • PublishingRule::NcComputerSet has the old style NC IP addresses in it, but has no SSTP VPN IP addresses in it....it's as if UAG did not add them automatically to this Rule.

    I assume that all VPN IP address ranges should reside in the PublishingRule::NcComputerSet ?


    Also there are 2 rules...

    • PublishingRule::IpVPNAccessRule
    • PublishingRule::SslNetworkTunnelingAccessRule

    Which one is used for what?

    Friday, May 21, 2010 11:02 AM
  • Hmmm...that WAS about getting it working, not locking it down :S

    IPVPN is for SSTP and SSLNetworkTunnelling is for Network Connector.

    What is shown in the address range of Internal network object, is the VPN static IP pool range excluded as mentioned above?

    Is UAG the default gateway for outbound connections? If not, how do you expect replies to the VPN subnet to get back to UAG?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 21, 2010 12:06 PM
    Moderator
  • This is exactly my issue with SSTP that you just mentioned: "Is UAG the default gateway for outbound connections? If not, how do you expect replies to the VPN subnet to get back to UAG?"

    How does one stipulate a Default Gateway for the SSTP VPN? I cannot find the config for this anywhere !!

    Confirmed the 'Internal' range does not contain any VPN IP address ranges.

    Friday, May 21, 2010 12:56 PM
  • Create a static route for the VPN subnet that uses the UAG server as the gateway.

    For testing, you can add this to a single host first:

    route add <VPN Subnet> mask <VPN subnet mask> <UAG IPv4 Address on Internal Interface>

    Once this is done, try accessing this host from the SSTP VPN client.

    If that works, you can add the static route to one of your LAN routers or another firewall that is the current default gateway.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 21, 2010 1:21 PM
    Moderator
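    The two checks the replies above converge on (Tom's point that the VPN addresses must not sit inside the TMG Internal network definition, and Jason's static route so that return traffic for the VPN subnet goes back via UAG) as an added example; this is not code from the thread or from UAG/TMG. It parses a constructed `route print` table from a host on the UAG internal VLAN, and all addresses are made-up stand-ins for the thread's 172.x.* values.

```python
# Added example, not from the thread: checks the two conditions the replies
# converge on for UAG SSTP. All addresses are constructed stand-ins for the
# thread's 172.x.* values (UAG internal 172.16.3.10, VPN pool 172.16.50.0/24).
import ipaddress
import re

UAG_INTERNAL_IP = "172.16.3.10"
VPN_POOL = ("172.16.50.1", "172.16.50.254")
VPN_SUBNET = "172.16.50.0/24"
# Ranges as they would appear in the TMG "Internal" network object (constructed).
INTERNAL_RANGES = [("172.16.3.0", "172.16.3.255"), ("172.16.210.0", "172.16.210.255")]

def pool_overlaps_internal(pool, internal_ranges):
    """True if any pool address falls inside an Internal range: the overlap
    TMG rejects, and the reason the pool has to be excluded from Internal."""
    lo, hi = (int(ipaddress.ip_address(a)) for a in pool)
    for first, last in internal_ranges:
        f, l = (int(ipaddress.ip_address(a)) for a in (first, last))
        if lo <= l and f <= hi:
            return True
    return False

# Constructed `route print` output from a host on the UAG internal VLAN, after
# the suggested `route add 172.16.50.0 mask 255.255.255.0 172.16.3.10`.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.3.1     172.16.3.25     10
       172.16.3.0    255.255.255.0          On-link     172.16.3.25    266
      172.16.50.0    255.255.255.0      172.16.3.10     172.16.3.25     11
"""
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_route_print(text):
    """Parse the IPv4 table of `route print` into (network, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, separator and other non-route lines
        dest, mask, gw = m.group(1), m.group(2), m.group(3)
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw))
    return routes

def return_gateway(routes, vpn_subnet):
    """Gateway of the most specific route covering the VPN subnet. With no
    specific route this is the default gateway, i.e. the usual Internet
    gateway the thread warns replies must NOT be sent to."""
    vpn = ipaddress.ip_network(vpn_subnet)
    best = max((r for r in routes if vpn.subnet_of(r[0])),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def return_path_ok(route_text, vpn_subnet=VPN_SUBNET, uag_ip=UAG_INTERNAL_IP):
    """True when replies to VPN clients will be routed back via UAG."""
    return return_gateway(parse_route_print(route_text), vpn_subnet) == uag_ip
```

Run it against a real `route print` capture from an internal host (or the equivalent table from the LAN router) to confirm the return route exists before debugging the UAG side.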
  • Yes, adding static routes on the VPN client does indeed work.

    The VPN client now can communicate with a different VLAN.

    How do we auto-assign this new routing table entry to new SSTP VPN connections?

    I know I can do it from AD Users and Computers, on a per User basis...so this is a bit messy.

    One would think that UAG SSTP would have an option for a Default Gateway....like when configuring the old style Network Connector.


    Again as we have both confirmed the SSTP VPN client DG = 0.0.0.0

    Friday, May 21, 2010 1:44 PM
  • Eh?

    I think you misunderstood; I meant to add the static route to an INTERNAL host to ensure return traffic is sent back to UAG, not add a route on the VPN client itself...

    Confused :S

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 21, 2010 2:40 PM
    Moderator
  • OK I am with you now. We could certainly do that ...however...since the SSTP VPN client does not have a Default Gateway....where will it send its requests to?

    Why I ask, well because we have multiple VLANs and routers...so we need to know on which router we must add the route to the new VPN network....

    Friday, May 21, 2010 2:44 PM
  • It will send all requests via UAG, it is not like a standard IP client.

    Not sure how your network is designed, but you need to make sure that return packets to <VPN Subnet> are sent back to UAG and not to your usual Internet gateway. Maybe try something on the same VLAN as the UAG internal interface?

    Can you ping the internal IP address of the UAG internal interface?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 21, 2010 2:49 PM
    Moderator
  • I think you may have just answered the big dilemma in my mind: "It will send all requests via UAG, it is not like a standard IP client."

    Will chat to the firewall & routing dudes.

    Friday, May 21, 2010 3:03 PM
  • Cool - keep us updated ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 21, 2010 9:58 PM
    Moderator