UAG Direct Access and SSLVPN(SSTP)

  • Question

  • Hi,

    Does anybody know whether my UAG server can host a DirectAccess and an SSLVPN (SSTP) service simultaneously?

    This is because I first had DirectAccess working nicely, but when I configured the SSLVPN, the VPN failed because of certificate problems. I had to assign the right certificate to the HTTP listener. I had to use a set of netsh http delete sslcert ipport=0.0.0.0:443 and netsh http add sslcert ipport=0.0.0.0:443 commands to get the SSLVPN working, but as a result DirectAccess stopped working, with IP-HTTPS giving me a 0x103 "no usable certificates found" error message.

    Any Ideas?


    Friday, August 27, 2010 7:31 AM

Answers

  • Hi Kjell,

    The SSTP listener needs to use a third IP address, one that is not used by the IP-HTTPS or DirectAccess configuration.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team. Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Thursday, September 2, 2010 8:43 PM
    Monday, August 30, 2010 7:24 AM

All replies

  • Hi Thomas,

    DirectAccess and application publishing features (OWA, SharePoint, etc.) can be used simultaneously...


    Cüneyt E. ORHUN

    Thursday, April 12, 2012 7:46 AM
  • To clarify this for anyone who comes across this post, DO NOT try to run a UAG portal on the same primary IP address that DirectAccess is using. You will almost certainly break IP-HTTPS. Many times this is not noticed by companies, at least for a while, as most DA connections are Teredo. But eventually you will realize that when DA clients attempt to use IP-HTTPS they will get the 0x103 error.

    You can successfully run a UAG portal (with or without the SSTP VPN application inside it) on the SECONDARY IP address that DirectAccess uses. That seems to work just fine and I have never had a problem doing so. That being said, if you have 3 public IP addresses available, I do always recommend using all 3 and just letting DA use its own two IPs exclusively; it is always safer that way.

    Friday, April 13, 2012 6:48 PM
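The failure described in the question comes from rebinding the wildcard 0.0.0.0:443 listener, which HTTP.sys uses for every address that has no IP-specific binding. The following PowerShell audit is an added example, not code from the thread or from the UAG product: it parses `netsh http show sslcert` and flags a wildcard 443 binding, a DirectAccess address without its own binding, and an SSTP/portal address that collides with a DirectAccess address. The three IP addresses are placeholders you must replace with your own.

```powershell
# Added example: audit HTTP.sys SSL bindings on a UAG/DirectAccess server.
# Placeholder addresses (not from the thread); replace with your own.
$DaPrimaryIp   = '203.0.113.10'   # first DA public IP: IP-HTTPS listens here
$DaSecondaryIp = '203.0.113.11'   # second DA public IP
$SstpIp        = '203.0.113.12'   # address intended for the SSTP/portal listener

function Get-SslCertBinding {
    # Turn the text of 'netsh http show sslcert' into one object per IP:port binding.
    $bindings = @()
    $current  = $null
    netsh http show sslcert | ForEach-Object {
        if ($_ -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{ IpPort = $matches[1]; CertHash = ''; AppId = '' }
        } elseif ($current -and $_ -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertHash = $matches[1]
        } elseif ($current -and $_ -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

$bindings = Get-SslCertBinding
$bindings | Format-Table IpPort, CertHash, AppId -AutoSize

# Check 1: the SSTP/portal address must not be one of the DirectAccess addresses
# (the primary one in particular, which carries IP-HTTPS).
if ($SstpIp -in @($DaPrimaryIp, $DaSecondaryIp)) {
    Write-Warning "SSTP/portal IP $SstpIp is a DirectAccess address; give it a separate IP."
}

# Check 2: a wildcard 0.0.0.0:443 binding answers for every address without its own
# binding, so swapping its certificate (as in the question) changes what IP-HTTPS
# clients are offered and can lead to the 0x103 'no usable certificates found' error.
$wildcard = $bindings | Where-Object { $_.IpPort -eq '0.0.0.0:443' }
if ($wildcard) {
    Write-Warning "Wildcard 0.0.0.0:443 binding present (cert $($wildcard.CertHash))."
}

# Check 3: each DirectAccess address should have an IP-specific 443 binding so that
# it never depends on the wildcard entry.
foreach ($ip in @($DaPrimaryIp, $DaSecondaryIp)) {
    $b = $bindings | Where-Object { $_.IpPort -eq "${ip}:443" }
    if (-not $b) { Write-Warning "No IP-specific 443 binding on DA address $ip." }
    else         { Write-Output  "DA address $ip bound to cert $($b.CertHash)" }
}
```

Run it in an elevated PowerShell session on the UAG server; it only reads bindings and changes nothing.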