UAG remote network access with SSTP and Network Connector - Pool question

  • Question

    • 1 UAG server in a multizone DMZ. Joined to the DMZAD domain. This domain has a two-way trust with the internal CORPAD domain.
    • External NIC in external DMZ zone: 172.25.110.5 - NAT'd behind the FW.
    • Internal NIC in private DMZ zone: 172.25.100.5 - FW between this zone and the Corp internal network.
    • Corp internal network is 10.0.0.0/16.

    Requirement to set up both SSTP and Network Connector to support VPN for XP to Win7 users that belong to CORPAD. I need some guidance on what to choose for the Pool for both and what FW rules or gateway routes I may need to put in place. I get confused when reading about the Network Connector needing to choose Private or Corporate IPs and the gateway requirements for them. Also not sure if that same pool can be used for the SSTP pool or not. Based on the config above, what would anyone recommend?

    -Chad
    Wednesday, November 30, 2011 7:31 AM

All replies

  • Hi Chad,

    With SSTP, you need to consider if the chosen IP pool is contained within the existing address range defined for the Internal Network object in UAG/TMG (like 10.0.X.X). If it is, you need to amend the address range to exclude your chosen pool IP address ranges for SSTP. For NC, this would be a corporate IP.

    If you choose an IP pool range that includes addresses from a completely different network (like 192.168.0.0) you will also need to ensure that routers (or servers) on your network know how to route this network back via the UAG server. For NC, this would be a private IP.

    More info: http://technet.microsoft.com/en-us/library/ee809077.aspx and here: http://technet.microsoft.com/en-us/library/ee809096.aspx

    Cheers

    JJ

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, November 30, 2011 11:56 AM
    Moderator
  • I'd like to choose 10.0.52.0/22 for both pools to use. This range isn't used yet internally either, but I want to make sure I set up UAG properly.

    • Exclude this range from UAG internal networks
    • SSTP IP Address Assignment = 10.0.52.10-10.0.55.254; Advanced = DNS 10.0.20.11, 10.0.20.12
    • NC - Network Segment = Private, Always override existing network config of this server = DNS 10.0.20.11 & 12, Suffix = domain.local, GW = 10.0.52.1
    • NC - IP Provisioning = 10.0.52.10-10.0.55.254
    • NC - Access Control = Non-split tunnel

    Now since my UAG server's internal NIC doesn't sit on the internal corp network, I want to make sure when it assigns these pool addresses to the clients that everything is good to go as far as networking, routing, and firewalls are concerned. I'm assuming as long as the 10.0.52.0/22 VLAN is set up and routable beforehand then everything should work. However, does this 52.0/22 range need firewall rules enabled in order to talk back to the UAG internal NIC in the DMZ (172.25.100.5)?

    Please advise if the above config looks OK... thanks for the help!

    -Chad
    Wednesday, November 30, 2011 5:11 PM
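Added example, not code from the thread or from Microsoft: a small Python script (standard-library `ipaddress` only) that applies Jason's two cases to the addresses Chad posted. It classifies the pool as corporate (inside the Internal Network ranges) or private (outside them), carves a corporate pool out of the Internal Network definition and merges the leftover CIDR blocks into the start-end ranges the TMG Internal Network editor takes, checks that the proposed assignment range 10.0.52.10-10.0.55.254 fits inside 10.0.52.0/22 without touching the network, broadcast or the 10.0.52.1 gateway address, and prints the return route toward the UAG internal NIC (172.25.100.5) that the corp side needs because, in this setup, that NIC is not on the corp LAN. The function names and the route string format are my own; the addresses are the ones given in the thread.

```python
import ipaddress

# Values taken from the thread: corp network, Chad's proposed pool, UAG internal NIC.
CORP_INTERNAL = ["10.0.0.0/16"]
PROPOSED_POOL = "10.0.52.0/22"
UAG_INTERNAL_NIC = "172.25.100.5"


def classify_pool(pool, internal_networks):
    """'corporate' if the pool lies inside a UAG/TMG Internal Network range,
    'private' if it is disjoint from all of them (Jason's two cases).
    A pool that only partly overlaps a range is rejected."""
    pool = ipaddress.ip_network(pool)
    for net in map(ipaddress.ip_network, internal_networks):
        if pool.subnet_of(net):
            return "corporate"
        if pool.overlaps(net):
            raise ValueError(f"pool {pool} straddles the edge of {net}; pick a pool fully in or fully out")
    return "private"


def exclude_pool(internal_networks, pool):
    """Carve the pool out of the Internal Network definition; returns CIDR blocks."""
    pool = ipaddress.ip_network(pool)
    remaining = []
    for net in map(ipaddress.ip_network, internal_networks):
        remaining.extend(net.address_exclude(pool) if pool.subnet_of(net) else [net])
    return sorted(remaining)


def as_ranges(networks):
    """Merge adjacent CIDR blocks into the start-end ranges the TMG editor takes."""
    merged = []
    for net in sorted(networks):
        first, last = int(net.network_address), int(net.broadcast_address)
        if merged and merged[-1][1] + 1 == first:
            merged[-1][1] = last          # contiguous with the previous block: extend it
        else:
            merged.append([first, last])
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))) for a, b in merged]


def assignment_fits(start, end, pool, reserved=()):
    """True if the assignment range sits inside the pool, avoids the network and
    broadcast addresses, and avoids reserved hosts such as the gateway."""
    pool = ipaddress.ip_network(pool)
    start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if start > end:
        return False
    if start <= pool.network_address or end >= pool.broadcast_address:
        return False
    return all(not (start <= ipaddress.ip_address(r) <= end) for r in reserved)


def return_route(pool, uag_internal_ip):
    """Static route the corp routers/firewall need so replies to VPN clients reach UAG."""
    return f"{ipaddress.ip_network(pool)} via {ipaddress.ip_address(uag_internal_ip)}"


if __name__ == "__main__":
    kind = classify_pool(PROPOSED_POOL, CORP_INTERNAL)
    print("pool type:", kind)
    if kind == "corporate":
        print("Internal Network ranges after excluding the pool:")
        for a, b in as_ranges(exclude_pool(CORP_INTERNAL, PROPOSED_POOL)):
            print(f"  {a} - {b}")
    print("return route:", return_route(PROPOSED_POOL, UAG_INTERNAL_NIC))
    ok = assignment_fits("10.0.52.10", "10.0.55.254", PROPOSED_POOL, reserved=["10.0.52.1"])
    print("assignment 10.0.52.10-10.0.55.254 fits:", ok)
```

For Chad's values the script reports a corporate pool, leaves two Internal Network ranges (10.0.0.0-10.0.51.255 and 10.0.56.0-10.0.255.255), and a route for 10.0.52.0/22 via 172.25.100.5; a 192.168.0.0/24 pool would come out as private with no exclusion needed but the same kind of route.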
  • I get an error: Wrong SSL Network Tunneling paremeters, invalid complementary gateway.  This happens when I set NC - Network Segment = Private, Always override existing network config of this server = DNS 10.0.20.11 & 12, Suffix = domain.local, GW = 10.0.52.1

    If I select "Only if Network Configuration is Missing" then it will use the private NIC DNS, which isn't our internal DNS CORPAD server but rather the DMZ DNS server. I'm thinking this would cause issues for VPN clients accessing internal resources.

    -Chad
    Wednesday, November 30, 2011 11:28 PM
  • For your scenario, I don't believe you need to define the gateway in that section, just define the custom DNS servers and suffix...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, December 1, 2011 5:02 PM
    Moderator
  • I must be missing something... I get this popup no matter what I try: Wrong SSL Network Tunneling paremeters, invalid complementary gateway. Here are screenshots from my lab, which is the same setup as the corp network (two DMZ zones: public DMZ 192.168.0.0/24 and private DMZ 172.25.101.0/24; corp network 10.10.10.0/24).

    I tried setting it to Private IP, Corp IP, Only if network config is missing, no gateways and just DNS, no settings at all, etc. Network segment is always set to use Private, however... I didn't try Public as that wasn't even a recommended setting.

    Private or Corp give the same error pop-up.

    -Chad
    Thursday, December 1, 2011 5:30 PM