UAG remote network access with SSTP and Network Connector - Pool question

  • Question

    • 1 UAG server in a multizone DMZ. Joined to the DMZAD domain. This domain has a two-way trust with the internal CORPAD domain
    • External NIC in external DMZ zone: - NAT'd behind FW.
    • Internal NIC in private DMZ zone:  - FW between this zone and Corp Internal Network.
    • Corp internal network is

    Requirement to set up both SSTP and Network Connector to support VPN for XP to Win7 users that belong to CORPAD. I need some guidance on what to choose for the pool for both and what FW rules or gateway routes I may need to put in place. I get confused when reading about the Network Connector needing to choose Private or Corporate IPs and the gateway requirements for them. Also not sure if that same pool can be used for the SSTP pool or not. Based on the config above, what would anyone recommend?


    Wednesday, November 30, 2011 7:31 AM

All replies

  • Hi Chad,

    With SSTP, you need to consider if the chosen IP pool is contained within the existing address range defined for the Internal Network object in UAG/TMG (like 10.0.X.X). If it is, you need to amend the address range to exclude your chosen pool IP address ranges for SSTP. For NC, this would be a corporate IP.

    If you choose an IP pool range that includes addresses from a completely different network (like you will also need to ensure that routers (or servers) on your network know how to route this network back via the UAG server. For NC, this would be a private IP.

    More info: and here:

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: and
    Wednesday, November 30, 2011 11:56 AM
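The two cases in the reply above (pool inside the UAG/TMG Internal Network range, which must then be carved out of that range; pool on a separate network, which then needs a return route to the UAG server) can be checked mechanically before touching the console. The script below is an added example, not code from the thread, UAG or TMG; the address ranges, the UAG internal NIC address and the `plan_pool` helper are constructed for illustration. It models the Internal Network object as start-end ranges, the way the UAG/TMG network editor shows them, and computes the ranges that remain after excluding a candidate pool.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddrRange:
    """One contiguous IPv4 range as listed in the TMG/UAG Internal Network object (start-end)."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def __str__(self) -> str:
        return f"{self.start}-{self.end}"


def exclude_pool(internal, pool):
    """Return the Internal Network ranges left after carving the VPN pool out of them.

    Ranges that do not overlap the pool are kept untouched; an overlapping range is
    split into the piece before the pool and the piece after it (either may be empty).
    """
    p_start, p_end = int(pool.network_address), int(pool.broadcast_address)
    result = []
    for r in internal:
        s, e = int(r.start), int(r.end)
        if p_end < s or p_start > e:  # no overlap: keep as-is
            result.append(r)
            continue
        if s < p_start:  # piece of the range below the pool
            result.append(AddrRange(ipaddress.IPv4Address(s),
                                    ipaddress.IPv4Address(p_start - 1)))
        if p_end < e:  # piece of the range above the pool
            result.append(AddrRange(ipaddress.IPv4Address(p_end + 1),
                                    ipaddress.IPv4Address(e)))
    return result


def pool_overlaps_internal(internal, pool) -> bool:
    """True if any address of the pool falls inside the Internal Network ranges."""
    p_start, p_end = int(pool.network_address), int(pool.broadcast_address)
    return any(not (p_end < int(r.start) or p_start > int(r.end)) for r in internal)


def plan_pool(internal, pool, uag_internal_nic):
    """Classify a candidate pool into the two cases described in the reply.

    Returns a dict with the resulting Internal Network ranges and, for a pool on a
    separate network, the static route the internal routers (or hosts) need so that
    traffic to VPN clients comes back via the UAG server's internal NIC.
    """
    if pool_overlaps_internal(internal, pool):
        return {
            "case": "inside-internal",
            "action": "exclude pool from the UAG/TMG Internal Network address ranges",
            "internal_after": [str(r) for r in exclude_pool(internal, pool)],
            "return_route": None,
        }
    return {
        "case": "separate-network",
        "action": "add a return route for the pool pointing at the UAG internal NIC",
        "internal_after": [str(r) for r in internal],
        "return_route": f"{pool} via {uag_internal_nic}",
    }


if __name__ == "__main__":
    # Constructed sample values; not the ranges from the thread.
    internal_net = [AddrRange(ipaddress.IPv4Address("10.0.0.0"),
                              ipaddress.IPv4Address("10.0.255.255"))]
    uag_nic = ipaddress.IPv4Address("10.99.1.10")  # assumed UAG internal NIC (DMZ side)
    for cidr in ("10.0.200.0/22", "172.16.50.0/24"):
        print(cidr, plan_pool(internal_net, ipaddress.ip_network(cidr), uag_nic))
```

In the first case the script prints the two ranges the Internal Network object should contain after the edit; in the second it prints the route entry to hand to whoever manages the core routers. Both checks are worth running again whenever the Internal Network definition changes, since a later expansion of that range can silently swallow the pool.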
  • I'd like to choose for both pools to use.  This range isn't used yet internally either, but I want to make sure I setup UAG properly.

    • Exclude this range from UAG internal networks
    • SSTP IP Address Assignment =; Advanced = DNS,
    • NC - Network Segment = Private, Always override existing network config of this server = DNS & 12, Suffix = domain.local, GW =
    • NC - IP Provisioning =
    • NC - Access Control = Non-split tunnel

    Now, since my UAG server's internal NIC doesn't sit on the internal corp network, I want to make sure when it assigns these pool addresses to the clients that everything is good to go as far as networking, routing, and firewalls are concerned. I'm assuming as long as the VLAN is set up and routable prior then everything should work. However, does this 52.0/22 range need firewall rules enabled in order to talk back to the UAG internal NIC in the DMZ (

    Please advise if the above config looks OK....thanks for the help!


    Wednesday, November 30, 2011 5:11 PM
  • I get an error: "Wrong SSL Network Tunneling parameters, invalid complementary gateway." This happens when I set NC - Network Segment = Private, Always override existing network config of this server = DNS & 12, Suffix = domain.local, GW =

    If I select "Only if Network Configuration is Missing" then it will use the private NIC DNS which isn't our internal DNS CORPAD server, but rather the DMZ DNS server.  I'm thinking this would cause issues for VPN clients to access internal resources.

    Wednesday, November 30, 2011 11:28 PM
  • For your scenario, I don't believe you need to define the gateway in that section, just define the custom DNS servers and suffix...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: and
    Thursday, December 1, 2011 5:02 PM
  • I must be missing something... I get this pop-up no matter what I try: "Wrong SSL Network Tunneling parameters, invalid complementary gateway." Here are screenshots from my lab, which is the same setup as the corp network (two DMZ zones (public DMZ (Private DMZ -, Corp network (

    I try setting it to private IP, Corp IP, Only if network config is missing, no gateways and just DNS, no settings at all, etc... Network segment is always set to use Private, however... I didn't try Public as that wasn't even a recommended setting.

    Private or Corp give the same error pop-up.

    Thursday, December 1, 2011 5:30 PM