Requiring RSA for SSTP

  • Question

  • I have a customer who uses AD + RSA authentication for all connections through UAG. However, I've found that if I manually create an RRAS dial-up on my Vista 64-bit machine I can get an SSTP connection started with just AD credentials, never having logged into the portal with AD + RSA. In fact, from Vista 64-bit that's the only way in, as the portal menu link is greyed out from Vista 64-bit. Anyone have any ideas how we can accomplish SSTP/NC access for the various OS types without ever opening up a backdoor that doesn't require RSA?

    Thanks,

    Mark


    Friday, May 21, 2010 7:26 PM

Answers

All replies

  • Hi Mark,

    Just want to point out that:

    a) SSTP is not supported by UAG when launched from Vista clients

    b) When manually configuring an RRAS dial-up connection using SSTP you are actually directly accessing TMG running on the UAG machine, and no UAG component is involved

    c) the fact that you can successfully connect using this SSTP dial-up connection leads me to believe that the account you are using to authenticate has its Network Access Permission setting in AD (user’s Properties window -> Dial-in tab) set to “Allow Access”. If this were changed to “Deny Access” or to "Control access through NPS Network Policy", the manually configured dial-up SSTP connection would not be able to connect when not using the UAG portal (I know that this does not solve your need to have Vista 64-bit clients connect, but it would at least eliminate the “backdoor” you mentioned)

    Regards,

    -Ran

    Saturday, May 22, 2010 10:38 PM
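The Network Access Permission setting Ran points to is stored in the user's msNPAllowDialin attribute ($true = "Allow access", $false = "Deny access", not set = "Control access through NPS Network Policy"). The following PowerShell is an added example, not part of the thread or of any UAG/TMG documentation, showing how to audit a domain for accounts explicitly set to "Allow access" and move them to NPS-controlled access. The OU path is an assumed placeholder; the script needs the ActiveDirectory RSAT module and runs with -WhatIf until you remove it.

```powershell
# Added example: audit and remediate the AD "Network Access Permission" (Dial-in tab)
# that lets a hand-built RRAS/SSTP connection authenticate with AD credentials alone.
# msNPAllowDialin backs that tab:
#   $true  -> "Allow access"  (the setting that lets the manual SSTP dial-up connect)
#   $false -> "Deny access"
#   unset  -> "Control access through NPS Network Policy"
Import-Module ActiveDirectory

# Assumption: adjust the search base to your own domain/OU.
$SearchBase = 'OU=Users,DC=corp,DC=example'

# 1. Find every enabled account explicitly set to "Allow access".
$allowed = Get-ADUser -Filter 'Enabled -eq $true -and msNPAllowDialin -eq $true' `
    -SearchBase $SearchBase -Properties msNPAllowDialin

Write-Output "Accounts with Network Access Permission = Allow access: $($allowed.Count)"
$allowed | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 2. Clear the attribute so the decision moves to the NPS network policies on the
#    RRAS/TMG side ("Control access through NPS Network Policy"). For a hard
#    "Deny access" use -Replace @{msNPAllowDialin = $false} instead of -Clear.
#    Remove -WhatIf once the list above has been reviewed.
foreach ($user in $allowed) {
    Set-ADUser -Identity $user.DistinguishedName -Clear msNPAllowDialin -WhatIf
}

# 3. Verify that nothing is still explicitly allowed.
$remaining = Get-ADUser -Filter 'msNPAllowDialin -eq $true' -SearchBase $SearchBase
if ($remaining) {
    Write-Warning "Still set to Allow access: $($remaining.SamAccountName -join ', ')"
} else {
    Write-Output 'No accounts remain with Network Access Permission = Allow access.'
}
```

With the attribute cleared, whether an SSTP connection is admitted is decided by the NPS network policies configured on the UAG/TMG host, so test the portal-initiated SSTP path against a cleared account before rolling this out to every user.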
  • This may be related to the RSA / UAG bug recently discovered where it was found that a UAG portal that is protected by AD+RSA can actually be accessed *without* the RSA token at all. All you do is enter the AD password a second time when prompted for the RSA PRN.

    Hopefully a bug fix for this will be forthcoming...

    Peter

    Monday, May 24, 2010 8:38 AM
  • Hi Peter,

    Actually, the issue you are referring to is not related in any way to Mark's issue in this thread. As I mentioned above, the solution to block SSTP access in a scenario like the one described by Mark is to correctly set up the user Network Access Permissions in AD.

    Regards,

    -Ran

    Monday, May 24, 2010 8:51 AM
  • Hi Ran,

    Is there any news on the RSA issue I mentioned, though? We are presently deploying an RSA+AD protected UAG portal, and I was hoping for a bugfix to the authentication issue before we get too far into production usage.

    Peter


    Monday, May 24, 2010 9:45 AM
  • Hi Peter,

    Let's not hijack Mark's thread :). I am addressing your question in the original thread that discussed that issue: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/ce2123c0-5482-4705-8fd5-9d65a8f3ca10/#34e13ba7-8c27-4fee-99dc-ad586edf8b94

    Thank you,

    -Ran

    • Marked as answer by Erez Benari Friday, May 28, 2010 8:42 PM
    Monday, May 24, 2010 1:54 PM
  • Thanks Ran. It appears that if I go into TMG and do something like tell it to require RADIUS, then that breaks the config enough that the backdoor is closed.
    • Marked as answer by Erez Benari Friday, May 28, 2010 8:42 PM
    Tuesday, May 25, 2010 2:11 PM