UAG SSTP via portal and Windows dialup

  • Question

  • Hi,

    I configured SSTP in UAG to be used via the portal. Still, it seems that the SSTP connection is usable with the Windows dialup client from Windows. Anyway, this would be OK, except the UAG portal needs SecurID authentication and the Windows dialup client can authenticate using AD credentials. In the TMG configuration I could change it, for example, to use RADIUS, but every time I activate UAG it rewrites the TMG VPN configuration.

    There is a way to disable the Windows dialup connection for a user by modifying the Dial-In tab of the user's AD object. There is a Network Access Setting which can be set to Deny Access. This affects only Windows dialup users and not users who are starting SSTP from the UAG portal.

    Has anyone else noticed this and come up with another solution?

    Br.
    -Teemu Kirjavainen
    Monday, July 26, 2010 12:16 PM

Answers

  • Hi Teemu,

    Setting the users' properties in AD (Dial-in tab -> Network Access Permission) to Deny access *is* indeed the solution to limit access so that external users can only connect by first authenticating to the UAG portal trunk, and not by launching the VPN Connection in the Windows Dial-up and VPN window. Actually, I assume that setting the Network Access Permission to Control access through NPS Network Policy would also achieve the same result.

    -Ran

    • Proposed as answer by Ran [MSFT] Wednesday, July 28, 2010 2:37 PM
    • Marked as answer by Erez Benari Friday, July 30, 2010 6:20 PM
    Monday, July 26, 2010 7:05 PM
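
An added example, not part of the thread: a PowerShell audit that lists which accounts could still start the VPN directly with AD credentials instead of going through the SecurID-protected portal. It assumes the Dial-in tab setting is read from the `msNPAllowDialin` attribute (TRUE = Allow access, FALSE = Deny access, unset = Control access through NPS Network Policy); the function name and the sample accounts are constructed for illustration.

```powershell
# Classify accounts by the Dial-in tab's Network Access Permission.
# Get-DialInExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-DialInExposure {
    param([Parameter(ValueFromPipeline)] $User)
    process {
        $value = $User.msNPAllowDialin
        # Unset attribute means the decision is left to NPS network policy.
        if ($null -eq $value) { $setting = 'NpsPolicy' }
        elseif ($value)       { $setting = 'Allow' }
        else                  { $setting = 'Deny' }

        # Only enabled accounts can authenticate at all.
        if (-not $User.Enabled)         { $direct = 'No (account disabled)' }
        elseif ($setting -eq 'Allow')   { $direct = 'Yes' }
        elseif ($setting -eq 'Deny')    { $direct = 'No' }
        else                            { $direct = 'Depends on NPS policy' }

        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            DialInSetting   = $setting
            DirectVpnLogon  = $direct
        }
    }
}

# Constructed sample accounts so the script runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true;  msNPAllowDialin = $true  }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true;  msNPAllowDialin = $false }
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true;  msNPAllowDialin = $null  }
    [pscustomobject]@{ SamAccountName = 'dave';  Enabled = $false; msNPAllowDialin = $true  }
)

# Show every account that is not explicitly denied.
$sample | Get-DialInExposure |
    Where-Object { $_.DirectVpnLogon -notlike 'No*' } |
    Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module from RSAT):
# Get-ADUser -Filter * -Properties msNPAllowDialin | Get-DialInExposure |
#     Where-Object { $_.DirectVpnLogon -notlike 'No*' }
```

Accounts reported as `Depends on NPS policy` need the NPS network policies reviewed before they can be considered restricted to the portal.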

All replies

  • Nice!
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, July 28, 2010 11:05 AM
    Moderator
  • Ok, that is how I tested it; I figured that it might be so.

    Thank you for your reply.

    -Teemu Kirjavainen

    Thursday, August 5, 2010 12:33 PM
  • You're most welcome, Teemu.

    -Ran

    Thursday, August 5, 2010 2:00 PM