TMG Beta 3 Introduces SSTP Remote Access VPN
Yuri Diogenes reminds us that SSTP is now available with the Beta 3 version of the TMG firewall in his blog post over at http://blogs.technet.com/yuridiogenes/archive/2009/06/16/tmg-beta-3-brings-sstp-capability.aspx
SSTP (Secure Socket Tunnel Protocol) is a great addition to the TMG firewall’s suite of VPN protocols. The TMG firewall now supports three VPN protocols for remote access client VPN connections. These are:
- PPTP (Point to Point Tunneling Protocol)
- L2TP/IPsec (Layer 2 Tunneling Protocol over IPsec)
- SSTP (Secure Socket Tunneling Protocol)
SSTP is essentially PPP over an SSL encrypted HTTP connection. This allows your users to be behind virtually any firewall or Web proxy and connect to your TMG firewall’s remote access client VPN server. This is going to significantly reduce the number of help desk calls from your users.
Even more importantly, you can graciously dump your very expensive Cisco, Check Point or Juniper SSL VPN solution and take advantage of the security and reliability of SSTP while paying commodity prices. You won’t have to take out a second mortgage to pay Cisco, and the money you save might be the money needed to keep your job in these tough economic times.
SSTP is flexible reliable and cost-effective, but it’s also a tricky little guy. You need to be on your toes when planning and configuring SSTP. Here are some things you need to keep in mind when configuring your TMG firewall to support SSTP:
- You need to publish your CRL if you’re going to use a private CA to generate your machine certificates. SSTP requires that you create a Web Listener and bind a Web site certificate to the Listener. If you used an internal CA, you need to make sure that the client can reach that CA or the URL included in the AIA on the certificate
- If you use a commercial certificate (not likely in most cases, since your VPN is a private connection, not something that should be accessible from the general public), then you don’t need to publish your CRL, as it will be available on the Internet
- SSTP uses a Web Listener to accept the incoming SSL connections. This Web Listener must not pre-authenticate and cannot use a form. While the SSTP server is only listening for a single path when using this listener, the configuration of the Listener virtually guarantees that you won’t be using it for any Web Publishing Rule. The end result is that you’ll need to dedicate an IP address for your SSTP connection.
TMG has done a lot to make SSTP easier to configure, but it would have been a lot better if they would have integrated a CRL publishing wizard. Maybe in the next version of TMG?
For more information on SSTP troubleshooting, check out:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer