I wish I could take credit for the title of this post, but I was inspired by an article on Forefront Unified Access Gateway blog titled Adding the SSTP Magic to the UAG Charm, which you can find at http://blogs.technet.com/edgeaccessblog/archive/2009/07/05/adding-the-sstp-magic-to-the-uag-charm.aspx
Some observations about this blog post that you might want to consider before reading it:
- Certificate validation issues are a major bone of contention for SSTP. I don’t know anyone who’s “played” with SSTP and not torn their collective hair out because of CRL check issues. You need to make sure that both the VPN client and the UAG server itself are able to connect to the CRL site before implementing the solution.
- For CRL check reasons, the UAG team has informally recommended that you use public (commercial) certificates.
- If you don’t want to use a commercial certificate or deal with CRL check issues, you can disable CRL checking. Check out http://technet.microsoft.com/en-us/library/dd458982.aspx for more information.
- For UAG, are there any certificate installation requirements that are different from those with TMG? I haven’t tested this scenario yet, but since TMG uses a Web Listener and UAG uses “trunks”, there are going to be different procedures for binding the certificate. Also, will you be able to select which certificate to use? Is that in the UAG interface, or do we need to go into the Windows Server 2008 R2 RRAS console to select the certificate? I strongly suspect the former, since UAG is controlling the HTTPS listener.
- In reading UAG documentation, I’ve been curious about comments made about the Network Connector as an option for clients before Windows 7. I wondered about this, since Vista SP1 and above fully support SSTP. The problem with UAG is that only Windows 7 is supported for the RRAS admin plug-in that handles authentication for SSTP clients who log on via the portal. Check Asaf Kariv’s blog post for more details on this issue.
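As an added check for the two CRL points in the list (whether the client and the UAG server can actually reach the CRL site, and whether someone has taken the shortcut of disabling CRL checking), here is a PowerShell script that is not from the original post or from UAG itself. It assumes the listener certificate sits in the LocalMachine\My store and uses a placeholder thumbprint; the NoCertRevocationCheck registry value is Microsoft’s documented SSTP service setting, not something this post names.

```powershell
# Added example (not from the original post): report CRL reachability for the
# SSTP listener certificate and whether SSTP CRL checking has been switched off.
# $Thumbprint is a placeholder; replace it with the thumbprint of the certificate
# bound to the UAG/SSTP HTTPS listener. Run on the UAG server and on a VPN client.
param([string]$Thumbprint = 'REPLACE_WITH_LISTENER_CERT_THUMBPRINT')

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$store.Close()
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Pull the HTTP CRL Distribution Points (OID 2.5.29.31) out of the certificate.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { Write-Warning 'Certificate carries no CRL Distribution Point extension' }
$urls = @()
if ($cdp) { $urls = [regex]::Matches($cdp.Format($true), 'http://[^\s\]]+') | ForEach-Object { $_.Value } }

# 2. Try to download each CRL, which is what the SSTP client and server will do.
$web = New-Object System.Net.WebClient
foreach ($url in $urls) {
    try {
        $bytes = $web.DownloadData($url)
        Write-Host ("CRL reachable: {0} ({1} bytes)" -f $url, $bytes.Length)
    } catch {
        Write-Warning ("CRL NOT reachable: {0} -> {1}" -f $url, $_.Exception.Message)
    }
}

# 3. Build the chain with online revocation checking, as the SSTP handshake does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if ($chain.Build($cert)) {
    Write-Host 'Chain built with online revocation check: OK'
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# 4. Flag the server-side escape hatch: NoCertRevocationCheck=1 under the SstpSvc
#    service turns off CRL checking for SSTP entirely (Microsoft-documented value).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoCertRevocationCheck
if ($val -eq 1) { Write-Warning 'SSTP CRL checking is DISABLED on this host (NoCertRevocationCheck=1)' }
else { Write-Host 'SSTP CRL checking is enabled (NoCertRevocationCheck is not 1)' }
```

Run it once on the UAG server and once on a representative VPN client; a CRL that is reachable from only one side is exactly the failure mode the first bullet warns about.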
SSTP is a great addition to the UAG remote access toolbox and goes a long way toward making UAG the remote access gateway for Microsoft networks. I’m looking forward to testing out the SSTP functionality in the near future, even if I have to test it with a client operating system that is still in beta 😉
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)