If you would like to read the other parts in this article series please go to
- Configuring TMG Beta 3 for SSTP VPN Connections (Part 1)
- Configuring TMG Beta 3 for SSTP VPN Connections – Part 2: Configuring the Firewall to Accept SSTP Connections
In the second part of our three part series on configuring the TMG firewall to accept SSTP VPN client connections, we discussed certificate related issues and then installed the Web site certificate onto the TMG firewall. We created a Web Publishing Rule to publish the CRL site of our private CA. Note that you do not need to go through this step if you are using a commercial CA. In this, the third and last part of this series we will go through the configuration steps for the VPN server component and then establish a VPN connection using SSTP. We will also see that we will need to fix the Web Publishing Rule for the CRL site, since our certificate lied to us about what URL would be used to access the CRL.
For this beta version of the TMG firewall, you will not be able to delete the SSTP Web Listener after you create it. This means that the IP address you use for the listener will be permanently assigned to the SSTP Listener and you will not be able to reuse it for an SSL Web Publishing Rule. While this will be fixed by the time the product goes RTM, you will need to add IP addresses for additional SSL Web Publishing Rules, or crater the machine to get rid of the SSTP listener.
Configure the VPN Configuration on the TMG Firewall
Let us now get to the heart of the matter – configuring the VPN configuration on the TMG firewall. While it would be nice to go into detail into all aspects of TMG VPN configuration, I am going to take a more narrow approach in this article and discuss only those aspects that affect our SSTP configuration. If you want to know more about TMG firewall VPN configuration in general, make sure to get our TMG book which is coming out in a few months from now.
Perform the following steps to start the VPN server configuration on the TMG firewall:
Open the TMG firewall console, and click the Remote Access Policy (VPN) node in the left pane of the console, as seen in the figure below.
On the Tasks Tab on the Task Pane, click the Enable VPN Client Access link.
Ha! You will see that an old bug that was part of the ISA firewall VPN configuration was carried over to the TMG firewall. Before you can enable VPN access, you have to configure address assignment first. Would have been nice to have the Task Pane make all VPN configuration option unavailable until you set address assignments for VPN clients. No problem. Click OK here and we will take care of this problem.
In the Tasks Tab in the Task Pane, click the Define Address Assignments link. You will see what appears in the figure below. Since I have a DHCP server installed on the domain controller, I am going to select the Dynamic Host Configuration Protocols (DHCP) option. If you decide to select the Static Address Pool option, make sure that the addresses that you put in the pool are not part of any other Network Definition – otherwise it is not going to work and you will see an error in the Alerts section of the TMG firewall console. Click OK.
Now click the Enable VPN Client Access link in the Task Tab of the Task Pane. The icon will change and it will appear as Disable VPN Client Access after you have it enabled.
Click the Configure VPN Client Access link in the Tasks Tab in the Task Pane. In the VPN Clients Properties dialog box, click the Protocols tab. The Enable PPTP option will be enabled by default. Put a checkmark in the Enable SSTP checkbox. Click the Configure button to start the process of creating a Web Listener for the SSTP connections.
In the Choose Web Listener for SSTP dialog box, you will see a list of potential Web Listeners that you can use for SSTP connections. Since there are no SSL enabled listeners on this TMG firewall yet, we will have to create one. Click the New button to get things started.
On the Welcome to the New Web Listener Wizard page, enter a name for the Web Listener in the Web listener name text box. In this example we will call it the SSTP Listener.
You will probably want to dedicate this Web Listener to the SSTP connections, because of the special configuration enabled on this listener. That means if you want to publish other SSL sites, you will need more IP addresses for those sites, as you would not be able to use the SSTP Web Listener for them.
On the Web Listener IP Addresses page, I am going to select the External option by putting a checkmark in its checkbox. I am doing that because there is only one IP address bound to the external interface of the TMG firewall. If I had more IP addresses bound to the external interface of the TMG firewall, I would click the Select IP Addresses button and select a specific IP address for the Listener to use.
This presents an interesting option that is typically not available for other types of VPN connections (PPTP, L2TP/IPsec) to the TMG firewall – that is to say, with the other VPN protocols, you can’t control the specific IP address (well, at least it’s not easy to do so) that connections are allowed on. With SSTP, you can limit what addresses are accepting SSTP connections by configuring the Web Listener to only allow connections on the IP addresses you select.
On the Listener SSL Certificates page, click the Select Certificate button.
In the Select Certificate dialog box, you will see the certificate I created for the SSTP connections and then installed in the TMG firewall’s machine certificate store. Note that I have an enterprise CA in the domain that the TMG firewall belongs to, so the CA certificate of the CA that created this Web site certificate is already installed on the TMG firewall. If you are using a commercial certificate, you would not have to worry about this step. As I noted in a previous article, there are a lot of ways you can request and obtain a certificate, so I did not go into the details of that configuration. What is important here is that you can install the certificate and have it show up in this dialog box as seen in the figure below. I am going to select the vpn.msfirewall.org certificate and click Select.
The certificate now appears on the Listener SSL Certificates page. Click Next.
Click Finish on the Completing the New Web Listener Wizard page.
On the Choose Web Listener for SSTP dialog box you can now see the details of the Web listener. Click OK.
Click OK in the VPN Clients Properties dialog box.
When you click on the Firewall Policy node in the left pane of the console, and click the Toolbox Tab in the Task Pane and then click Network Objects and then click Web Listeners, you will see the SSTP Listener in the list of Web listeners.
Another interesting change can be found in the System Policy. If you expose the System Policy in the Firewall Policy node of the console, you will see that the SSTP Publishing System Policy Rule has been automatically enabled.
Click Apply to save the changes and update the configuration. Click Apply in the Configuration Change Descriptions dialog box. Click OK in the Saving Configuration Changes dialog box.
Export the CA Certificate
The clients need to trust the certificate that the SSTP listener presents to them. If you are using a commercial certificate, this is not going to be a problem, as it is likely that they already trust the certificate authority that you purchased the certificate from. If you are using a private CA like we were using in this article, then you need to make sure that the clients trust the CA that signed the SSTP Web site certificate.
If the clients are domain members and you are using an enterprise CA, then you would not have any problems since the CA certificate will be automatically placed in the clients Trusted Root Certification Authorities machine certificate store. However, if you have clients that are not domain members or if you are not using an enterprise CA, then you need to import the certificate. In that case, you need to obtain the CA certificate. In the figure below you see the Web site certificate used by the SSTP listener in the Certificates MMC console.
Double click on the certificate and click on the Certificate Path tab. You will see the CA that issued the Web site certificate on the top of the list. Double click on that CA. Then you will see a Certificate dialog box for the CA certificate. Click on the Details tab. On the Details tab for the CA certificate, click the Copy to File button.
The wizard will guide you through the steps in order to export the CA certificate. Once you get the certificate exported, copy it to the client that you want to test from.
Import the CA Certificate into the VPN Client’s Machine Certificate Store
Let us focus our attention on the Windows 7 VPN client. Open the Certificates MMC and expand the Trusted Root Certificate Authorities node in the left pane of the console. Right click the Certificates node just under that and point to All Tasks and then click Import.
Remember – you are importing this into the machine certificate store. You are not importing it into the user or service certificate store.
Move through the wizard. When you get to the File to Import page, make sure you select the CA certificate that you exported earlier. Click Next.
When you complete the wizard, you will see the certificate appear in the Trusted Root Certification Authorities\Certificates node. Double click on the certificate and you can see the details of the CA certificate.
Make the VPN Connection and Confirm an SSTP Link
We are ready to have some fun now. On the Windows 7 client, open the Network and Sharing window. Click the Set up a new connection or network link on this page.
On the Set Up a Connection or Network page, click the Connect to a workplace link and click Next.
On the How do you want to connect? page, select the Use my Internet connection (VPN) option.
On the Type the Internet address to connect to page, enter the FQDN of the SSTP VPN server. Note that since we are using SSL and a Web Listener, you will need to connect to a FQDN and not an IP address. This FQDN needs to be the same as the common or subject name on the SSTP Web site certificate. Also enter a name so that you recognize the connectoid by name. Click Next.
Enter the user name and password to authenticate with the TMG VPN firewall. Make sure your domain policy is configured to enable dial in access for user accounts based on policy.
Click Connect to establish the link.
Wow! We are now connected! That was too easy. Yep, that was too easy.
If you check the details of the VPN connection, you will get a little sad. What we thought was an SSTP connection is actually a PPTP connection. What’s up with that?
What is up with what appears in the figure below. Here you can see a line indicating that the SSTP client is trying to access the CRL.
What’s up with that? That is not the CRL addresses listed on the certificate! OK, if things made sense there would be no reason for me to write these articles. What we need to do is add this path to our CRL Web Publishing Rule.
Go to the Web Publishing Rule you created for the CRL earlier and add a new path. This path is /CertEnroll/DC+.crl. Check the figure below for where to do this.
Remember to save the changes to the configuration.
When you disconnect the client computer and restart the connection, you will notice that it will connect using PPTP again. The easiest way to fix this problem is to force the VPN client to use SSTP, as shown in the figure below. You could also recycle the firewall service if you like, but forcing the VPN client to use SSTP is a bit less disruptive.
Start the VPN connection again. This time after you connect, check the properties of the connection. Here you will be happily surprised since it actually established an SSTP connection. Sweet!
If you check the TMG firewall’s logs, you will see that the CRL check it successful due to the fact that we added the new path, as seen in the figure below.
Of course, just because we are able to connect to the VPN does not mean we have any access to the corporate network. You will need to create firewall rules to control what VPN clients can access on the network after they connect. There are no default rules, so at this point the VPN client is connected over SSTP, but it unable to access any resources. Once you create firewall rules that allow the VPN clients Network access to resources on the corporate network, then they will be able to connect to those resources.
If you would like to read the other parts in this article series please go to