How to configure Forefront UAG as an SSTP VPN Server

Let’s begin

Forefront UAG offers different VPN options for mobile users. DirectAccess for access anywhere as a permanent VPN connection for domain joined Windows 7 Ultimate and Enterprise clients, SSTP (Secure Socket Tunneling Protocol) for Windows Vista SP1 and higher clients, and the legacy SSL network Tunneling Server for older clients with Windows XP as the operating system.

To configure Forefront UAG as an SSTP Server, start the Forefront UAG management console and click AdminRemote Network AccessSSL Network Tunneling (SSTP).

Image
Figure 1: Enable SSTP

Enable remote client VPN access, specify the maximum number of VPN client connections and select the UAG trunk for which SSTP VPN access should be enabled.

Image
Figure 2: SSTP is enabled

On the IP address assignment tab specify how VPN clients should get IP addresses. It is possible to assign addresses from a static IP address pool or from an internal DHCP Server. If you use a static IP address pool, the IP address pool must be different from the IP address ranges assigned to the internal network object on the underlying Forefront TMG Server.

Attention:
In the case of static IP address ranges it is possible to exclude the IP range from the definition of your internal network.

Image
Figure 3: IP address range for SSTP clients

If you click the Advanced button it is possible to manually enter the IP address of DNS and WINS Servers used by the SSTP clients.

Image
Figure 4: Name resolution for SSTP clients

On the User groups tab it is possible to limit SSTP VPN client access to specific user and usergroups and to specific IP addresses or IP address ranges which clients should be able to access.

Image
Figure 5: Define remote VPN Client Authorization

The next step is to publish the SSTP VPN connection to the portal used by SSTP. Right click the Portal trunk and click Add Application and enter the radio button Client/server and legacy and select remote Network Access.

Image
Figure 6: Publish SSTP to the portal

Enter an application name, an Endpoint access policy and if necessary in Step 4 another port used by Forefront UAG and if the application should be automatically started at user logon to the portal.

Image
Figure 7: Configure Server settings

In Step 6 of the wizard it is possible to limit access to the SSTP application in the portal to specific users and user groups.

Image
Figure 8: Configure access to the SSTP application

If the wizard has been finished, save and activate the configuration.

During the activation process, Forefront UAG/TMG configures the Windows Server Routing and Remote Access component.

Image
Figure 9: RRAS configuration

The UAG activation process also enables SSTP access in the Forefront TMG console.

Image
Figure 10: SSTP in Forefront TMG

Don’t be confused that there is no Weblistener configured for SSTP access in the Forefront TMG Management console. Forefront UAG will do the work.

Now it is time to test an SSTP connection from a Windows client. Log on to the Forefront UAG portal and launch the SSTP application.

Image
Figure 11: Launch the SSTP connection

If you are using a certificate from your own Certificate Authority make sure that the Certificate Distribution Point (CDP) is accessable from the Internet, else, the SSTP VPN connection cannot be established, because SSTP requires a CRL check.

Image
Figure 12: SSTP certificate revocation check failed

For testing purposes only it is possible to disable the Certificate revocation check on the client.

On the Windows client computer, open Regedit and create a DWORD value NoCertRevocationCheck under HKLM\System\CurrentControlSet\Services\SSTPSVC\Parameters. Set the value = 1.

The client is now connected with Forefront UAG Remote Network Access.

Image
Figure 13: SSTP connection established

The SSTP connection installs a small application which allows users to get informed about the network connection status or to disconnect the SSTP connection.

Image
Figure 14: SSTP client application

The SSTP clients gets an IP address from the static IP address pool configured on the Forefront UAG Server.

Image
Figure 15: SSTP client IP address

The Forefront UAG Web Monitor allows you to monitor the SSTP connection

Image
Figure 16: Forefront UAG Web Monitor

Conclusion

In this article I showed you how easy it is to publish an SSTP VPN connection with Forefront UAG for Windows Vista SP1 clients and higher.

Related links

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top