Microsoft Forefront UAG 2010 SP1 - remote network access (SSTP) mystery

Posted on 2011-09-26
Last Modified: 2012-07-01
I have an Forefront UAG https trunk working as a portal site, providing terminal server access.  But I can't get remote network access (VPN) to work on the same trunk/portal.

I am using Forefront UAG 2010 SP1
 - Private network consists of several segments: 172.16.x.0/24 (where x=1,2,or 3)
 - Astaro  firewall routes between private segments
 - router address on each segment is 172.16.x.1
 - UAG is dual homed on and with public address xx.xx.xx.xx
 - UAG private network is defined as --

Remote network access is enabled (both SSTP and SSL)
 - IP address pool for SSTP is --
 - IP address pool for SSL is --

The UAG server is a member of the domain.  Portal authentication using domain userid/password works just fine.  Network access is configured to use the same domain for authentication.  At first I had configured only selected domain groups to be allowed to use remote network access, but now I  have allowed all users to simplify.

When I try to launch remote network access (click on remote network access icon in UAG portal) the client application seems to launch just fine.  Shows as connected.  But nothing works.
 - Ping to any 172.16.x.x. address does not work
 - Ping to hostnames does not work
 - ROUTE PRINT on the client shows no entries for 172.* addreses
 - there is not new virtual adapter showing in IP config

Bascially, nothing seems to happen and I am a loss how to debug.
Question by:Carlo-Giuliani
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 51

Expert Comment

by:Keith Alabaster
ID: 36817091
Change the private network to three x class C networks on separate lines in the gui. Both TMG and UAG have a view of the world at the Class C break point. - -

Save the TMG config and re-apply the UAG policy
LVL 12

Author Comment

ID: 36907654
Hmm...interesting idea.  I will give that a try when I can get back to it.
LVL 12

Author Comment

ID: 36957746

I have tried Keith's difference.

But I now realized by description of the symptoms was not correct.  It looks like the SSTP tunnel is beingn established...and the client is assigned an appropriate IP address.  But there is no communication with any devices on the private network.

Limited time offer using promo code EXPERTS25

Designed with a wealth of functionality and convenience, ATEN's new Thunderbolt™ 2 Sharing Switch takes your Thunderbolt setup to the next level. Now through August 31, 2017, Experts Exchange members get 25% off the US7220 on the ATEN USA eShop using promo code EXPERTS25.

LVL 51

Expert Comment

by:Keith Alabaster
ID: 36957937
Different ball game then entirely.
Open the TMG console rather than the UAG console - run up the reatime log viewer - what are you seeing when access is attempted?
LVL 12

Accepted Solution

Carlo-Giuliani earned 0 total points
ID: 38125743
I eventually gave up on UAG and replaced it with a Barracuda SSLVPN virtual appliance.  Cheaper, much easier to configure, and does everything we need.
LVL 12

Author Closing Comment

ID: 38142496
see last comment.

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question