

Microsoft Forefront UAG 2010 SP1 - remote network access (SSTP) mystery

Posted on 2011-09-26
Medium Priority
Last Modified: 2012-07-01
I have a Forefront UAG https trunk working as a portal site, providing terminal server access.  But I can't get remote network access (VPN) to work on the same trunk/portal.

I am using Forefront UAG 2010 SP1
 - Private network consists of several segments: 172.16.x.0/24 (where x=1,2,or 3)
 - Astaro  firewall routes between private segments
 - router address on each segment is 172.16.x.1
 - UAG is dual homed on and with public address xx.xx.xx.xx
 - UAG private network is defined as --

Remote network access is enabled (both SSTP and SSL)
 - IP address pool for SSTP is --
 - IP address pool for SSL is --

The UAG server is a member of the domain.  Portal authentication using domain userid/password works just fine.  Network access is configured to use the same domain for authentication.  At first I had configured only selected domain groups to be allowed to use remote network access, but now I have allowed all users to simplify.

When I try to launch remote network access (click on remote network access icon in UAG portal) the client application seems to launch just fine.  Shows as connected.  But nothing works.
 - Ping to any 172.16.x.x address does not work
 - Ping to hostnames does not work
 - ROUTE PRINT on the client shows no entries for 172.* addresses
 - there is no new virtual adapter showing in IP config

Basically, nothing seems to happen and I am at a loss how to debug.
Question by:Carlo-Giuliani
LVL 51

Expert Comment

by:Keith Alabaster
ID: 36817091
Change the private network to three x class C networks on separate lines in the gui. Both TMG and UAG have a view of the world at the Class C break point. - -

Save the TMG config and re-apply the UAG policy
LVL 12

Author Comment

ID: 36907654
Hmm...interesting idea.  I will give that a try when I can get back to it.
LVL 12

Author Comment

ID: 36957746

I have tried Keith's difference.

But I now realized my description of the symptoms was not correct.  It looks like the SSTP tunnel is being established...and the client is assigned an appropriate IP address.  But there is no communication with any devices on the private network.



LVL 51

Expert Comment

by:Keith Alabaster
ID: 36957937
Different ball game then entirely.
Open the TMG console rather than the UAG console - run up the real-time log viewer - what are you seeing when access is attempted?
LVL 12

Accepted Solution

Carlo-Giuliani earned 0 total points
ID: 38125743
I eventually gave up on UAG and replaced it with a Barracuda SSLVPN virtual appliance.  Cheaper, much easier to configure, and does everything we need.
LVL 12

Author Closing Comment

ID: 38142496
see last comment.


Question has a verified solution.
