Solved

Microsoft Forefront UAG 2010 SP1 - remote network access (SSTP) mystery

Posted on 2011-09-26
840 Views
Last Modified: 2012-07-01
I have a Forefront UAG https trunk working as a portal site, providing terminal server access.  But I can't get remote network access (VPN) to work on the same trunk/portal.


I am using Forefront UAG 2010 SP1
 - Private network consists of several segments: 172.16.x.0/24 (where x=1,2,or 3)
 - Astaro  firewall routes between private segments
 - router address on each segment is 172.16.x.1
 - UAG is dual homed on 172.16.1.11 and with public address xx.xx.xx.xx
 - UAG private network is defined as 172.16.1.1 -- 172.16.255.255

Remote network access is enabled (both SSTP and SSL)
 - IP address pool for SSTP is 172.17.1.2 -- 172.17.1.253
 - IP address pool for SSL is 172.18.1.2 -- 172.17.2.253

The UAG server is a member of the domain.  Portal authentication using domain userid/password works just fine.  Network access is configured to use the same domain for authentication.  At first I had configured only selected domain groups to be allowed to use remote network access, but now I  have allowed all users to simplify.


When I try to launch remote network access (click on remote network access icon in UAG portal) the client application seems to launch just fine.  Shows as connected.  But nothing works.
 - Ping to any 172.16.x.x address does not work
 - Ping to hostnames does not work
 - ROUTE PRINT on the client shows no entries for 172.* addresses
 - there is no new virtual adapter showing in IP config

Basically, nothing seems to happen and I am at a loss how to debug.
Question by:Carlo-Giuliani
6 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 36817091
Change the private network to three class C networks on separate lines in the GUI. Both TMG and UAG have a view of the world at the class C break point.

172.16.1.0 - 172.16.1.255
172.16.2.0 - 172.16.2.255
etc

Save the TMG config and re-apply the UAG policy
0
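The question quotes the private network range and the two VPN address pools, and the comment above suggests re-entering the private network one /24 at a time. The following script, an added example that is not part of this thread nor of any Microsoft tool, parses those ranges exactly as typed in the question and runs the checks I would do before touching the UAG console: each range must be ordered (the SSL pool as typed, 172.18.1.2 -- 172.17.2.253, ends before it starts, which the script flags), no pool may overlap the private network, the private network is expanded into the per-/24 lines the comment proposes, and, assuming the topology the question describes (pools outside the private network, UAG internal address 172.16.1.11 on the 172.16.1.0/24 segment), it lists the return routes the internal router would need so that private hosts can answer VPN clients. That last point is an assumption derived from the numbers in the question, not something the thread states.

```python
"""Address-range sanity checks for a UAG-style SSTP/SSL VPN setup.

Example code added to the thread; the ranges below are copied from the
question as typed there (including the apparently mistyped SSL pool).
"""
import ipaddress
from typing import Dict, List, Tuple

AddrRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Values quoted in the question (constructed input for this example).
PRIVATE_NETWORK = "172.16.1.1 -- 172.16.255.255"
POOLS = {
    "SSTP pool": "172.17.1.2 -- 172.17.1.253",
    "SSL pool": "172.18.1.2 -- 172.17.2.253",   # as typed: end precedes start
}
UAG_INTERNAL_IP = "172.16.1.11"   # UAG's address on the private segment


def parse_range(text: str) -> AddrRange:
    """Parse 'first -- last' (or 'first - last') into a pair of IPv4 addresses."""
    sep = "--" if "--" in text else "-"
    first_text, last_text = text.split(sep, 1)
    return (ipaddress.IPv4Address(first_text.strip()),
            ipaddress.IPv4Address(last_text.strip()))


def range_is_ordered(r: AddrRange) -> bool:
    """A range whose last address precedes its first is a typo or a config error."""
    return r[0] <= r[1]


def ranges_overlap(a: AddrRange, b: AddrRange) -> bool:
    """True if the two inclusive ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def covering_24s(r: AddrRange) -> List[ipaddress.IPv4Network]:
    """Every /24 that contains at least one address of the range, ascending."""
    first_net = ipaddress.ip_network(f"{r[0]}/24", strict=False)
    last_net = ipaddress.ip_network(f"{r[1]}/24", strict=False)
    start, stop = int(first_net.network_address), int(last_net.network_address)
    return [ipaddress.ip_network(f"{ipaddress.IPv4Address(addr)}/24")
            for addr in range(start, stop + 1, 256)]


def class_c_lines(r: AddrRange) -> List[str]:
    """One 'x.y.z.0 - x.y.z.255' line per /24, as the comment above suggests."""
    return [f"{n.network_address} - {n.broadcast_address}" for n in covering_24s(r)]


def audit(private_text: str, pools: Dict[str, str], uag_internal_ip: str) -> Dict[str, list]:
    """Run all checks and return problems, per-/24 lines and assumed return routes."""
    private = parse_range(private_text)
    report: Dict[str, list] = {"problems": [], "class_c_lines": class_c_lines(private),
                               "return_routes": []}
    if not range_is_ordered(private):
        report["problems"].append("private network: last address precedes first")
    for name, text in pools.items():
        pool = parse_range(text)
        if not range_is_ordered(pool):
            report["problems"].append(
                f"{name}: last address {pool[1]} precedes first {pool[0]}")
            continue
        if ranges_overlap(pool, private):
            report["problems"].append(f"{name}: overlaps the private network range")
        # Assumed topology: pool addresses sit outside the private network, so the
        # internal router needs a route back to each covering /24 via the UAG box.
        for net in covering_24s(pool):
            report["return_routes"].append(f"{net} via {uag_internal_ip}")
    return report


if __name__ == "__main__":
    result = audit(PRIVATE_NETWORK, POOLS, UAG_INTERNAL_IP)
    for key, lines in result.items():
        print(f"{key}:")
        for line in lines[:5]:
            print("  " + line)
        if len(lines) > 5:
            print(f"  ... ({len(lines)} lines total)")
```

Running it prints the inverted SSL pool as the only problem, 255 class C lines from 172.16.1.0 - 172.16.1.255 through 172.16.255.0 - 172.16.255.255, and a single assumed return route, 172.17.1.0/24 via 172.16.1.11, which is the route to confirm on the Astaro firewall if the tunnel comes up but nothing on the private network answers.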
 
LVL 12

Author Comment

by:Carlo-Giuliani
ID: 36907654
Hmm...interesting idea.  I will give that a try when I can get back to it.
 
0
 
LVL 12

Author Comment

by:Carlo-Giuliani
ID: 36957746

I have tried Keith's suggestion...no difference.

But I now realized my description of the symptoms was not correct.  It looks like the SSTP tunnel is being established...and the client is assigned an appropriate IP address.  But there is no communication with any devices on the private network.

 
0
LVL 51

Expert Comment

by:Keith Alabaster
ID: 36957937
Different ball game then entirely.
Open the TMG console rather than the UAG console - run up the real-time log viewer - what are you seeing when access is attempted?
0
 
LVL 12

Accepted Solution

by:Carlo-Giuliani (earned 0 total points)
ID: 38125743
I eventually gave up on UAG and replaced it with a Barracuda SSLVPN virtual appliance.  Cheaper, much easier to configure, and does everything we need.
0
 
LVL 12

Author Closing Comment

by:Carlo-Giuliani
ID: 38142496
see last comment.
0
