Solved

Microsoft Forefront UAG 2010 SP1 - remote network access (SSTP) mystery

Posted on 2011-09-26
Last Modified: 2012-07-01
I have a Forefront UAG https trunk working as a portal site, providing terminal server access.  But I can't get remote network access (VPN) to work on the same trunk/portal.

I am using Forefront UAG 2010 SP1
 - Private network consists of several segments: 172.16.x.0/24 (where x=1,2,or 3)
 - Astaro firewall routes between private segments
 - router address on each segment is 172.16.x.1
 - UAG is dual homed on 172.16.1.11 and with public address xx.xx.xx.xx
 - UAG private network is defined as 172.16.1.1 -- 172.16.255.255

Remote network access is enabled (both SSTP and SSL)
 - IP address pool for SSTP is 172.17.1.2 -- 172.17.1.253
 - IP address pool for SSL is 172.18.1.2 -- 172.17.2.253

The UAG server is a member of the domain.  Portal authentication using domain userid/password works just fine.  Network access is configured to use the same domain for authentication.  At first I had configured only selected domain groups to be allowed to use remote network access, but now I have allowed all users to simplify.

When I try to launch remote network access (click on remote network access icon in UAG portal) the client application seems to launch just fine.  Shows as connected.  But nothing works.
 - Ping to any 172.16.x.x address does not work
 - Ping to hostnames does not work
 - ROUTE PRINT on the client shows no entries for 172.* addresses
 - there is no new virtual adapter showing in IP config

Basically, nothing seems to happen and I am at a loss how to debug.
Question by:Carlo-Giuliani
6 Comments

Expert Comment

by:Keith Alabaster
ID: 36817091
Change the private network to three class C networks on separate lines in the GUI. Both TMG and UAG have a view of the world at the Class C break point.

172.16.1.0 - 172.16.1.255
172.16.2.0 - 172.16.2.255
etc

Save the TMG config and re-apply the UAG policy
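A small audit of the address ranges posted in the question, added here as an example and not part of the thread: it emits the per-class-C lines Keith recommends typing into the UAG GUI and checks that each VPN client pool is a sane range that does not collide with the private network definition. The ranges below are copied from the question as constructed input.

```python
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[str, str]  # ("first address", "last address") as typed in the GUI

# Constructed input, copied from the question (SSL pool quoted exactly as posted)
PRIVATE_NETWORK: Range = ("172.16.1.1", "172.16.255.255")
CLIENT_POOLS: Dict[str, Range] = {
    "SSTP": ("172.17.1.2", "172.17.1.253"),
    "SSL": ("172.18.1.2", "172.17.2.253"),
}
SEGMENTS = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]


def to_range(r: Range) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse a first/last pair and reject ranges whose end precedes the start."""
    start, end = (ipaddress.IPv4Address(a) for a in r)
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return start, end


def class_c_lines(segments: List[str]) -> List[str]:
    """One 'first - last' line per /24, the per-class-C format Keith suggests."""
    lines = []
    for cidr in segments:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen != 24:
            raise ValueError(f"{cidr} is not a class C sized block")
        lines.append(f"{net.network_address} - {net.broadcast_address}")
    return lines


def overlaps(a: Range, b: Range) -> bool:
    """True when two first/last ranges share at least one address."""
    s1, e1 = to_range(a)
    s2, e2 = to_range(b)
    return s1 <= e2 and s2 <= e1


def audit_pools() -> List[str]:
    """Report pools that are malformed or that overlap the private network."""
    findings = []
    for name, pool in CLIENT_POOLS.items():
        try:
            to_range(pool)
        except ValueError as exc:
            findings.append(f"{name} pool: {exc}")
            continue
        if overlaps(pool, PRIVATE_NETWORK):
            findings.append(f"{name} pool overlaps the UAG private network")
    return findings
```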

Author Comment

by:Carlo-Giuliani
ID: 36907654
Hmm...interesting idea.  I will give that a try when I can get back to it.

Author Comment

by:Carlo-Giuliani
ID: 36957746

I have tried Keith's suggestion...no difference.

But I now realized my description of the symptoms was not correct.  It looks like the SSTP tunnel is being established...and the client is assigned an appropriate IP address.  But there is no communication with any devices on the private network.


Expert Comment

by:Keith Alabaster
ID: 36957937
Different ball game then entirely.
Open the TMG console rather than the UAG console - run up the realtime log viewer - what are you seeing when access is attempted?

Accepted Solution

by:Carlo-Giuliani
ID: 38125743
I eventually gave up on UAG and replaced it with a Barracuda SSLVPN virtual appliance.  Cheaper, much easier to configure, and does everything we need.

Author Closing Comment

by:Carlo-Giuliani
ID: 38142496
See last comment.