Solved

Microsoft Forefront UAG 2010 SP1 - remote network access (SSTP) mystery

Posted on 2011-09-26
Last Modified: 2012-07-01
I have a Forefront UAG HTTPS trunk working as a portal site, providing terminal server access.  But I can't get remote network access (VPN) to work on the same trunk/portal.


I am using Forefront UAG 2010 SP1
 - Private network consists of several segments: 172.16.x.0/24 (where x=1,2,or 3)
 - Astaro firewall routes between private segments
 - router address on each segment is 172.16.x.1
 - UAG is dual homed on 172.16.1.11 and with public address xx.xx.xx.xx
 - UAG private network is defined as 172.16.1.1 -- 172.16.255.255

Remote network access is enabled (both SSTP and SSL)
 - IP address pool for SSTP is 172.17.1.2 -- 172.17.1.253
 - IP address pool for SSL is 172.18.1.2 -- 172.17.2.253

The UAG server is a member of the domain.  Portal authentication using domain userid/password works just fine.  Network access is configured to use the same domain for authentication.  At first I had configured only selected domain groups to be allowed to use remote network access, but now I have allowed all users to simplify.


When I try to launch remote network access (click on remote network access icon in UAG portal) the client application seems to launch just fine.  Shows as connected.  But nothing works.
 - Ping to any 172.16.x.x address does not work
 - Ping to hostnames does not work
 - ROUTE PRINT on the client shows no entries for 172.* addresses
 - there is no new virtual adapter showing in IPCONFIG

Basically, nothing seems to happen and I am at a loss how to debug.
Question by: Carlo-Giuliani

6 Comments
Expert Comment

by: Keith Alabaster
ID: 36817091
Change the private network to three class C networks on separate lines in the GUI. Both TMG and UAG have a view of the world at the Class C break point.

172.16.1.0 - 172.16.1.255
172.16.2.0 - 172.16.2.255
etc

Save the TMG config and re-apply the UAG policy
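Before reworking the private network definition, a practitioner would want to sanity-check the ranges the question lists. The following Python is an added example, not code from the thread, from UAG or from TMG: it parses the ranges exactly as the post writes them ("first -- last"; the UAG console's own syntax is not shown on the page, so that format is an assumption), rejects any range whose last address is below its first, flags pools that collide with the private network definition, and expands the private network into the per-/24 lines Keith's comment asks for.

```python
"""Audit the address ranges of a UAG remote network access configuration.

Added example, not code from the original thread or from Microsoft. It takes
the ranges the question lists (UAG private network, SSTP pool, SSL pool) as
'first -- last' strings, the way the post writes them; the console's own
range syntax is not shown on the page, so that format is an assumption.
"""
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(text: str) -> Range:
    """Parse 'a.b.c.d -- w.x.y.z' into (first, last), rejecting inverted ranges."""
    parts = [p.strip() for p in text.split("--")]
    if len(parts) != 2:
        raise ValueError(f"expected 'first -- last', got {text!r}")
    first, last = (ipaddress.IPv4Address(p) for p in parts)
    if last < first:
        raise ValueError(f"inverted range {text!r}: last address is below first")
    return first, last


def class_c_view(rng: Range) -> List[ipaddress.IPv4Network]:
    """Every /24 the range touches: one GUI line each, as Keith's comment suggests."""
    first, last = rng
    start = int(ipaddress.ip_network(f"{first}/24", strict=False).network_address)
    stop = int(ipaddress.ip_network(f"{last}/24", strict=False).network_address)
    return [ipaddress.IPv4Network((n, 24)) for n in range(start, stop + 1, 256)]


def overlaps(a: Range, b: Range) -> bool:
    """True when the two inclusive ranges share at least one address."""
    return not (a[1] < b[0] or b[1] < a[0])


def audit(private: str, pools: Dict[str, str]) -> Dict[str, object]:
    """Validate each address pool against the private network definition.

    Returns the pool names that fail to parse, the pool names that collide
    with the private network, and the /24 lines the private network expands to.
    """
    private_rng = parse_range(private)
    invalid: List[str] = []
    colliding: List[str] = []
    for name, text in pools.items():
        try:
            pool_rng = parse_range(text)
        except ValueError:
            invalid.append(name)
            continue
        if overlaps(private_rng, pool_rng):
            colliding.append(name)
    return {
        "invalid": invalid,
        "colliding": colliding,
        "private_class_c": [str(n) for n in class_c_view(private_rng)],
    }


# Values copied from the question as posted. The SSL pool is written with its
# last address below its first, which the audit reports as invalid.
POSTED_PRIVATE = "172.16.1.1 -- 172.16.255.255"
POSTED_POOLS = {
    "SSTP": "172.17.1.2 -- 172.17.1.253",
    "SSL": "172.18.1.2 -- 172.17.2.253",
}

if __name__ == "__main__":
    result = audit(POSTED_PRIVATE, POSTED_POOLS)
    print("invalid pools:   ", result["invalid"])
    print("colliding pools: ", result["colliding"])
    lines = result["private_class_c"]
    print(f"private network spans {len(lines)} /24 lines, "
          f"from {lines[0]} to {lines[-1]}")
```

Run as written, the audit reports the SSL pool as invalid, because the post gives it as 172.18.1.2 -- 172.17.2.253, and expands the private network to 255 lines from 172.16.1.0/24 to 172.16.255.0/24. Whether that pool is a typo in the post or in the console is worth confirming in the GUI before anything else. What the audit cannot see is routing: the pools sit outside the 172.16.0.0/16 private network, so the routers on the private segments (the Astaro in this setup) need a return route for the pool addresses via the UAG's internal address, and the TMG live log Keith points to later is the place to look when the tunnel comes up but replies never arrive.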

Author Comment

by: Carlo-Giuliani
ID: 36907654
Hmm...interesting idea.  I will give that a try when I can get back to it.

Author Comment

by: Carlo-Giuliani
ID: 36957746

I have tried Keith's suggestion...no difference.

But I now realize my description of the symptoms was not correct.  It looks like the SSTP tunnel is being established, and the client is assigned an appropriate IP address.  But there is no communication with any devices on the private network.


Expert Comment

by: Keith Alabaster
ID: 36957937
Different ball game then entirely.
Open the TMG console rather than the UAG console, run up the real-time log viewer, and see what is logged when access is attempted.

Accepted Solution

by: Carlo-Giuliani
ID: 38125743
I eventually gave up on UAG and replaced it with a Barracuda SSLVPN virtual appliance.  Cheaper, much easier to configure, and does everything we need.

Author Closing Comment

by: Carlo-Giuliani
ID: 38142496
see last comment.