Publishing remote network access with SSTP
Updated: February 15, 2013
Applies To: Unified Access Gateway
Some of the Forefront Unified Access Gateway 2010 SP3 features discussed in this article may be deprecated and may be removed in subsequent releases. For a complete list of deprecated features, see Features Deprecated in Forefront UAG SP3.
Using Forefront Unified Access Gateway (UAG), you provide remote client VPN access to the internal corporate network by publishing the SSL Network Tunneling application. Before publishing the SSL Network Tunneling application, you must set up the VPN client network using either Secure Sockets Tunneling Protocol (SSTP), or the legacy proprietary Forefront UAG Network Connector.
This topic describes the steps required to configure remote client access with SSTP, as follows:
To enable SSL network tunneling─Follow this procedure to enable remote client VPN access to all routes and subnets defined in the internal network.
To set a maximum limit for VPN client connections─Limit the number of remote VPN clients that can connect concurrently to Forefront UAG using SSL network tunneling.
To publish SSL Network Tunneling─After configuring a Forefront UAG remote VPN network that uses SSL network tunneling, you can make the VPN connection available to client endpoints by publishing it via a Forefront UAG trunk.
To assign IP addresses to VPN clients─Assign IP addresses to remote VPN clients. You can do this statically by creating a pool of IP addresses and assigning them to remote VPN client connections, or you can allocate IP addresses to remote VPN clients dynamically using DHCP. Note that you cannot use DHCP when Forefront UAG servers are deployed in a multi-server array configuration.
To limit access to specific Active Directory groups—You can configure Forefront UAG to only allow VPN clients in specific Active Directory user groups to access certain IP addresses or ranges of IP addresses.
The trunk through which you publish SSTP must use Active Directory authentication.
The Forefront UAG server must be domain joined to the Active Directory domain used by the SSTP application for authentication.
To enforce Forefront UAG portal authentication, do not set users dial-in properties to Allow access.
To enable SSL network tunneling
In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling (SSTP).
On the SSL Network Tunneling Configuration dialog box, select Enable remote client VPN access.
To set a maximum limit for VPN client connections
- On the General tab of the SSL Network Tunneling Configuration dialog box, specify a limit for maximum concurrent client connections in Maximum VPN client connections.
To publish SSL Network Tunneling
- On the General tab of the SSL Network Tunneling Configuration dialog box, select a trunk on which the SSL Network Tunneling application will be published. After selecting the trunk, the public host name of the trunk portal and the HTTPS certificate for the trunk, will be displayed.
To assign IP addresses to VPN clients
On the IP Address Assignment tab of the SSL Network Tunneling Configuration dialog box, select the assignment method, as follows:
To allocate IP addresses statically, select Assign addresses from static address pool, and then click Add to specify an IP address range.
Ensure that you remove the IP address range specified in the static pool from the address range defined for the internal network. Addresses in the two ranges should not overlap.
To allocate IP addresses automatically, select Assign address using DHCP. DHCP is not supported when multiple Forefront UAG servers are gathered in an array configuration. This limitation exists because of routing issues for DHCP address allocation in an array topology.
To limit access to specific Active Directory groups
On the User Groups tab of the SSL Network Tunneling Configuration dialog box, select the Limit access to specific Active Directory user groups check box, and then click Add.
On the Define Remote VPN Client Authorization dialog box, click Select to select the Active Directory user groups for which you want to restrict access.
Click Add Address or Add Range and enter the IP address or range of IP addresses that the selected user groups can access.