Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol that communicates over port 443. When you publish the SSL Network Tunneling (SSTP) application through Forefront Unified Access Gateway (UAG), do not try to restrict end user access to the SSTP application by blocking port 443, because that blocks the tunnel itself for everyone; instead, block user access to the services and protocols that are reachable through the SSTP tunnel.
For more information about configuring remote client access with SSTP, see Publishing remote network access with SSTP.
This topic describes how to block end user access to the internal network and all of its services and protocols.
To block end user access to services through SSTP

1. On the Forefront UAG server, open the Forefront Threat Management Gateway (TMG) Management console.
2. Right-click Firewall Policy, click New, and then click Access Rule.
3. In the New Access Rule Wizard, in Access rule name, enter a name for the rule, such as SSTP Block, and then click Next.
4. On the Rule Action page of the wizard, click Deny, and then click Next.
5. On the Protocols page of the wizard, in This rule applies to, click All outbound traffic, and then click Next.
   Note: To block only certain protocols, click Selected protocols, and then click Add. On the Add Protocols dialog box, for each protocol that you want to block, click the protocol name, and then click Add.
6. On the Access Rule Sources page of the wizard, click Add. On the Add Network Entities dialog box, in Networks, click VPN Clients, and then click Add. On the Add Network Entities dialog box, click Close, and then on the Access Rule Sources page of the wizard, click Next.
7. On the Access Rule Destinations page of the wizard, click Add. On the Add Network Entities dialog box, in Networks, click Internal, and then click Add. On the Add Network Entities dialog box, click Close, and then on the Access Rule Destinations page of the wizard, click Next.
8. On the User Sets page of the wizard, click All Users, and then click Remove.
9. On the User Sets page of the wizard, click Add, and then on the Add Users dialog box, click New to open the New User Set Wizard.
   - In the New User Set Wizard, in User set name, enter a name for the user set, such as SSTPBlockedUsers, and then click Next.
   - In the New User Set Wizard, on the Users page, click Add, and then click Windows users and groups.
   - On the Select Users or Groups dialog box, select the users or groups that will be blocked from using services over SSTP, and then click OK.
   - In the New User Set Wizard, click Next, and then click Finish.
10. On the Add Users dialog box, click the user set that you created, and then click Add. On the Add Users dialog box, click Close, and then on the User Sets page of the New Access Rule Wizard, click Next.
11. On the Completing the New Access Rule Wizard page, click Finish.
12. In the Forefront TMG Management console, click Apply to activate the new rule.
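The same deny rule can be created from a script instead of the wizard, which is useful when the rule has to be reproduced on several UAG arrays or kept under version control. The following PowerShell is an added example and is not part of the original page or of the Forefront UAG/TMG product documentation; it drives the TMG administration COM object model (FPC.Root) to build the rule, the user set, and the VPN Clients to Internal scope described above. The object, method and enumeration names are recalled from the Forefront TMG SDK and are labelled as assumptions to verify against the SDK, and the domain group name is a placeholder.

```powershell
# Added example (not from the original page): creates the "SSTP Block" deny
# rule through the Forefront TMG administration COM object model (FPC.Root).
# Run in an elevated PowerShell session on the Forefront UAG/TMG server.
# Object, method and enumeration names are recalled from the TMG SDK and
# should be verified against it before use.

# Enumeration values (assumed; check FpcPolicyRuleActions,
# FpcProtocolSelectionType and FpcIncludeStatus in the TMG SDK).
$fpcPolicyRuleActionDeny = 1   # deny the matched traffic
$fpcAllProtocols         = 0   # "All outbound traffic" on the Protocols page
$fpcInclude              = 0   # include (not exclude) the referenced element

$ruleName     = 'SSTP Block'
$userSetName  = 'SSTPBlockedUsers'
$blockedGroup = 'CONTOSO\SSTP Blocked Users'   # placeholder: your domain group

$fpc    = New-Object -ComObject 'FPC.Root'
$array  = $fpc.GetContainingArray()
$policy = $array.ArrayPolicy.PolicyRules

# Equivalent of the New User Set Wizard: a user set holding the Windows
# users or groups that are blocked from services over SSTP.
# The Accounts.Add argument shape is assumed; confirm it against FPCAccounts.
$userSet = $array.RuleElements.UserSets.Add($userSetName)
$userSet.Accounts.Add($blockedGroup) | Out-Null
$userSet.Save()

# Equivalent of the Rule Action, Protocols, Sources and Destinations pages:
# Deny, all protocols, from the VPN Clients network to the Internal network.
$rule = $policy.AddAccessRule($ruleName)
$rule.Action = $fpcPolicyRuleActionDeny
$rule.AccessProperties.ProtocolSelectionMethod = $fpcAllProtocols
$rule.SourceSelectionIPs.Networks.Add('VPN Clients', $fpcInclude)
$rule.AccessProperties.DestinationSelectionIPs.Networks.Add('Internal', $fpcInclude)

# Equivalent of the User Sets page: remove the default "All Users" reference
# so the rule applies only to the blocked set, then add that set.
$rule.AccessProperties.UserSets.RemoveAll()
$rule.AccessProperties.UserSets.Add($userSetName, $fpcInclude)

# Save() commits the change to configuration storage, as clicking Apply does.
$policy.Save()

# Verification: list the new rule so its action and enabled state can be
# checked against what the console shows.
$policy | Where-Object { $_.Name -eq $ruleName } |
    Select-Object Name, Action, Enabled
```

After the script runs, open the Firewall Policy view in the TMG Management console and check where the new rule sits in the ordered rule list. TMG evaluates access rules top-down and applies the first match, so a deny rule that lands below an existing rule allowing VPN Clients to reach the Internal network will never be evaluated for that traffic and must be moved above it.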