Using Forefront Unified Access Gateway (UAG), you provide remote client VPN access to the internal corporate network by publishing the SSL Network Tunneling application. Before publishing the SSL Network Tunneling application, you must set up the VPN client network using either Secure Sockets Tunneling Protocol (SSTP), or the legacy proprietary Forefront UAG Network Connector.
This topic describes the steps required to configure remote client access with SSTP, as follows:
- Enabling SSL network
tunneling─Follow this procedure to enable remote client VPN
access to all routes and subnets defined in the internal
- Specifying the maximum number of VPN
client connections─Limit the number of remote VPN clients that
can connect concurrently to Forefront UAG using SSL network
- Publishing SSL Network
Tunneling─After configuring a Forefront UAG remote VPN network
that uses SSL network tunneling, you can make the VPN connection
available to client endpoints by publishing it via a Forefront
Unified Access Gateway (UAG) trunk.
- Selecting a VPN protocol─Select
a protocol for remote client VPN connections.
- Assigning IP addresses to VPN
clients─Assign IP addresses to remote VPN clients. You can do
this statically by creating a pool of IP addresses and assigning
them to remote VPN client connections, or you can allocate IP
addresses to remote VPN clients dynamically using DHCP. Note that
you cannot use DHCP when Forefront UAG servers are deployed in a
multi-server array configuration.
By default, all users have full access to the internal network through SSTP. To block user access to the internal network or to particular services over SSTP, see Configuring Forefront TMG to block users over SSTP.
Enabling SSL network tunneling
To enable SSL network tunneling
In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling (SSTP).
On the SSL Tunneling Configuration dialog box, select Enable remote client VPN access.
Specifying the maximum number of VPN client connections
To set a maximum limit for VPN client connections
On the General tab of the SSL Tunneling Configuration dialog box, specify a limit for maximum concurrent client connections in Maximum VPN client connections.
Publishing SSL Network Tunneling
To publish SSL Network Tunneling
On the General tab of the SSL Tunneling Configuration dialog box, select a trunk on which the SSL Network Tunneling application will be published. After selecting the trunk, the public host name of the trunk portal and the HTTPS certificate for the trunk, will be displayed.
Selecting a VPN protocol
To select a VPN protocol
On the Protocols tab of the SSL Tunneling Configuration dialog box, select the SSTP protocol. For more information about SSTP, see The Secure Socket Tunneling Protocol at Microsoft TechNet. The following table compares the VPN protocols.
Important: Using PPTP or L2TP/IPsec is not currently supported. Attributes PPTP L2TP/IPsec SSTP
L2TP over UDP
SSTP over TCP
Microsoft Point-to-Point Encryption (MPPE) with RC4
IPsec ESP with Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES)
SSL with RC 4 or AES
Tunnel maintenance protocol
When user authentication occurs
Before encryption begins
After the IPsec session is established
After the SSL session is established
Certificates required to establish the VPN tunnel
Computer certificates on both the VPN client and the VPN server
Computer certificate on the VPN server and root CA certificate on the VPN client
Assigning IP addresses to VPN clients
To assign IP addresses to VPN clients
On the IP Address Assignment tab of the SSL Tunneling Configuration dialog box, select the assignment method, as follows:
- To allocate IP addresses statically, select
Assign addresses from static address pool, and then click
Add to specify an IP address range.
Tip: Ensure that you remove the IP address range specified in the static pool from the address range defined for the internal network. Addresses in the two ranges should not overlap.
- To allocate IP addresses automatically,
select Assign address using DHCP. DHCP is not supported when
multiple Forefront UAG servers are gathered in an array
configuration. This limitation exists because of routing issues for
DHCP address allocation in an array topology.
- To allocate IP addresses statically, select Assign addresses from static address pool, and then click Add to specify an IP address range.