Using Forefront Unified Access Gateway (UAG), you provide remote client VPN access to the internal corporate network by publishing the SSL Network Tunneling application. Before publishing the SSL Network Tunneling application, you must set up the VPN client network using either Secure Sockets Tunneling Protocol (SSTP), or the legacy proprietary Forefront UAG Network Connector.

This topic describes the steps required to configure remote client access with SSTP, as follows:

  1. Enabling SSL network tunneling: Follow this procedure to enable remote client VPN access to all routes and subnets defined in the internal network.

  2. Specifying the maximum number of VPN client connections: Limit the number of remote VPN clients that can connect concurrently to Forefront UAG using SSL network tunneling.

  3. Publishing SSL Network Tunneling: After configuring a Forefront UAG remote VPN network that uses SSL network tunneling, you can make the VPN connection available to client endpoints by publishing it via a Forefront Unified Access Gateway (UAG) trunk.

  4. Selecting a VPN protocol: Select a protocol for remote client VPN connections.

  5. Assigning IP addresses to VPN clients: Assign IP addresses to remote VPN clients. You can do this statically by creating a pool of IP addresses and assigning them to remote VPN client connections, or you can allocate IP addresses to remote VPN clients dynamically using DHCP. Note that you cannot use DHCP when Forefront UAG servers are deployed in a multi-server array configuration.

By default, all users have full access to the internal network through SSTP. To block user access to the internal network or to particular services over SSTP, see Configuring Forefront TMG to block users over SSTP.

Enabling SSL network tunneling

To enable SSL network tunneling

  1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling (SSTP).

  2. On the SSL Tunneling Configuration dialog box, select Enable remote client VPN access.

Specifying the maximum number of VPN client connections

To set a maximum limit for VPN client connections

  1. On the General tab of the SSL Tunneling Configuration dialog box, specify a limit for maximum concurrent client connections in Maximum VPN client connections.

Publishing SSL Network Tunneling

To publish SSL Network Tunneling

  1. On the General tab of the SSL Tunneling Configuration dialog box, select a trunk on which the SSL Network Tunneling application will be published. After you select the trunk, the public host name of the trunk portal and the HTTPS certificate for the trunk are displayed.

Selecting a VPN protocol

To select a VPN protocol

  1. On the Protocols tab of the SSL Tunneling Configuration dialog box, select the SSTP protocol. For more information about SSTP, see The Secure Socket Tunneling Protocol at Microsoft TechNet. The following table compares the VPN protocols.

    Important:
    Using PPTP or L2TP/IPsec is not currently supported.

    | Attribute                                          | PPTP                                                 | L2TP/IPsec                                                                                  | SSTP                                                                               |
    |----------------------------------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------|
    | Encapsulation                                      | GRE                                                  | L2TP over UDP                                                                               | SSTP over TCP                                                                      |
    | Encryption                                         | Microsoft Point-to-Point Encryption (MPPE) with RC4  | IPsec ESP with Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES) | SSL with RC4 or AES                                                                |
    | Tunnel maintenance protocol                        | PPTP                                                 | L2TP                                                                                        | SSTP                                                                               |
    | When user authentication occurs                    | Before encryption begins                             | After the IPsec session is established                                                      | After the SSL session is established                                               |
    | Certificates required to establish the VPN tunnel  | None                                                 | Computer certificates on both the VPN client and the VPN server                             | Computer certificate on the VPN server and root CA certificate on the VPN client   |

Assigning IP addresses to VPN clients

To assign IP addresses to VPN clients

  1. On the IP Address Assignment tab of the SSL Tunneling Configuration dialog box, select the assignment method, as follows:

    • To allocate IP addresses statically, select Assign addresses from static address pool, and then click Add to specify an IP address range.

      Tip:
      Ensure that you remove the IP address range specified in the static pool from the address range defined for the internal network. Addresses in the two ranges should not overlap.

    • To allocate IP addresses automatically, select Assign address using DHCP. DHCP is not supported when multiple Forefront UAG servers are gathered in an array configuration. This limitation exists because of routing issues for DHCP address allocation in an array topology.
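As an added planning check (example code written for this page, not part of this topic or of Forefront UAG), the following Python script validates a static address pool before you enter it on the IP Address Assignment tab: it flags any pool range that overlaps the internal network ranges, and warns when the Maximum VPN client connections limit from the General tab exceeds the number of addresses the pool can hand out. The subnets, pool ranges and limit are constructed sample values.

```python
import ipaddress

# Constructed sample values; replace with the internal network definition,
# the static pool ranges (start, end) and the configured connection limit.
INTERNAL_SUBNETS = ["10.0.0.0/16", "192.168.10.0/24"]
STATIC_POOLS = [("10.0.50.1", "10.0.50.100"), ("172.16.5.1", "172.16.5.50")]
MAX_VPN_CLIENTS = 200


def pool_networks(start, end):
    """Expand a start-end pool range into the CIDR blocks that cover it exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def find_overlaps(internal_subnets, static_pools):
    """Return sorted (internal_subnet, 'start-end') pairs whose addresses overlap."""
    internal = [ipaddress.ip_network(s, strict=False) for s in internal_subnets]
    hits = set()
    for start, end in static_pools:
        for block in pool_networks(start, end):
            for net in internal:
                if net.overlaps(block):
                    hits.add((str(net), f"{start}-{end}"))
    return sorted(hits)


def pool_capacity(static_pools):
    """Total number of addresses across all static pool ranges (inclusive)."""
    return sum(int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
               for start, end in static_pools)


def check_plan(internal_subnets, static_pools, max_vpn_clients):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = [f"static pool {rng} overlaps internal subnet {net}"
                for net, rng in find_overlaps(internal_subnets, static_pools)]
    capacity = pool_capacity(static_pools)
    if max_vpn_clients > capacity:
        problems.append(f"Maximum VPN client connections ({max_vpn_clients}) "
                        f"exceeds static pool capacity ({capacity})")
    return problems


if __name__ == "__main__":
    for problem in check_plan(INTERNAL_SUBNETS, STATIC_POOLS, MAX_VPN_CLIENTS):
        print("WARNING:", problem)
```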