Using Forefront Unified Access Gateway (UAG), you provide remote client VPN access to the internal corporate network by publishing the SSL Network Tunneling application. Before publishing the SSL Network Tunneling Application, you must set up the VPN client network using either Secure Sockets Tunneling Protocol (SSTP), or the legacy proprietary Forefront UAG Network Connector.
This topic describes the steps required to configure remote client access with Network Connector, as follows:
- Configuring network adapter settings: Configure the adapter that the Network Connector server should use.
- Modifying the default listener: By default, Network Connector listens for remote VPN client requests on TCP port 6003. You can modify the default listener (protocol and port combination), if required.
- Assigning IP addresses to VPN clients: Assign IP addresses to remote VPN clients from a static address pool. DHCP address allocation is not supported.
- Adding a Forefront TMG access rule: Configure a Forefront TMG access rule in order to assign IP addresses.
- Configuring Internet access: Define how VPN clients connected to the corporate network access the Internet. You can route Internet requests through the client's original Internet connection, or through the corporate network gateway. Alternatively, you can specify that VPN clients cannot access the Internet.
- Adding additional networks: You can define up to 200 additional network destinations that are available to VPN clients connecting with Network Connector. This is useful if your corporate network has multiple subnets, and you want to allow VPN client access to additional subnets.
- Logging extended Network Connector traffic: By default, IP addresses allocated to VPN clients connecting to Forefront UAG Network Connector are logged. Logged information includes the user name and domain (in the format DOMAIN\username), and the IP address allocated from the pool. If required, you can enable extended logging for Network Connector traffic. Enable extended logging only when troubleshooting, because it creates large dump files that accumulate over time. These files are not deleted automatically and may reduce server performance. Note that dump files can be written, read, and deleted while there are active sessions to the Network Connector application.
Configuring network adapter settings
To configure network adapter settings for the Network Connector server
1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.
2. On the SSL Network Tunneling Server dialog box, on the Network Segment tab, in the Complementary Data area, you can specify alternative network settings. Select Only if Network Configuration is Missing to specify that the remote VPN client should use the settings specified in the Network Connection area. Alternative settings are used only if no data is configured for the same item in Network Connection.
3. In the Complementary Data area, select Always, Overriding Existing Network Configuration of This Server to specify that the data in Complementary Data is always used, regardless of the configuration of the selected connection. This setting is useful for connecting clients if you want to use a different Domain Name System (DNS), Windows Internet Name Service, or default gateway. Fields that are left empty are ignored.
4. At the bottom left corner of the SSL Network Tunneling Server dialog box, select the Activate SSL Network Tunneling check box. Clearing this check box disables an active Network Connector.
5. After you have completed the configuration of the server, click OK on the SSL Network Tunneling Server dialog box to activate the Network Connector.
6. In the Forefront UAG Management console, click the Activate configuration icon to save and activate the configuration, and then on the Activate Configuration dialog box, click Activate. The configuration settings you have defined are applied to the Network Connector server. The Microsoft Forefront UAG SSL Network Tunneling Client and the Microsoft Forefront UAG SSL Network Tunneling Server services are started, and set to automatic startup mode.
Note:
- A dedicated network icon in the Windows notification area indicates to endpoints that the Network Connector Server service has started.
- Leaving one or more of the fields in the Network Connection and Complementary Data areas empty might result in a limited client session. For example, if no DNS is defined, no DNS services will be available for remote VPN users connecting with Network Connector.
- It is recommended that you do not modify the name of the network adapter associated with the Network Connector. If you do change the name, and the adapter is disabled and then enabled, the Network Connector server may not start as expected.
Modifying the default listener
To modify the default listener
1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.
2. On the SSL Network Tunneling Server dialog box, click the Advanced tab.
3. In the Listener area, in the Type list, select the protocol, and then in the Port box, specify the port.
Assigning IP addresses to VPN clients
To assign IP addresses to VPN clients
1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.
2. On the SSL Network Tunneling Server dialog box, click the IP Provisioning tab.
3. In the Pool Type area, do one of the following:
   - Click Corporate IP Addresses to specify that IP addresses that belong to the IP address range configured on the Network Segment tab should be assigned to remote VPN clients. Ensure that you exclude the specified range from your internal Dynamic Host Configuration Protocol (DHCP) server. Forefront UAG cannot use a DHCP server to assign IP addresses to remote VPN clients.
   - Click Private IP Addresses to specify that IP addresses that do not belong to the IP address ranges specified on the Network Segment tab should be assigned to remote VPN clients. For example, if the corporate segment is configured as 192.168.0.0/255.255.248.0, an example of a "corporate pool" would be 192.168.6.2-192.168.6.200, and an example of a "private pool" would be 10.16.16.2-10.16.16.200.
4. In the Address Pool area, define IP address ranges that can be assigned to remote clients. You can enter up to 10 ranges of IP addresses. All the defined addresses must use the same subnet mask. Do not define IP addresses that are configured on the internal network adapter, or a private IP address range. The subnet for the IP ranges you defined is displayed in Pool Subnet.
5. At the bottom left corner of the SSL Network Tunneling Server dialog box, select the Activate SSL Network Tunneling check box. Clearing this check box disables an active Network Connector.
6. After you have completed the configuration of the server, on the SSL Network Tunneling Server dialog box, click OK to activate Network Connector.
7. In the Forefront UAG Management console, click the Activate configuration icon to save and activate the configuration, and then on the Activate Configuration dialog box, click Activate. The configuration settings you have defined are applied to the Network Connector server. The Network Connector Windows service (Network Connector Server) is started and is set to automatic startup mode.
Adding a Forefront TMG access rule
To add a Forefront TMG access rule
1. In the Forefront TMG Management console, click to expand Forefront TMG (server_name).
2. In the tree, click the Firewall Policy node.
3. On the Tasks tab, click Create Access Rule.
4. On the Welcome page of the New Access Rule Wizard, type a name for the rule, and then click Next.
5. On the Rule Action page, select Allow.
6. On the Protocols page, in the This rule applies to list, select All Outbound Traffic.
7. On the Malware Inspection page, select Do not enable malware inspection for this rule.
8. On the Access Rule Sources page, click Add.
9. On the Add Network Entities dialog box, click the New menu, and then click Address Range.
10. On the New Address Range Rule Element dialog box, specify the Start Address and End Address of the IP address pool. Then click OK.
11. On the Add Network Entities dialog box, click Close. On the Access Rule Sources page, click Next.
12. On the Access Rule Destinations page, click Add.
13. On the Add Network Entities dialog box, click the New menu, and then click to expand Network. Select Internal, and then click Add. Click Close to close the Add Network Entities dialog box.
14. On the Access Rule Destinations page, click Next.
15. On the User Sets page, leave the default settings to allow access to all users. Alternatively, click Add to limit access to the VPN client user group only. Then click Next.
16. On the final page of the wizard, click Finish.
Note:
- Forefront UAG assigns the first IP address from the defined pool to the SSL Network Tunneling server.
- Ensure that the defined IP address pool is sufficient for your needs, and contains enough IP addresses for remote VPN clients. Note that IP addresses that end with zero or 255 are not used for IP assignment. The last address in each mathematical subnet is allocated for system use. For example, if a pool consists of addresses 192.168.0.0-192.168.0.15, the addresses 192.168.0.0, 192.168.0.1 and 192.168.0.15 will be unavailable for use. If a pool consists of IP addresses 192.168.0.1-192.168.0.10, addresses 192.168.0.1, 192.168.0.7 and 192.168.0.9 will be unavailable, leaving 7 IP addresses available for client use.
- If you selected Private IP Addresses, configure the corporate gateway to route the private pool's subnet from the gateway's internal network adapter to the IP address of the Network Connector server. In addition, if your corporate firewall filters traffic on its internal interface, configure the firewall to allow bidirectional traffic between the private pool subnet and the corporate subnet defined on the Network Segment tab. To enable access to the wide area network (WAN) or Internet, configure the firewall to allow bidirectional traffic between the private pool subnet and the WAN, and define the private pool permissions. In addition, if you are using Network Address Translation (NAT) to enable access to the WAN or Internet, define the subnet of the private pool as an additional internal interface.
- If the IP address pool is a corporate pool, make sure you exclude the IP address range you define here from your organization's DHCP server, to avoid IP address conflicts with Network Connector clients. IP address conflicts between corporate computers and endpoint computers result in idle sessions, in which remote clients launch the Network Connector application with no errors, but have no access to the Network Connector server or to the resources that should be enabled via the server.
- If the IP address pool consists of private addresses, and the Internet access level defined on the Access Control tab is set to Split Tunneling or No Internet Access, you must add the corporate network as an additional network to enable access to the corporate network. If you do not add the corporate network, remote clients are granted access only to other clients and cannot access the corporate network. For instructions about defining additional networks, see Adding additional networks.
- When a domain client logs in using an IP address allocated from the pool, an A record for the address is created on the internal network DNS server. A new address may be allocated each time the client connects, which may result in clients having multiple A records on the DNS server.
Configuring Internet access
To configure Internet access
1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.
2. On the SSL Network Tunneling Server dialog box, click the Access Control tab.
3. In the Internet Access area, select one of the following:
   - Click Split Tunneling (Route Internet Traffic Through Original Client Connection) to specify that remote VPN clients should access the Internet through the Internet connection configured on the client endpoint.
   - Click Non-Split Tunneling (Route Internet Traffic Through the Corporate Gateway) to specify that remote VPN clients should access the Internet through the corporate Internet gateway. Select the Disable Local Area Network Access check box to specify that client endpoints connected to Network Connector cannot access the local network on the client endpoint (for example, a home network). Note that when you select non-split tunneling, the settings on the Additional Networks tab do not apply, because all network traffic passes through the Network Connector tunnel. In this mode, if the client endpoint session ends unexpectedly, users are prompted to re-enable their Internet connection.
   - Click No Internet Access to specify that remote VPN clients cannot access the Internet. In this mode, client endpoints can only access networks defined on the Network Segment and Additional Networks tabs. Select the Disable Local Area Network Access check box to specify that client endpoints connected to Network Connector cannot access the local network on the client endpoint (for example, a home network).
4. In the IP Spoofing Policy area, select the Disable Spoofed Traffic check box to specify that the Network Connector server should check and validate the source IP address of each packet arriving at the server, and tunnel traffic only from connected Network Connector clients. Clear this setting to specify that other types of traffic should be tunneled.
5. In the Protocol Blockers area, select any protocols that should be blocked. When a setting is enabled, all traffic using the protocol is blocked.
Adding additional networks
To add additional networks
1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.
2. On the SSL Network Tunneling Server dialog box, click the Additional Networks tab.
3. Select the Enable Access to the Following Additional Networks check box, and then click Add.
4. In the Add Network dialog box, specify the IP address and mask for the network. Ensure that the IP address and mask are valid and do not overlap with other defined networks.
5. Specify how IP address conflicts should be handled by selecting one of the following:
   - To specify that if there is a conflict, the connection attempt fails and the remote VPN client is not connected to Network Connector, select Fail.
   - To specify that the client endpoint can choose whether to fail the attempted connection or skip the conflicting network and connect to other networks using Network Connector, select Prompt.
   - To specify that the conflicting network connection is skipped and that the client endpoint should connect to other non-conflicting networks using Network Connector, select Skip.
6. Repeat the steps for each additional network you want to define.
Note:
- Settings on the Additional Networks tab are not used if the Internet access level defined on the Access Control tab is set to Non-Split Tunneling. In this mode, all network traffic is tunneled over the Network Connector VPN connection.
- When the Internet access level defined on the Access Control tab is set to Split Tunneling or No Internet Access, the corporate network must be defined as an additional network. Otherwise, remote VPN clients can access only VPN clients and not the corporate network.
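As an added example (not part of this page or of the Forefront UAG product), the following Python script checks a planned address pool from the IP Provisioning tab and a planned list of additional networks against the rules stated in the two procedures above, before they are typed into the console. The corporate segment is the page's own sample value; the function names and the 'split', 'non-split' and 'none' labels are assumptions made here.

```python
import ipaddress

# Constructed sample segment for this example; not taken from any real deployment.
CORPORATE_SEGMENT = ipaddress.ip_network("192.168.0.0/255.255.248.0")

def parse_range(text):
    """Turn 'start-end' into a (start, end) pair of IPv4Address objects."""
    start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    if end < start:
        raise ValueError(f"{text}: end address precedes start address")
    return start, end

def ranges_overlap(a, b):
    # Inclusive (start, end) pairs that share at least one address.
    return a[0] <= b[1] and b[0] <= a[1]

def check_pool(pool_type, ranges, segment=CORPORATE_SEGMENT):
    """Validate an IP Provisioning pool ('corporate' or 'private') of 'start-end' ranges."""
    problems = []
    if not 1 <= len(ranges) <= 10:
        problems.append("define between 1 and 10 address ranges")
    parsed = []
    for text in ranges:
        try:
            parsed.append((text, parse_range(text)))
        except ValueError as err:
            problems.append(str(err))
    seg = (segment.network_address, segment.broadcast_address)
    for text, rng in parsed:
        # A corporate pool is carved out of the Network Segment range (and must be
        # excluded from DHCP); a private pool must lie entirely outside it.
        if pool_type == "corporate" and not (rng[0] in segment and rng[1] in segment):
            problems.append(f"{text}: a corporate pool must lie inside {segment}")
        if pool_type == "private" and ranges_overlap(rng, seg):
            problems.append(f"{text}: a private pool must not overlap {segment}")
    for i, (ta, ra) in enumerate(parsed):
        for tb, rb in parsed[i + 1:]:
            if ranges_overlap(ra, rb):
                problems.append(f"{ta} overlaps {tb}")
    return problems

def check_additional_networks(networks, pool_type, internet_access, segment=CORPORATE_SEGMENT):
    """Validate 'address/mask' additional networks against the Access Control mode."""
    problems = []
    if len(networks) > 200:
        problems.append("at most 200 additional networks can be defined")
    parsed = []
    for text in networks:
        try:  # strict=True rejects an address with host bits set under the mask
            parsed.append(ipaddress.ip_network(text, strict=True))
        except ValueError:
            problems.append(f"{text}: address and mask do not form a valid network")
    for i, a in enumerate(parsed):
        for b in parsed[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    if internet_access == "non-split" and parsed:
        problems.append("additional networks are ignored in non-split tunneling mode")
    # Private pool with split tunneling or no Internet access: the corporate
    # segment itself must be listed, or clients can reach only other clients.
    if (pool_type == "private" and internet_access in ("split", "none")
            and not any(segment.subnet_of(n) for n in parsed)):
        problems.append(f"add {segment} as an additional network")
    return problems
```

An empty list from either function means the plan is consistent with the rules on this page; it does not replace the DHCP exclusion and gateway routing steps described in the notes.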
Logging extended Network Connector traffic
To log extended Network Connector traffic
1. On the computer on which the Network Connector server is installed, access the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\RemoteAccess
2. Create the following new registry key: NetworkConnector.
3. Under the key you created in step 2, create a DWORD value named log\sniff. Do one of the following:
   - To enable logging of low-level network traffic to and from remote clients, set the DWORD value to 1.
   - To enable logging of tunneled network traffic to and from remote clients, set the value to 2.
   - To enable logging of both low-level and tunneled network traffic to and from remote clients, set the value to 3.
4. When you have finished troubleshooting, to disable logging, set the log\sniff value to 0.
5. After configuring the registry, on the Advanced tab of the SSL Network Tunneling Server dialog box, do the following:
   - In the Log Level box, specify the level of log detail required for Network Connector traffic. You can specify a level between 1 and 5, where 5 is the most detailed. It is recommended that you log Network Connector traffic when troubleshooting, and then set the value to 0 to disable logging when troubleshooting is complete.
   - In Log Path, specify one of the following locations:
     - To specify that the log file is created in the same folder in which the server executable resides, select Server Executable Path. Usually this is the following location: \Microsoft Forefront Unified Access Gateway\common\big\whlios.log
     - To specify a custom location, select Alternative Path, and then type the folder path.
Note:
- The dump files are written in TCPDUMP format.
- The low-level and tunneled traffic dumps consist of similar information but are not necessarily the same, because not all low-level traffic is tunneled and vice versa.
- The log\sniff registry value is polled by the server executable while running, so it may be updated while the Network Connector is in session.
- The dump files are created in the same location in which the log files are created, with the following file names: