The Private Cloud Man

Private Cloud Technologies, Architecture and more!

How To Enable SSTP (Secure Socket Tunneling Protocol) Split Tunneling with UAG 2010

UAG 2010 (UAG) supports two types of network level SSL VPN:

  • Network Connector
  • Secure Socket Tunneling Protocol (SSTP)

Network Connector is aimed at legacy clients, and SSTP at Windows 7 clients.

Network Connector supports both split and non-split tunneling configurations while SSTP, when accessed through the UAG portal, supports only non-split tunneled connections.

This can be problematic for firms that want a split tunneled configuration to reduce the bandwidth that VPN clients consume when split tunneling isn’t supported. And with current network security opinion moving away from disabling split tunneling as a security solution (see my articles on split tunneling for more information at http://blogs.technet.com/b/tomshinder/archive/2010/03/02/why-split-tunneling-is-not-a-security-issue-with-directaccess.aspx), it makes sense that admins would want to enable split tunneling for their UAG SSTP clients.

Faisal Hussain provides a solution on his blog and you can find it at:

http://blogs.technet.com/b/fsl/archive/2011/01/26/uag-sstp-split-tunnel.aspx

WARNING:
This is an unsupported solution and has not been tested or validated by CSS.

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog:
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
http://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder

Comments
  • Hi Tom,

    If u want to become our hero in this case, then please ask your team mates if they could provide us a modified version of the "WhlClntProxy.cab" with "Split-Tunneling enabled" and "Class based route addition disabled". This way we could control the routes by using DHCP options...

    TBH: I'm not asking for a CSS supported version of the file. I'm just asking for a "Microsoft digital signed" version of the modified CAB file to streamline the deployment^^

    Thanks!

    -Kai

  • Well, u can advise your mates by telling them these two SSTP.PBK values...

    IpPrioritizeRemote=0 (Split Tunnel enabled)

    DisableClassBasedDefaultRoute=1 (Class based route addition disabled)

    -Kai

  • Hi Kai!

    I'll take this feedback to the team and see what they can do.

    Thanks!

    Tom

  • Hi Kai,

    You know what's funny here?

    That we have all these people wanting split tunneling enabled for SSTP - but then we hear people want to force tunneling for DirectAccess - it's hard to figure this out! :)

    Thanks!

    Tom

  • Hi Tom,

    well, make Split Tunneling configurable in the UI and it will fit everybody's need. :) But the hack with the custom "WhlClntProxy.cab" file will help most of us without much effort from your team...

    BTW: In the meanwhile I'll give blogs.technet.com/.../some-client-side-magic-scripting.aspx a try and see if I can publish a custom VBScript which changes the needed values at the client side after the PBK gets deployed (but this should be considered as a very ugly way!)^^

    -Kai

  • Hi Kai,

    I agree - if it were up to me, the split tunneling decision would be configurable in the UI :)

    If you publish the script, let me know, and I'll post a link to it on the blog - while it won't be supported, it still provides an option for those who want to do this.

    Thanks!

    Tom

  • Hi Tom,

    sure, I can send you my scripts once they are finalized. But give me some time, since I'm somewhat busy right now and I don't want to make a run-of-the-mill solution...

    BTW: Do you have good and comprehensive documentation on the SSLVPNTemplates.xml and wizardsdefault.ini files? I couldn't find useful information regarding the contained advanced settings (e.g. flags, userrights, etc.).

    -Kai

  • Hi Kai,

    Thanks! I'm sure they will be excellent when you find the time.

    All the information we have on those files is in the public locations. :(

    Tom

  • Hi Tom,

    the publicly available content is almost non-existent. Even www.bing.com doesn't show anything. This might be a good topic for future Edge Man blogs, dude!

    In the meanwhile I have to fuzzy out the correct results^^

    -Kai

  • I'll see if there's anyone in the PG who might know something about this.

    Thanks!

    Tom

  • Hi Tom,

    I got the scripts and UAG customizations up and running. I will document them a lil tomorrow evening before sending to you.

    Be surprised, it's a blast! :)

    -Kai

  • wH00t! That's great!!!

    Thanks!

    Tom

  • Hi Tom,

    Can you send me a copy of this script? Is it possible to inject routes to the client's routing table with this method? Once the SSTP is disconnected, is it possible to remove these routes? I read some articles about using CMAK to customize the SSTP connectoid. Can this be integrated with the UAG portal?

    Thanks,

    kevin

  • Hello,

    Question on SSTP VPN through UAG using Windows 7 Clients. I'm trying to find out if I can "Disable Local Network Access" when the VPN is connected.

    I know this can be done with Network Connect, but Windows 7 clients use SSTP from what I've read.

    Does anyone know if this can be done?

    Thanks,

    Antonio
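
The two SSTP.PBK values named in the comments above can be checked on a phonebook file collected from a client, to see which entries actually run split tunneled. This Python audit is an added example, not code from the original post, its commenters, or UAG; the sample phonebook text, the function names and the verdict labels are assumptions, and the meaning of each value is taken from the comment that names them.

```python
# Constructed sample. Real .pbk entries repeat some keys (e.g. DEVICE=).
SAMPLE_PBK = """\
[UAG SSTP]
IpPrioritizeRemote=1
DisableClassBasedDefaultRoute=0
DEVICE=vpn
DEVICE=vpn
[UAG SSTP split]
IpPrioritizeRemote=0
DisableClassBasedDefaultRoute=1
[No routing keys]
DEVICE=vpn
"""

KEYS = ("IpPrioritizeRemote", "DisableClassBasedDefaultRoute")


def parse_pbk(text):
    """Return {entry name: {key: int}} for the two routing keys only."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            # Keep the first occurrence; strict INI parsers reject repeats.
            if key in KEYS and key not in current and value.isdigit():
                current[key] = int(value)
    return entries


def classify(settings):
    """Map one entry's settings to a tunneling verdict."""
    remote = settings.get("IpPrioritizeRemote")
    if remote is None:
        return "unknown"  # key absent: do not guess the client default
    if remote != 0:
        return "force-tunnel"  # default route goes through the VPN
    # Split tunnel: a class-based route is still added unless disabled.
    if settings.get("DisableClassBasedDefaultRoute") == 1:
        return "split-tunnel"
    return "split-tunnel+class-route"


def audit(text):
    """Return {entry name: verdict} for every entry in the phonebook text."""
    return {name: classify(s) for name, s in parse_pbk(text).items()}
```

Calling `audit()` on the text of a phonebook file gives one verdict per entry, so a client whose SSTP entry no longer reads `force-tunnel` stands out when policy expects non-split tunneling.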
