mardi 15 janvier 2013

[UAG] VPN Access

1/ Introduction

After my post about [UAG] SSL Network Tunneling : Connection ended, I will describe the main steps to deploy a VPN gateway through Forefront UAG.

2/ Common part

In order to deploy the VPN SSL feature through the Forefront UAG portal (highly recommended :)) we need to add a Remote Network Access application located on the Client/server and legacy section.

3/ VPN (SSTP) for Windows Vista or higher

First of all you will found a brief description of the VPN SSTP on this article: How SSTP based VPN connection works.

3.1/ Prerequisite

If the user wants to use the Windows built-in VPN client, on his Active Directory account properties we need to allow the access on the Network Access Permission section on the Dial-in tab.

On the Getting Started wizard at the Network Configuration step, when we need to define the internal network IP address range we exclude the IP pool of the VPN client to avoid a warning / error message while configuring the VPN SSTP feature.

Attention: this IP range must be the same used on the IP Address Assignment of the VPN SSTP settings.

3.2/ Remote Network Access settings

On the Admin > Remote Network Access menu we choose SSL Network Tunneling (SSTP).

In order to access to the settings we need to enable Enable remote client VPN access, then on the General tab don't forget to select the trunk with the right FQDN for the VPN access. We could also change the number of the client connected with the Maximum VPN client connections setting.

On the Protocols tab we need to enable Secure Socket Tunneling Protocol (SSTP).

On the IP Address Assignment tab for each array member (if we make an array) we specify the IP range to handle for the VPN client.

Take care of what I said on chapter 3.1 :).

And on the User Groups tab we could limit the scope of the VPN SSTP to a specified group and to a specified resources.

4/ VPN (SSL) for Windows Xp

On the Admin > Remote Network Access menu we choose SSL Network Tunneling.

In order to access to the settings we need to enable Activate SSL Network Tunneling, then on the Network Segment tab don't forget to provide the following setting:
  • Advanced Networking configuration in order to provide to the VPN client the DNS information and the default gateway to use
  • On the Connection Name column check if the connected interface is the internal one

On the IP Provisioning tab I choose to use the Corporate IP Addresses setting and to provide an IP pool for each array member.
Access Control tab, for this part I let the user to use his personal internet connection and not the corporate web proxy.

On the Additional Networks tab it's possible to limit the access to a limited scope of resources.

And finally on the Advanced tab I let the default settings.

The server informs us that some IP will be excluded on the client IP pool, then we need to activate the configuration.

Aucun commentaire:

Enregistrer un commentaire