Can SSTP VPN and HTTPS Reverse Proxy functions be used together in TMG?

Forums › IT Pro and developers › Can SSTP VPN and HTTPS Reverse Proxy functions be used together in TMG?

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#99782 27-Mar-2012 11:33

TMG is currently installed with wildcard certificate as a reverse proxy for a combination of MS and non-MS HTTPS traffic, I would like to add SSL VPN functionality to the mix, but if I did, what URL would be used for VPN target?

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#600640 27-Mar-2012 11:49

Note: I suspect that SSTP will attempt to bind to 443 and will not share with the Reverse Proxy function, I wonder however if I can create an additional listener on another adapter and Reverse Proxy the SSTP traffic to that?

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#600659 27-Mar-2012 12:20

The SSTP actually binds to IIS. I have it happily sharing with Exchange ActiveSync and Remote Desktop Gateway on my 2008 server (no TMG though).

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#600673 27-Mar-2012 12:50

Now that I did not know. That changes my approach significantly. Assuming the client passes the URL in the message I should be good to go with a stand alone host.

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#600871 27-Mar-2012 18:14

Any tips on diagnosing SSTP behind TMG? I can get to it, confirmed by toggling users "dial-in" setting between Allow & Deny and getting the expected 812 error when deny, but when allow is set I get "registering computer" and then Error 619. I checked this article and the hash on the reverse proxy and the RAS match.

Note: tested this directly and VPN established successfully. TMG reports the traffic being redirected successfully, i.e. no drops or blocks.

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#601106 28-Mar-2012 09:40

Hmm. I'm afraid you've gone a bit beyond my realm of knowledge there. I'm certain someone here will be able to help with that though.

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#601117 28-Mar-2012 10:07

Going to rebuild with an on-domain RAS machine and RODC, I suspect it's a certificate chaining issue. If not, I've read an article where others have made this work by changing the RAS to being unencrypted. I'll update this with my findings.

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#601164 28-Mar-2012 11:55

Yes, that worked. Created a server with a FQDN, installed the certificate and installed RAS. Then set that in the reverse proxy and connection was successful. Seems the certificate path must hold all the way through for this to work, other end-points I have gotten away with installing their self-signed certificates into TMG.