Geekzone: technology news, blogs, forums


lyonrouge

1993 posts

Uber Geek
+1 received by user: 20

Trusted
Lifetime subscriber

#99782 27-Mar-2012 11:33

TMG is currently installed with a wildcard certificate as a reverse proxy for a combination of MS and non-MS HTTPS traffic. I would like to add SSL VPN functionality to the mix, but if I did, what URL would be used for the VPN target?

lyonrouge

1993 posts

Uber Geek
+1 received by user: 20

Trusted
Lifetime subscriber

  #600640 27-Mar-2012 11:49

Note: I suspect that SSTP will attempt to bind to 443 and will not share with the Reverse Proxy function. I wonder, however, whether I can create an additional listener on another adapter and reverse proxy the SSTP traffic to that?



Kyanar
4089 posts

Uber Geek
+1 received by user: 1684

ID Verified
Trusted

  #600659 27-Mar-2012 12:20

The SSTP actually binds to IIS. I have it happily sharing with Exchange ActiveSync and Remote Desktop Gateway on my 2008 server (no TMG though).

lyonrouge

1993 posts

Uber Geek
+1 received by user: 20

Trusted
Lifetime subscriber

  #600673 27-Mar-2012 12:50

Now that I did not know. That changes my approach significantly. Assuming the client passes the URL in the message, I should be good to go with a stand-alone host.



lyonrouge

1993 posts

Uber Geek
+1 received by user: 20

Trusted
Lifetime subscriber

  #600871 27-Mar-2012 18:14

Any tips on diagnosing SSTP behind TMG? I can get to it, confirmed by toggling a user's "dial-in" setting between Allow and Deny and getting the expected 812 error when set to Deny, but when it is set to Allow I get "registering computer" and then Error 619. I checked this article, and the hash on the reverse proxy and the RAS match.

Note: tested this directly and VPN established successfully. TMG reports the traffic being redirected successfully, i.e. no drops or blocks.

Kyanar
4089 posts

Uber Geek
+1 received by user: 1684

ID Verified
Trusted

  #601106 28-Mar-2012 09:40

Hmm. I'm afraid you've gone a bit beyond my realm of knowledge there. I'm certain someone here will be able to help with that though.

lyonrouge

1993 posts

Uber Geek
+1 received by user: 20

Trusted
Lifetime subscriber

  #601117 28-Mar-2012 10:07

Going to rebuild with an on-domain RAS machine and RODC. I suspect it's a certificate chaining issue. If not, I've read an article where others have made this work by changing the RAS to being unencrypted. I'll update this with my findings.

lyonrouge

1993 posts

Uber Geek
+1 received by user: 20

Trusted
Lifetime subscriber

  #601164 28-Mar-2012 11:55

Yes, that worked. Created a server with a FQDN, installed the certificate, and installed RAS. Then set that in the reverse proxy and the connection was successful. It seems the certificate path must hold all the way through for this to work; with other end-points I have gotten away with installing their self-signed certificates into TMG.
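The two things the thread ends up checking by hand, the SSTP certificate hash versus the certificate the client actually sees through the reverse proxy (the Error 619 post above) and whether that certificate chains cleanly (the final post), can be scripted. The following is an added example written for this page, not code from the thread or from Microsoft. It runs in an elevated PowerShell session on the RAS/SSTP server; the public VPN name `vpn.example.com` and port 443 are assumed placeholders, and the registry value names are the documented SstpSvc parameters that hold the hashes SSTP expects in the client's Crypto Binding attribute.

```powershell
# Added example (not from the thread): diagnose SSTP published behind a TLS-terminating reverse proxy.
# Run elevated on the RAS/SSTP server. Placeholders: $PublicName and $Port are assumptions.
param(
    [string]$PublicName = 'vpn.example.com',   # hypothetical public VPN name
    [int]$Port = 443
)

# 1. SSTP does not own the 443 socket; it registers its path with HTTP.SYS and shares the
#    binding with IIS / RD Gateway. The path clients POST to (documented in MS-SSTP) is
#    /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. Show what HTTP.SYS presents per IP:port.
Write-Host '== HTTP.SYS SSL bindings =='
netsh http show sslcert | Select-String -Pattern 'IP:port', 'Certificate Hash', 'Application ID'

# 2. Hashes SSTP expects the client to echo back. When TLS terminates on the proxy, these must
#    match the PROXY's certificate (what the client sees), not whatever RRAS has bound locally.
function ConvertTo-Hex([byte[]]$Bytes) { ($Bytes | ForEach-Object { $_.ToString('X2') }) -join '' }

$sstpParams     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$expectedSha1   = ConvertTo-Hex $sstpParams.Sha1CertificateHash
$expectedSha256 = ConvertTo-Hex $sstpParams.Sha256CertificateHash
Write-Host "SSTP Sha1CertificateHash   : $expectedSha1"
Write-Host "SSTP Sha256CertificateHash : $expectedSha256"

# 3. Fetch the leaf certificate actually presented at the public name, exactly as a client would.
#    Validation is disabled here only so we can capture the leaf; the chain is checked separately below.
$tcp = New-Object System.Net.Sockets.TcpClient($PublicName, $Port)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
$ssl.AuthenticateAsClient($PublicName)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

$sha256     = [System.Security.Cryptography.SHA256]::Create()
$seenSha1   = $leaf.Thumbprint                       # Thumbprint is SHA-1 of the DER encoding
$seenSha256 = ConvertTo-Hex $sha256.ComputeHash($leaf.RawData)
$sha256.Dispose()
Write-Host "Proxy presents : $($leaf.Subject)  (expires $($leaf.NotAfter))"
Write-Host "Proxy SHA1     : $seenSha1"
Write-Host "Proxy SHA256   : $seenSha256"

# 4. Hash comparison. A mismatch is a classic cause of Error 619 when a direct connection works.
if ($seenSha1 -ne $expectedSha1 -or $seenSha256 -ne $expectedSha256) {
    Write-Warning 'SSTP certificate hashes do not match the certificate the proxy presents.'
    Write-Host 'To fix, write the proxy certificate hashes into SstpSvc and restart RemoteAccess, e.g.:'
    Write-Host "  Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters -Name Sha1CertificateHash   -Value ([byte[]]`$sha1Bytes)"
    Write-Host "  Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters -Name Sha256CertificateHash -Value ([byte[]]`$sha256Bytes)"
    Write-Host '  Restart-Service RemoteAccess'
} else {
    Write-Host 'OK: SSTP hashes match the proxy certificate.'
}

# 5. Chain check from this machine's trust store. The SSTP client validates the full path (and
#    revocation) by default, so a self-signed or privately chained proxy certificate that TMG
#    tolerates for ordinary web publishing will still fail for SSTP.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if ($chain.Build($leaf)) {
    Write-Host 'OK: proxy certificate chains to a trusted root with revocation checked.'
} else {
    Write-Warning 'Proxy certificate does NOT build a valid chain:'
    $chain.ChainStatus | ForEach-Object { Write-Host "  $($_.Status): $($_.StatusInformation.Trim())" }
}
$chain.Reset()
```

Run it once with the client-side view (the public name through the proxy) and once pointed at the RAS server directly; if only the proxied run reports a hash or chain problem, the fault is in the published certificate rather than in RRAS itself. The `Set-ItemProperty` lines are printed rather than executed so the script never modifies the server on its own.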
