Topic # 99782 27-Mar-2012 11:33
TMG is currently installed with wildcard certificate as a reverse proxy for a combination of MS and non-MS HTTPS traffic, I would like to add SSL VPN functionality to the mix, but if I did, what URL would be used for VPN target?

Reply # 600640 27-Mar-2012 11:49

Note: I suspect that SSTP will attempt to bind to 443 and will not share with the Reverse Proxy function, I wonder however if I can create an additional listener on another adapter and Reverse Proxy the SSTP traffic to that?

Reply # 600659 27-Mar-2012 12:20

The SSTP actually binds to IIS. I have it happily sharing with Exchange ActiveSync and Remote Desktop Gateway on my 2008 server (no TMG though).
Reply # 600673 27-Mar-2012 12:50

Now that I did not know. That changes my approach significantly. Assuming the client passes the URL in the message, I should be good to go with a stand-alone host.

Reply # 600871 27-Mar-2012 18:14

Any tips on diagnosing SSTP behind TMG? I can get to it, confirmed by toggling users' "dial-in" setting between Allow and Deny and getting the expected 812 error when set to Deny, but when Allow is set I get "registering computer" and then Error 619. I checked this article and the hash on the reverse proxy and the RAS match.

Note: tested this directly and VPN established successfully. TMG reports the traffic being redirected successfully, i.e. no drops or blocks.
Reply # 601106 28-Mar-2012 09:40

Hmm. I'm afraid you've gone a bit beyond my realm of knowledge there. I'm certain someone here will be able to help with that though.

Reply # 601117 28-Mar-2012 10:07

Going to rebuild with an on-domain RAS machine and RODC, I suspect it's a certificate chaining issue. If not, I've read an article where others have made this work by changing the RAS to being unencrypted. I'll update this with my findings.
Reply # 601164 28-Mar-2012 11:55

Yes, that worked. Created a server with a FQDN, installed the certificate and installed RAS. Then set that in the reverse proxy and the connection was successful. Seems the certificate path must hold all the way through for this to work; for other end-points I have gotten away with installing their self-signed certificates into TMG.
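As an added check for the certificate-path problem described in this thread (example code written for this page, not from the poster or from Microsoft), the following Windows PowerShell script, run elevated on the RAS host, reads the certificate SSTP is bound to, builds its chain from the local stores and confirms it covers the FQDN clients dial; the FQDN is a placeholder.

```powershell
# Added example, not from the thread. Assumes an elevated Windows PowerShell
# session on the RAS/SSTP server; the FQDN is a placeholder.
param([string]$VpnFqdn = 'vpn.example.com')

# SSTP records the certificate it is bound to here (the hash the thread
# compared against the TMG listener). If the value is absent, SSTP auto-selected.
$sstpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$bound = (Get-ItemProperty -Path $sstpKey -Name 'SHA1CertificateHash' -ErrorAction Stop).SHA1CertificateHash
$boundThumb = ($bound | ForEach-Object { $_.ToString('X2') }) -join ''
Write-Host "SSTP is bound to certificate thumbprint $boundThumb"

# The listener can only present a certificate that exists in LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $boundThumb }
if (-not $cert) { throw "No certificate with thumbprint $boundThumb in LocalMachine\My" }

# Build the chain the way the server will: intermediates must be in
# LocalMachine\CA and the root in Trusted Root, or clients see a broken path.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # switch to 'Online' once CRL/OCSP reachability is confirmed
$chainOk = $chain.Build($cert)
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    Write-Host ("  {0}  [{1}]" -f $element.Certificate.Subject, $status)
}
if (-not $chainOk) {
    $problems = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does not validate on this host: $problems"
}

# Name check: the client compares the dialled FQDN with the subject CN / SAN.
# A wildcard entry only matches a single label.
$names = @($cert.GetNameInfo('DnsName', $false))
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $names += (($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
}
$nameOk = $false
foreach ($n in $names) {
    $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
    if ($VpnFqdn -match $pattern) { $nameOk = $true }
}
Write-Host ("Names on certificate: {0}" -f ($names -join ', '))
if ($nameOk) { Write-Host "Name check passed for $VpnFqdn" }
else { Write-Warning "$VpnFqdn is not covered by this certificate; clients will reject it" }
```

Run the same script with the TMG listener's certificate thumbprint substituted to confirm both ends present an identical, fully chained certificate.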