UAG SSTP Split Tunnel
Network Connector in IAG used to offer two different tunnelling modes, split tunnel and non split tunnel; you can find details here if you are not familiar with these options: https://technet.microsoft.com/en-us/library/dd278013.aspx . When Microsoft shipped UAG, Windows 7 was the endpoint platform with full VPN tunnelling support, and Windows 7 introduced a new type of VPN tunnel called SSTP; here is a good overview of SSTP: https://blogs.technet.com/b/rrasblog/archive/2007/01/10/how-sstp-based-vpn-connection-works.aspx , or visit the TechNet centre for details. The SSTP architecture is very different from the Network Connector VPN type, which is still there in UAG but only for backward compatibility. With SSTP, Windows 7 only allows non split tunnelling by default, which means all of the client's traffic, not just traffic destined for the corporate network, goes through the corporate gateway while the VPN is up.
Being in support, I have been asked how to enable split tunnelling in Windows 7 using SSTP through the UAG portal. Of course, the UAG product group clearly states that SSTP is non split tunnelling by default, so split tunnelling is not possible from the UAG portal. Anyhow, I got a case a few weeks ago where one of our premier customers had a requirement to enable split tunnelling using SSTP. I knew the answer, that it is not possible and not supported, but I started fiddling with UAG SSTP in my lab environment. Digging through the source code and testing various scenarios, I managed to find a way to enable split tunnel. Let me walk you through this fairly simple but unsupported configuration. Let me also set your expectations first: this is a client-side solution, it is not elegant, so you need a mechanism for dropping the modified dialer file on every Windows 7 machine that will launch the SSTP split tunnel through the portal, and it is not a supported solution from Microsoft UAG support. Keep in mind as well that with a split tunnel the endpoint's Internet traffic no longer passes through the corporate gateway, so whatever inspection or filtering the gateway provides does not apply to that traffic. If you are happy with all the disclaimers, then let's proceed further :).
Steps to configure SSTP split tunnelling:
1- SSTP.pbk is part of \InternalSite\Win32ActiveX\WhlClntProxy.cab, so once you deploy the UAG client components on a Windows 7 endpoint this .pbk file gets dropped with them. Extract the SSTP.pbk file from the UAG client components.
2- Open the extracted SSTP.pbk (double-clicking a .pbk file opens it in the dialer), select the SSTP connection entry, click Properties and select the Networking tab.
3- Select Internet Protocol Version 4 (TCP/IPv4) and click the Properties button.
4- Click the Advanced button and, under the IP Settings tab, uncheck the "Use default gateway on remote network" option.
5- Copy the modified SSTP.pbk back to the UAG client components directory on the Windows 7 machine.
6- Launch the SSTP application from the UAG portal and check your routing table (route print). With the split tunnel in effect there should be no 0.0.0.0 default route over the VPN adapter's address; only the routes for the remote network's subnet(s) should point at it.
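The same change, done in code rather than through the dialer dialog, as an added example that is not part of the original post or of UAG. A .pbk file is an INI-style text file, and the "Use default gateway on remote network" checkbox corresponds to the IpPrioritizeRemote key (IpPrioritizeRemoteV6 for IPv6) in the entry's section; the script below rewrites that key in one named entry without touching anything else, then checks a route print listing for the default-route condition from step 6. The entry name "UAG SSTP", the trimmed phonebook contents and the two route tables are constructed samples, not copied from the real SSTP.pbk.

```python
"""Added example: flip the split-tunnel setting in a RAS phonebook entry
and verify the outcome from 'route print' output.

Assumptions (not from the original post): the key behind "Use default
gateway on remote network" is IpPrioritizeRemote (IpPrioritizeRemoteV6 for
IPv6); the entry name and sample texts below are constructed."""
import re
from typing import List, Optional, Tuple

# Constructed, cut-down phonebook with two entries, CRLF-terminated like a real .pbk.
SAMPLE_PBK = (
    "[UAG SSTP]\r\n"
    "Encoding=1\r\n"
    "Type=2\r\n"
    "IpPrioritizeRemote=1\r\n"
    "IpPrioritizeRemoteV6=1\r\n"
    "Device=WAN Miniport (SSTP)\r\n"
    "\r\n"
    "[Other Entry]\r\n"
    "IpPrioritizeRemote=1\r\n"
)

# Constructed 'route print' excerpts: 10.10.0.7 is the VPN-assigned address.
ROUTE_PRINT_FULL_TUNNEL = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     20
          0.0.0.0          0.0.0.0        10.10.0.7       10.10.0.7     11
         10.0.0.0        255.0.0.0         On-link        10.10.0.7     11
      192.168.1.0    255.255.255.0         On-link     192.168.1.23    276
===========================================================================
"""
ROUTE_PRINT_SPLIT_TUNNEL = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     20
         10.0.0.0        255.0.0.0         On-link        10.10.0.7     11
      192.168.1.0    255.255.255.0         On-link     192.168.1.23    276
"""


def set_pbk_key(text: str, entry: str, key: str, value: str) -> Tuple[str, bool]:
    """Set key=value inside section [entry], leaving every other line untouched.
    Preserves CRLF line endings. Returns (new_text, changed)."""
    nl = "\r\n" if "\r\n" in text else "\n"
    out: List[str] = []
    section: Optional[str] = None
    changed = False
    for line in text.splitlines():
        m = re.match(r"^\[(.*)\]\s*$", line)
        if m:
            section = m.group(1)
        elif section == entry:
            k, sep, v = line.partition("=")
            if sep and k.strip().lower() == key.lower() and v.strip() != value:
                line = f"{k.strip()}={value}"
                changed = True
        out.append(line)
    trailing = nl if text.endswith("\n") else ""
    return nl.join(out) + trailing, changed


def pbk_value(text: str, entry: str, key: str) -> Optional[str]:
    """Read key from section [entry]; None if absent."""
    section: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"^\[(.*)\]\s*$", line)
        if m:
            section = m.group(1)
        elif section == entry:
            k, sep, v = line.partition("=")
            if sep and k.strip().lower() == key.lower():
                return v.strip()
    return None


def disable_remote_default_gateway(text: str, entry: str) -> str:
    """Same effect as unchecking 'Use default gateway on remote network' for
    both IPv4 and IPv6 in the entry's advanced TCP/IP settings."""
    for key in ("IpPrioritizeRemote", "IpPrioritizeRemoteV6"):
        text, _ = set_pbk_key(text, entry, key, "0")
    return text


def default_routes(route_print: str) -> List[Tuple[str, str, int]]:
    """Return (gateway, interface, metric) for every 0.0.0.0/0 route."""
    routes = []
    for line in route_print.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "0.0.0.0" and f[1] == "0.0.0.0":
            routes.append((f[2], f[3], int(f[4])))
    return routes


def is_split_tunnel(route_print: str, vpn_address: str) -> bool:
    """True when no default route leaves through the VPN-assigned address."""
    return all(iface != vpn_address for _, iface, _ in default_routes(route_print))


if __name__ == "__main__":
    modified = disable_remote_default_gateway(SAMPLE_PBK, "UAG SSTP")
    print(modified.replace("\r\n", "\n"))
    print("full tunnel sample split?", is_split_tunnel(ROUTE_PRINT_FULL_TUNNEL, "10.10.0.7"))
    print("split tunnel sample split?", is_split_tunnel(ROUTE_PRINT_SPLIT_TUNNEL, "10.10.0.7"))
```

When applying this to a real file, open it with newline="" so the CRLF terminators survive the round trip, and run the routing check against the live route print output after the portal has brought the SSTP connection up.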
Hope this helps ;-)
Comments
Anonymous
January 01, 2003
Thanks Jason. I am not sure of the reasoning behind the non split tunnel decision.
Anonymous
January 26, 2011
Excellent post; so what is stopping the original version of the pbk file supplied with UAG from having the option disabled by default?
Anonymous
May 10, 2012
Hi Faisal, not sure if you are aware, but Ben Ari provides an alternative option for modifying the sstp.pbk 'on the fly' by using custom UAG code; the code and an explanation can be found in his UAG customisation book. Cheers, JJ
Anonymous
March 31, 2014
Is there any way that you can stop users from changing this?