Udostępnij za pośrednictwem


How To Enable SSTP (Secure Socket Tunneling Protocol) Split Tunneling with UAG 2010

UAG 2010 (UAG) supports two types of network level SSL VPN:

  • Network Connector
  • Secure Socket Tunneling Protocol (SSTP)

Network Connector is aimed at legacy clients and SSTP for Windows 7 clients.

Network Connector supports both split and non-split tunneling configurations while SSTP, when accessed through the UAG portal, supports only non-split tunneled connections.

This can be a problematic for firms that want to enable a split tunneled configuration to reduce the bandwidth drain that VPN clients can extract when split tunneling isn’t supported. And with current network security opinions moving away from disabling split tunneling as a security solution (see my articles on split tunneling for more information at https://blogs.technet.com/b/tomshinder/archive/2010/03/02/why-split-tunneling-is-not-a-security-issue-with-directaccess.aspx), it makes sense that admins would want to enable split tunneling for their UAG SSTP clients.

Faisal Hussain provides a solution on his blog and you can find it at:

https://blogs.technet.com/b/fsl/archive/2011/01/26/uag-sstp-split-tunnel.aspx

image

WARNING: This is an unsupported solution and has not been tested or validated by CSS.

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog :
https://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Facebook: https://www.facebook.com/tshinder

Comments

  • Anonymous
    January 01, 2003
    Hi Kai, I agree - if it were up to me, the split tunneling decision would be configurable in the UI :) If you publish the script, let me know, and I'll post a link to it on the blog - while it won't be supported, it still provides an option for those who want to do this. Thanks! Tom

  • Anonymous
    January 01, 2003
    Hi Kai, Thanks! I'm sure they will be excellent when you find the time. All the information we have on those files are in the public locations. :( Tom

  • Anonymous
    January 01, 2003
    Hello, Question on SSTP VPN through UAG using Windows 7 Clients. I trying to find out if i can  "Disable Local Network Access" when the VPN is connected. I know this can be done with Network Connect, but windows 7 clients use sstp from what I've read. Does anyone know if this can be done. Thanks, Antonio

  • Anonymous
    January 01, 2003
    Hi Kai, You know what's funny here? That we have all these people wanting split tunneling enabled for SSTP - but then we hear people want to force tunneling for DirectAccess - it's hard to figure this out! :) Thanks! Tom

  • Anonymous
    January 01, 2003
    Hi Kai! I'll take this feedback to the team and see what they can do. Thanks! Tom

  • Anonymous
    January 01, 2003
    I'll see if there's anyone in the PG who might know something about this. Thanks! Tom

  • Anonymous
    January 01, 2003
    wH00t! That's great!!! Thanks! Tom

  • Anonymous
    April 29, 2011
    Hi Tom, If u want become our hero in this case, then please aks your team mates if they could provide us a modified version of the "WhlClntProxy.cab" with "Splitt-Tunneling enabled" and "Class based route addition disabled". On this way we could control the routes by using DHCP options... TBH: I'm not asking for a CSS supported version of the file. Im just asking for a "Microsoft digital signed" version of the modified CAB file to streamline the deployment^^ Thanks! -Kai

  • Anonymous
    April 29, 2011
    Well, u can advise your mates by telling them these two SSTP.PBK values... IpPrioritizeRemote=0 (Splitt Tunnel enabled) DisableClassBasedDefaultRoute=1 (Class based route addition disabled) -Kai

  • Anonymous
    April 29, 2011
    The comment has been removed

  • Anonymous
    May 03, 2011
    Hi Tom, sure i can send you my scripts once they are finalized. But give me some time, since i'm somewhat busy right now and i dont want to make a run-of-the-mill solution... BTW: Do you have a good and comprehensive documentation on the SSLVPNTemplates.xml and wizardsdefault.ini files? I couldn't find useful informations regarding the containing advanced settings (e.g. flags, userrights, etc.). -Kai

  • Anonymous
    May 03, 2011
    Hi Tom, the public available content in almost non-existent. Even www.bing.com doenst show anything. This might be a good topic for future Edge Man blogs, dude! In the meanwhile i have to fuzzy out the correct results^^ -Kai

  • Anonymous
    May 05, 2011
    Hi Tom, i got the scripts and UAG customizations up and running. I will document them a lil tomorrow evening before sending to you. Be suprized, its a blast! :) -Kai

  • Anonymous
    July 28, 2011
    Hi Tom, Can you send me a copy of this script? It is possible to inject routes to client's routing table with this method? Once the SSTP is disconnected, is it possible to remove these route? I read some articles about using CMAK to customize the SSTP connectoid. Can this be intergrated with UAG portal? Thanks, kevin