Wednesday 11 September 2013

Creating a SSTP split tunnel in UAG

I like to provide remote access by publishing applications on UAG, but there are times when a full VPN tunnel gets around a number of issues, even though it may reduce your security posture.  I don't like to make changes to the security unless they are respected, or are being used by responsible people.  For most people the SSTP VPN tunnel feature in UAG would be adequate, but there are times when a user needs a split tunnel.

I was told that SSTP in UAG did not support split tunnels, but there seems to be a workaround, described in this blog post: http://blogs.technet.com/b/fsl/archive/2011/01/26/uag-sstp-split-tunnel.aspx

In trying this myself, I did the following:

I went to the following location: C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0 (the location of your files may differ depending on which UAG service pack level you are at).

Copy the 'sstp.pbk' file to the desktop, and rename the original file in its original location (I chose 'sstp.pbk_old').  Go back to the desktop and double-click the 'sstp.pbk' file you just copied.


You will be presented with the following box, where you need to select 'Properties':


Highlight 'Internet Protocol Version 4 (TCP/IPv4)', and then click on the 'Properties' button:


From this screen, you will need to select the 'Advanced' button:


From this box, uncheck the 'Use default gateway on remote network' option, and close all the boxes.


Take the modified 'sstp.pbk' file and copy it back to the original location.

To prove the difference it makes, I took a 'route print' with the original 'sstp.pbk' file, and a 'route print' with the modified 'sstp.pbk' file.
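The same change can be made without the dialogs, which is handy when the file has to be re-done after a service pack. The script below is an added example, not from the original post or from the UAG product: it backs up 'sstp.pbk' the way the steps above do, flips the phonebook key behind the 'Use default gateway on remote network' checkbox, and adds a small check for the 'route print' comparison. It assumes the file path from the post (adjust it for your service pack level) and that the checkbox maps to the standard RAS phonebook key IpPrioritizeRemote (1 = use the remote default gateway, 0 = split tunnel); that key name comes from the RAS phonebook format, not from this post. Writing into Program Files needs an elevated prompt.

```powershell
# Added example (not part of the original post or of UAG).
# Assumption: the 'Use default gateway on remote network' checkbox is stored in
# the RAS phonebook as IpPrioritizeRemote (1 = full tunnel, 0 = split tunnel).
param(
    [string]$PbkPath = 'C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\sstp.pbk',
    [switch]$SplitTunnel   # present = split tunnel; absent = restore full tunnel
)

function Set-SstpDefaultGateway {
    param([string]$Path, [bool]$UseRemoteGateway)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Phonebook not found: $Path"
    }

    # Keep an untouched copy, as the post does, so the full tunnel can be restored.
    $backup = $Path + '_old'
    if (-not (Test-Path -LiteralPath $backup)) {
        Copy-Item -LiteralPath $Path -Destination $backup
    }

    $desired = if ($UseRemoteGateway) { '1' } else { '0' }
    $changed = 0
    $out = foreach ($line in (Get-Content -LiteralPath $Path)) {
        if ($line -match '^\s*IpPrioritizeRemote\s*=') {
            $changed++
            "IpPrioritizeRemote=$desired"
        } else {
            $line
        }
    }

    if ($changed -eq 0) {
        throw "No IpPrioritizeRemote entry in $Path; the phonebook layout differs from what this script assumes."
    }

    # RAS phonebooks are plain text; write back without a Unicode BOM.
    Set-Content -LiteralPath $Path -Value $out -Encoding Ascii
    return $changed
}

# Parses 'route print -4' output and lists every IPv4 default route.
# With the full tunnel you should see a second 0.0.0.0 route via the VPN
# adapter's address; with the split tunnel only the LAN default route remains.
function Get-DefaultRoutes {
    param([string[]]$RoutePrintOutput = (route print -4))
    foreach ($line in $RoutePrintOutput) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq '0.0.0.0' -and $f[1] -eq '0.0.0.0') {
            [pscustomobject]@{ Gateway = $f[2]; Interface = $f[3]; Metric = $f[4] }
        }
    }
}

$n = Set-SstpDefaultGateway -Path $PbkPath -UseRemoteGateway:(-not $SplitTunnel)
Write-Host "Updated $n entry/entries in $PbkPath (split tunnel: $SplitTunnel)."
Write-Host "After the client connects, compare the default routes:"
Get-DefaultRoutes | Format-Table -AutoSize
```

Run it once with -SplitTunnel to reproduce the change made in the dialogs, and once without to put the full tunnel back; 'sstp.pbk_old' is only written the first time so the pristine file is never overwritten. Get-DefaultRoutes is the scripted form of the 'route print' comparison: on a client with the split tunnel there should be no 0.0.0.0 route via the VPN interface, which is exactly the condition that lets the client reach the internet directly while connected.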

I haven't tested this in anger, but it looks like it will solve the issue we are currently encountering.

Tuesday 10 September 2013

UAG ActiveX issues on IE10

I saw something today that I had not encountered before.  I had a user connecting to my UAG setup, and it seemed like the UAG client would install when running as administrator, but would not run.

After running a remote session, I spotted that there was an extra icon that I had not seen before on the IE10 address bar:

It turns out this is the ActiveX Filtering feature built into Internet Explorer.  With it enabled, the UAG components cannot execute, meaning only web applications will run.

This feature can be disabled by going to the cog icon, clicking on "Safety" and then unchecking "ActiveX Filtering".