Wednesday 11 September 2013

Creating a SSTP split tunnel in UAG

I like to provide remote access by publishing applications on UAG, but there are times when a full VPN tunnel gets around a number of issues, but may reduce your security posture.  I don't like to make changes to the security unless they are respected or being used by responsible people.  For most people using the SSTP VPN tunnel feature in UAG would be adequate, but there are times when a user needs a split tunnel.

I was told that SSTP in UAG did not support split tunnels, but there seems to be a workaround with this blog post: http://blogs.technet.com/b/fsl/archive/2011/01/26/uag-sstp-split-tunnel.aspx

In trying this myself, I did the following:

I went to the following location: C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0 (The location of your files may be different depending to what service pack level you are at with UAG). 

Copy the 'sstp.pbk' file to the desktop, and rename the original file in the original location (I chose 'sstp.pbk_old').  Go back to the desktop and double click on the 'sstp.pbk' file you just copied.


You will be presented with the following box, where you need to select 'Properties':


Highlight 'Internet Protocol Version 4 (TCP/IPv4)', and then click on the 'Properties' button:


From this screen, you will need to selected the 'Advanced' button:


From this box, uncheck the 'Use default gateway on remote network' option, and close all the boxes.


Take the modified 'sstp.pbk' file and copy it back to the original location.

To prove the difference it makes, I took a 'route print' using the original 'sstp.pbk' file, and a 'route print' of the modified 'sstp.pbk' file.

I haven't tested this in anger, but looks like it will solve the issue we currently encountering.

No comments:

Post a Comment