How To Enable SSTP (Secure Socket Tunneling Protocol) Split Tunneling with UAG 2010


UAG 2010 (UAG) supports two types of network-level SSL VPN:

  • Network Connector
  • Secure Socket Tunneling Protocol (SSTP)

Network Connector is aimed at legacy clients, SSTP at Windows 7 clients.

Network Connector supports both split and non-split tunneling configurations, while SSTP, when accessed through the UAG portal, supports only non-split-tunneled connections.

This can be problematic for firms that want a split-tunneled configuration to reduce the bandwidth drain that VPN clients cause when split tunneling isn't supported (all client traffic, Internet-bound included, is pulled through the VPN gateway). And with current network security opinion moving away from disabling split tunneling as a security measure (see my article on split tunneling at http://blogs.technet.com/b/tomshinder/archive/2010/03/02/why-split-tunneling-is-not-a-security-issue-with-directaccess.aspx), it makes sense that admins would want to enable split tunneling for their UAG SSTP clients.

Faisal Hussain provides a solution on his blog and you can find it at:

http://blogs.technet.com/b/fsl/archive/2011/01/26/uag-sstp-split-tunnel.aspx


WARNING:
This is an unsupported solution and has not been tested or validated by CSS.

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The โ€œEdge Manโ€ blog :
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
https://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder

Comments (14)

  1. Anonymous says:

    Hi Kai,

    I agree – if it were up to me, the split tunneling decision would be configurable in the UI 🙂

    If you publish the script, let me know, and I'll post a link to it on the blog – while it won't be supported, it still provides an option for those who want to do this.

    Thanks!

    Tom

  2. Anonymous says:

    Hi Kai,

    Thanks! I'm sure they will be excellent when you find the time.

    All the information we have on those files is in the public locations. 🙁

    Tom

  3. Anonymous says:

    Hello,

    Question on SSTP VPN through UAG using Windows 7 clients. I'm trying to find out if I can "Disable Local Network Access" when the VPN is connected.

    I know this can be done with Network Connector, but Windows 7 clients use SSTP from what I've read.

    Does anyone know if this can be done?

    Thanks,

    Antonio

  4. Anonymous says:

    Hi Kai,

    You know what's funny here?

    That we have all these people wanting split tunneling enabled for SSTP – but then we hear people want to force tunneling for DirectAccess – it's hard to figure this out! 🙂

    Thanks!

    Tom

  5. Anonymous says:

    Hi Kai!

    I'll take this feedback to the team and see what they can do.

    Thanks!

    Tom

  6. Anonymous says:

    I'll see if there's anyone in the PG who might know something about this.

    Thanks!

    Tom

  7. Anonymous says:

    wH00t! That's great!!!

    Thanks!

    Tom

  8. KaiWilke says:

    Hi Tom,

    If you want to become our hero in this case, then please ask your team mates if they could provide us a modified version of the "WhlClntProxy.cab" with "Split Tunneling enabled" and "Class based route addition disabled". This way we could control the routes by using DHCP options…

    TBH: I'm not asking for a CSS-supported version of the file. I'm just asking for a "Microsoft digitally signed" version of the modified CAB file to streamline the deployment^^

    Thanks!

    -Kai

  9. KaiWilke says:

    Well, you can advise your mates by telling them these two SSTP.PBK values…

    IpPrioritizeRemote=0 (Split Tunnel enabled)

    DisableClassBasedDefaultRoute=1 (Class based route addition disabled)

    -Kai

  10. KaiWilke says:

    Hi Tom,

    well, make Split Tunneling configurable in the UI and it will fit everybody's needs. 🙂 But the hack with the custom "WhlClntProxy.cab" file will help most of us without much effort from your team…

    BTW: In the meanwhile I'll give blogs.technet.com/…/some-client-side-magic-scripting.aspx a try and see if I can publish a custom VBScript which changes the needed values at the client side after the PBK gets deployed (but this should be considered a very ugly way!)^^

    -Kai
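
The client-side edit described in comments 9 and 10, as an added illustration that is neither Kai's script nor anything shipped by Microsoft: it rewrites the two SSTP.PBK keys named above inside one named connection section only, adding them if the deployed phonebook lacks them and leaving every other section, key and line ending untouched. The sample phonebook content and the connection name "UAG SSTP" are constructed assumptions; note that with DisableClassBasedDefaultRoute=1 the client no longer adds a route for the remote network itself, so routes to internal subnets have to come from elsewhere (DHCP options, as comment 8 suggests), which is the usual pitfall when testing this.

```python
import re
from typing import Dict, Optional

# Keys from the comment thread: IpPrioritizeRemote=0 enables split tunneling,
# DisableClassBasedDefaultRoute=1 drops the class-based route for the remote net.
SPLIT_TUNNEL_SETTINGS: Dict[str, str] = {
    "IpPrioritizeRemote": "0",
    "DisableClassBasedDefaultRoute": "1",
}

# Constructed sample of part of a deployed SSTP.PBK (connection name assumed).
SAMPLE_PBK = (
    "[UAG SSTP]\r\nEncoding=1\r\nType=2\r\n"
    "IpPrioritizeRemote=1\r\nDisableClassBasedDefaultRoute=0\r\n\r\n"
    "[Other VPN]\r\nIpPrioritizeRemote=1\r\n"
)


def set_pbk_values(pbk_text: str, connection: str,
                   settings: Optional[Dict[str, str]] = None) -> str:
    """Apply settings inside [connection] only; rewrite existing keys in place,
    append missing ones, keep other sections, key order and line endings."""
    pending = dict(SPLIT_TUNNEL_SETTINGS if settings is None else settings)
    newline = "\r\n" if "\r\n" in pbk_text else "\n"
    out, in_target, found = [], False, False

    def flush() -> None:
        # Add keys the section lacked, before any trailing blank lines.
        tail = []
        while out and not out[-1].strip():
            tail.append(out.pop())
        out.extend(f"{k}={v}" for k, v in pending.items())
        out.extend(tail)
        pending.clear()

    for line in pbk_text.split(newline):
        header = re.match(r"^\[(.*)\]\s*$", line)
        if header:
            if in_target:
                flush()  # close the previous section first
            in_target = header.group(1) == connection
            found = found or in_target
        elif in_target:
            kv = re.match(r"^([^=\s]+)=(.*)$", line)
            if kv and kv.group(1) in pending:
                line = f"{kv.group(1)}={pending.pop(kv.group(1))}"
        out.append(line)
    if in_target:
        flush()
    if not found:
        raise ValueError(f"no [{connection}] section in phonebook")
    return newline.join(out)
```

Running it twice yields the same text, so it is safe to apply on every connect (for example from a logon or rasdial wrapper script); a phonebook without the named section raises rather than silently changing nothing.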

  11. KaiWilke says:

    Hi Tom,

    Sure, I can send you my scripts once they are finalized. But give me some time, since I'm somewhat busy right now and I don't want to make a run-of-the-mill solution…

    BTW: Do you have good and comprehensive documentation on the SSLVPNTemplates.xml and wizardsdefault.ini files? I couldn't find useful information regarding the advanced settings they contain (e.g. flags, user rights, etc.).

    -Kai

  12. KaiWilke says:

    Hi Tom,

    The publicly available content is almost non-existent. Even http://www.bing.com doesn't show anything. This might be a good topic for future Edge Man blogs, dude!

    In the meanwhile I have to fuzzy out the correct results^^

    -Kai

  13. KaiWilke says:

    Hi Tom,

    I got the scripts and UAG customizations up and running. I will document them a little tomorrow evening before sending them to you.

    Be surprised, it's a blast! 🙂

    -Kai

  14. kevinPJ says:

    Hi Tom,

    Can you send me a copy of this script? Is it possible to inject routes into the client's routing table with this method? Once the SSTP is disconnected, is it possible to remove these routes? I read some articles about using CMAK to customize the SSTP connectoid. Can this be integrated with the UAG portal?

    Thanks,

    kevin
