Publishing remote network access with Network Connector

Updated: February 15, 2013

Applies To: Unified Access Gateway

Some of the Forefront Unified Access Gateway 2010 SP3 features discussed in this article may be deprecated and may be removed in subsequent releases. For a complete list of deprecated features, see Features Deprecated in Forefront UAG SP3.

Using Forefront Unified Access Gateway (UAG), you provide remote client VPN access to the internal corporate network by publishing the SSL Network Tunneling application. Before publishing the SSL Network Tunneling Application, you must set up the VPN client network using either Secure Sockets Tunneling Protocol (SSTP), or the legacy proprietary Forefront UAG Network Connector.

This topic describes the steps required to configure remote client access with Network Connector, as follows:

  1. Configuring network adapter settings: Configure the adapter that the Network Connector server should use.

  2. Modifying the default listener: By default, Network Connector listens for remote VPN client requests on TCP port 6003. You can modify the default listener (protocol and port combination), if required.

  3. Assigning IP addresses to VPN clients: Assign IP addresses to remote VPN clients from a static address pool. DHCP address allocation is not supported.

  4. Adding a Forefront TMG access rule: Configure a Forefront TMG access rule so that the assigned IP addresses are allowed through the firewall.

  5. Configuring Internet access: Define how VPN clients connected to the corporate network access the Internet. You can route Internet requests through the client's original Internet connection, or through the corporate network gateway. Alternatively, you can specify that VPN clients cannot access the Internet.

  6. Adding additional networks: You can define up to 200 additional network destinations that are available to VPN clients connecting with Network Connector. This is useful if your corporate network has multiple subnets and you want to allow VPN client access to additional subnets.

  7. Logging extended Network Connector traffic: By default, IP addresses allocated to VPN clients connecting to Forefront UAG Network Connector are logged. Logged information includes the user name and domain (in the format DOMAIN\username), and the IP address allocated from the pool. If required, you can enable extended logging for Network Connector traffic. Extended logging should be enabled only while troubleshooting, because it creates large dump files that accumulate over time. These files are not deleted automatically and may reduce server performance. Note that dump files can be written, read, and deleted while there are active sessions to the Network Connector application.

Configuring network adapter settings

To configure network adapter settings for the Network Connector server

  1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.

  2. On the SSL Network Tunneling Server dialog box, on the Network Segment tab, in the Complementary Data area, you can specify alternative network settings. Select Only if Network Configuration is Missing to specify that the remote VPN client uses the settings specified in the Network Connection area, and falls back to the Complementary Data settings only for items that have no value configured in Network Connection.

  3. In the Complementary Data area, select Always, Overriding Existing Network Configuration of This Server to specify that the data in Complementary Data is always used, regardless of the configuration of the selected connection. This setting is useful if you want connecting clients to use a different Domain Name System (DNS) server, Windows Internet Name Service (WINS) server, or default gateway. Fields that are left empty are ignored.

  4. At the bottom left corner of the SSL Network Tunneling Server dialog box, select the Activate SSL Network Tunneling check box. Clearing this check box disables an active Network Connector.

  5. After you have completed the configuration of the server, click OK on the SSL Network Tunneling Server dialog box to activate the Network Connector.

  6. In the Forefront UAG Management console, click the Activate configuration icon to save and activate the configuration, and then on the Activate Configuration dialog box, click Activate. The configuration settings you have defined are applied to the Network Connector server. The Microsoft Forefront UAG SSL Network Tunneling Client, and the Microsoft Forefront UAG SSL Network Tunneling Server services are started, and set to automatic startup mode.

Note

A dedicated network icon in the Windows notification area indicates to endpoints that the Network Connector Server service has started.

Leaving one or more of the fields in the Network Connection and Complementary Data areas empty might result in a limited client session. For example, if no DNS server is defined, no DNS services will be available to remote VPN users connecting with Network Connector.

It is recommended that you do not modify the name of the network adapter associated with the Network Connector. If you do change the name, and the adapter is disabled and then enabled, the Network Connector server may not start as expected.

Modifying the default listener

To modify the default listener

  1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.

  2. On the SSL Network Tunneling Server dialog box, click the Advanced tab.

  3. In the Listener area, in the Type list, select the protocol, and then in the Port box, specify the port.

Assigning IP addresses to VPN clients

To assign IP addresses to VPN clients

  1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.

  2. On the SSL Network Tunneling Server dialog box, click the IP Provisioning tab.

  3. In the Pool Type area, do one of the following:

    • Click Corporate IP Addresses to specify that IP addresses belonging to the IP address range configured on the Network Segment tab should be assigned to remote VPN clients. Ensure that you exclude the specified range from your internal Dynamic Host Configuration Protocol (DHCP) server. Forefront UAG cannot use a DHCP server to assign IP addresses to remote VPN clients.

    • Click Private IP Addresses to specify that IP addresses that do not belong to the IP address ranges specified on the Network Segment tab should be assigned to remote VPN clients. For example, if the corporate segment is configured as 192.168.0.0/255.255.248.0, an example of a "corporate pool" would be 192.168.6.2-192.168.6.200, and an example of a "private pool" would be 10.16.16.2-10.16.16.200.

  4. In the Address Pool area, define IP address ranges that can be assigned to remote clients. You can enter up to 10 ranges of IP addresses. All the defined addresses must use the same subnet mask. Do not define IP addresses that are configured on the internal network adapter, or a private IP address range. The subnet for the IP ranges you defined is displayed in Pool Subnet.

  5. At the bottom left corner of the SSL Network Tunneling Server dialog box, select the Activate SSL Network Tunneling check box. Clearing this check box disables an active Network Connector.

  6. After you have completed the configuration of the server, on the SSL Network Tunneling Server dialog box, click OK to activate Network Connector.

  7. In the Forefront UAG Management console, click the Activate configuration icon to save and activate the configuration, and then on the Activate Configuration dialog box, click Activate. The configuration settings you have defined are applied to the Network Connector server. The Network Connector Windows service (Network Connector Server) is started and is set to automatic startup mode.

Adding a Forefront TMG access rule

To add a Forefront TMG access rule

  1. In the Forefront TMG Management console, click to expand Forefront TMG (server_name).

  2. In the tree, click the Firewall Policy node.

  3. On the Tasks tab, click Create Access Rule.

  4. On the Welcome page of the New Access Rule Wizard, type a name for the rule, and then click Next.

  5. On the Rule Action page, select Allow.

  6. On the Protocols page, in the This rule applies to list, select All Outbound Traffic.

  7. On the Malware Inspection page, select Do not enable malware inspection for this rule.

  8. On the Access Rule Sources page, click Add.

  9. On the Add Network Entities dialog box, click the New menu, and then click Address Range.

  10. On the New Address Range Rule Element dialog box, specify the Start Address and End Address of the IP address pool. Then click OK.

  11. On the Add Network Entities dialog box, click Close. In the Access Rule Sources page, click Next.

  12. On the Access Rule Destinations page, click Add.

  13. On the Add Network Entities dialog box, click the New Menu, and then click to expand Network. Select Internal, and then click Add. Click Close to close the Add Network Entities dialog box.

  14. On the Access Rule Destinations page, click Next.

  15. On the User Sets page, leave the default settings to allow access to all users. Alternatively, click Add to limit access to the VPN client user group only. Then click Next.

  16. On the final page of the wizard, click Finish.

Note

Forefront UAG assigns the first IP address from the defined pool to the SSL Network Tunneling server.

Ensure that the defined IP address pool is sufficient for your needs and contains enough IP addresses for remote VPN clients. Note that IP addresses that end with zero or 255 are not used for IP assignment. The last address in each mathematical subnet is allocated for system use. For example, if a pool consists of the addresses 192.168.0.0-192.168.0.15, the addresses 192.168.0.0, 192.168.0.1 and 192.168.0.15 will be unavailable for use. If a pool consists of the IP addresses 192.168.0.1-192.168.0.10, the addresses 192.168.0.1, 192.168.0.7 and 192.168.0.9 will be unavailable, leaving 7 IP addresses available for client use.

If you selected Private IP addresses, configure the corporate gateway to route the private pool's subnet from the gateway's internal network adapter to the IP address of the Network Connector server. In addition, if your corporate firewall filters traffic on its internal interface, you should configure the firewall to allow bidirectional traffic between the private pool subnet and the corporate subnet defined in the Network Segment tab. To enable access to the wide area network (WAN) or Internet, configure the firewall to allow bidirectional traffic between the private pool subnet and the WAN, and define the private pool permissions. In addition, if you are using Network Address Translation (NAT) to enable access to the WAN or Internet, define the subnet of the private pool as an additional internal interface.

If the IP address pool is a corporate pool, make sure you exclude the IP address range you define here from your organization's DHCP server, to avoid IP address conflict with Network Connector clients. IP address conflicts between corporate computers and endpoint computers will result in idle sessions, in which remote clients launch the Network Connector application with no errors, but have no access to the Network Connector server, or to the resources that should be enabled via the server.

If the IP address pool consists of private addresses, and the Internet access level defined in the Access Control tab is set to Split Tunneling or No Internet Access, to enable access to the corporate network, you must add the corporate network as an additional network. If you do not add the corporate network, remote clients are granted access only to other clients and cannot access the corporate network. For instructions about defining additional networks, see To add additional networks.

When a domain client logs in using an IP address allocated from the pool, an A record for the address is created on the internal network DNS server. A new address may be allocated each time the client connects, which may result in clients having multiple A records on the DNS server.
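The reservation rules and the DHCP exclusion described in the note above, as an added PowerShell example that is not part of the Forefront UAG documentation. The script audits a proposed pool by applying the rules as stated (addresses ending in 0 or 255 are skipped, the last address of the pool's subnet is reserved, and the first remaining address goes to the SSL Network Tunneling server), then excludes the pool from a Windows DHCP scope. The pool 192.168.6.2-192.168.6.200 and mask 255.255.248.0 are the "corporate pool" values from this page; the DHCP scope ID 192.168.0.0 is a placeholder you must replace with your own scope. The count it reports is an upper bound: for the page's first example (192.168.0.0-192.168.0.15 with a 255.255.255.240 mask) it reserves exactly the three addresses listed, but UAG's own allocator may reserve further addresses, as the page's second example shows, so treat the server's allocation as authoritative.

```powershell
# Added example, not code from the Forefront UAG documentation: audit a
# proposed Network Connector address pool against the reservation rules
# stated on this page, then exclude the pool from a Windows DHCP scope so
# corporate clients cannot collide with VPN clients.
# Assumed values: the "corporate pool" 192.168.6.2-192.168.6.200 with the
# segment mask 255.255.248.0 from this page, and a placeholder DHCP scope ID
# of 192.168.0.0 that you must replace with your own.

function ConvertTo-IPv4Int ([string]$Address) {
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IPv4Int ([int64]$Value) {
    $bytes = [BitConverter]::GetBytes([uint32]$Value)
    [Array]::Reverse($bytes)
    return (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function Test-NetworkConnectorPool {
    param(
        [Parameter(Mandatory = $true)][string]$StartAddress,
        [Parameter(Mandatory = $true)][string]$EndAddress,
        [Parameter(Mandatory = $true)][string]$SubnetMask
    )
    $start = ConvertTo-IPv4Int $StartAddress
    $end   = ConvertTo-IPv4Int $EndAddress
    $mask  = ConvertTo-IPv4Int $SubnetMask
    if ($start -gt $end) { throw "Start address $StartAddress is after end address $EndAddress." }

    # Use a 64-bit all-ones value: a bare 0xFFFFFFFF literal is parsed as Int32 -1.
    $allOnes   = [int64]4294967295
    $network   = $start -band $mask
    $broadcast = $network -bor ($mask -bxor $allOnes)
    # All addresses in a pool must share one subnet mask, so the range may not
    # straddle a subnet boundary.
    if (($end -band $mask) -ne $network) {
        throw "Pool $StartAddress-$EndAddress crosses the subnet boundary of mask $SubnetMask."
    }

    $reserved       = New-Object System.Collections.Generic.List[string]
    $serverAssigned = $false
    $usable         = 0
    for ($addr = $start; $addr -le $end; $addr++) {
        $lastOctet = $addr -band 0xFF
        $reason    = $null
        if ($lastOctet -eq 0 -or $lastOctet -eq 255) { $reason = 'last octet is 0 or 255' }
        elseif ($addr -eq $broadcast)                 { $reason = 'last address of the subnet' }
        elseif (-not $serverAssigned) {
            # Forefront UAG gives the first usable pool address to the server itself.
            $reason = 'assigned to the SSL Network Tunneling server'
            $serverAssigned = $true
        }
        if ($reason) { $reserved.Add("$(ConvertFrom-IPv4Int $addr) ($reason)") } else { $usable++ }
    }

    New-Object PSObject -Property @{
        Pool       = "$StartAddress-$EndAddress"
        PoolSubnet = "$(ConvertFrom-IPv4Int $network) mask $SubnetMask"
        Reserved   = $reserved.ToArray()
        UsableMax  = $usable
    }
}

$report = Test-NetworkConnectorPool -StartAddress 192.168.6.2 -EndAddress 192.168.6.200 -SubnetMask 255.255.248.0
$report | Format-List Pool, PoolSubnet, UsableMax, Reserved

# On the DHCP server (DhcpServer module, Windows Server 2012 or later), keep the
# pool out of the scope that serves the corporate segment. Scope ID is a placeholder.
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.0.0 -StartRange 192.168.6.2 -EndRange 192.168.6.200
```

Run the audit before committing the pool in the IP Provisioning tab, and run the exclusion on the DHCP server that serves the corporate segment; the Add-DhcpServerv4ExclusionRange cmdlet is only available where the DhcpServer module is installed. For a private pool, the exclusion is unnecessary, but the route the note asks for still has to exist on the corporate gateway; on a Windows gateway that is a persistent route for the pool subnet pointing at the Network Connector server's IP address (route -p add).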

Configuring Internet access

To configure Internet access

  1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.

  2. On the SSL Network Tunneling Server dialog box, click the Access Control tab.

  3. In the Internet Access area, select one of the following:

    • Click Split Tunneling (Route Internet Traffic Through Original Client Connection) to specify that remote VPN clients should access the Internet through the Internet connection configured on the client endpoint.

    • Click Non-Split Tunneling (Route Internet Traffic Through the Corporate Gateway) to specify that remote VPN clients should access the Internet through the corporate Internet gateway. Select the Disable Local Area Network Access check box to specify that client endpoints connected to Network Connector cannot access the local network on the client endpoint (for example, a home network). Note that when you select non-split tunneling, the settings on the Additional Networks tab do not apply, because all network traffic passes through the Network Connector tunnel. In this mode, if the client endpoint session ends unexpectedly, users are prompted to re-enable their Internet connection.

    • Click No Internet Access to specify that remote VPN clients cannot access the Internet. In this mode, client endpoints can only access networks defined on the Network Segment and Additional Networks tabs. Select the Disable Local Area Network Access check box to specify that client endpoints connected to Network Connector cannot access the local network on the client endpoint (for example, a home network).

  4. In the IP Spoofing Policy area, select the Disable Spoofed Traffic check box to specify that the Network Connector server should check and validate the source IP address of each packet arriving at the server, and tunnel traffic only from connected Network Connector clients. Clear this setting to specify that other types of traffic should also be tunneled.

  5. In the Protocol Blockers area, select any protocols that should be blocked. When a setting is enabled, all traffic using the protocol is blocked.

Adding additional networks

To add additional networks

  1. In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.

  2. On the SSL Network Tunneling Server dialog box, click the Additional Networks tab.

  3. Select the Enable Access to the Following Additional Networks check box, and then click Add.

  4. In the Add Network dialog box, specify the IP addresses and mask for the network. Ensure that the IP address and mask are valid and do not overlap with other defined networks.

  5. Specify how IP address conflicts should be handled by selecting one of the following:

    • Select Fail to specify that, if there is a conflict, the connection attempt fails and the remote VPN client is not connected to Network Connector.

    • Select Prompt to specify that the client endpoint can choose whether to fail the attempted connection, or to skip the conflicting network and connect to the other networks using Network Connector.

    • Select Skip to specify that the conflicting network is skipped and the client endpoint connects to the other, non-conflicting networks using Network Connector.

  6. Repeat the steps for each additional network you want to define.

Note

Settings on the Additional Networks tab are not used if the Internet access level defined on the Access Control tab is set to Non-Split Tunneling. In this mode, all network traffic is tunneled over the Network Connector VPN connection.

When the Internet access levels defined on the Access Control tab are set to Split Tunneling or No Internet Access, the corporate network must be defined as an additional network. Otherwise, remote VPN clients can access only VPN clients and not the corporate network.

Logging extended Network Connector traffic

To log extended Network Connector traffic

  1. On the computer on which the Network Connector server is installed, access the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\RemoteAccess

  2. Create the following new registry key: NetworkConnector.

  3. Under the key you created in step 2, create a DWORD value named log\sniff. Do one of the following:

    • To enable logging of low-level network traffic to and from remote clients, set the DWORD value to 1.

    • To enable logging of tunneled network traffic to and from remote clients, set the value to 2.

    • To enable logging of both low-level and tunneled network traffic to and from remote clients, set the value to 3.

  4. When you have finished troubleshooting, to disable logging, set the log\sniff value to 0.

  5. After configuring the registry, on the Advanced tab of the SSL Network Tunneling Server dialog box, do the following:

    1. In the Log Level box, specify the level of log detail required for Network Connector traffic. You can specify a level from 1 to 5, where 5 is the most detailed. It is recommended that you log Network Connector traffic only while troubleshooting, and then set the value to 0 to disable logging when troubleshooting is complete.

    2. In Log Path, specify one of the following locations:

      • To specify that the log file is created in the same folder in which the server executable resides, select Server Executable Path. Usually this is in the following location:

        \Microsoft Forefront Unified Access Gateway\common\big\whlios.log

      • To specify a custom location, select Alternative Path, and then type the folder path.

Note

The dump files are written in TCPDUMP format.

The low-level and tunneled traffic dumps consist of similar information but are not necessarily the same, because not all low-level traffic is tunneled and vice versa.

The log\sniff registry value is polled by the server executable while running, so it may be updated while the Network Connector is in session.

The dump files are created in the same location in which the log files are created, with the following file names:

  • Low-level network traffic: <log_file_name>.lowlevel.dmp

  • Tunneled network traffic: <log_file_name>.tunneldmp
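The registry procedure above and the dump-file housekeeping the note calls for, as an added PowerShell example that is not part of the Forefront UAG documentation. The script writes the log\sniff DWORD under the NetworkConnector key named on this page, reads it back to confirm the change, and lists the .lowlevel.dmp and .tunneldmp files that have accumulated so they can be removed once troubleshooting is over. It assumes an elevated PowerShell session on the Network Connector server and that the log files are in the default server executable path under Program Files; the function names and the $LogFolder default are this example's own, so pass -LogFolder if you selected Alternative Path.

```powershell
# Added example, not code from the Forefront UAG documentation: switch the
# extended traffic dump on and off through the log\sniff registry value, and
# list the dump files left behind so they can be removed after troubleshooting.
# Run in an elevated PowerShell session on the Network Connector server.
# Assumed: logs live in the default server executable path under Program Files.

$RegistryPath = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\RemoteAccess\NetworkConnector'
$ValueName    = 'log\sniff'   # the backslash is part of the value name, not a subkey

function Set-NetworkConnectorSniff {
    param(
        # 0 = off, 1 = low-level traffic, 2 = tunneled traffic, 3 = both
        [Parameter(Mandatory = $true)][ValidateSet(0, 1, 2, 3)][int]$Level
    )
    if (-not (Test-Path -LiteralPath $RegistryPath)) {
        New-Item -Path $RegistryPath -Force | Out-Null
    }
    # The server polls this value while it runs, so no restart is needed and
    # the change takes effect during active client sessions.
    New-ItemProperty -LiteralPath $RegistryPath -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
    # Return the value actually stored so the caller can confirm the change.
    return (Get-ItemProperty -LiteralPath $RegistryPath).$ValueName
}

function Get-NetworkConnectorDumpFile {
    param(
        [string]$LogFolder = "$env:ProgramFiles\Microsoft Forefront Unified Access Gateway\common\big"
    )
    if (-not (Test-Path -LiteralPath $LogFolder)) {
        Write-Warning "Log folder $LogFolder not found; check Log Path on the Advanced tab."
        return
    }
    # Dump names follow the log file name: <log_file_name>.lowlevel.dmp and <log_file_name>.tunneldmp
    Get-ChildItem -LiteralPath $LogFolder -File |
        Where-Object { $_.Name -like '*.lowlevel.dmp' -or $_.Name -like '*.tunneldmp' } |
        Select-Object Name, @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime
}

# Capture both low-level and tunneled traffic while reproducing the problem...
Set-NetworkConnectorSniff -Level 3
# ...then stop the capture and review what accumulated before deleting it.
Set-NetworkConnectorSniff -Level 0
Get-NetworkConnectorDumpFile | Format-Table -AutoSize
```

Because the dump files grow for as long as the value stays non-zero and are never cleaned up by the server, make setting the value back to 0 part of the same troubleshooting session, and delete the listed files afterwards; the note above confirms this is safe even while client sessions are active. Remember that the Log Level box on the Advanced tab is a separate setting and also needs to be set back to 0 when you are done.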