Forefront TMG Beta 3 – Quick View: Finally SSL VPN is here

Yep, the future version of ISA, TMG, will provide SSL VPN through SSTP(using RRAS).
SSL VPN was a highly missed feature from ISA Server 2004/2006.

TMG, through SSTP offers full VPN access, and not just a browser-based VPN(sometimes labeled as clienteles SSL VPN, although in order to provide “full network access”, this clientless approach will require a “program” to be loaded on client computer). Currently you can use the built-in SSTP VPN clients from Windows Vista and Windows 7 RC to connect to the TMG Beta 3 SSTP VPN server.
As with ISA Server 2004/2006 and PPTP and L2TP/IPsec VPN connections, you can use the same granular access rules to provide per user/group access to resources for SSTP remote access VPN connections on TMG Beta 3(even for clients using EAP-based user authentication methods).
And now TMG comes with NAP support, so you can check the health status of the SSTP|L2TP/IPsec|PPTP VPN clients.
Also the IPS inspects the VPN clients’ traffic(see bellow for details).

So it seems that TMG will provide a more robust remote VPN access solution than its predecessor ISA Server.

 

Let’s take a quick look at the SSTP VPN on TMG Beta 3:

conf1

If you are familiar with Windows Server 2008’s RRAS and SSTP, you will be pleasantly surprised by the ingenious solution used on TMG Beta 3 to specify the IP address and the certificate used by the SSTP VPN server: configuring a web listener(in a simplified form):

conf2

Let’s see a little bit this web listener:
wiz1

Specify the IP address on which TMG will listen for incoming SSTP VPN connections:
wiz2
wiz3
wiz4

Specify the certificate to be used for SSTP:
wiz5
wiz6

And that’s it:
wiz7

You can spot the created web listener if you head over to the Firewall Policy node, Toolbox panel, Network Objects/Web Listeners(but perhaps you should not try to modify it from there):

list1
list2
list3
list4

 

As already said, you can use NAP with SSTP, if you want.

Full access when the VPN client passes the health checks:

nap1
 nap2
vpncon1

Restricted access due to non-compliance:

nap3
vpncon3
vpncon2

 

IPS in action, a VPN client tries to compromise a file sharing server behind the TMG Beta 3 VPN server by attempting to exploit a vulnerability:

nis1
nis2

Comments (2) -

  • John Kerr

    6/1/2010 6:24:10 AM |

    Hi Adrian,

    When you say "although in order to provide “full network access”, this clientless approach will require a “program” to be loaded on client computer".
    What program is this?

    For instance i have a need where 3G Ip cameras connect to a hosted server using VPN. Will TMG do this?

    • adimcev

      6/1/2010 10:39:26 PM |

      Hello John,

      If you are using TMG and SSTP, then you will need a SSTP VPN client. Windows Vista and Windows 7 include by default a SSTP VPN client.

      Clientless VPNs use browser-delivered Java or ActiveX clients for certain applications or full network connectivity, usually the SSL VPN server provides Web-based proxies for HTTP, HTTPS, or FTP(where the web browser itself is the client).

      Thanks,
      Adrian

Comments are closed