Nightmare on VPN street with TMG and SSTP Part 1 of 4

The day started out like any other: I was working remotely and needed to get some files from my house.  I had set up a TMG 2010 server as my internet gateway and front-end firewall approximately 2 years ago.  It was a build and swing from ISA 2006.  The ISA 2006 server allowed L2TP VPN.

The only issue I had was that many companies block that outbound, so I couldn't VPN into my home network.  Never fear, TMG 2010 is (was) here and it offered SSTP capability.  Whoo hoo!

I set TMG 2010 up, configured it using my internal Microsoft CA, and was off to the races.  The only glitch I ran into was something called the NoCertRevocationCheck issue on the client: that registry value tells the SSTP client to skip the revocation check on the server certificate, and enabling it allowed everything to work.  Here's the Microsoft link with the key name.

Fast forward to now.  My 2-year internal certificate had expired and my VPN client could no longer log in using SSTP.  This is where the 'fun' starts.

I’ll start off by giving credit to the blogs/posts/webpages that helped me figure out how to fix this issue:

  1. Thanks to Amit Kumar, a software design engineer at Microsoft.  This article was instrumental in getting me on the right track:
  2. Microsoft article "How to restrict SSTP connections to a specific IP address in Windows Server 2008"
    1. This article was the last piece of the puzzle I needed.
  3. Microsoft article "How an IIS Web server and a Secure Socket Tunneling Protocol (SSTP)-based Routing and Remote Access server can co-exist on a Windows Server 2008-based server"
    1. Although IIS had nothing to do with my issue, there were pieces of information here that helped me work through various scenarios of how SSL works on a VPN connection.
  4. Brian Reid had a nice post on the process that was tangentially related to my issue:
    1. configuring-sstp-vpn-on-small-business

This blog's process and resolution will be broken out into the following posts:

Post 1:  This one, the lead-up to the issue and credits.

Post 2:  Some background and the generation of the new certificate from the TMG 2010 server to the internal Microsoft CA.

Post 3:  The configuration of TMG: the removal of the old cert and registry entries, and the addition of the new certificate.

Post 4:  Using the client to determine the SHA256 value, since this isn't "visible" within the certificate itself, followed by the subsequent TMG configuration and the testing.

Please see part two to continue.

This entry was posted in Computers and Internet.
