I have recently had the opportunity to work with SSTP VPN inside of Microsoft’s Unified Access Gateway and it has been quite a learning experience to say the least.

I ran into one issue in particular that I want to cover today, where RPC packets were being blocked on all of the client PCs coming in over the SSTP VPN (Secure Socket Tunneling Protocol Virtual Private Network).

In the end I had to turn to our go-to folks for all things UAG and TMG to figure this one out.  Therefore I would like to give a quick shout out to Inderjeet Singh and Ashutosh Patel who work for a company called nAppliance.  Inderjeet has helped me countless times in the past and in this instance he put me in contact with Mr. Patel who happens to be an expert at TMG related stuff.  My thanks again to the both of you gentlemen.

With RPC packets being dropped by the TMG portion of UAG, it is not possible to renew SSL computer certificates.  You will be able to see that the certificate server has an SSL certificate template that it can use to create a machine-based SSL certificate, but it will not finish the certificate creation or renewal process.  Those of you running both DirectAccess and UAG can probably understand how not having a machine certificate can be a bit of a problem.

So for all of you out there grappling with this same issue, below is how to enable all RPC packets over UAG SSTP VPN connections.

This will need to be done every time a new UAG configuration change is activated.  You might be able to create a custom user-generated firewall rule in TMG that will do this and not be overwritten every time you perform an activation, but Microsoft does not recommend making any changes to TMG since UAG runs on top of it, and that may not be supported.

1. Close all of the UAG windows.

2. Open TMG via Start > All Programs > Forefront TMG Management.

3. On the left-hand side of the screen you will see “Firewall Policy”.  Left-click it.

4. The firewall policy that you must edit is configured automatically by UAG and will be listed further down the list.  The name of the policy is “Publishing Rule::IpVPNAccessRule”.

5. Right-click the rule and left-click “Configure RPC Protocol policy”.  Then UNCHECK the “Enforce strict RPC Compliance” box.  Click Apply, click OK, and then click the “Apply” button that pops up above the section where the firewall policies are listed.  It will take a few minutes for the firewall policies to sync up on both servers, but afterwards your client PCs should be able to renew their computer SSL certificates.
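Once the rule change has synced, the outcome you actually care about is that a VPN client can pull a renewed computer certificate. The PowerShell script below is an added example, not part of the original post and not UAG or TMG code, meant to be run (elevated) on a client PC over the SSTP connection: it finds the current computer certificate issued from the SSL template, checks that the CA's RPC endpoint mapper port is reachable through the tunnel, triggers autoenrollment with certutil -pulse, and reports whether a newer certificate appeared. The CA host name ca01.corp.example, the template name MachineSSL and the renewal-window figure are placeholders you would replace with your own values.

```powershell
# Added example (not from the post): verify from an SSTP VPN client that the
# computer certificate can be renewed after the TMG RPC policy change.
param(
    [string]$CAHost         = 'ca01.corp.example',  # placeholder: your issuing CA
    [string]$TemplateName   = 'MachineSSL',         # placeholder: the SSL computer template
    [int]$RenewWithinDays   = 30                    # placeholder: approximates the template's renewal period
)

# The issuing template is recorded in the "Certificate Template Information"
# extension (v2 templates, OID 1.3.6.1.4.1.311.21.7) or the older "Certificate
# Template Name" extension (v1 templates, OID 1.3.6.1.4.1.311.20.2).
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.21.7' {
                # Formatted text looks like "Template=MachineSSL(1.3.6.1.4.1.311.21.8....), Major Version Number=..."
                $text = $ext.Format($false)
                if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            }
            '1.3.6.1.4.1.311.20.2' {
                return $ext.Format($false).Trim()
            }
        }
    }
    return $null
}

# Newest certificate in the machine store that came from the given template.
function Get-MachineCert {
    param([string]$Template)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { (Get-CertTemplateName -Cert $_) -eq $Template } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

# Plain TCP reachability of the RPC endpoint mapper (port 135) on the CA.
# This only shows the port is open through the tunnel; TMG's RPC filter drops
# traffic based on the RPC payload, so the real proof is a completed renewal.
function Test-RpcEndpointMapper {
    param([string]$HostName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 135, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$before = Get-MachineCert -Template $TemplateName
if ($before) {
    Write-Host ("Current cert {0} expires {1}" -f $before.Thumbprint, $before.NotAfter)
} else {
    Write-Host "No certificate from template '$TemplateName' found in LocalMachine\My"
}

if (-not (Test-RpcEndpointMapper -HostName $CAHost)) {
    Write-Warning "TCP 135 on $CAHost is not reachable over the VPN; renewal cannot even start"
    return
}

# Fire the autoenrollment event, the same thing the scheduled task does at logon/refresh.
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 20

$after = Get-MachineCert -Template $TemplateName
if ($after -and (-not $before -or $after.NotAfter -gt $before.NotAfter)) {
    Write-Host ("Renewed: new cert {0} expires {1}" -f $after.Thumbprint, $after.NotAfter)
} elseif ($before -and $before.NotAfter -gt (Get-Date).AddDays($RenewWithinDays)) {
    Write-Host "Existing cert is not yet inside the renewal window, so autoenrollment will not renew it"
} else {
    Write-Warning "Renewal did not complete; check the TMG log for dropped RPC traffic on the SSTP VPN rule"
}
```

The useful signal is the combination: if port 135 answers but no new certificate shows up and the existing one is inside its renewal window, the tunnel is fine and the drop is happening at the RPC layer, which is exactly the strict-compliance behaviour this post is about. Re-run it after each UAG activation, since the rule reverts.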


1 comment so far

  1. You fixed it!