Yep, the future version of ISA, TMG, will provide SSL VPN through SSTP (using RRAS).
SSL VPN was a much-missed feature of ISA Server 2004/2006.
Through SSTP, TMG offers full VPN access, not just a browser-based VPN (sometimes labeled as a clientless SSL VPN, although in order to provide "full network access" this clientless approach still requires a "program" to be loaded on the client computer). Currently you can use the built-in SSTP VPN clients of Windows Vista and Windows 7 RC to connect to the TMG Beta 3 SSTP VPN server.
As with PPTP and L2TP/IPsec VPN connections on ISA Server 2004/2006, you can use the same granular access rules to provide per-user/group access to resources for SSTP remote access VPN connections on TMG Beta 3 (even for clients using EAP-based user authentication methods).
And now TMG comes with NAP support, so you can check the health status of SSTP, L2TP/IPsec and PPTP VPN clients.
The IPS also inspects the VPN clients' traffic (see below for details).
So it seems that TMG will provide a more robust remote access VPN solution than its predecessor, ISA Server.
Let’s take a quick look at the SSTP VPN on TMG Beta 3:
![conf1 conf1](/blog/image.axd?picture=conf1_thumb.png)
If you are familiar with RRAS and SSTP on Windows Server 2008, you will be pleasantly surprised by the ingenious solution TMG Beta 3 uses to specify the IP address and the certificate for the SSTP VPN server: a web listener, configured in a simplified form.
Let's take a closer look at this web listener:
![wiz1 wiz1](/blog/image.axd?picture=wiz1.png)
Specify the IP address on which TMG will listen for incoming SSTP VPN connections:
![wiz4 wiz4](/blog/image.axd?picture=wiz4.png)
Specify the certificate to be used for SSTP:
![wiz6 wiz6](/blog/image.axd?picture=wiz6.png)
And that’s it:
![wiz7 wiz7](/blog/image.axd?picture=wiz7.png)
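Since the whole SSTP server configuration boils down to an IP address and a certificate, the one thing worth checking before clients start dialing in is that the chosen certificate is actually usable for an SSL listener: it must have a private key, must not be expired, should carry the Server Authentication EKU, and its subject or SAN must contain the public name the clients connect to. The PowerShell below is an added example, not part of the original post or of TMG itself; it runs in the machine's personal certificate store, and both the FQDN and the thumbprint are placeholders you take from the web listener wizard.

```powershell
# Added example (not from the original post): sanity-check the certificate
# selected for the TMG SSTP web listener before clients try to connect.
# Both values below are placeholders; take them from the listener wizard.
$PublicFqdn = 'vpn.example.com'            # placeholder: name the SSTP clients dial
$Thumbprint = '<THUMBPRINT-FROM-LISTENER>' # placeholder: thumbprint shown in the wizard

# The listener runs on the TMG host, so look in the local machine personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My."
}

$problems = @()

# Without a private key the listener cannot terminate TLS at all.
if (-not $cert.HasPrivateKey) {
    $problems += 'no private key'
}

# Expired certificates are rejected by the built-in Vista/Windows 7 SSTP clients.
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "expired on $($cert.NotAfter)"
}

# If an EKU extension is present it must list Server Authentication (1.3.6.1.5.5.7.3.1).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)) {
    $problems += 'Server Authentication EKU missing'
}

# Collect the subject CN plus any SAN entries and make sure the public name is among them.
$names = @($cert.Subject -replace '^.*CN=([^,]+).*$', '$1')
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($false) yields e.g. "DNS Name=vpn.example.com, DNS Name=vpn2.example.com"
    $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] })
}
if ($names -notcontains $PublicFqdn) {
    $problems += "name '$PublicFqdn' not in subject/SAN (found: $($names -join ', '))"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: certificate $Thumbprint is suitable for an SSTP listener on $PublicFqdn"
} else {
    Write-Host "NOT OK: $($problems -join '; ')"
}
```

The client side also validates the server certificate's chain and, by default, checks revocation, so the CRL distribution point of the issuing CA has to be reachable from the Internet as well; this script does not test that, it only catches the mistakes that would make the listener fail before any client ever sees it.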
You can spot the created web listener if you head over to the Firewall Policy node, Toolbox panel, Network Objects/Web Listeners (but perhaps you should not try to modify it from there):
![list4 list4](/blog/image.axd?picture=list4.png)
As already said, you can use NAP with SSTP, if you want.
Full access when the VPN client passes the health checks:
![vpncon1 vpncon1](/blog/image.axd?picture=vpncon1.png)
Restricted access due to non-compliance:
![vpncon2 vpncon2](/blog/image.axd?picture=vpncon2.png)
IPS in action: a VPN client tries to compromise a file sharing server behind the TMG Beta 3 VPN server by attempting to exploit a vulnerability, and the attempt is blocked:
![nis2 nis2](/blog/image.axd?picture=nis2_thumb.png)