Note: keep in mind that the information in this article is based on a beta version of Microsoft Forefront TMG and is subject to change.
Let us begin
A few weeks ago, Microsoft released Beta 3 of Microsoft Forefront TMG (Threat Management Gateway), which has a lot of new exciting features.
Microsoft Forefront TMG, like ISA Server 2006 has built-in Client and Site to Site VPN capabilities. Site to Site VPN can be established with the following protocols:
- L2TP over IPSEC
The Site to Site VPN configurations remain nearly unchanged in TMG compared to ISA Server 2006. One of the new VPN client functionalities in TMG is the support for SSTP (Secure Socket Tunneling Protocol) VPN, but this new functionality is not what I want to show you in this article.
Let us start with the Site to Site VPN configuration. Start the TMG Management console and navigate to the Remote Access Policy (VPN) node. In the task pane, click Create VPN Site-to-Site connection. This will start the wizard to create a VPN Remote Site.
Follow the instructions of the VPN Site-to-Site Connection Wizard and specify the Site-to-Site network name.
Select the VPN Protocol. For the example in this article we will use the Point-to-Point Tunneling Protocol (PPTP).
After selecting the PPTP protocol, a pop-up opens and displays a warning that you must create a user account for the Site-to-Site VPN that must match the name of the Site-to-Site VPN network. If this user account name does not match the name of the Site-to-Site VPN network, a missconfiguration occurs or just a client VPN connection will be established.
Let us now create the user account used for the Site-to-Site VPN on the other TMG server. We will name the user account Hannover, like the Site-to-Site VPN network name. Activate the checkboxes that does not allow the password to expire or be changed. You should assign a strong password for this user account.
Next, you must allow Network access permissons for the Site-to-Site VPN account.
The next step in the configuration process is to select the IP address assignment method for the remote VPN client connection from the other site of the Site-to-Site VPN. It is also possible to use DHCP or IP addreses from a static IP address pool.
If you are using Microsoft Forefront TMG Enterprise, you have to specify the connection owner when Network Load Balancing is not used – which is true in our example. If NLB is used, the connection owner will be automatically assigned.
Specify the IP address or FQDN (Fully Qualified Domain Name) of the remote site VPN Server.
Specify the remote site user account which is used for the Site-to-Site connection. This account is used to establish a connection to the remote site.
TMG Server must know the IP address ranges of the remote site networks to which TMG will connect. You have to specify all IP address ranges of the remote sites.
If you are using NLB for connecting the remote Sites, you have to specify the DIP (Dedicated IP address) of the remote site Gateway. In our example, we do not use NLB, so the option remains unchecked.
A Site-to-Site VPN connection requires a network rule which connects both sites of the Site-to-Site VPN. The wizard automatically creates a Network rule with a Route relationship. It is possible to change the network rule after the wizard has finished.
The Site-to-Site VPN Wizard also creates a network access rule between the two sites automatically. You have to specify the allowed protocols through the Site-to-Site network. Ideally, you should only allow a mimimum of required protocols.
At this stage, the wizard has collected all the necessary information to create the Site-to-Site VPN. Give the configuration a review and after that click Finish.
A new window will now open to remind you that you must create a local user account for the Site-to-Site VPN connection, so that the other site of the VPN connection can use the Site-to-Site VPN.
When you click Apply, the Site-to-Site VPN will now be sucessfully created. It is possible to change the Site-to-Site VPN properties should you wish to do so. Right-click the VPN connection and click on the properties tab. One of the things you should pay attention to is the connection timeout for inactive connections on the Connection tab.
The Authentication tab allows you to select the authentication protocols. MS-CHAP v2 is the default authentication protocol and you should only change the protocol if it is absolutly necessary (and it should not be necessary), because all other protocols are not as secure as the MS-CHAP v2 protocol.
If you would like to have an overview of the Site-to-Site VPN configuration, right click the Site-to-Site rule and click Site-to-Site Summary. All this can be seen in the following screenshot.
Next, you should review the Firewall rule created by the Site-to-Site VPN wizard. Because I used the HTTP protocol in the Site-to-Site VPN firewall rule, you will find the rule under the Web Access Policy node.
Lastly, you should check the network rule created by the Site-to-Site VPN wizard. You will find the network rule in the TMG Management console under the Networking node in the network rule tab.
We have successfully configured the Site-to-Site VPN configuration on one TMG site. You now have to configure the TMG Server on the other site of the Site-to-Site VPN.
In this article, I have given you an overview on how to create a PPTP Site to Site VPN with Microsoft Forefront Threat Management Gateway. The process is nearly the same as in ISA Server 2006, so it should be easy for you to create a Site to Site VPN with Microsoft Forefront TMG.