Enable Cross-Premises Connectivity to Amazon EC2 with Forefront Threat Management Gateway (TMG) 2010
EC2 is Amazon’s Infrastructure as a Service (IaaS) cloud platform. With it you can create virtual machines in the cloud running a variety of operating systems and services. Enabling seamless and transparent cross-premises network connectivity to the cloud will be vital as organizations begin to extend their on-premises datacenter to IaaS providers like Amazon EC2. Amazon EC2 has a feature called Virtual Private Cloud (VPC) that provides support for virtual networks that can be configured to leverage IPsec site-to-site VPN to allow network-to-network connectivity, effectively allowing network engineers to bridge their on-premises LAN to their hosted cloud infrastructure. In this article I’ll demonstrate how to configure Amazon EC2 VPC and Forefront TMG site-to-site networking to achieve these goals. This article assumes that you are familiar with the Amazon EC2 cloud platform. If you are not, you can sign up for a free trial of Amazon EC2.
Configuring Amazon EC2 VPC
Log in to the Amazon EC2 management console here and in the Compute & Networking group select VPC.
Click the Get started creating a VPC button to begin creating your first Amazon Virtual Private Cloud.
There are several options to choose from when creating your first VPC. For the purposes of this demonstration I’ve chosen to create a VPC with a Private Subnet Only and Hardware VPN Access.
Enter the IP address assigned to the external network interface of the Forefront TMG firewall. Next, select the option to Use static routing and then enter the IP subnet in CIDR notation that will be used on the private internal network. Be sure to click the Add button before moving to the next screen.
Review the VPC configuration and click Create VPC. Make note of the VPC IP subnet, as this will be needed later when we configure the site-to-site VPN settings on the Forefront TMG firewall.
Once the VPC has been configured, click Download Configuration.
Forefront TMG 2010 is not explicitly supported for connecting to an Amazon VPC, and so it does not appear in the drop down list of configurations to choose from. However, to retrieve the necessary settings required to configure Forefront TMG site-to-site VPN, select Microsoft from the Vendor drop down list and click Yes, Download. Save the downloaded text file for later reference.
Configuring an Amazon EC2 Virtual Server
Once the VPC has been created we can launch a virtual server (instance) in the newly created VPC. In the Amazon EC2 management console, click Services and choose EC2.
Click Launch Instance to create a new virtual server.
There are several deployment wizards to choose from when creating an EC2 instance. I’ve chosen the Classic Wizard here.
Choose an Amazon Machine Image (AMI) to deploy. I’ve chosen a basic Windows Server 2012 image.
Select the option to launch the instance into the EC2-VPC.
Click Continue 5 more times until you come to the Configure Firewall step. Select the option to Create a new Security Group and provide a name and description for the group. To aid in troubleshooting network connectivity, create an access rule to allow ICMP by selecting Custom ICMP rule from the Create a new rule: drop-down menu. Select Echo Reply and leave 0.0.0.0/0 as the Source. Click Add Rule to add the firewall rule to the security group.
Review the configuration settings for the new instance and click Launch.
Once complete, right-click the new instance and choose Connect. Make note of the instance’s private IPv4 address. We’ll need this address to connect to the instance once the site-to-site VPN tunnel is configured and operational on the Forefront TMG firewall. Once you’ve noted the IPv4 address, click Close. Note: It can sometimes take 10 or 15 minutes before the virtual server is available and online.
Configuring TMG Site-to-Site VPN
On the TMG firewall, open the management console and highlight the Remote Access Policy (VPN) node in the navigation tree. Select the Remote Sites tab in the center console and click Create VPN Site-to-Site Connection. When the Create Site-to-Site Connection Wizard launches, enter the name of the site-to-site network and click Next.
Select IP Security protocol (IPsec) tunnel mode.
Open the configuration text file downloaded from Amazon earlier. Scroll down until you reach the tunnel configuration details and note the public IPv4 address of the first Remote Tunnel Endpoint.
Enter the first tunnel endpoint IPv4 address in the Remote VPN gateway IP address field in TMG. In addition, enter the public IPv4 address assigned to the External network interface on the TMG firewall in the Local VPN gateway IP address field.
Copy the pre-shared key for the first tunnel from the downloaded configuration file to the use pre-shared key for authentication field.
Choose Add Range and enter the range of IPv4 addresses corresponding to the remote site network, as noted previously. In our example the remote site network is 10.0.1.0/24.
Select the option to Create a network rule specifying a route relationship between the remote site network and the Internal network.
Security best practices dictate that only those protocols and ports required should be open through the firewall. However, for demonstration purposes here I’ve chosen to allow all traffic.
Review the configuration and click Finish.
Before saving and applying the configuration, right-click the new remote site connection and choose Properties. On the connection tab click IPsec Settings.
Select the Phase I tab and change Encryption algorithm to AES128 and Integrity algorithm to SHA1. Leave the remaining settings at the defaults.
Select the Phase II tab and change Encryption algorithm to AES128 and the Integrity algorithm to SHA1. Select the option to Generate a new key every 10000 Kbytes. Leave the remaining settings at the defaults. Once complete, save and apply the configuration changes.
Testing Cross Premises Connectivity to Amazon EC2
Once the site-to-site tunnel is configured on the Forefront TMG firewall, return to the Amazon EC2 management console and navigate to the VPC Dashboard. Under Your VPN Connections you’ll notice that the status indicates that one tunnel is down. This is normal because the VPC is configured with two tunnel endpoints, but Forefront TMG can only be configured to connect to one of them at a time. In the event of an outage, the TMG firewall will have to be manually reconfigured to establish site-to-site VPN connectivity to the second VPC tunnel.
Click View details, then highlight the VPN connection. The VPN connection details at the bottom of the window indicate the current status for each tunnel. Here, the first tunnel has been configured correctly and shows a status of up.
To test remote connectivity to the new virtual server, establish an RDP session on a host that is located behind the TMG firewall. Launch the Remote Desktop Connection client and enter the IPv4 address noted earlier.
After entering your logon credentials you should be presented with a warning that The remote computer could not be authenticated due to problems with its security certificate. Choose Yes to continue logging in.
We’ve now successfully established a remote desktop session to our virtual server in the Amazon EC2 virtual private cloud.
Forefront TMG’s site-to-site networking feature can serve as a key enabler of hybrid cloud deployments by providing important network connectivity between on-premises hosts and cloud-based infrastructure services such as Amazon EC2.