Pre-requisites:
- Windows Active Directory and DNS
- A DHCP server, or a range of free IP addresses that TMG can hand out to VPN clients
- An Enterprise Root CA (it issues the computer certificates that authenticate the IPsec tunnel)
- Forefront TMG 2010 installed on a domain member server
- A computer certificate from that CA installed in the TMG server's machine certificate store
- A public IP address assigned to the external NIC of the TMG server (or a NAT router in front of it that forwards the VPN ports to that NIC)
Configure L2TP/IPSec VPN
1. Open the Forefront TMG Management Console and click Forefront TMG (Array Name) in the left pane.
2. In the left pane click Remote Access Policy (VPN), then in the task pane click Configure Address Assignment Method. The Remote Access Policy properties open; follow the screenshots.
3. On the Address Assignment tab, add a range of IP addresses (example: 10.10.11.1-10.10.11.255) that the TMG server will assign, or select the internal DHCP server. The range must not overlap with any network already defined in TMG (Internal, perimeter and so on), otherwise TMG rejects it.
4. On the Authentication tab, check Microsoft encrypted authentication version 2 (MS-CHAPv2) and check Enable EAP. MS-CHAPv2 is weak on its own; it is acceptable here because the IPsec tunnel, authenticated by the machine certificates, is already established before PPP authentication starts.
5. Click Apply, then OK.
6. In the left pane click Remote Access Policy (VPN); in the task pane click Configure VPN Client Access. The VPN Clients properties open. On the General tab, check Enable VPN client access.
7. On the Groups tab, add the Windows AD groups that are allowed to use the VPN.
8. On the Protocols tab, check Enable L2TP/IPsec. Leave PPTP unchecked unless you really need it, since PPTP relies on MS-CHAPv2 alone for its security.
9. On the User Mapping tab, check Enable User Mapping and enter the internal domain name.
10. Click Apply and OK, then apply the changes.
11. In the left pane click Networking and open the Network Rules tab. From the task pane run the Create Network Rule wizard and create a rule from the VPN Clients network (source) to the Internal network (destination) with a Route relationship; this is what lets VPN clients reach internal addresses without NAT. The relationship is between VPN Clients and Internal, not between External and Internal. TMG ships with a default "VPN Clients to Internal Network" route rule, so check whether it already exists before creating another.
12. In the left pane right-click Firewall Policy > New > Access Rule. Create an access rule that allows traffic from the VPN Clients network to the Internal network, restricted to the protocols remote users actually need (for example RDP, SMB, HTTP/HTTPS) rather than All Outbound Traffic. Follow the screenshots.
13. Apply the changes.
14. In Active Directory Users and Computers, open the user's Dial-in tab and set Network Access Permission to Allow access (or Control access through NPS Network Policy if you manage remote access centrally).
15. Now create a dialler on a Windows 7 machine as shown in the link below. Log on to that machine with domain credentials and test the VPN.
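The dialler from step 15 can be created and checked from PowerShell instead of clicking through the GUI. The following is an added example and not code from the original post; it assumes a VPN endpoint named vpn.example.com, a connection named "TMG-L2TP", a domain-joined client that already holds a machine certificate from the Enterprise Root CA, and the 10.10.11.1-10.10.11.255 pool from step 3. Add-VpnConnection and the Get-Net* cmdlets need Windows 8 / Server 2012 or later; on Windows 7 create the dialler in the GUI with the same settings and use only the connect-and-verify part.

```powershell
# Added example (not from the original post): build the L2TP/IPsec dialler from
# step 15 and verify what TMG handed back after connecting.
# Assumptions: endpoint vpn.example.com, connection name "TMG-L2TP", a domain-joined
# client with a machine certificate from the Enterprise Root CA, and the
# 10.10.11.1-10.10.11.255 address pool configured in step 3.

$VpnName   = 'TMG-L2TP'
$VpnServer = 'vpn.example.com'
$PoolStart = '10.10.11.1'
$PoolEnd   = '10.10.11.255'

function ConvertTo-UInt32Address([string]$Address) {
    # Big-endian integer form of a dotted quad, so 10.10.11.9 sorts below 10.10.11.10.
    $bytes = [byte[]]([IPAddress]::Parse($Address).GetAddressBytes()[3..0])
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InPool([string]$Address) {
    $a = ConvertTo-UInt32Address $Address
    return ($a -ge (ConvertTo-UInt32Address $PoolStart)) -and
           ($a -le (ConvertTo-UInt32Address $PoolEnd))
}

function Test-MachineCertificate {
    # Certificate-based L2TP/IPsec needs a machine certificate on the client as well:
    # private key present, not expired, and a chain that builds to a CA TMG trusts.
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Verify() }
    if (-not $certs) {
        Write-Warning 'No valid machine certificate in LocalMachine\My; IPsec main mode will fail.'
        return $false
    }
    return $true
}

function New-TmgL2tpDialer {
    # Pin the tunnel type to L2TP (no automatic fallback to PPTP), use MS-CHAPv2 as
    # enabled in step 4, and require encryption so PPP cannot negotiate down.
    # Split tunnelling is deliberately left off: all traffic goes through TMG, which is
    # why a default route on the VPN interface should appear after connecting.
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
        -TunnelType L2tp -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required -RememberCredential -Force
    return Get-VpnConnection -Name $VpnName
}

function Connect-AndVerify {
    # First run: 'rasdial TMG-L2TP DOMAIN\user *' prompts for and stores the password;
    # afterwards 'rasdial TMG-L2TP' reuses the remembered credential.
    rasdial $VpnName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "rasdial failed with RAS error $LASTEXITCODE" }

    $ip = Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4 |
          Select-Object -First 1 -ExpandProperty IPAddress
    $defaultRoute = Get-NetRoute -InterfaceAlias $VpnName -DestinationPrefix '0.0.0.0/0' `
                    -ErrorAction SilentlyContinue
    $conn = Get-VpnConnection -Name $VpnName

    [PSCustomObject]@{
        Address            = $ip
        InConfiguredPool   = Test-InPool $ip
        DefaultRouteViaVpn = [bool]$defaultRoute
        TunnelType         = $conn.TunnelType
        Authentication     = $conn.AuthenticationMethod
    }
}

if (Test-MachineCertificate) {
    New-TmgL2tpDialer | Out-Null
    Connect-AndVerify | Format-List
    rasdial $VpnName /disconnect | Out-Null
}
```

If InConfiguredPool comes back False, the address did not come from the static range in step 3 (check the DHCP option or the address assignment tab on the TMG side). If DefaultRouteViaVpn is False, the dialler has split tunnelling enabled, so internet traffic bypasses TMG and only the routes pushed for the VPN Clients network are used.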
Relevant Articles:
How to configure L2TP IPSec VPN using ISA Server
Hi – thanks for this information.
I have just one question: is it mandatory that the external NIC has a public IP assigned?
I have no luck if TMG is behind a NAT router and the ports are forwarded to the external interface of the TMG, which has a private IP.
It's not mandatory to have a public IP on TMG unless you are doing Edge topology.
Just add this to the router and remove any firewall rule blocking the IP. (Here, xx.xx is your public IP.) L2TP uses port 1701 and PPTP 1723.
remark Allow PPTP (TCP 1723 + GRE) and L2TP/IPsec (IKE UDP 500, NAT-T UDP 4500, ESP) VPN traffic. Required for Internet users to establish a VPN connection to the ISA/TMG server
permit tcp any host xx.xx.147.67 eq 1723
permit gre any host xx.xx.147.67
permit udp any host xx.xx.147.67 eq 500
permit udp any host xx.xx.147.67 eq 4500
permit esp any host xx.xx.147.67
Create proper policies in TMG and that should work. Send me your router config and TMG config on my forum http://microsoftguru.com.au/forum
Excellent work. Just established VPN for my network. Great work!!
Thanks for visiting my site.
Keep up the good work 🙂
Hi Raihan,
Will I be able to set up this VPN on a single-NIC TMG?
Should work, depending on your network topology.
Hi Raihan,
Thanks for this article. I have followed your steps and connected successfully; however, when checking the IP details I find that I have no default gateway. I do get an IP as specified in step 3 of this article.
Please advise.
Thanks in advance.
Are the clients getting an IP from TMG or from the internal DHCP server? Can you please share the DHCP config on the server?
Hi Raihan,
Thanks for the response, and apologies for the delayed response from my side.
The IP I get is from the TMG server. I have an internal DHCP as well, but this is set up so that you manually have to add a MAC address in order for people to connect to the internet (inherited config from the previous IT person... want to change it going forward), as we have about three labs with student computers.
I have also noticed that when connecting, it disables local browsing to the internet, i.e. I am not able to browse Google or any other website. I am also not able to browse network shares, neither by IP nor by DNS name.
DHCP server config:
Address Pool – Start: 172.16.1.11, End: 172.16.1.252
Exclusion Range – Start: 172.16.1.11, End: 172.16.1.252
IP that I get when connecting to VPN: 172.16.2.5
Thanks in advance.
Hope this info helps.
Hi, can someone help me with this problem?
Technical Information (for support personnel)
• Error Code 10060: Connection timeout
• Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
• Date: 5/14/2012 12:23:50 PM [GMT]
• Server: xxxxxxxxxxxxxxx
• Source: Firewall
Hi Raihan,
Recently my server crashed and I have rebuilt it. Earlier I followed your instructions and had a fully functional VPN setup. But this time I am trying to set it up again, and as soon as I enable VPN client access, browsing on internal systems stops. On investigation I noticed that all requests, including DNS, are not responded to. The internal interface of Forefront starts to be treated as external. I don't know why it is happening, though I have thoroughly followed your instructions as I did before and had everything functioning.
Do you have any ideas why it is happening?
Hi Raihan,
I am getting the error "The network includes IP addresses in the range 192.168.1.0-192.168.1.254. Networks cannot contain IP addresses that overlap with another network" while assigning the IP range in Remote Access Policy. Can you please guide me on this?
Thanks
Vips
Hello Raihan:
Is there a way on TMG to assign another port for the L2TP configuration, instead of using the default port?
Regards.
Configure a custom port in TMG. However, the default port is recommended.
Hello Raihan Al-Beruni,
I have just installed TMG Server 2010 and everything works fine, but Cisco AnyConnect with RDP connections is not working. Without the TMG server, clients can access the RDP server using Cisco AnyConnect; even other VPN clients are not connecting with TMG.
I have allowed all VPN protocols in the firewall.
Please advise me on how to solve this issue.
Thanks
Kashif.
Did you allow RDP port 3389 in the TMG server? TMG blocks everything by default.
Hello Raihan,
I've been trying to configure TMG as a VPN gateway, PPTP first to get it working, but I still receive error 806 while trying to connect from a Win7 machine. I have gone through dozens of sites and manuals with no luck; maybe you can help a bit?
TMG config is simple:
3-leg perimeter,
VPN uses internal DHCP,
VPN has a rule allowing all outbound traffic to Internal and TMG,
TMG has a VPN PPTP server publishing rule,
no other firewall between TMG and the internet,
authentication MS-CHAPv2 for VPN.
I think that's all...
You need to install a computer certificate into the TMG server from your internal CA. Create a rule to allow VPN traffic. Create an Active Directory security group for those who should have access to the VPN, and add that AD group into TMG. This should work for you.
Hi Raihan,
I have been trying to set up the TMG VPN connection, but the logs show only "external IP VPN connection initiated". That's as far as it gets. I am using Edge topology and I have a router between my server and the internet connection. Is there a way to have it work with this kind of topology? Your assistance will be highly appreciated.
Anthony.
Step 1: run tracert to find out where you are being blocked. Then, in your router, you have to configure port forwarding; otherwise it will not work. Make sure your router has a routable public IP configured.
Hi Raihan
I have followed your instructions before and had a working VPN setup. We have recently upgraded our server and I have reinstalled Forefront and am trying to set up VPN, but this time I have three networks: Internal, External and Perimeter. When I try to dial in to the VPN remotely, I can see the logs initiating (which is allowed by system rules), then it sits there and then I see "closed". On my remote system I see a timeout or error. No more logs to go forward.
Do you have any ideas?
Thanks in anticipation.