How to configure L2TP/IPSec VPN using Forefront TMG 2010


  1. Windows Active Directory and DNS
  2. DHCP server or a range of free IP addresses
  3. Enterprise Root CA
  4. Forefront TMG installed on a domain member server
  5. Computer certificate installed on the TMG server
  6. Public IP assigned to the external NIC of the TMG server
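Prerequisite 5 is the one most often missing in practice: L2TP/IPSec needs a machine certificate in the TMG server's Local Computer > Personal store that has its private key, is within its validity period and chains to the Enterprise Root CA. The following script is an added example, not part of the original article, and lists every certificate in that store with the checks that usually explain a failed IKE negotiation. It uses only the Cert: provider and .NET X509Certificate2 members, so it runs on the Windows Server 2008 R2 / PowerShell 2.0 build that TMG 2010 ships on.

```powershell
# Added example (not from the original article): audit the TMG server's
# Local Computer > Personal store for a usable L2TP/IPSec machine certificate.
# Run in an elevated PowerShell session on the TMG server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (issued by the Computer template)
$ikeIntermOid  = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
$ekuExtType    = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

foreach ($cert in (Get-ChildItem -Path Cert:\LocalMachine\My)) {
    $problems = @()

    # The private key must live in the machine store; a public certificate alone is useless to IKE.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # Validity period.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'expired or not yet valid' }

    # The chain must build to a root this machine trusts (the Enterprise Root CA).
    if (-not $cert.Verify()) { $problems += 'chain does not verify' }

    # EKU check: an empty EKU extension means "all purposes", otherwise one of the
    # two OIDs above must be present.
    $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuExtType }
    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($oids -contains $serverAuthOid -or $oids -contains $ikeIntermOid)) {
            $problems += 'no Server Authentication or IKE Intermediate EKU'
        }
    }

    $status = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Status     = $status
    }
}
```

Any certificate reported as OK is a candidate; the one enrolled from the Computer template against the Enterprise Root CA is the one the article expects. A store where every entry shows a problem is the usual reason the VPN client reports an IPsec negotiation error before authentication even starts.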

Configure L2TP/IPSec VPN

1. Open the Forefront TMG Management Console. Click Forefront TMG (Array Name) in the left pane.

2. In the left pane click Remote Access Policy > Configure Address Assignment Method. You will be presented with the Remote Access Policy Properties dialog. Now follow the screenshots.

[Screenshots 1 and 2]

3. Add a range of IP addresses (Example: ) to be assigned by the TMG server, or use the internal DHCP server.



4. Check MSCHAPv2 Authentication and check Enable EAP.


5. Apply the changes and click OK.


6. In the left pane click Remote Access Policy; in the task pane click Configure VPN Client Access. You will be presented with the VPN Clients Properties dialog. Check Enable on the General tab.


7. On the Groups tab, add the Windows AD groups that are allowed to access the VPN.


8. On the Protocols tab, check Enable L2TP/IPSec.


9. On the User Mapping tab, check Enable User Mapping and provide the internal domain name.

[Screenshots 10 and 11]

10. Click Apply and OK. Apply the changes.


11. In the left pane click Networking, then click the Network Rules tab. From the task pane run the Create Network Rule wizard. Create a new network rule allowing VPN client access from the external network to the internal network. Select a Route relationship between the external and internal networks.


12. In the left pane right-click Firewall Policy > New > New Access Policy. Follow the screenshots.

[Screenshots 13 to 19]

13. Apply the changes.

14. Make sure remote access is allowed in the AD user's Dial-in properties.
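Steps 7 and 14 are the two Active Directory pieces of this setup: a security group that TMG allows on the Groups tab, and the Dial-in "Allow access" setting on each user (stored in the msNPAllowDialin attribute). The script below is an added example, not part of the original article, that does both with the ActiveDirectory module from RSAT and then verifies the result; the group and user names are placeholders.

```powershell
# Added example (not from the original article): create the VPN security group
# for step 7, add a user to it, and set the user's Dial-in "Allow access"
# flag for step 14. Requires the ActiveDirectory module (RSAT) and rights to
# modify the group and user.
Import-Module ActiveDirectory

$groupName = 'VPN-Users'   # hypothetical group name; use the group you add on the Groups tab
$userName  = 'jdoe'        # hypothetical sAMAccountName

# Create the group once; reuse it on later runs.
$group = Get-ADGroup -Filter { Name -eq $groupName } -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Allowed to dial in to the TMG L2TP/IPSec VPN' -PassThru
}
Add-ADGroupMember -Identity $group -Members $userName

# Dial-in tab > "Allow access" corresponds to msNPAllowDialin = TRUE.
Set-ADUser -Identity $userName -Replace @{ msNPAllowDialin = $true }

# Verify: every member of the group should report msNPAllowDialin = True.
Get-ADGroupMember -Identity $group |
    Get-ADUser -Properties msNPAllowDialin |
    Select-Object SamAccountName, Enabled, msNPAllowDialin
```

Running the verification part on its own is a quick way to find the user whose connection is refused at authentication: a member whose msNPAllowDialin is blank or False has not had step 14 applied.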


15. Now create a dialler on a Windows 7 machine as shown in the link below. Log on to that machine using domain credentials and test the VPN.
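The article's dialler is built by hand on Windows 7. As an added example that goes beyond the original text, the same connection can be created from PowerShell on a Windows 8 / Server 2012 or later client with the built-in VpnClient module and tested with rasdial. It assumes the client is domain-joined and holds a computer certificate from the same Enterprise Root CA, because no pre-shared key is configured and certificate authentication is what L2TP/IPSec falls back to when -L2tpPsk is omitted; the connection name and server name are placeholders.

```powershell
# Added example (not from the original article): create and test an L2TP/IPSec
# client connection on Windows 8 / Server 2012 or later. Machine-certificate
# IPsec authentication is used because -L2tpPsk is not supplied.
$connectionName = 'Corp L2TP VPN'     # hypothetical
$serverAddress  = 'vpn.example.com'   # hypothetical public name of the TMG external NIC

Add-VpnConnection -Name $connectionName -ServerAddress $serverAddress `
    -TunnelType L2tp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -Force

# Dial with domain credentials; '*' makes rasdial prompt for the password
# instead of putting it on the command line. rasdial returns 0 on success.
rasdial $connectionName 'DOMAIN\user' *
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Dial failed with RAS error $LASTEXITCODE"
}

Get-VpnConnection -Name $connectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus
```

A non-zero RAS error from rasdial is the value to look up first; it tells you whether the failure is in the IPsec phase (certificate or port reachability) or in the PPP authentication phase (user mapping, group membership or the Dial-in property).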

Relevant Articles:

How to configure L2TP IPSec VPN using ISA Server

Windows 7: L2TP IPSec VPN dialler


About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server.

24 Responses to How to configure L2TP/IPSec VPN using Forefront TMG 2010

  1. Pingback: How to configure site to site VPN using Forefront TMG 2010 | MicrosoftGURU

  2. tom says:

    Hi, thanks for this information.
    I have just one question: is it mandatory that the external NIC has a public IP assigned?

    I have no luck if TMG is behind a NAT router and the ports are forwarded to the external interface of the TMG with a private IP.


    • It's not mandatory to have a public IP on TMG unless you are doing Edge topology.
      Just add this to the router and remove any firewall blocking IP. (Here, xx is your public IP.) L2TP port 1701 and PPTP 1723
      remark Allow PPTP VPN traffic. Required for Internet users to establish a PPTP VPN connection to the ISA
      permit tcp any host xx.xx.147.67 eq 1723
      permit gre any host xx.xx.147.67

      Create proper policies in TMG and that should work. Send me your router config and TMG config on my forum.


  3. Farzan Qureshi says:

    Excellent work. Just established a VPN for my network. Great work!!


  4. Henry says:

    Hi Raihan,

    Will it be possible to set up this VPN on a single-NIC TMG?


  5. Bradley says:

    Hi Raihan,

    Thanks for this article. I have followed your steps and connected successfully; however, when checking IP details I find that I have no default gateway. I do get an IP as specified in step 3 of this article.

    Please advise.

    Thanks in advance.


  6. Bradley says:

    Hi Raihan,

    Thanks for the response, apologies for the delayed response from my side.

    The IP I get is from the TMG server. I have an internal DHCP as well, but this is set so that you manually have to add the MAC address in order for people to connect to the internet (inherited config from the previous IT person… want to change going forward), as we have about three labs with student computers.

    I have also noticed that when connecting, it disables local browsing to the internet, i.e. not able to browse Google or any other website. Also not able to browse network shares by IP or DNS names.

    DHCP server config :

    Address Pool – Start –
    – End –
    Exclusion Range – Start –
    – End –

    IP that I get when connecting to VPN

    Thanks in advance.

    Hope this info helps.


  7. Albert says:

    Technical Information (for support personnel)
    • Error Code 10060: Connection timeout
    • Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
    • Date: 5/14/2012 12:23:50 PM [GMT]
    • Server: xxxxxxxxxxxxxxx
    • Source: Firewall


  8. Albert says:

    Hi, can someone help me with this problem?

    Technical Information (for support personnel)
    • Error Code 10060: Connection timeout
    • Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
    • Date: 5/14/2012 12:23:50 PM [GMT]
    • Server: xxxxxxxxxxxxxxx
    • Source: Firewall


  9. Farzan says:

    Hi Raihan,
    Recently my server crashed and I have rebuilt it. Earlier I followed your instructions and had a fully functional VPN setup. But this time I am trying to set it up again, and as soon as I enable VPN client access, browsing on internal systems stops. On investigation I noticed that all requests, including DNS, are not responded to. The internal interface of Forefront has started to be treated as external. I don't know why it is happening, though I have thoroughly followed your instructions as I did before and had everything functioning.

    Do you have any ideas why it is happening?


  10. Vips says:

    Hi Raihan,

    I am getting the error "The network includes IP addresses in the range Networks can not contain IP addresses that overlap with another network" while assigning the IP range in Remote Access Policy. Can you please guide me on this?




  11. Maximo Patino says:

    Hello Raihan:

    Is there a way on TMG to assign another port for the L2TP configuration, instead of using the default port?



  12. kashif says:

    Hello Raihan Al-Beruni,

    I have just installed TMG Server 2010 and everything works fine, but Cisco AnyConnect with RDP connections is not working. Without the TMG server, clients can access the RDP server using Cisco AnyConnect; even other VPN clients are not connecting through TMG.

    I have allowed all VPN protocols in the firewall.

    Please advise me on how to solve this issue.



  13. Kuba says:

    Hello Raihan,
    I've been trying to configure TMG as a VPN gateway, PPTP first to get it working, but I still receive error 806 while trying to connect from a Win7 machine. I have gone through dozens of sites and manuals with no luck; maybe you can help a bit?
    TMG config is simple:
    3-leg perimeter,
    VPN uses internal DHCP,
    VPN has a rule allowing all outbound traffic to Internal and TMG,
    TMG has a VPN PPTP server publishing rule,
    no other firewall between TMG and the internet,
    authentication MSCHAPv2 for VPN.

    I think that's all…


    • You need to install a computer certificate on the TMG server from your internal CA. Create a rule to allow VPN traffic. Create an Active Directory security group for those who should have access to the VPN. This should work for you. Add that AD group into TMG.


  14. anthony says:

    Hi Raihan,
    I have been trying to set up the TMG VPN connection, but in the logs it shows the external IP VPN connection initiated. That's as far as it gets. I am using Edge topology and I have a router between my server and the internet connection. Is there a way to have it work with this kind of topology? Your assistance will be highly appreciated.



    • Step 1: run tracert to find out where you are being blocked. Then in your router you have to configure port forwarding, otherwise it will not work. Make sure your router has a routable public IP configured.


  15. Farzan says:

    Hi Raihan

    I have followed your instructions before and had a working VPN setup. We have recently upgraded our server and I have reinstalled Forefront and am trying to set up the VPN, but this time I have three networks: Internal, External and Perimeter. When I remotely try to dial in to the VPN, I can see logs initiating (which is allowed by system rules), then it sits there, and then I see closed. On my remote system I see a timeout or error. No more logs to go forward.

    Do you have any ideas?

    Thanks in anticipation.

