How to configure site to site VPN using Forefront TMG 2010

To configure a site-to-site VPN using Forefront TMG 2010, you must meet the following prerequisites:

  • A user account to authenticate the VPN
  • A routable public IP address on both sides
  • Site-to-site rules created on both TMG servers
  • For a secure VPN using EAP authentication, a computer certificate imported on both TMG servers.

To create a user account for the remote site gateway:

  • On the Forefront TMG server, click Start, point to Administrative Tools, and then click Computer Management.
  • In the Computer Management console, in the tree, click System Tools, click Local Users and Groups, and then click Users.
  • In the details pane, right-click the applicable user, and then click Properties.
  • On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), select Allow access.


An example of a site-to-site VPN:


To create the site-to-site VPN rule in the TMG server:

  • In the Forefront TMG Management console, in the tree, click Remote Access Policy (VPN).
  • In the details pane, click the Remote Sites tab.
  • In the Create VPN Site-to-Site Connection wizard, follow the on-screen instructions. On the Welcome page, in the Site-to-Site network name text box, you must type the exact name of the remote network’s gateway.



    Add a range of IP addresses for the remote site clients. If you don’t have a load balancer, click Next; otherwise, type the IP address of the load balancer.


    In the next steps, create a network rule that includes the source and the protocol type, and then click Next on each page.




    Click Apply to save the changes, and then click OK. View the rules applied in the firewall policy.


    To view a summary of the VPN site-to-site network configuration, right-click the selected network on the Remote Sites tab, and then click Site-to-Site Summary.


    Repeat the same steps on the remote site’s TMG server to complete the site-to-site VPN.

    To import certificates into the TMG server:

    Click System, select the TMG server, click Install Server Certificate as shown in the picture, and then follow the prompts.


    To complete the EAP configuration:
    1. On the Forefront TMG computer, click Start, click Administrative Tools, and then click Routing and Remote Access.
    2. In the Routing and Remote Access MMC snap-in, select the Network Interfaces node.
    3. When you applied the changes to the Forefront TMG configuration, a demand-dial interface with the same name you gave the network was created. Select this demand-dial interface, and then click Properties.
    4. On the Security tab, the advanced custom settings option should be selected. Click Settings to open Advanced Security Settings.
    5. Select the EAP you will be using, and then click Properties to configure EAP according to your EAP provider.

    To check site-to-site VPN connectivity:

    1. In the Forefront TMG Management console, in the tree, click the Monitoring node.
    2. In the details pane, on the Sessions tab, verify whether your VPN session is listed. The site-to-site VPN session has the following properties:
      • Session Type shows VPN Site-to-Site.
      • Client Host Name shows the remote VPN server’s public IP address (if the session was initiated by the local VPN server, this field will be empty).
      • Client IP shows the IP address assigned for the VPN session.
      • Application Name shows that this is a VPN connection and displays the protocol used for the connection. Application Name is not displayed by default. To add it, right-click one of the column headings in the Sessions tab, and click Application Name.


    3. To create a session filter that displays only site-to-site VPN sessions:
      1. On the Tasks tab, click Edit Filter.
      2. In the Edit Filter dialog box, in Filter by, select Session Type. In Condition, select Equals; and in Value, select VPN Remote Site.
      3. Click Add To List, and then click Start Query. You must click Start Query to save the filter.
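    The Sessions-tab check above tells you whether the tunnel is up; when it is not, the RasClient entries in the System log on the TMG server say why. The following PowerShell script is an added example, not part of the original post: it reads recent RasClient failures for the demand-dial interface, extracts the RAS error code, and maps the two codes readers report in the comments (789 and 809) to what should be verified. It assumes the demand-dial interface is named after the site-to-site network (placeholder name BranchOffice) and that RRAS runs as the RemoteAccess service.

```powershell
# Added example: triage site-to-site VPN dial failures on the TMG/RRAS server.
# Assumption: the demand-dial interface carries the site-to-site network name
# (placeholder below) and RRAS is the RemoteAccess service.
param(
    [string]$InterfaceName = 'BranchOffice'   # placeholder: use your network name
)

# RAS error codes and the conditions a defender should verify for each.
$Hints = @{
    789 = 'IPsec negotiation failed: confirm the computer certificate / EAP settings (or pre-shared key) match on both gateways.'
    809 = 'Remote gateway not responding: confirm UDP 500/4500 and ESP reach the peer and no NAT device in the path drops them.'
}

# 1. RRAS must be running or the demand-dial interface can never dial.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $rras -or $rras.Status -ne 'Running') {
    Write-Warning "RemoteAccess service is not running; interface '$InterfaceName' cannot connect."
}

# 2. Read recent RasClient events and pull the failure code out of the message text.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RasClient' } `
              -MaxEvents 200 -ErrorAction SilentlyContinue)
$pattern = "(?s)connection named $([regex]::Escape($InterfaceName)).*error code returned on failure is (\d+)"

$failures = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        $code = [int]$Matches[1]
        New-Object PSObject -Property @{
            Time = $e.TimeCreated
            Code = $code
            Hint = if ($Hints.ContainsKey($code)) { $Hints[$code] } else { 'See the RasClient message text.' }
        }
    }
}

# 3. Report: no failures means look at the Sessions tab; otherwise list newest first.
if (-not $failures) {
    "No RasClient failures for '$InterfaceName' in the last $($events.Count) events; verify the VPN Site-to-Site session on the Sessions tab."
} else {
    $failures | Sort-Object Time -Descending | Format-Table Time, Code, Hint -AutoSize
}
```

Run it in an elevated PowerShell session on the TMG server after a failed dial attempt; the hint column points at the certificate/EAP mismatch (789) or the blocked IPsec path (809) that the comments below describe.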





About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.

7 Responses to How to configure site to site VPN using Forefront TMG 2010

  1. Nadeem A says:

    For a site-to-site VPN with a branch office, is a Netgear router better (in terms of speed) or is TMG 2010 better for VPN configuration?
    Please suggest.


  2. Niranjan says:


    I’ve gone through your guide.

    I have a situation here. I have 2 TMG firewalls in 2 locations, connected through an ADSL router to the internet.

    I configured everything as given but using L2TP/IPSec. I get an error 789 in the event viewer for RasClient and sometimes 809.

    Please guide me.


  3. mona says:

    I’ve installed a TMG and imported all configuration from my old TMG server; everything is OK except that the VPN site-to-site does not work, meaning TMG does not let packets pass.
    I have created the VPN again exactly following your guide (as I used to do before) but I cannot see any sessions for this connection.
    Could you help me with what the problem may be? Thank you.

