To configure a site-to-site VPN using Forefront TMG 2010, you must meet the following prerequisites:
- A user account to authenticate the VPN connection
- A routable public IP address on both sides
- Site-to-site rules created on both TMG servers
- For a secure VPN using EAP authentication, a computer certificate imported on both TMG servers
To create a user account for the remote site gateway:
- On the Forefront TMG server, click Start, point to Administrative Tools, and then click Computer Management.
- In the Computer Management console, in the tree, click System Tools, click Local Users and Groups, and then click Users.
- In the details pane, right-click the applicable user, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), select Allow access.
An example of a site-to-site VPN:
To create a site-to-site VPN rule on the TMG server:
- In the Forefront TMG Management console, in the tree, click Remote Access Policy (VPN).
- In the details pane, click the Remote Sites tab.
- In the Create VPN Site-to-Site Connection wizard, follow the on-screen instructions. On the Welcome page, in the Site-to-Site network name text box, you must type the exact name of the remote network’s gateway.
- Add a range of IP addresses for the remote site clients. If you do not have a load balancer, click Next; otherwise, type the IP address of the load balancer.
- In the next steps, create a network rule that includes the source and the protocol type, then click Next, and click Next again.
- Apply the changes and click OK. View the rules applied in the firewall policy.
To view a summary of the VPN site-to-site network configuration, right-click the selected network under the Remote Sites tab, and then click Site-to-Site Summary.
Repeat the same steps on the remote site’s TMG server to complete the site-to-site VPN.
To import certificates on the TMG server:
Click System, select the TMG server, click Install Server Certificate, and follow the prompts.
To complete the EAP configuration:
- On the Forefront TMG computer, click Start, click Administrative Tools, and then click Routing and Remote Access.
- In the Routing and Remote Access MMC snap-in, select the Network Interfaces node.
- When you applied the changes to the Forefront TMG configuration, a demand dial interface with the same name you gave the network was created. Select this demand dial interface, and then click Properties.
- On the Security tab, make sure the Advanced (custom settings) option is selected, and then click Settings to open Advanced Security Settings.
- Select the EAP method you will be using, and then click Properties to configure EAP according to your EAP provider.
To check site-to-site VPN connectivity:
- In the Forefront TMG Management console, in the tree, click the Monitoring node.
- In the details pane, on the Sessions tab, verify whether your VPN session is listed. The site-to-site VPN session has the following properties:
- Session Type shows VPN Site-to-Site.
- Client Host Name shows the remote VPN server’s public IP address (if the session was initiated by the local VPN server, this field will be empty).
- Client IP shows the IP address assigned for the VPN session.
- Application Name shows that this is a VPN connection and displays the protocol used for the connection. Application Name is not displayed by default. To add it, right-click one of the column headings in the Sessions tab, and click Application Name.
- To create a session filter that displays only site-to-site VPN sessions:
  - On the Tasks tab, click Edit Filter.
  - In the Edit Filter dialog box, in Filter by, select Session Type. In Condition, select Equals, and in Value, select VPN Remote Site.
  - Click Add To List, and then click Start Query. You must click Start Query to save the filter.
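As an added example (not part of the original guide), the Sessions-tab check above can be complemented on the TMG server itself: the PowerShell below reads recent RasClient entries from the Application event log and counts the RAS error codes reported for the demand-dial interface of the site-to-site network. It assumes the standard RasClient wording "dialed a connection named X which has failed. The error code returned on failure is N", and the interface name is a placeholder.

```powershell
# Added example: summarise recent RasClient failures for the site-to-site
# demand-dial interface on the local Forefront TMG server (PowerShell 2.0+).
# Assumption: RasClient messages contain the standard phrases
# "dialed a connection named <name> which has failed" and
# "The error code returned on failure is <code>".
$InterfaceName = 'RemoteSiteNetwork'      # placeholder: your site-to-site network name
$Since         = (Get-Date).AddHours(-24)  # look back one day

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'RasClient'
    StartTime    = $Since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $msg = $e.Message
    if ($msg -match 'error code returned on failure is (\d+)') {
        $code = [int]$Matches[1]
        $iface = ''
        if ($msg -match 'connection named (.+?) which has failed') { $iface = $Matches[1] }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            ErrorCode = $code
            Interface = $iface
        }
    }
}

# Keep only the interface that belongs to this site-to-site link and
# show how often each RAS error code occurred and when it was last seen.
$failures |
    Where-Object { $_.Interface -eq $InterfaceName } |
    Group-Object ErrorCode |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'ErrorCode'; e = { $_.Name } },
                  Count,
                  @{ n = 'LastSeen';  e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Look the codes up in the Microsoft RAS error list linked in the comments below; a code that recurs on every dial attempt usually points at the same configuration item (certificate, access rule or router port) on one of the two sides.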
Hi,
For a site-to-site VPN with a branch office,
is a Netgear router better (in terms of speed), or is TMG 2010 better for VPN configuration?
Please suggest.
Speed depends on your broadband connection/ISP/router.
TMG delivers whatever speed is available and supplied by your ISP. TMG does not shape any traffic at all. TMG is better in terms of security.
Hi
I’ve gone through your guide.
I have a situation here. I have 2 TMG firewalls in 2 locations, connected through an ADSL router to the internet.
I configured everything as given but using L2TP/IPsec. I get an error 789 in the event viewer for RasClient and sometimes 809.
Please guide me
List of errors and their meanings: http://support.microsoft.com/kb/923944
Error 789: http://support.microsoft.com/kb/326751
Please install the correct certificate on both sites. Please create the access rule on both sides. Please create the firewall rule in your router.
Hi
I’ve installed a TMG and imported all configuration from my old TMG server. Everything is OK except that the VPN site-to-site does not work, meaning TMG does not let packets pass.
I have created the VPN again exactly through your guide (as I used to do before), but I cannot see any sessions for this connection.
Could you help me with what the problem may be? Thank you.
I am wondering whether you use any certificate for the site-to-site VPN. If so, please install the certificate on both sites.
If you have changed IPs, then add the new IPs in the router’s ACL.
Hi, and thanks for your reply.
No, we do not use a certificate, and the IPs have not been changed. Any other possibility?