- A user account to authenticate the VPN connection
- A routable public IP address on both sides
- Site-to-site rules created on both TMG servers
- For a secure VPN using EAP authentication, a computer certificate imported on both TMG servers
To create a user account for the remote site gateway:
- On the Forefront TMG server, click Start, point to Administrative Tools, and then click Computer Management.
- In the Computer Management console, in the tree, click System Tools, click Local Users and Groups, and then click Users.
- In the details pane, right-click the applicable user, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), select Allow access.
An example of site to site VPN:
To Create Site to Site VPN Rule in TMG server:
- In the Forefront TMG Management console, in the tree, click Remote Access Policy (VPN).
- In the details pane, click the Remote Sites tab.
- In the Create VPN Site-to-Site Connection wizard, follow the on-screen instructions. On the Welcome page, in the Site-to-Site network name text box, you must type the exact name of the remote network’s gateway.
Add a range of IP addresses for the remote site clients. If you don’t have a load balancer, click Next; otherwise, type the IP address of the load balancer.
In the next steps, create a network rule that includes the source and the protocol type, click Next, and then click Next again.
Apply the changes and click OK. Review the rules that were applied in the firewall.
To view a summary of the VPN site-to-site network configuration, on the Remote Sites tab, right-click the selected network, and then click Site-to-Site Summary.
Repeat the same steps at the remote site to complete the site-to-site VPN.
To import Certificates in TMG server:
Click System, select the TMG server, and then click Install Server Certificate as shown in the picture, and follow the prompts.
To complete the EAP configuration:
- On the Forefront TMG computer, click Start, click Administrative Tools, and then click Routing and Remote Access.
- In the Routing and Remote Access MMC snap-in, select the Network Interfaces node.
- When you applied the changes to the Forefront TMG configuration, a demand-dial interface with the same name you gave the network was created. Select this demand-dial interface, and then click Properties.
- On the Security tab, make sure the advanced custom settings option is selected. Click Settings to open Advanced Security Settings.
- Select the EAP method you will be using, and then click Properties to configure it according to your EAP provider.
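Before configuring the demand-dial interface for EAP, it is worth confirming that the computer certificate imported in the previous section is actually usable: it must be in the machine store, carry a private key, be within its validity period, carry a Server or Client Authentication EKU, and chain to a trusted root. The following PowerShell check is an added example for this page, not part of the original article or of TMG; it assumes the certificate can be identified by a substring of its Subject (the sample subject in the usage line is constructed).

```powershell
# Added check (not from the original article): validates the TMG server's
# computer certificate for site-to-site EAP/IPsec use before RRAS is configured.
# Assumption: the certificate is located by a substring of its Subject field.
function Test-TmgVpnComputerCert {
    param(
        [Parameter(Mandatory=$true)]
        [string]$SubjectMatch,                 # e.g. the gateway's FQDN
        [string]$StoreLocation = 'LocalMachine'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU

    $certs = Get-ChildItem "Cert:\$StoreLocation\My" |
        Where-Object { $_.Subject -match [regex]::Escape($SubjectMatch) }
    if (-not $certs) {
        Write-Warning "No certificate with subject matching '$SubjectMatch' in Cert:\$StoreLocation\My"
        return $false
    }

    $ok = $true
    foreach ($cert in $certs) {
        # Pull the EKU OIDs out of the Enhanced Key Usage extension, if present
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

        $now = Get-Date
        $checks = @{
            'Private key present'            = $cert.HasPrivateKey
            'Within validity period'         = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            'Server or Client Auth EKU'      = ($ekus -contains $serverAuthOid) -or ($ekus -contains $clientAuthOid)
            'Chain builds to a trusted root' = $cert.Verify()
        }
        Write-Host ("Certificate: {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)
        foreach ($name in $checks.Keys) {
            $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
            Write-Host ("  [{0}] {1}" -f $state, $name)
            if (-not $checks[$name]) { $ok = $false }
        }
    }
    return $ok
}

# Usage (constructed subject value; substitute your gateway's certificate subject):
# Test-TmgVpnComputerCert -SubjectMatch 'tmg-gw1.example.net'
```

Run it on both TMG servers; a FAIL on the private key or chain line is the usual reason the EAP demand-dial connection never comes up.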
To check site-to-site VPN connectivity:
- In the Forefront TMG Management console, in the tree, click the Monitoring node.
- In the details pane, on the Sessions tab, verify whether your VPN session is listed. The site-to-site VPN session has the following properties:
- Session Type shows VPN Site-to-Site.
- Client Host Name shows the remote VPN server’s public IP address (if the session was initiated by the local VPN server, this field will be empty).
- Client IP shows the IP address assigned for the VPN session.
- Application Name shows that this is a VPN connection and displays the protocol used for the connection. Application Name is not displayed by default. To add it, right-click one of the column headings in the Sessions tab, and click Application Name.
- To create a session filter that displays only site-to-site VPN sessions:
- On the Tasks tab, click Edit Filter.
- In the Edit Filter dialog box, in Filter by, select Session Type. In Condition, select Equals, and in Value, select VPN Remote Site.
- Click Add To List, and then click Start Query. You must click Start Query to save the filter.