Configure Forefront TMG as an NPS (RADIUS) Client for VPN and Local Clients

In this article, I will describe how to configure Forefront TMG as a RADIUS client. As a RADIUS client, Forefront TMG acts as a messenger, sending RADIUS requests to NPS for authentication and authorization of VPN connections. The following Visio diagram shows the placement of TMG as a RADIUS client.


To configure FF TMG as a RADIUS client

Log on to the TMG server, open the Forefront TMG Management console, click Remote Access Policy (VPN), then click RADIUS Server or Specify RADIUS Configuration.


You will see the VPN properties. On the RADIUS tab, click Use RADIUS for authentication, then click RADIUS Servers.


Click Add. Type the server name or IP address of the NPS server and create a new shared secret. This shared secret must be the same as the shared secret you enter on the NPS server when you add TMG as a RADIUS client there.



Click OK, then click OK again. Apply the changes and click OK.

Note: The configuration above applies ONLY to VPN clients.

To configure Forefront TMG to authenticate local clients


Open the Forefront TMG Management console, click the Firewall Policy node, open the Tasks pane, then click Configure Client Access. Select Internal (Local Networks) and click Configure.



Click the Web Proxy tab, then click Authentication. Under Method, clear any other selected methods and select RADIUS. Click RADIUS Servers, then click Add.



Now add the server name or IP address of the RADIUS server and add a new shared secret as you did in the previous steps. Apply the changes you have made.

To create a RADIUS firewall policy using FF TMG 2010

Open the Forefront TMG Management console, right-click the Firewall Policy node, click New, then click Access Policy. The new policy wizard appears. Type the name of the policy and click Next.



Click Allow under Rule Action. Click Add on the protocols page and add the RADIUS and RADIUS Accounting protocols.



On the access rule sources window, add VPN Clients as the source. If you are creating this policy for internal clients, add the Internal network instead of VPN Clients.


On the next screen, specify the destination, which is the location of the NPS server. In this article the NPS server is placed in the internal network, so I added the Internal network.


On the next window, add the Active Directory group to which this rule applies.



Click Finish and apply the changes.



Note: You have to create a firewall policy for the clients. In this example, I have shown a firewall policy for VPN clients. If you want to create a policy for internal clients, you have to change the source to the internal clients. The protocols are the same as shown in the screenshots above.

To add Forefront TMG as a RADIUS client on NPS

Log on to the Network Policy Server, open the NPS management console, right-click RADIUS Clients, then click New RADIUS Client.


In the New RADIUS Client dialog box, type a name, type a description of FF TMG, and type the IP address of Forefront TMG. In the Shared secret box, type a shared secret. This shared secret is the same shared secret you typed in FF TMG, as mentioned at the beginning of this article.



Select the RADIUS client is NAP-capable check box if you want to enforce the VPN client's health policy. Click OK.
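To make concrete what a RADIUS client such as TMG actually sends to NPS, and why the shared secret must match on both sides, here is an added Python example (not from the original article) that builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, together with the server-side inverse. The shared secret, user name, password and NAS address are constructed placeholders; Message-Authenticator and accounting packets are left out.

```python
import hashlib
import os
import struct

# RFC 2865 attribute type numbers used in this example
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCESS_REQUEST = 1


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous block), where the first 'previous
    block' is the 16-byte Request Authenticator of the packet."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(password[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password. With a mismatched shared secret the
    result is garbage, which is why the request then fails authentication on NPS."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(identifier: int, user: bytes, password: bytes, secret: bytes,
                   nas_ip: str, authenticator: bytes = None) -> bytes:
    """Build the Access-Request a RADIUS client such as TMG sends to NPS.
    Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    # Constructed values: the shared secret, credentials and NAS address are placeholders.
    secret, auth = b"Sh@redSecret-placeholder", bytes(range(16))
    pkt = access_request(7, b"alice", b"P@ssw0rd", secret, "10.0.0.1", auth)
    print(len(pkt), pkt.hex())
```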


To enforce health policy for VPN clients:

On the Network Policy Server or a different Windows Server 2008, open Server Manager, click Roles, click Add Roles, select the Health Registration Authority role, click Next and follow the screenshots.


Open the NPS Management Console, right-click Health Policies, then click New.


Type a policy name, select the client SHV checks, and check Windows Security Health Validator.


Select and check the appropriate firewall, Windows Update and antivirus update policies. Apply and click OK.



Click Configure to add a remediation server for health registration.




About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server.

17 Responses to Configure Forefront TMG as a NPS (Radius) Client for VPN and local clients

  1. uzair says:

    Dear Mr. Raihan,

    I want to know some configuration of TMG. My query is: I have 3 locations and all are connecting to the head office through just GRE tunnels. I want to authenticate them through a Windows 2008 RADIUS server and run TMG for internet for the whole company. Will you please help me to overcome this issue.



  2. mohsin says:

    Thanks for your help. I will try and update you, but will you please give me any doc or site where I can find all configuration and installation of TMG, like internet sharing, VPN, RADIUS, and others.


  3. uzair says:

    Dear Mr. Rehan,

    I want to do port forwarding or port mapping in TMG.

    Explaining the scenario:

    I have FTP and application servers inside TMG (on local IP addresses). TMG has a public IP and serves internet to local clients. I want to access our application servers from the internet, but they have local IP addresses; maybe port mapping or port forwarding will resolve the issue.

    Please reply ASAP.


  4. uzair says:

    Dear Mr Rehan,

    I don't have so many servers; I just have 3 servers: one is for TMG and the others are an accounting application server and an FTP server. I have a /28 public IP pool, if I don't go with the reverse proxy setup because it's very complex.

    Suppose I assign public IP addresses to TMG and the other servers; is there any way in TMG which allows internal or external users to communicate with TMG and the other servers easily?


  5. uzair says:

    Please update.


  6. uzair says:

    Please add your feedback, and also be informed that I don't have a domain server. Is it important in TMG to install a domain?


    • I don't understand what you mean. TMG is a member server. You cannot install AD on TMG; that's not best practice. Reverse proxy is very easy, but if you can't, then use port forwarding in your router.


  7. uzair says:

    Dear Rehan,

    I mean to say I am running a workgroup environment; I don't have an AD server. The question is: can I install and run TMG in a workgroup environment? I just want to perform net sharing and run a server publishing rule for port forwarding. Please update.

    The port forwarding (server publishing) link is given below; please add your feedback on it.


  9. uzair says:

    TC BYE


  10. Muna says:

    I need help to set up TMG 2010 in a remote datacenter configured as a VPN server.
    The scenario is: there are two datacenters, a hub datacenter and a remote datacenter. At the hub datacenter we have Active Directory Service (ADS) installed on a Windows 2008 R2 Domain Controller (DC), which also has the NPS server role configured as a RADIUS server integrated with ADS. On the DC there are two NICs: on NIC 1 a local IP is configured and on NIC 2 a public static IP is configured. We need to install a TMG 2010 server in the remote datacenter configured as a VPN server, and there is only a single NIC with a public static IP configured. VPN clients connecting to the TMG 2010 VPN server should get remote authentication on the Domain Controller at the hub datacenter.

    In such a scenario, can we configure the remote TMG 2010 server as a RADIUS client & proxy and forward the VPN client authentication to the DC at the hub datacenter, which is also configured as a RADIUS server?


  11. kejian says:

    Dear Mr. Rehan,

    I want to get the client IP address of the web access from the RADIUS message in the TMG HTTP proxy.

    Explaining the scenario: I have configured the RADIUS authentication method in the TMG HTTP proxy; we can get the login name and password in the Access-Request message. My question is: in which way can we get the client IP of the origin HTTP request?

    Please reply ASAP.

    Thanks a lot!


