In this article, I will describe how to configure Forefront TMG as a RADIUS client. As a RADIUS client, FF TMG acts as a messenger, forwarding RADIUS requests to NPS for authentication and authorization of VPN connections. The following Visio diagram shows the placement of TMG as a RADIUS client.
To configure FF TMG as a RADIUS client
Log on to the TMG server, open the Forefront TMG Management console, click Remote Access Policy (VPN) > Radius Server or Specify RADIUS Configuration.
The VPN properties dialog opens. On the RADIUS tab, click Use RADIUS for authentication > RADIUS Servers.
Click Add. Type the server name or IP address of the NPS server and create a new shared secret. This shared secret must be the same as the shared secret you enter in NPS when you add TMG as a RADIUS client there.
Click OK > OK. Apply the changes and click OK.
Note: The above configuration applies to VPN clients ONLY.
To configure Forefront TMG to authenticate local clients
Open the Forefront TMG Management console, click the Firewall Policy node > Tasks pane > Configure Client Access. Select Internal (Local Networks) > Configure.
Click the Web Proxy tab > Authentication. Under Method, clear any other selected methods, and then select RADIUS. Click RADIUS Servers > Add.
Now add the server name or IP address of the RADIUS server and enter a new shared secret as you did in the previous steps. Apply the changes you have made.
To create a RADIUS firewall policy using FF TMG 2010
Open the Forefront TMG Management console, right-click the Firewall Policy node > New > Access Policy. The new policy wizard opens. Type the name of the policy > Next.
Click Allow under Rule Action > Add on the protocol property > add the Radius and Radius Accounting protocols.
On the access rule window, add VPN Clients as the source. If you are creating this policy for internal clients, then add the Internal network instead of VPN Clients.
Specify the destination, which is the location of the NPS server, as shown in the next screenshot. In this article the NPS server is placed in the Internal network, so I added the Internal network.
On the next window, add the Active Directory group to which this rule applies.
Click Finish and apply the changes.
Note: You have to create a firewall policy for the clients. In this example, I have shown the firewall policy for VPN clients. If you want to create a policy for internal clients, you have to change the source of the rule. The protocols are the same as shown in the screenshots above.
To add Forefront TMG as a RADIUS client in NPS
Log on to the Network Policy Server, open the NPS management console > right-click RADIUS Clients > New RADIUS Client.
In the New RADIUS Client dialog box, type a name > type a description of FF TMG > type the IP address of Forefront TMG. In the Shared secret box, type the shared secret. This is the same shared secret you typed in FF TMG, as mentioned at the beginning of this article.
Select the "RADIUS client is NAP-capable" check box if you want to enforce the VPN clients' health policy. Click OK.
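The shared secret entered on the TMG side and on the NPS side must match because every Access-Request TMG forwards hides the user's password with that secret (RFC 2865 section 5.2), and NPS needs the same secret to recover it. The following Python script is an added illustration, not part of this article or of TMG/NPS; the secret, password and Request Authenticator are constructed values, and it shows how a mismatched secret on the server side yields an unusable password rather than a clear error.

```python
import hashlib

BLOCK = 16  # RFC 2865 User-Password works in 16-octet blocks


def encode_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password as the NAS (here TMG) does: pad to a multiple of 16
    octets, then XOR each block with MD5(secret + previous ciphertext block),
    where the first 'previous block' is the 16-octet Request Authenticator."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    blocks = max(1, -(-len(password) // BLOCK))  # at least one block, even for ""
    padded = password.ljust(blocks * BLOCK, b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += cipher
        prev = cipher  # chaining: next block keyed on this ciphertext block
    return out


def decode_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the password as the RADIUS server (here NPS) does, using its own
    configured secret. With the wrong secret the result is garbage, which NPS
    reports as a failed authentication, not as a secret mismatch."""
    if len(hidden) % BLOCK or not hidden:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(cipher, keystream))
        prev = cipher
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed demo values; a real NAS uses an unpredictable random authenticator.
    tmg_secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    hidden = encode_user_password(b"P@ssw0rd", tmg_secret, req_auth)
    print("NPS with matching secret :", decode_user_password(hidden, tmg_secret, req_auth))
    print("NPS with wrong secret    :", decode_user_password(hidden, b"typo-secret", req_auth))
```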
To enforce Health Policy for VPN clients:
On the Network Policy Server or a different Windows Server 2008 machine, open Server Manager > Roles > Add Roles > select the Health Registration Authority role > Next, and follow the screenshots.
Open the NPS Management Console > right-click Health Policies > New.
Type a policy name > select the client SHV checks > check Windows Security Health Validator.
Select and check the appropriate firewall, Windows Update and antivirus update policies. Apply and click OK.
Click Configure to add a remediation server for health registration.