Terminate a VPN at a Front-End Firewall
In your network environment, you may need to manage a VPN that terminates at a front-end firewall. For example, you may need to provide VPN access to a remote branch office that has a firewall device. In this scenario the Security Server in Windows EBS functions as a back-end firewall.
To allow computers in the VPN to access the Windows EBS network, you need to configure the Security Server to allow traffic to and from the front-end firewall.
To allow access when terminating a VPN at a front-end firewall
Log on to the Management Server by using an account that is a member of the Domain Admins group.
Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.
Click the Security tab, click Network firewall, and then in the tasks pane, click Start Forefront Threat Management Gateway console.
In the Windows Security dialog box, type your credentials to connect to the Security Server. Then click OK.
In the Forefront TMG console tree, click Firewall Policy, click the Toolbox tab, and then click Network Objects.
Click New, and then click Address Range.
In the New Address Range Rule Element dialog box, do the following:
In Name, type a name for the address range (for example, Remote branch range).
In Start Address and End Address, type the range of IP addresses, and then click OK.
In the results pane, click Apply to save your changes and update the configuration.
In the console tree, right-click Networking, point to New, and then click Network Rule. The New Network Rule Wizard appears.
On the Welcome to the New Network Rule Wizard page, type a name for the network rule, and then click Next.
On the Network Traffic Sources page, do the following:
Click Add.
In the Add Network Entities dialog box, expand Address Ranges, click the address range that you created previously, click Add, and then click Close.
Click Next.
On the Network Traffic Destinations page, do the following:
Click Add.
In the Add Network Entities dialog box, expand Networks, click Internal, click Add, and then click Close.
Click Next.
On the Network Relationship page, click Route, and then click Next.
Note
Do not choose the Network Address Translation (NAT) option.
On the Completing the New Network Rule Wizard page, review the settings for the network rule, and then click Finish.
In the results pane, click Apply to save your changes and update the configuration.
Click the Network Rules tab, right-click the rule that you just created, and then click Move Up. Continue moving the rule up until it appears in the list before the Internet Access rule.
In the console tree, right-click Firewall Policy, point to New, and then click Access Rule. The New Access Rule Wizard appears.
On the Welcome to the New Access Rule Wizard page, type a name for the access rule, and then click Next.
On the Rule Action page, choose the Allow option, and then click Next.
On the Protocols page, in This rule applies to, choose All outbound traffic, and then click Next.
On the Malware Inspection page, choose whether you want HTTP content inspected for malware, and then click Next.
On the Access Rule Sources page, do the following:
Click Add.
In the Add Network Entities dialog box, expand Address Ranges, click the address range that you created previously, and then click Add.
Expand Networks, click Internal, click Add, and then click Close.
Click Next.
On the Access Rule Destinations page, do the following:
Click Add.
In the Add Network Entities dialog box, expand Address Ranges, click the address range that you created previously, and then click Add.
Expand Networks, click Internal, click Add, and then click Close.
Click Next.
On the User Sets page, accept the default value, and then click Next.
On the Completing the New Access Rule Wizard page, review the settings for the access rule, and then click Finish.
In the results pane, click Apply to save your changes and update the configuration.
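The network rule steps above require a Route relationship and that the new rule be moved above the Internet Access rule. The following added example (not part of the original article or of Forefront TMG) models why the order matters: network rules are evaluated top down and the first match wins, an address range object is not a Network so its addresses still fall into External, and Route relationships apply in both directions while NAT applies only from source to destination. The Internal subnet, the branch address range and the rule names are constructed sample values.

```python
import ipaddress

# Constructed sample topology; assumed values, not from the original article.
INTERNAL = ipaddress.ip_network("192.168.10.0/24")
BRANCH_START = ipaddress.ip_address("10.20.0.1")
BRANCH_END = ipaddress.ip_address("10.20.0.254")

# Network rules as (name, sources, destinations, relationship).
INTERNET_ACCESS = ("Internet Access", ("Internal",), ("External",), "NAT")
BRANCH_ROUTE = ("Branch VPN", ("Remote branch range",), ("Internal",), "Route")


def in_entity(entity, addr):
    """Membership test for the network entities the wizard offers.
    An address range object does not define a Network, so branch
    addresses outside Internal are still part of External."""
    if entity == "Internal":
        return addr in INTERNAL
    if entity == "External":
        return addr not in INTERNAL
    if entity == "Remote branch range":
        return BRANCH_START <= addr <= BRANCH_END
    raise ValueError(f"unknown network entity: {entity}")


def match_network_rule(rules, src, dst):
    """Return (rule name, relationship) of the first rule that matches.
    Route rules match in either direction; NAT rules only source->destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, sources, destinations, relationship in rules:
        forward = any(in_entity(s, src) for s in sources) and any(
            in_entity(d, dst) for d in destinations)
        reverse = relationship == "Route" and any(
            in_entity(d, src) for d in destinations) and any(
            in_entity(s, dst) for s in sources)
        if forward or reverse:
            return name, relationship
    return None, None


def relationship_for(rule_order, src, dst):
    """Relationship applied to src->dst under the given rule order."""
    return match_network_rule(rule_order, src, dst)[1]


if __name__ == "__main__":
    # Internal host replying to a branch host: Route only if the branch rule is first.
    print(relationship_for([BRANCH_ROUTE, INTERNET_ACCESS], "192.168.10.5", "10.20.0.7"))
    print(relationship_for([INTERNET_ACCESS, BRANCH_ROUTE], "192.168.10.5", "10.20.0.7"))
```

With the branch rule left below Internet Access, the return path from Internal to the branch range is translated (NAT) instead of routed, which is the failure the Move Up step prevents.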