Connection owner for a Site-to-Site connection is missing in TMG
Consider the following scenario. You are running an array of more than one TMG Server 2010 and need to establish a VPN Site-to-Site connection. Therefore you will need to define a connection owner. The reason for this is that you need to define a tunnel endpoint in your array.
Normally you define the connection owner this in the wizard while creating such a Site-to-Site connection.
Furthermore you can change this setting after you have created it. For the Site-to-Site connection there is a tab called 'Server' which enables you to change this.
Generally speaking you should have this tab if you have an array of multiple servers and if NLB has been disabled.
This is also explained in the following TechNet article: http://technet.microsoft.com/en-us/library/dd441072.aspx
“If the Forefront TMG server is a member of an array, on the Connection Owner page, click the array member that will serve as the VPN tunnel endpoint in the array. If Network Load Balancing (NLB) is enabled for the array, you do not have to specify a connection owner; it will be assigned automatically.”
However, if you have enabled NLB on one interface only (e.g. the internal one), but not on the external interface, the 'Server' tab will be missing if you open the properties of a Site-to-Site connection. This can get an issue if you need to change the connection owner.
To address this issue, you can use the following script which resets the connection owner. Copy the content below to a text editor and save the file to a vbs file (e.g. connectionsowner.vbs).
Then you can run the script with the syntax
'cscript connectionsowner.vbs ConnectionName NewConnectionOwnerName'.
Running this script will create an output in the cmd.exe like the following example:
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script will display the currently assigned Server for a given
' VPN S2S connection and will set it to the value in the parameter
' serverName. Future versions can add this one as an addtl. argument
' to the script
' This script can be run from a command prompt by entering the
' following command:
' CScript SetAssignedServer.vbs NetworkName
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Option Explicit
'Define the constants needed
Const Error_FileNotFound = &H80070002
Const fpcPolicyRuleWebPublishing = &H02
Const fpcPolicyRuleServerPublishing = &H01
Dim networkName
Dim network
Dim serverName
Main(WScript.Arguments)
Sub Main(args)
If(args.Count <> 2) Then
Usage()
End If
networkName = args(0)
serverName = args(1)
SetValue()
End Sub
Sub SetValue()
' Create the root obect.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")
'Declare the other objects needed.
Dim array ' An FPCArray object
' Get references to the array object
' and the network rules collection.
Set array = root.GetContainingArray
'Get the Networks
Dim arrayNetworks
Set arrayNetworks = array.NetworkConfiguration.Networks
On Error Resume Next
Set network = arrayNetworks.Item(networkName)
If Err.Number = Error_FileNotFound Then
WScript.Echo _
"The network specified could not be found."
WScript.Quit
End If
On Error GoTo 0
WScript.Echo "Found the network " &networkName &" it currently has the server " &network.VpnConfiguration.AssignedServer &" assigned to it"
'set the assigned server to the servername
network.VpnConfiguration.SetAssignedServer(serverName)
CheckError
WScript.Echo "Now set the connection owner server to " &network.VpnConfiguration.AssignedServer &" "
'save the changes
network.Save false, true
CheckError
End Sub
Sub CheckError()
If Err.Number <> 0 Then
WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
Err.Clear
End If
End Sub
Sub Usage()
WScript.Echo "Usage:" & VbCrLf _
& " CScript " & WScript.ScriptName & " NetworkName" & " ServerName" & VbCrLf _
& "" & VbCrLf _
& " NetworkName - Name of a VPN S2S network" & VbCrLf
WScript.Quit
End Sub
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Please note that running this script will not display the missing tab again, but you will be able to change the settings. You would need to completely disable NLB integration in TMG to see this tab again.
I hope this blog is helpful for you and I am looking forward to your comments.
Author:
Frank Hennemann
Microsoft CSS Forefront Security Edge Team
Reviewer:
Thomas Detzner
Microsoft Consulting Services
Comments
- Anonymous
May 18, 2012
Wow...how is this something that has not been addressed? I can't disable NLB without setting the server, but I can't set the server until NLB is disabled.....wow...just wow.