Creating a VPN remote site connection
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
The Create VPN Site-to-Site Connection wizard helps you configure Forefront TMG to create a Virtual Private Network (VPN) connection from a remote site to your corporate network.
In the wizard, you can perform the following tasks:
Specify a VPN traffic protocol.
Assign IP addresses to the remote VPN client connection.
Specify the account used to authenticate at the remote site.
Configure authentication for the remote site.
Specify an IPsec authentication method.
Specify IP address ranges of the remote site network.
Create a network rule to route traffic to and from the remote network.
Create an access rule to allow traffic to and from the remote network.
After you run the wizard, you can configure additional settings to enable the VPN connection.
The following procedure describes how to configure a site-to-site VPN on Forefront TMG.
Creating a VPN remote site connection
To create a VPN site-to-site network
In the Forefront TMG Management console, in the tree, click Remote Access Policy (VPN).
In the details pane, click the Remote Sites tab.
In the Tasks tab, click Create VPN Site-to-Site Connection.
In the Create VPN Site-to-Site Connection wizard, follow the on-screen instructions, and note the following:
On the Welcome page, in the Site-to-Site network name text box, you must type the exact name of the remote network’s gateway.
Note the following about the Internet Protocol security (IPsec) tunneling protocol:
When you create or modify a remote site network that uses IPsec, you must restart the Microsoft Firewall service so that the IPsec filters can be modified to reflect the new configuration. This process can take up to several minutes, depending on the number of subnets included in the address ranges for the network. To minimize the effect, it is recommended that you define IP address ranges that are aligned with subnet boundaries.
If you stop or restart the IPsec PolicyAgent service, all dynamic IPsec configuration information is lost, including the Forefront TMG VPN site-to-site IPsec configuration settings, and the VPN clients are disconnected. To restore the settings, start the PolicyAgent service or restart the Firewall service.
If the Forefront TMG server is a member of an array, on the Connection Owner page, click the array member that will serve as the VPN tunnel endpoint in the array. If Network Load Balancing (NLB) is enabled for the array, you do not have to specify a connection owner; it will be assigned automatically.
If you are using certificate authentication with the VPN protocol L2TP/IPSec, the Forefront TMG servers on both sides of the VPN are required to have digital certificates from the same Certification Authority. Certificate authentication is the recommended, and most secure, authentication method.
When entering an address range for the remote VPN server on the Network Addresses page, you must match the exact network definition and subnet mask of the remote site.
To view a summary of the VPN site-to-site network configuration, right-click the selected network, and then click Site-to-Site Summary under the Remote Sites tab.
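The two notes above about address ranges (define ranges aligned with subnet boundaries so the IPsec filters stay small, and match the remote site's exact network definition and subnet mask) can be checked before you type anything into the Network Addresses page. The following is an added example, not code from the Forefront TMG documentation or product; it uses only the Python standard library and assumes you know the remote administrator's network/mask, and the sample ranges in it are constructed.

```python
"""Subnet-alignment check for Forefront TMG remote-site address ranges.
Added example; it is not code from the TMG documentation or product."""
import ipaddress


def summarize_range(first_ip: str, last_ip: str) -> list[str]:
    """Decompose an inclusive first..last IPv4 range into the CIDR blocks
    the IPsec filters would need. Aligned ranges yield exactly one block."""
    first = ipaddress.IPv4Address(first_ip)
    last = ipaddress.IPv4Address(last_ip)
    if last < first:
        raise ValueError(f"range end {last} precedes range start {first}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def is_subnet_aligned(first_ip: str, last_ip: str) -> bool:
    """True when the range is one whole subnet (a single CIDR block)."""
    return len(summarize_range(first_ip, last_ip)) == 1


def matches_remote_definition(first_ip: str, last_ip: str,
                              remote_network: str) -> bool:
    """True only if the range equals the remote site's network/mask exactly.
    strict=True rejects a definition with host bits set (e.g. 10.1.0.1/24)."""
    remote = ipaddress.IPv4Network(remote_network, strict=True)
    blocks = summarize_range(first_ip, last_ip)
    return len(blocks) == 1 and ipaddress.IPv4Network(blocks[0]) == remote


def review_ranges(ranges: list[tuple[str, str]]) -> list[dict]:
    """Report each range's CIDR decomposition and whether it is aligned."""
    report = []
    for first, last in ranges:
        blocks = summarize_range(first, last)
        report.append({"first": first, "last": last,
                       "blocks": blocks, "aligned": len(blocks) == 1})
    return report


if __name__ == "__main__":
    # Constructed sample ranges; the second is off by one at both ends.
    sample = [("10.1.0.0", "10.1.0.255"), ("10.1.0.1", "10.1.1.254")]
    for entry in review_ranges(sample):
        status = "aligned" if entry["aligned"] else "NOT aligned"
        print(f'{entry["first"]}-{entry["last"]}: {status}, '
              f'{len(entry["blocks"])} IPsec filter block(s)')
    print("matches 10.1.0.0/24:",
          matches_remote_definition("10.1.0.0", "10.1.0.255", "10.1.0.0/24"))
```

A range that is off by one address at either end splits into many small blocks, which is exactly what lengthens the Firewall service restart described above.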