This topic describes how to configure a more secure VPN connection for remote access clients. You do so by first deploying a computer certificate to Forefront TMG and to the remote VPN clients, then enabling the Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPsec) authentication and encryption protocol for increased security, and finally enabling Extensible Authentication Protocol (EAP) authentication, so that clients authenticate with a smart card or other certificate.

Prerequisites

Before you begin, be sure to complete the steps described in Enabling basic remote client access.

Deploying certificates to Forefront TMG and VPN clients

When you configure remote client access with enhanced security, you must deploy certificates to Forefront TMG and to the remote clients.

To deploy certificates to Forefront TMG and VPN clients

  1. Obtain a server certificate. You must either set up a local certification authority (CA) and request a server certificate, or use a certificate issued by a commercial CA.

  2. Install the server certificate.

  3. Install the root certificate on client computers.
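The three steps above leave no visible confirmation that the certificates landed in the right stores with the right properties. The following PowerShell script is an added example, not part of the original Forefront TMG documentation, that checks a computer for a certificate usable for L2TP/IPsec (on the Forefront TMG computer) or for EAP certificate authentication (on a client). It reads only the standard Windows certificate stores through the .NET X509 classes; the -Role parameter, the output object layout, and the offline revocation setting are this script's own assumptions.

```powershell
# Added example (not from the original Forefront TMG documentation).
# Run on the Forefront TMG computer with -Role Server, or on a remote client with -Role Client.
param(
    [ValidateSet('Server', 'Client')]
    [string]$Role = 'Server'
)

# Standard extended key usage OIDs (RFC 5280):
#   1.3.6.1.5.5.7.3.1 = Server Authentication (the computer certificate on Forefront TMG)
#   1.3.6.1.5.5.7.3.2 = Client Authentication (a client certificate used for EAP)
$requiredEku = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }

$certNs = 'System.Security.Cryptography.X509Certificates'

# Step 1-2 check: the Local Computer\Personal store must hold a certificate with a private key
# and the required EKU. IPsec and EAP both need the private key, so user-store certificates do not count.
$myStore = New-Object "$certNs.X509Store"('My', 'LocalMachine')
$myStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$candidates = @()
foreach ($cert in $myStore.Certificates) {
    if (-not $cert.HasPrivateKey) { continue }
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ekuExt) { continue }
    $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Oid.Value }
    if ($oids -contains $requiredEku) { $candidates += $cert }
}
$myStore.Close()

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with a private key and EKU $requiredEku found in LocalMachine\My."
    return
}

# Step 3 check: the chain must build, and its root must be in Local Computer\Trusted Root.
$rootStore = New-Object "$certNs.X509Store"('Root', 'LocalMachine')
$rootStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

foreach ($cert in $candidates) {
    $chain = New-Object "$certNs.X509Chain"
    # NoCheck keeps the check offline; switch to Online when the CA's CRL is reachable.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    $rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = $rootStore.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $rootCert.Thumbprint, $false).Count -gt 0

    $problems = @()
    if (-not $chainOk)   { $problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) }
    if (-not $rootTrusted) { $problems += 'Issuing root is not in LocalMachine\Root' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += 'Certificate has expired' }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Root       = $rootCert.Subject
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}
$rootStore.Close()
```

A result with Usable set to False names the missing piece: no chain means the intermediate or root certificate was never installed on that computer (step 3), while a missing private key or EKU means the wrong certificate template or store was used in step 2. Run it with -Role Client on a remote client before testing the EAP connection, since a client certificate without the Client Authentication EKU is rejected silently during the tunnel setup.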

Enabling the L2TP tunneling protocol

To enable the L2TP tunneling protocol

  1. In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node, and in the details pane, click the VPN Clients tab.

  2. In the Tasks tab, click Configure VPN Client Access.

  3. Click the Protocols tab, and select Enable L2TP.

  4. Click OK. To save your changes, on the Apply Changes bar, click Apply.

Enabling EAP authentication

To enable EAP authentication

  1. In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node, and in the details pane, click the VPN Clients tab.

  2. In the Tasks tab, click Select Authentication Methods.

  3. On the Authentication tab, select Extensible authentication protocol (EAP) with smart card or other certificate.

  4. Click OK. To save your changes, on the Apply Changes bar, click Apply.

Copyright © 2009 by Microsoft Corporation. All rights reserved.