It is recommended that Network Policy Server (NPS) be installed on a different computer from the one where Forefront TMG is installed. A benefit of such a deployment is that NPS can then also be used to evaluate the health of clients that access the network by means other than the VPN.

In such a deployment, where Forefront TMG sends RADIUS messages to the NPS for authentication and authorization of the VPN connection, you must configure NPS to recognize the Forefront TMG computer as a RADIUS client.

You can use the NPS role that was installed on the Forefront TMG server to evaluate non-VPN clients. To do so, you need to create an access rule from Forefront TMG to NPS, and be sure to include the port number used by the NPS role for RADIUS connections.

To configure Forefront TMG as a RADIUS client on NPS

  1. On the computer on which you have installed NPS, click Start, click Run, type nps.msc, and then press ENTER to open the NPS management console. Leave this window open for the following NPS configuration tasks.

  2. In the tree, expand RADIUS Clients and Servers, right-click RADIUS Clients, and then click New RADIUS Client. The New RADIUS Client dialog box opens.

  3. On the New RADIUS Client dialog box, in the Friendly name box, type a description of Forefront TMG. In the Address (IP or DNS) box, type the IP address of Forefront TMG.

  4. In the Shared secret box, type a shared secret. Record the shared secret for use when configuring Forefront TMG as a RADIUS client (see Configuring Forefront TMG as a RADIUS client for details).

  5. In the Confirm shared secret box, type the shared secret again.

  6. Select the RADIUS client is NAP-capable check box, and then click OK.
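The same registration can be scripted on the NPS computer. The following PowerShell is an added example and is not part of the original page or of any Microsoft documentation; it assumes the NPS PowerShell module (New-NpsRadiusClient and Get-NpsRadiusClient, available on Windows Server 2012 R2 and later), and the friendly name and TMG address it uses are constructed placeholders. It mirrors steps 2 through 6 above: one RADIUS client entry, restricted to the single IP address of the Forefront TMG computer, a randomly generated shared secret instead of a hand-typed one, and the NAP-capable flag set.

```powershell
# Added example (not from the original page): register the Forefront TMG computer
# as a NAP-capable RADIUS client on NPS, as steps 2-6 of the procedure do in the
# management console. Assumes the NPS PowerShell module (Windows Server 2012 R2+).
Import-Module NPS

$tmgName    = 'Forefront TMG (VPN)'   # friendly name, as in step 3 (constructed)
$tmgAddress = '192.0.2.10'            # PLACEHOLDER: the TMG computer's own IP address;
                                      # use the host address, not a subnet, so only TMG can use the secret

# Generate a 32-byte random shared secret (44 Base64 characters). A long random
# value removes the risk of a short, guessable secret typed by hand in step 4.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# Do not silently replace an existing registration for this TMG computer.
if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $tmgName }) {
    throw "A RADIUS client named '$tmgName' already exists; use Set-NpsRadiusClient to change it."
}

# Steps 3-6: name, address, shared secret, and the "RADIUS client is NAP-capable" flag.
New-NpsRadiusClient -Name $tmgName -Address $tmgAddress -SharedSecret $secret -NapCompatible $true

# Verify what NPS stored for this client (the secret itself is not echoed back).
Get-NpsRadiusClient | Where-Object { $_.Name -eq $tmgName } | Format-List *

# Record the secret for the Forefront TMG side of the configuration (step 4),
# then discard this copy; it is the only credential the RADIUS exchange relies on.
Write-Host "Shared secret for the Forefront TMG RADIUS client configuration: $secret"
```

On a Windows Server 2008-era NPS computer, where the module does not exist, the equivalent is the built-in command `netsh nps add client name = "<name>" address = "<ip>" sharedsecret = "<secret>" napcompatible = "YES"`, and `netsh nps show client` lists the result. Whichever form is used, the RADIUS traffic between Forefront TMG and NPS is UDP to the ports NPS listens on (1812 and 1813 by default, with 1645 and 1646 kept for older clients), which is the port number the access rule mentioned above must allow.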

Copyright © 2009 by Microsoft Corporation. All rights reserved.