The Create VPN Site-to-Site Connection wizard helps you configure Forefront TMG to create a Virtual Private Network (VPN) connection from a remote site to your corporate network.

In the wizard, you can perform the following tasks:

After you run the wizard, you can configure additional settings to enable the VPN connection.

The following procedure describes how to configure a site-to-site VPN on Forefront TMG.

Creating a VPN remote site connection

To create a VPN site-to site network

  1. In the Forefront TMG Management console, in the tree, click Remote Access Policy (VPN).

  2. In the details pane, click the Remote Sites tab.

  3. In the Tasks tab, click Create VPN Site-to-Site Connection.

  4. In the Create VPN Site-to-Site Connection wizard, follow the on-screen instructions, and note the following:

    1. On the Welcome page, in the Site-to-Site network name text box, you must type the exact name of the remote network’s gateway.

    2. Note the following about the Internet Protocol security (IPsec) tunneling protocol:

      • When you create a remote site network that uses IPsec, the Microsoft Firewall service modifies the IPsec filters on the computer when restarting the Firewall service. This process can take up to several minutes, depending on the number of subnets included in the address ranges for the network. To minimize the effect, it is recommended that you define IP address ranges that are aligned in subnet boundaries.

      • If you stop or restart the IPsec PolicyAgent service, all dynamic IPsec configuration information is lost, including the Forefront TMG VPN site-to-site IPsec configuration settings, and the VPN clients are disconnected. To restore the settings, start the PolicyAgent service or restart the Firewall service.

    3. If the Forefront TMG server is a member of an array, on the Connection Owner page, click the array member that will serve as the VPN tunnel endpoint in the array. If Network Load Balancing (NLB) is enabled for the array, you do not have to specify a connection owner; it will be assigned automatically.

    4. If you are using certificate authentication with the VPN protocol L2TP/IPSec, the Forefront TMG servers on both sides of the VPN are required to have digital certificates from the same Certificate Authority. Note that certificate authentication is the recommended, and most secure, protocol method.

    5. When entering an address range for the remote VPN server on the Network Addresses page, you must match the exact network definition and subnet mask of the remote site.

  5. To view a summary of the VPN site-to-site network configuration, right click the selected network, and then click Site-to-Site Summary under the Remote Sites tab.

Related Topics

Copyright © 2009 by Microsoft Corporation. All rights reserved.