The Create VPN Site-to-Site Connection wizard helps you configure Forefront TMG to create a Virtual Private Network (VPN) connection from a remote site to your corporate network.
In the wizard, you can perform the following tasks:
- Specify a VPN traffic protocol.
- Assign IP addresses to the remote VPN client connection.
- Specify the account used to authenticate at the remote site.
- Configure authentication for the remote site.
- Specify an IPsec authentication method.
- Specify IP address ranges of the remote site network.
- Create a network rule to route traffic to and from the remote network.
- Create an access rule to allow traffic to and from the remote network.
After you run the wizard, you can configure additional settings to enable the VPN connection.
The following procedure describes how to configure a site-to-site VPN on Forefront TMG.
Creating a VPN remote site connection
To create a VPN site-to-site network
- In the Forefront TMG Management console, in the tree, click Remote Access Policy (VPN).
- In the details pane, click the Remote Sites tab.
- In the Tasks tab, click Create VPN Site-to-Site Connection.
- In the Create VPN Site-to-Site Connection wizard, follow the on-screen instructions, and note the following:
  - On the Welcome page, in the Site-to-Site network name text box, you must type the exact name of the remote network’s gateway.
  - Note the following about the Internet Protocol security (IPsec) tunneling protocol:
    - When you create a remote site network that uses IPsec, the Microsoft Firewall service modifies the IPsec filters on the computer when the Firewall service restarts. This process can take up to several minutes, depending on the number of subnets included in the address ranges for the network. To minimize the effect, it is recommended that you define IP address ranges that are aligned to subnet boundaries.
    - If you stop or restart the IPsec PolicyAgent service, all dynamic IPsec configuration information is lost, including the Forefront TMG VPN site-to-site IPsec configuration settings, and the VPN clients are disconnected. To restore the settings, start the PolicyAgent service or restart the Firewall service.
  - If the Forefront TMG server is a member of an array, on the Connection Owner page, click the array member that will serve as the VPN tunnel endpoint in the array. If Network Load Balancing (NLB) is enabled for the array, you do not have to specify a connection owner; it is assigned automatically.
  - If you are using certificate authentication with the L2TP/IPsec VPN protocol, the Forefront TMG servers on both sides of the VPN must have digital certificates issued by the same Certificate Authority. Certificate authentication is the recommended, and most secure, authentication method.
  - When entering an address range for the remote VPN server on the Network Addresses page, you must match the exact network definition and subnet mask of the remote site.
- To view a summary of the VPN site-to-site network configuration, right-click the selected network, and then click Site-to-Site Summary under the Remote Sites tab.
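The IPsec note above recommends address ranges aligned to subnet boundaries, and the Network Addresses step requires the range to match the remote site's network definition exactly. The following Python example, added here and not part of the Forefront TMG documentation or product, checks both conditions for a range before it is entered in the wizard; the sample ranges and the remote CIDR are constructed values.

```python
import ipaddress


def range_to_subnets(first, last):
    """Decompose an inclusive IPv4 range into the minimal list of CIDR subnets.

    Forefront TMG derives its IPsec filters from the subnets that make up each
    address range, so the length of this list is a proxy for how much filter
    work a Firewall service restart has to do for the remote site network.
    """
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError("range start must not be after range end")
    return list(ipaddress.summarize_address_range(start, end))


def is_subnet_aligned(first, last):
    """True when the range is exactly one CIDR block, i.e. aligned to a subnet boundary."""
    return len(range_to_subnets(first, last)) == 1


def matches_remote_definition(first, last, remote_cidr):
    """Check the range entered on the Network Addresses page against the remote
    site's own network definition (network address plus subnet mask)."""
    subnets = range_to_subnets(first, last)
    return len(subnets) == 1 and subnets[0] == ipaddress.IPv4Network(remote_cidr)


# Constructed sample values (hypothetical, not from any real deployment).
ALIGNED_RANGE = ("10.20.0.0", "10.20.3.255")     # exactly 10.20.0.0/22
MISALIGNED_RANGE = ("10.20.0.1", "10.20.3.254")  # drops first and last address
REMOTE_SITE_CIDR = "10.20.0.0/22"                # what the remote gateway is configured with

if __name__ == "__main__":
    for label, rng in (("aligned", ALIGNED_RANGE), ("misaligned", MISALIGNED_RANGE)):
        subnets = range_to_subnets(*rng)
        print(f"{label}: {rng[0]}-{rng[1]} -> {len(subnets)} subnet(s)")
        for subnet in subnets:
            print("   ", subnet)
        print("    matches remote definition:",
              matches_remote_definition(*rng, REMOTE_SITE_CIDR))
```

Trimming a single address off each end of a /22 turns one IPsec subnet into eighteen, which is the kind of range the note warns will slow down Firewall service restarts.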
Copyright © 2009 by Microsoft Corporation. All rights reserved.