This topic describes how to enable basic access for remote clients using a virtual private network (VPN). After completing the procedures below, and verifying that you have VPN connectivity, it is recommended that you implement a higher level of security, as detailed in Configuring remote client access with enhanced security. To enable basic remote client access, complete the following procedures:
- Assigning IP addresses to remote VPN clients—Specify how VPN clients receive IP addresses when connecting to the corporate network.
- Setting VPN client access networks and authentication methods—Specify the networks from which VPN clients can initiate VPN connections, and verify that MS-CHAPv2 is the only authentication method enabled.
- Enabling VPN client access and setting the tunneling protocol—Enable virtual private networking on Forefront TMG for remote clients, and verify that Point-to-Point Tunneling Protocol (PPTP) is the only tunneling protocol enabled.
- Testing basic VPN connectivity—Initiate a VPN connection from an external network, and monitor remote access usage and authentication attempts via the Sessions viewer.
Prerequisites
Before you begin, it is recommended that you create a VPN Clients group as described in the procedure "Create users and groups for remote VPN clients" in Defining remote VPN clients.
Assigning IP addresses to remote VPN clients
To assign IP addresses to remote VPN clients
- In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node, and in the details pane, click the VPN Clients tab.
- In the details pane, click Configure Address Assignment Method.
- On the Address Assignment tab, select one of the following options:
  - Static address pool—If you want to assign static addresses to the remote VPN clients.
  - Dynamic Host Configuration Protocol (DHCP)—If you want to assign addresses to the remote VPN clients dynamically.
  Note: You can configure Forefront TMG to use a DHCP server to assign IP addresses for VPN remote clients only for single-server arrays. Use static pool address assignment whenever there are multiple array members.
- If you selected Static address pool, do the following:
  - Click Add.
  - In arrays of more than one array member, in Select the server, select the array member for which you are defining the static address pool.
  Note: In a deployment with multiple array members, a VPN client can connect to any of them. This configuration defines what address pool each array member can use. The address pools for each array member must not intersect with the address pool of any other array member.
  - In Start address, type the first address in the range of addresses to assign to the VPN clients.
  - In End address, type the last address in the range of addresses to assign to the VPN clients.
  - Click OK to close the dialog box.
- In Use the following network to obtain DHCP, DNS and WINS services, select the network on which the name resolution servers are located.
- If you want to configure DNS and WINS server settings, click Advanced.
  - Set DNS server address configuration by selecting one of the following:
    - Obtain DNS server addresses using DHCP configuration.
    - Use the following DNS server addresses—To provide the static IP address of the DNS server that VPN clients should use for name resolution. If you select this option, in Primary, type the IP address of a DNS server located on the Internal network that the VPN clients can use to resolve names on the Internal network. In Backup, type the IP address of a DNS server located on the Internal network that the VPN clients can use to resolve names on the Internal network when the primary DNS server is not available.
  - Set WINS server address configuration by selecting one of the following:
    - Obtain WINS server addresses using DHCP configuration—If VPN clients should obtain the WINS server by using a DHCP configuration.
    - Use the following WINS server addresses—To provide the static IP address of the WINS server that VPN clients should use for name resolution. If you select this option, in Primary, type the IP address of a WINS server located on the Internal network that the VPN clients can use to resolve names on the Internal network. In Backup, type the IP address of a WINS server located on the Internal network that the VPN clients can use to resolve names on the Internal network when the primary WINS server is not available.
- If you have not specified remote access users or groups, see Defining remote VPN clients.
- Leave the Remote Access Policy (VPN) Properties window open for the next step in enabling basic remote client access.
Setting VPN client access networks and authentication methods
To set VPN client access networks and authentication methods
- Click the Access Networks tab on the Remote Access Policy (VPN) Properties window.
- Verify that the External network is selected, and select the check box for any other networks from which clients will initiate connections to the VPN server.
- Click the Authentication tab on the Remote Access Policy (VPN) Properties window.
- Verify that Microsoft encrypted authentication version 2 (MS-CHAPv2) is selected, and clear any other authentication methods.
- Click OK to save your changes, then on the Apply Changes bar, click Apply.
Enabling VPN client access and setting the tunneling protocol
To enable VPN client access and select a tunneling protocol
- On the Tasks pane, click Configure VPN Client Access, and on the General tab, click Enable VPN client access.
  Note:
  - When you enable VPN client access, a system policy rule named Allow VPN clients to firewall is enabled. This rule establishes a routing relationship between the Internal network and the two VPN client networks (VPN Clients and Quarantined VPN Clients).
  - You should create access rules to allow appropriate access to VPN clients. For example, you can create a rule to allow access from the VPN Clients network to the Internal network on all protocols or for specific protocols.
- If required, in Maximum number of VPN clients allowed (per array member), adjust the maximum number of simultaneously connected clients. The default setting is 100; the maximum setting is 1000.
- Click the Protocols tab, and verify that Enable PPTP is selected.
Tip: It is recommended that you begin testing VPN connectivity with the PPTP protocol only. After you have verified connectivity, you should enable Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPSec) authentication and encryption protocol for increased security. For instructions, see Configuring remote client access with enhanced security.
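Two of the values entered in the procedures above constrain each other: the note in the static address pool step requires that the pools of different array members do not intersect, and Maximum number of VPN clients allowed (per array member) bounds how many addresses each member's pool must hold. The following Python script is an added example, not part of the Forefront TMG documentation and not Microsoft tooling, that checks both constraints before the values are typed into the console. The array member names and address ranges are constructed sample data (two defects are planted to exercise the checks), and the script assumes each connected client consumes one address from the pool.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data: one static address pool (start, end) per array member.
# Member names are hypothetical; two defects are planted to exercise the checks.
POOLS: Dict[str, Tuple[str, str]] = {
    "TMG-1": ("10.10.1.1", "10.10.1.120"),
    "TMG-2": ("10.10.1.100", "10.10.1.200"),  # intersects TMG-1 (planted)
    "TMG-3": ("10.10.2.1", "10.10.2.50"),     # fewer than 100 addresses (planted)
}

DEFAULT_MAX_CLIENTS = 100    # Forefront TMG default per array member
ABSOLUTE_MAX_CLIENTS = 1000  # largest value the console accepts


def pool_range(start: str, end: str) -> Tuple[int, int]:
    """Return the pool as integer bounds; reject an end address before the start."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError(f"end address {end} precedes start address {start}")
    return lo, hi


def pool_size(start: str, end: str) -> int:
    """Number of addresses in the inclusive range start..end."""
    lo, hi = pool_range(start, end)
    return hi - lo + 1


def find_overlaps(pools: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of array members whose static pools intersect (must be empty)."""
    bounds = {name: pool_range(*pool) for name, pool in pools.items()}
    names = sorted(bounds)
    overlaps: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = bounds[a]
            lo_b, hi_b = bounds[b]
            # Two inclusive ranges intersect unless one ends before the other starts.
            if lo_a <= hi_b and lo_b <= hi_a:
                overlaps.append((a, b))
    return overlaps


def undersized_pools(pools: Dict[str, Tuple[str, str]],
                     max_clients: int = DEFAULT_MAX_CLIENTS) -> Dict[str, int]:
    """Members whose pool cannot hold max_clients addresses (one address per client assumed)."""
    if not 1 <= max_clients <= ABSOLUTE_MAX_CLIENTS:
        raise ValueError(f"max_clients must be between 1 and {ABSOLUTE_MAX_CLIENTS}")
    return {name: pool_size(*pool) for name, pool in pools.items()
            if pool_size(*pool) < max_clients}


def audit(pools: Dict[str, Tuple[str, str]],
          max_clients: int = DEFAULT_MAX_CLIENTS) -> List[str]:
    """Human-readable findings; an empty list means the pools pass both checks."""
    findings = [f"pools of {a} and {b} intersect" for a, b in find_overlaps(pools)]
    for name, size in undersized_pools(pools, max_clients).items():
        findings.append(f"{name}: pool holds {size} addresses, fewer than the "
                        f"{max_clients} clients allowed")
    return findings


if __name__ == "__main__":
    for line in audit(POOLS) or ["no problems found"]:
        print(line)
```

Run against the sample data, the audit reports the planted intersection between TMG-1 and TMG-2 and the 50-address pool on TMG-3; rerun it with the real ranges and the configured per-member maximum before applying the configuration.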
Testing basic VPN connectivity
To test basic VPN connectivity
- Using a remote client, initiate a VPN connection from an external network.
- In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node, and in the details pane, click the VPN Clients tab.
- On the Tasks tab, click Monitor VPN Clients. The Sessions viewer displays the data for VPN clients connecting to Forefront TMG.
Copyright © 2009 by Microsoft Corporation. All rights reserved.