
Oct 23 2012

Configuring a PPTP Site to Site VPN with TMG 2010

If you have branch offices, you need a VPN. Without one, file sharing, policy deployment and similar tasks become hard. If TMG 2010 is your choice for this, read on. TMG 2010 supports several VPN protocols: IPsec, L2TP over IPsec and PPTP. The last one is the simplest type of VPN you can create with TMG, and it is what I’m going to show you in this guide. I’ll take care of the other two in future articles. My configuration is in the table below so you can get a picture of what’s going on.

Site A (Main office)
  TMG name:    TMG-Site1
  Public IP:   208.67.110.10
  Internal IP: 192.168.100.254/24
  Client Site1
    IP:        192.168.100.10/24
    Gateway:   192.168.100.254

Site B (Branch office)
  TMG name:    TMG-Site2
  Public IP:   208.67.110.11
  Internal IP: 192.168.50.254/24
  Client Site2
    IP:        192.168.50.10/24
    Gateway:   192.168.50.254/24

To start, we need to make sure there is connectivity between our TMG 2010 servers: ping one from the other and see if it responds.


Now open the TMG console from the main office and go to Remote Access Policy (VPN). Here we have a couple of things to set up; first click the Configure Address Assignment Method link so we can set up how TMG will assign IP addresses to VPN clients.

We can choose to use a DHCP server or a static IP address pool. Right now I don’t have a DHCP server for this network, so I’m going to choose static IP address assignment. Click the Add button, select the server from the drop-down box, then type the IP address range you want to assign to VPN clients. Click OK when you’re done, then OK again to close the Remote Access Policy (VPN) Properties window.


Back on the TMG console click the Enable VPN Client Access link. If you don’t do it, the other TMG server (branch office) will not be able to connect. Click the Apply button to save the changes to the configuration store.

Now go to the Remote Sites tab and click the Create VPN Site-to-Site Connection link.

Give the connection a distinctive name and click Next.

Choose Point-to-Point Tunneling Protocol (PPTP) and continue the wizard.

After clicking Next, a pop-up opens telling us that a user account must be present on the system with dial-in permissions and that it needs to have the same name as the site we are creating now.

Click OK on the message and open Server Manager. Go to the Local Users and Groups section, right-click Users and choose New User.

The name of the user must match the name of the site, Site1-to-Site2 in this case. Provide a strong password, check the User cannot change password and Password never expires boxes, then click the Create button.

Open the account properties, go to the Dial-in tab and select the Allow access radio button under the Network Access Permission section.

Back on the Create Site-to-Site Connection Wizard, type the FQDN or the IP address of the remote site.

This is a bit misleading, but here we must provide an account name and credentials that exist on the remote site so the connection can be established. Since the TMG server is not part of any domain, I will leave the Domain box empty. The account does not exist on the other TMG server right now, so we need to create it. Because I don’t want multiple accounts created on a server for one VPN connection, I’m going to call this account Site2-to-Site1; this will be the name of the VPN connection that we are going to create on the branch TMG later on. You will see this when we start configuring the Site2 TMG.

Log in to the branch office TMG server, open Server Manager and create the user account.
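The account steps above (matching name, User cannot change password, Password never expires, dial-in Allow access) repeat on each TMG, once per site. This added PowerShell script is not from the original article; it does the same thing from the command line on a stand-alone (non-domain) server, which is what the article's setup assumes. The script name and the use of `netsh ras set user` for the dial-in permission are my choices, not something the article shows.

```powershell
# Added example, not part of the original article. Creates the dial-in
# account that the Create Site-to-Site Connection wizard expects, on one
# stand-alone TMG server. Run once per server:
#   On TMG-Site1:  .\New-SiteToSiteAccount.ps1 -SiteName Site1-to-Site2
#   On TMG-Site2:  .\New-SiteToSiteAccount.ps1 -SiteName Site2-to-Site1
# The account name must equal the name of the site-to-site connection that
# the OTHER server dials; this is what the wizard's pop-up warns about.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteName
)

# Prompt for the password so it does not end up in the script or shell history.
$secure = Read-Host "Password for $SiteName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Local user with "User cannot change password" (/passwordchg:no).
net user $SiteName $plain /add /passwordchg:no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net user could not create $SiteName" }
$plain = $null

# 2. "Password never expires": net user has no switch for it, so set the
#    property on the local account through WMI instead.
$acct = Get-WmiObject Win32_UserAccount -Filter "Name='$SiteName' AND LocalAccount=True"
$acct.PasswordExpires = $false
$acct.Put() | Out-Null

# 3. Dial-in tab > Network Access Permission > Allow access
#    (assumed equivalent of the GUI setting; netsh ras manages the RAS user properties).
netsh ras set user name=$SiteName dialin=permit | Out-Null

# 4. Print the resulting settings so they can be checked against the wizard.
net user $SiteName | Select-String 'Password expires|User may change password|Account active'
netsh ras show user name=$SiteName
```

Run it from an elevated PowerShell prompt on each TMG server, then continue the wizard as described.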

Click the Add Range button and type the IP address range of the remote site. If you have multiple IP ranges, you need to type them all.


If you are using NLB for the remote site, type the IP address of the load balancer; if not, clear the box and continue the wizard.

The VPN connection requires a network rule, and here the rule can be created automatically for us. Just click Next to continue.

A network access rule also needs to be created between the site-to-site VPN network and the internal network. Most of the time you will allow only the minimum required traffic, but for this example I will allow all traffic.

Click Finish to create the site-to-site VPN connection. If a message pops up saying that the Routing and Remote Access service needs to be restarted, just click OK to continue; but be careful, because if you have users connected through VPN they will be disconnected once the RRAS service restarts.

Don’t forget to hit the Apply button so the changes are saved in the TMG configuration store.

The main office TMG is configured. It’s time to go and take care of the branch office server. Everything we’ve done till now needs to be done again, with some small name and IP changes. Open the Site 2 TMG console and set the IP address assignment first, then enable VPN client access. The IP address assignment needs to be on a different subnet. When you’re done, click the Apply button to save the changes.

Give the VPN connection a name; I’m going to call this Site2-to-Site1.

At the Remote Site Gateway page, type the public IP address or FQDN of the TMG from the main office.

This is where it gets tricky again. I’ve explained it above, so I’m not going to go over it again. The account name (Site1-to-Site2) already exists on the main office TMG because we created it during the VPN connection wizard.

After you’re done with the wizard, apply the changes to the configuration store, then wait a couple of minutes until the connections initialize. Only then will the site-to-site VPN connection work. If you don’t want to wait, you can force it by opening the Routing and Remote Access console > Network Interfaces, right-clicking the VPN interface and choosing Connect.

It’s time to test and see if it is really working. From the main office client, ping the client in the branch office, and vice versa.


Create a share on one of the clients and access it from the other side. That should work too; if not, it means you did not allow the traffic in the access rules, or the firewall on the client is blocking it.
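The ping-and-share test above tells you that something is wrong but not where. This added PowerShell check is not from the original article; it runs on Client Site1 and probes the branch client in three stages (ICMP, TCP 445, share), so the failing stage points at the layer to look at. The share name Test is assumed (create it on Client Site2 first); the IP addresses come from the article's table.

```powershell
# Added example, not part of the original article. Run on Client Site1
# (192.168.100.10) after both TMGs report the site-to-site connection up.
# Assumed: a share named 'Test' exists on Client Site2.
$remoteClient = '192.168.50.10'
$share        = "\\$remoteClient\Test"

function Test-Tcp445($ip) {
    # Does SMB (TCP 445) get through? Separates "host is up" from "SMB is blocked".
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ip, 445, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne(3000)   # 3 s timeout
        if ($done) { $client.EndConnect($async) }
        return ($done -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$pingOk  = Test-Connection -ComputerName $remoteClient -Count 2 -Quiet
$smbOk   = Test-Tcp445 $remoteClient
$shareOk = Test-Path $share

'{0,-26} {1}' -f "ICMP to $remoteClient",    $pingOk
'{0,-26} {1}' -f "TCP 445 to $remoteClient", $smbOk
'{0,-26} {1}' -f "Share $share",             $shareOk

if (-not $pingOk -and -not $smbOk) {
    'Nothing reaches the remote client: check that the site-to-site interface is connected in RRAS on both TMGs, and the access rule between the VPN site and the internal network.'
} elseif (-not $smbOk) {
    'Host answers ping but not SMB: the access rule or the client firewall is blocking TCP 445.'
} elseif (-not $shareOk) {
    'SMB is reachable but the share is not: check the share name and its permissions on Client Site2.'
} else {
    'Site-to-site path is working end to end.'
}
```

Run the same script on Client Site2 with the addresses swapped to test the other direction.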

5 comments


  1. Hamid

    Hi Adrian,
    I have a problem with a simple PPTP VPN server,
    here is my network design:
    1- I have Windows 7 on my laptop
    2- I have installed Win2008R2 on VirtualBox via DHCP scope
    3- Windows has 2 LAN cards (one with NAT: 192.168.90.10 and one bridged: 192.168.55.80)
    4- The bridged LAN card has internet from my main ISA server
    5- I installed TMG 2010 SP2 ENT on Win2008 VirtualBox
    6- The PPTP VPN server is configured on this TMG
    7- I made a VPN connection on my own Windows 7 (laptop)
    8- The VPN connection tries to connect to the external LAN (192.168.55.80)
    9- After authorizing me, the connection shows (Register your computer to network…)
    10- But the register process is not successful and shows me this error message:
    11- : Error 720: A connection to the remote computer could not be established. you might need to change the network settings for this connection

    Can you help me?

    1. Adrian Costea

      Hi,

      You need to configure your TMG server as a remote access VPN server in order for clients to be able to connect. Here is an article that can help you with this.
      http://www.isaserver.org/articles-tutorials/configuration-general/Checking-Out-TMG-2010-Virtual-Private-Network-Server-Part1.html

  2. Hamid

    Hi,
    Exactly, I read this article and did it step by step,
    and the VPN connection tries to register my client, which means the VPN is working and authenticating clients, but at the end of the process, when it gives the IP address and registers, it gives the above error.

    1. Adrian Costea

      Try from another client, a freshly installed one would be best (a VM), and see if the problem reproduces. If not, you have a problem on this client.

  3. Hamid

    I tested it from other systems, the error was the same, :-(
    but I found the solution, it was my fault; after I created a VPN access rule in the firewall policies the problem was fixed. Just now I have another problem:
    I configured PPTP to assign IPs by DHCP, and when my client takes an IP it is not in the range of the VM local addresses, :-(
