Configuring a PPTP Site to Site VPN with TMG 2010
If you have branch offices, you need VPN. Without VPN it will be hard to do file sharing, policies and other stuff. If TMG 2010 is your way to go for this, then read on. TMG 2010 supports multiple protocols for VPN like, IPsec, L2TP over IPSEC and PPTP. The last one is the simplest type of VPN you can create with TMG, and this is what I’m going to show you in this guide. I’ll take care of the other two in some future articles. I’m going to put my configuration in the table bellow so you can create an image of what’s going on.
|Site A (Main office)||Site B (Branch office)|
|TMG name: TMG-Site1
Public IP: 184.108.40.206
Internal IP: 192.168.100.254/24
|TMG name: TMG-Site2
Public IP: 220.127.116.11
Internal IP: 192.168.50.254/24
To start we need to make sure we have connection between our TMG 2010 servers; do a PING and see if it responds.
Now open the TMG console from the main office and go to Remote Access Policy (VPN). Here we have a couple of things to set up; first click the Configure Address Assignment Method link so we can set up how TMG will assign IP addresses to VPN clients.
We can choose to use a DHCP server, or a static IP address pool. Right now I don’t have a DHCP server for this network, so I’m going to choose the static IP address assignment. Click the Add button, select the server from the drop-down-box, then type the IP address range you want to assign to VPN clients. Click OK when you’re done, then OK again to close the Remote Access Policy (VPN) Properties window.
Back on the TMG console click the Enable VPN Client Access link. If you don’t do it, the other TMG server (branch office) will not be able to connect. Click the Apply button to save the changes to the configuration store.
Now go to the Remote Sites tab and click the Create VPN Site-to-Site Connection link.
Give the connection a distinctive name and click Next.
Choose Point-to-Point Tunneling Protocol (PPTP) and continue the wizard.
After clicking Next, a pop-up opens telling us that a user account must be present on the system with dial-in permissions and that it needs to have the same name as the site we are creating now.
Click OK on the message and open Server Manager. Go to the Local Users and Groups section, right-click Users and choose New User.
The name of the user must match the name of the site, Site1-to-Site2 in this case. Provide a strong password and check the User cannot change password and Password never expires boxes then click the Create button.
Open the account properties, go to the Dial-in tab and select the Allow Access radio button under Network Access Permission section.
Back on the Create Site-to-Site Connection Wizard, type the FQDN or the IP address of the remote site.
This is a bit misleading, but here we must provide an account name and credentials that exists on the remote site so the connection can be established. Since the TMG server is not part of any domain I will leave the Domain box empty. The account does not exist right now on the other TMG server, but we need to create it. Because I don’t want to have multiples accounts created on a server for one VPN connection I’m going to call this account Site2-to-Site1; this will be the VPN connection name that we are going to create on the branch TMG, later on. You will see when we start configuring the Site2 TMG.
Log in to the branch office TMG server, open Server Manager and create the user account.
Click the Add Range button and type the IP address range of the remote site. If you have multiple IP ranges you need to type them all.
If you are using NLB for the remote site type the IP address of the load balancer, if not clear the box and continue the wizard.
The VPN connection requires a network rule, and here the rule can be created automatically for us. Just click Next to continue.
A Network Access Rule also needs to be created between the site-to-site VPN and the internal network. Most of the times you will allow only the minimum required traffic, but for this example I will allow all the traffic.
Click Finish to create the site-to-site VPN connection. If a message pops-up that the Routing and Remote Access service needs to be restarted, just click OK to continue; but be careful because if you have users connected trough VPN they will be disconnected once the RRAS service restarts.
Don’t forget to hit the Apply button so changes can be saved in the TMG configuration store.
The main office TMG is configured. It’s time to go and take care of the branch office server. Everything we’ve done ’till now needs to be done again with some small name and IP changes. Open the Site 2 TMG console and set the address IP assignment first, then enable the VPN client access. The IP address assignment needs to be on a different subnet. When you’re done click the Apply button to save the changes.
Give the VPN connection a name; I’m going to call this Site2-to-Site1.
At the Remote Site Gateway page, type the public IP address or FQDN of the TGM from the main office.
This is where it gets tricky again. I’ve explain it above so I’m not going to review it. The account name (Site1-to-Site2) already exist on the main office because we created it during the VPN connection wizard.
After you’re done with the wizard, apply the changes to the configuration store then wait a couple of minutes until the connections initialize. Only then the site-to-site VPN connection will work. If you don’t want to wait you can force them by opening the Routing and Remote Access console > Network Interfaces, right-click the VNP interface and choose Connect.
It’s time to test and see if is really working. From the main office client ping the client from the branch office, and vice versa.
Create a share on one of the clients and access the share from the other side. That should work to, if not it means you did not allow access trough access rules, or the firewall on the client is blocking the traffic.
Want content like this delivered right to your
22 thoughts on “Configuring a PPTP Site to Site VPN with TMG 2010”
Hello Mr. Adrian
I beginner in this area, may you help me solving one problem?
I need to know if i can use PPTP site to site to connect my 5 branch to my headquarter?
If yes how can i do?
I have TMG 2010 Enterprise and in my headquarter i have VPN on my ASA 5505
Yes, you can do it but unfortunately I don’t have experience with an ASA appliance. Here is a blog post that might help you out.
Hello my friend
I’ve done all these steps and my problem is that when I connect from one side or the other side I’m on for two unreachable made only from one side do you think the problem is can I connect Rvbrqrar
Can you be more specific?
Hi, I have setup a PPTP Site-to-site VPN on TMG 2010. It connects to the VPN and on the TMG server itself I can ping any server on the remote network, BUT, client machines using the TMG as default gateway don’t see (ping) any server (just pinging by IP address, not a name resolution issue).
It seems to be a routing problem, but I still don’t found the cause. Any pointers or tools I could use to diagnose?
You have to create a firewall rule to allow ICMP to pass trough the VPN connection.
Thanks for your repose Adrian! It’s not a filter rule issue, as I see the “Initiated Connection” on the TMG live log, going from my desktop machine to the remote IP address.
The VPN is being initiated by the TMG (site-to-site PPTP), so my guess here is that the ping response (or any protocol response) is being received by the TMG VPN endpoint and then forwards the response packet to the wrong network card.
Of course, this is just a guess, I can’t confirm it yet. I also fixed the binding order of the network cards (putting the LAN card first) but it didn’t helped.
I have installed NetMon on the TMG server, but so far It wasn’t beinf able to see any lost packets or any traffic coming from my desktop machine going to the remote VPN server.
Any ideas would be appreciated!
I managed to solve it. As suspected, it was a routing problem, but not on my network (or the TMG). I realized that remote machines might not have the VPN Server as their default Gateway, and therefore their responses are being sent to the wrong endpoint.
So, in order to make it work I just made the TMG network rule being NAT instead of ROUTE, and therefore all requests coming to a remote server would appear to be coming from the VPN IP and the routing would work.
Thanks for sharing, and I’m glad you worked it out.
I have config same rule it’s not working
I am send snap shot through mail.
You tried to use system rules to RDP into the server. Those are not working like that; instead go ahead and create an Access Rule like I’ve told you and you should be OK.
Thanks yaar I got lot of information from your side
I am some issue in VPN TMG 2010 after connecting from VPN i can access internal website but i con’t able access Romte Desktop for internal server please help me about this issue.
You need to create an Access Rule (from the Firewall Policy), select the RDP (Terminal Services) Server protocol during the wizard, then select your External Network on the Access Rule Sources page, then select your computer from the Access Rule Destination pages. Here you need to define the computer on which you want to RDP into. Click New > Computer and type it’s IP address in the box. Finish the wizard. Let me know how it works.
i configured as per this document and worked for me but some problem
After VPN Connection i can ping the Private Network IP between two TMG but not able to ping another machine in the same Subnet
Plese help me
On the same subnet ? Make sure you don’t have a firewall on the machine. This applies also if you want to ping a machine from the first site to the second site. Put some more info here and I will try to help you. Cheers…
Sorry man its worked ,because the gateway of machine is different ,because i tested in another two machine and the gateway of working computer is different once the gateway of test machine added its start working ,once again give you big thanks for this document ,i tried site to site vpn using but there is only one-side communication working so tried to search TMG site to site VPN and My Production environment is Working now
Great it worked out :-).
I test it from other systems, the error was same, 🙁
but I find solution, it was my fault, after I created an VPN access rule in firewall polices problem finished, just now I have Other problem,
I config PPTP assign IP by DHCP, and when my client take IP it is not reng of VM local address, 🙁
Exactly I read this article and done step by step,
and VPN connection trying to register my client, it mean is VPN working and Authenticating clients, but in end of process to give IP address and register it give above error.
Try from another client, a fresh installed one will be best (a VM) and see if the problem is reproducing. If not, you have a problem on this client.
I have problem in simple PPTP VPN server,
here is my network design:
1- I have window 7 on my laptop
2- I have Installed Win2008R2 on Virtual Box via DHCP scope
3- windows have 2 LAN card (one with NAT : 192.168.90.10 and one is Bridge: 192.168.55.80)
4- The bridge LAN card have internet from my main ISA server
5- I installed TMG 2010SP2 ENT on Win2008 Virtual box
6- The VPN Server PPTP configured on this TMG
7- I maked VPN connection on my own windows7 (Laptop)
8- VPN connection trying connect to external LAN (192.168.55.80)
9- Connection after authorizing me show (Register your computer to network…)
10- But register process not successfully and show me this error message :
11- : Error 720: A connection to the remote computer could not be established. you might need to change the network settings for this connection
can you Help me?
You need to configure your TMG server as a remote access VPN server in order for clients to be able to connect. Here is an article that can help you with this.