Tuesday, April 12, 2011

TMG Site-to-Site VPN

I recently deployed a TMG site-to-site VPN from our Head Office to a Hosted Environment where the majority of our production servers / services are located.

I followed the instructions on TechNet (http://technet.microsoft.com/en-us/library/bb838949.aspx) to the letter but ran into some peculiar difficulties which are not documented anywhere I searched.

Below is a list of tips and tricks to get the VPN up and stable:

1. You need to create a user for dial-in access, as the configuration utilises the Microsoft Routing and Remote Access Service (RRAS). I recommend that you create a user on each side of the tunnel with an identical name, as this eliminates confusion about which user to configure in which setup. If you are running AD, create local accounts on each TMG server.

2. Ensure any Firewalls configured between the two TMG servers are either disabled or allow all inbound traffic. This is particularly important if you are configuring via DSL routers.

3. Some ISPs do not enable Generic Routing Encapsulation (GRE) on their network. Your VPN will not work if the ISP does not support this.

4. It is better to configure the VPN wizard with the IP address of the other side rather than a DNS name, as the timing difference of the lookup causes the connection to fail in highly utilised network environments.

5. Once you have configured the VPN wizard on both TMG servers, you need to open the RRAS MMC and start the demand-dial interface that TMG should have created. If it has not created the interface, you can create one manually, or else stop and restart the service. This might take a few tries to get right, and it is the most ‘fun’ you will have during the configuration.

6. When you are first setting up the VPN you may be forced to restart the RRAS service often. It is a good idea to restart both servers once everything is configured, to ensure the VPN comes up on its own when the servers reconnect.
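As an added example (not part of the original post), the following PowerShell script checks one side of the tunnel against tips 2, 3, 5 and 6 once the wizard has run: the RRAS service is running, the PPTP control channel (TCP 1723) to the peer is reachable, and the demand-dial interface exists. It assumes a PPTP tunnel (the GRE dependency in tip 3 implies PPTP), a placeholder peer IP and a placeholder interface name; GRE itself cannot be probed this way, so a reachable port 1723 with a tunnel that still passes no traffic is the sign to look for.

```powershell
# Added example, not from the original post. Assumed values below are placeholders.
$PeerIp        = '203.0.113.10'          # placeholder: the other TMG server's IP (tip 4)
$InterfaceName = 'HeadOffice-To-Hosted'  # placeholder: demand-dial interface name (tip 5)
$MaxRestarts   = 3

# 1. The RRAS service must be running; restart it a few times if needed (tips 5 and 6).
$svc = Get-Service -Name RemoteAccess
for ($i = 1; ($i -le $MaxRestarts) -and ($svc.Status -ne 'Running'); $i++) {
    Write-Host "RemoteAccess is $($svc.Status) (attempt $i); restarting..."
    Restart-Service -Name RemoteAccess -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 10
    $svc.Refresh()
}
if ($svc.Status -ne 'Running') { Write-Warning 'RRAS still not running'; exit 1 }

# 2. PPTP control channel: TCP 1723 to the peer must pass any firewall or DSL
#    router in between (tip 2). GRE (IP protocol 47, tip 3) has no port and is
#    not tested here; TcpClient is used because Test-NetConnection is not
#    available on the Windows Server 2008 R2 that TMG runs on.
$tcp = New-Object System.Net.Sockets.TcpClient
$ar  = $tcp.BeginConnect($PeerIp, 1723, $null, $null)
if ($ar.AsyncWaitHandle.WaitOne(5000) -and $tcp.Connected) {
    Write-Host "TCP 1723 to $PeerIp is reachable"
} else {
    Write-Warning "TCP 1723 to $PeerIp is blocked or filtered"
}
$tcp.Close()

# 3. Confirm the demand-dial interface exists (tip 5). Assumption: on an RRAS
#    server 'netsh interface show interface' lists the demand-dial interface;
#    the RRAS MMC remains the authoritative view of its connection state.
$line = netsh interface show interface | Where-Object { $_ -match [regex]::Escape($InterfaceName) }
if (-not $line) {
    Write-Warning "Interface '$InterfaceName' not found; create it in the RRAS MMC"
    exit 1
}
Write-Host "Interface entry: $line"
```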

That about covers the ‘undocumented’ issues I ran into while configuring the VPN and I hope this post helps someone out there.
