Locked TMG and outbound PPTP

  • Tuesday, September 21, 2010 11:23
    Hello,

    I have a strange issue in allowing outbound PPTP using TMG (SP1).
    I want to allow outbound PPTP connections from a segment where clients are SecureNAT clients and a NAT relationship exists between the segment and the external interface.

    I noticed connections are working fine only:
    - if VPN Client access on the TMG is disabled
    OR
    - if VPN client access is enabled and PPTP vpn access is checked in the VPN Client Properties > Protocols tab.
    In every other case, the clients get stuck on the 'Verifying username and password' dialog box and eventually time out with error 619.

    Note I don't want to set up a vpn towards the TMG server, only allow outbound PPTP connections.
    I remember a setting 'Enable IP Routing' in ISA 2006 which was required for outbound PPTP but can't find this anymore within TMG.

    Anyone noticed the same behavior or any explanation for this?

    Many thanks,
    Wim

All replies

  • Wednesday, September 22, 2010 8:17
    Moderator

    Hi,


    Thank you for the post.


    How do you create the access rule? Do you allow “All Users” on the Users tab? What is your network topology? Do you have a back-to-back firewall? Do you enable TMG Client on the problematic machine? If yes, disable it; PPTP client VPN only works with SecureNET clients.


    Regards,


    Nick Gu - MSFT
  • Wednesday, September 22, 2010 8:21

    Hi Nick,

    The access rule is indeed configured for All Users - All Outbound.
    The TMG is the only firewall in place, and users are SecureNET clients (no client active on the machines).
    The network segment where the clients are in, is directly connected to the TMG (TMG interface is the default gateway).

    Thanks,
    Wim

  • Thursday, September 23, 2010 15:18
    Responding user
    Answered

    Wim,

    I have a TMG 2010 machine with SP1 set up in a test environment. Using a SecureNAT Windows XP client I am able to use PPTP successfully even when the TMG machine is configured to accept PPTP VPN connections.

    Did you go in and manually change anything in RRAS? This is a no-no and you should let TMG configure it.

    So when you disable VPN client access on TMG it works? Enable it and it stops working? Did this work as expected before SP1 that you know of?

    Keith

  • Thursday, September 23, 2010 15:37

    Hi Keith,

    Apart from adding a DHCP Relay interface on the RRAS, I didn't change anything myself.
    It only works if I disable VPN client access on TMG
    or
    I enable VPN client access on TMG AND enable PPTP (selecting e.g. only L2TP/IPsec doesn't work).

    I installed SP1 immediately during deployment, so I don't know if the issue was appearing without the Service Pack.

    Thanks,
    Wim

  • Monday, September 27, 2010 15:00

    Keith,

    I set up a test lab trying to simulate the problem.
    When comparing the lab with the production environment, I noticed that not all IP addresses were listed at the IPv4 interfaces list within the RRAS Management Console.

    I then disabled the configured DHCP Relay interfaces, disabled VPN client access again, rebooted the TMG, switched on VPN client access with only the L2TP/IPsec protocol selected and reconfigured the DHCP relay interfaces.
    All IP addresses were now displayed just fine.

    After a final reboot, and testing again, outgoing PPTP VPN access was working just fine.
    So it seems the RRAS service was causing me problems, and re-initializing it solved the problem.

    Thanks for your support in this,

    Wim
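
    The symptom in this thread (the client hangs at 'Verifying username and password' and fails with error 619) is the classic signature of a PPTP control channel that works while the GRE data path does not. PPTP needs two things through any firewall or NAT in the path: TCP port 1723 for the control channel and IP protocol 47 (GRE) for the tunnel data. The following PowerShell script is an added client-side diagnostic, not code from the thread or from Microsoft; it separates the two checks so you can tell a blocked control channel from a broken GRE path before touching the TMG or RRAS configuration. The server name and phonebook entry name are assumed placeholders.

```powershell
# Added diagnostic (not from the thread). Run on a SecureNAT client behind TMG.
# Assumptions: $VpnServer and $EntryName are placeholders; the phonebook entry
# already exists in Network Connections with saved credentials.
param(
    [string]$VpnServer = "vpn.example.com",   # placeholder PPTP server
    [string]$EntryName = "Corporate PPTP"     # placeholder phonebook entry
)

# Step 1: control channel. A plain TCP connect to 1723 proves the access rule
# and NAT let the control channel out; a failure here is a rule/NAT problem,
# not an RRAS or GRE problem.
function Test-PptpControlChannel {
    param([string]$Server, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, 1723, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 2: full dial. rasdial returns the RAS error code as its exit code,
# so 0 means the tunnel came up and 619 means the control channel negotiated
# but the GRE data path never completed (the behaviour described above).
function Test-PptpDial {
    param([string]$Entry)
    & rasdial $Entry | Out-Null
    $code = $LASTEXITCODE
    if ($code -eq 0) {
        & rasdial $Entry /disconnect | Out-Null   # tear down the test tunnel
    }
    return $code
}

$control = Test-PptpControlChannel -Server $VpnServer
if (-not $control) {
    Write-Output "TCP 1723 to $VpnServer failed: check the outbound access rule and NAT before looking at RRAS."
    return
}
Write-Output "TCP 1723 to $VpnServer reachable: control channel is fine."

$ras = Test-PptpDial -Entry $EntryName
switch ($ras) {
    0   { Write-Output "PPTP tunnel established: GRE (protocol 47) is passing end to end." }
    619 { Write-Output "Error 619 with a working control channel: GRE data path is blocked or the firewall's RRAS/VPN state is inconsistent (see the RRAS interface list on the TMG)." }
    default { Write-Output "rasdial failed with RAS error $ras." }
}
```

    When the first step succeeds and the second returns 619, the problem is on the GRE side, which is exactly where the thread ended up: the RRAS service on the TMG was not listing all interface addresses, and re-initializing VPN client access (disable, reboot, re-enable) restored the data path.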

  • Monday, September 27, 2010 16:45
    Responding user

    Wim,

    Thanks for your update on this.

    Regards,

    Keith Abluton