Site to Site VPN with TMG and Cisco ASA

  • Question

  • I currently have a main office and branch offices that are all connected with site-to-site VPNs using Cisco ASAs.  I would like to add in a TMG between each ASA and their internal network and still have a site-to-site VPN.  The basic config I have in mind is:

    Corp network (192.168.1.x) <--> TMG <--> ASA <--> INTERNET <--> ASA <--> TMG <--> Branch network (192.168.2.x).

    I was considering trying to keep the site-to-site VPN from ASA to ASA, but am open to doing it between the TMGs.  I'm having a little trouble figuring out some of the routing issues on paper, and was looking for advice.  I want the TMG added for all the features it brings to the table, but would like to keep the ASA for extra security and peace of mind.  I'd also still like the Corp network and Branch network to be able to fully communicate with each other as they do now.

    I've seen articles about connecting an ASA to a TMG, but nothing quite like the setup I'm trying.  Any suggestions?

    Friday, May 13, 2011 8:54 PM

Answers

  • From http://technet.microsoft.com/en-us/library/dd441072.aspx


    Creating a VPN remote site connection

    Published: November 15, 2009

    Updated: February 1, 2011

    Applies To: Forefront Threat Management Gateway (TMG)

    The Create VPN Site-to-Site Connection wizard helps you configure Forefront TMG to create a Virtual Private Network (VPN) connection from a remote site to your corporate network.

    In the wizard, you can perform the following tasks:

    • Specify a VPN traffic protocol.

    • Assign IP addresses to the remote VPN client connection.

    • Specify the account used to authenticate at the remote site.

    • Configure authentication for the remote site.

    • Specify an IPsec authentication method.

    • Specify IP address ranges of the remote site network.

    • Create a network rule to route traffic to and from the remote network.

    • Create an access rule to allow traffic to and from the remote network.

    After you run the wizard, you can configure additional settings to enable the VPN connection.

    The following procedure describes how to configure a site-to-site VPN on Forefront TMG.

    Creating a VPN remote site connection

    To create a VPN site-to-site network

    1. In the Forefront TMG Management console, in the tree, click Remote Access Policy (VPN).

    2. In the details pane, click the Remote Sites tab.

    3. In the Tasks tab, click Create VPN Site-to-Site Connection.

    4. In the Create VPN Site-to-Site Connection wizard, follow the on-screen instructions, and note the following:

      1. On the Welcome page, in the Site-to-Site network name text box, you must type the exact name of the remote network’s gateway.

      2. Note the following about the Internet Protocol security (IPsec) tunneling protocol:

        • When you create or modify a remote site network that uses IPsec, you must restart the Microsoft Firewall service so that the IPsec filters can be modified to reflect the new configuration. This process can take up to several minutes, depending on the number of subnets included in the address ranges for the network. To minimize the effect, it is recommended that you define IP address ranges that are aligned in subnet boundaries.

        • If you stop or restart the IPsec PolicyAgent service, all dynamic IPsec configuration information is lost, including the Forefront TMG VPN site-to-site IPsec configuration settings, and the VPN clients are disconnected. To restore the settings, start the PolicyAgent service or restart the Firewall service.

      3. If the Forefront TMG server is a member of an array, on the Connection Owner page, click the array member that will serve as the VPN tunnel endpoint in the array. If Network Load Balancing (NLB) is enabled for the array, you do not have to specify a connection owner; it will be assigned automatically.

      4. If you are using certificate authentication with the VPN protocol L2TP/IPSec, the Forefront TMG servers on both sides of the VPN are required to have digital certificates from the same Certification Authority. Note that certificate authentication is the recommended, and most secure, protocol method.

      5. When entering an address range for the remote VPN server on the Network Addresses page, you must match the exact network definition and subnet mask of the remote site.

    5. To view a summary of the VPN site-to-site network configuration, right-click the selected network, and then click Site-to-Site Summary under the Remote Sites tab.



    Brennan Crowe
    Monday, June 20, 2011 4:48 PM
    Answerer
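The two notes in the quoted article that bite most often in practice are the subnet-alignment advice (misaligned ranges make the IPsec filter rebuild slow) and the requirement that the remote network definition match the peer's own definition exactly. The following pre-flight check is an added example written for this page; it is not part of the TechNet article, the forum post, or any TMG tooling. It assumes ranges are entered as (first, last) pairs the way the Network Addresses page takes them, and uses constructed sample addresses matching the 192.168.1.x / 192.168.2.x topology in the question. The overlap check is an extra sanity test beyond what the article states.

```python
"""Pre-flight check for Forefront TMG site-to-site network address ranges.

Added example, not from the TechNet article or the forum post. It verifies:
  * each address range lies on a subnet boundary (one CIDR block covers it),
  * the remote network as defined on this side equals the network the peer
    actually defines for itself,
  * local and remote ranges do not overlap (extra check, an assumption of
    this example rather than a rule quoted from the article).
"""
import ipaddress
from typing import Iterable, List, Set, Tuple

# A range as typed on the wizard's Network Addresses page: (first, last), inclusive.
AddressRange = Tuple[str, str]

# Constructed sample data matching the topology in the question: corp on
# 192.168.1.x, branch on 192.168.2.x. Illustrative values only.
CORP_LOCAL = [("192.168.1.0", "192.168.1.255")]
BRANCH_LOCAL = [("192.168.2.0", "192.168.2.255")]
CORP_VIEW_OF_BRANCH = [("192.168.2.0", "192.168.2.255")]        # matches branch
BRANCH_VIEW_OF_CORP_WRONG = [("192.168.1.0", "192.168.1.127")]  # only half of corp


def range_to_networks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def is_subnet_aligned(first: str, last: str) -> bool:
    """A range is aligned when exactly one CIDR block covers it."""
    return len(range_to_networks(first, last)) == 1


def misaligned_ranges(ranges: Iterable[AddressRange]) -> List[AddressRange]:
    return [r for r in ranges if not is_subnet_aligned(*r)]


def to_network_set(ranges: Iterable[AddressRange]) -> Set[ipaddress.IPv4Network]:
    """Normalise a list of ranges to the set of CIDR blocks they imply."""
    nets: Set[ipaddress.IPv4Network] = set()
    for first, last in ranges:
        nets.update(range_to_networks(first, last))
    return nets


def definitions_match(this_side_view: Iterable[AddressRange],
                      peer_actual: Iterable[AddressRange]) -> bool:
    """True when both sides imply the identical set of CIDR blocks."""
    return to_network_set(this_side_view) == to_network_set(peer_actual)


def overlaps(a: Iterable[AddressRange], b: Iterable[AddressRange]) -> bool:
    """True if any block on one side overlaps any block on the other."""
    return any(x.overlaps(y) for x in to_network_set(a) for y in to_network_set(b))


def check_site(local: Iterable[AddressRange],
               remote_view: Iterable[AddressRange],
               peer_actual: Iterable[AddressRange]) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []
    for first, last in misaligned_ranges(list(local) + list(remote_view)):
        blocks = ", ".join(str(n) for n in range_to_networks(first, last))
        findings.append(f"range {first}-{last} is not subnet-aligned (spans {blocks})")
    if not definitions_match(remote_view, peer_actual):
        findings.append("remote network definition does not match the peer's own definition")
    if overlaps(local, remote_view):
        findings.append("local and remote address ranges overlap")
    return findings


if __name__ == "__main__":
    for label, args in (
        ("corp side", (CORP_LOCAL, CORP_VIEW_OF_BRANCH, BRANCH_LOCAL)),
        ("branch side", (BRANCH_LOCAL, BRANCH_VIEW_OF_CORP_WRONG, CORP_LOCAL)),
    ):
        result = check_site(*args)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run it once per site with that site's own ranges, the ranges it has entered for the peer, and the peer's own local definition; anything it reports should be corrected before the Firewall service restart the wizard triggers, since a mismatch only shows up afterwards as a tunnel that negotiates but passes no traffic.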

All replies

  • Please look at Richard Hicks' blog on connecting TMG to Cisco ASA via VPN - http://tmgblog.richardhicks.com/2011/01/
    Brennan Crowe
    Monday, June 20, 2011 5:38 PM
    Answerer