VPN connection from TMG to an external network!

  • Question

  • Hello, 

    We have a TMG 2010 server. Domain users cannot connect to an external network using OpenVPN. When users try to connect with the TMG Client, "Unidentified IP Traffic (UDP:11195)" is shown; when they try to connect without the TMG Client (IE proxy settings), a "10060 Error" is shown and the destination address is not reachable.

    What should I do? Are the VPN settings in TMG Management related to this problem? Are these VPN settings used for remote clients who want to access the TMG?

    Thank you,


    TT

    • Edited by neyim123 Monday, December 26, 2011 3:58 PM
    Monday, December 26, 2011 3:53 PM

Answers

  • If you don't have the VIP of TMG as default gateway, then you don't have a SecureNAT client.

    SecureNAT client = default gateway is TMG.

    Second, you don't mention whether you have defined the protocols needed for this. If you allow all traffic, that just means traffic for all defined protocols, not actually all IP traffic regardless.

    The link for the above article seems to discuss how to publish OpenVPN, not how to access an OpenVPN server on the Internet. I have not used this application, but the first step would be to identify what ports are needed, define protocols for those ports, and then add those protocols to the firewall policy.

    The initially quoted error message indicates that not all protocols are defined.


    Hth, Anders Janson Enfo Zipper
    Tuesday, December 27, 2011 9:59 AM

All replies

  • Hi,

    Did you read the following articles? IMHO they are very helpful:
    http://www.carbonwind.net/ISA/OpenVPNandISA/OpenVPNandISApart1.htm


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Monday, December 26, 2011 5:05 PM
  • Hi,

    Thank you for the post.

    Please make sure to set the client up as SecureNAT, that is, the default gateway for this client should point to the TMG server's internal IP. Then specify a UDP connection on port 1194 with the Send/Receive option in the protocol definition and see if it works.

    Regards,


    Nick Gu - MSFT
    Tuesday, December 27, 2011 5:08 AM
    Moderator
  • Thank you @Marc and @Nick

    We have not configured the default gateway as TMG. The default gateway is 192.168.1.1; we have two TMGs (174, 175) with a virtual IP (15). Even so, each user seems to be connected as SecureNAT and as the other client types (Web Proxy and TMG Client). I mean all users have all three client connections at the same time. Can this be the source of the problem? This is not the appropriate post, but bypass also doesn't work. It may be related to this situation.

    Regards,


    TT
    Tuesday, December 27, 2011 7:21 AM
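The two suggestions above (define the OpenVPN protocol and allow it in the firewall policy; make the workstation a SecureNAT client by pointing its default gateway at the TMG VIP) carried out as a script. This is an added example, not code from the thread or from Microsoft; it uses the TMG COM administration object (FPC.Root) the way the ISA/TMG SDK samples do. Assumptions not stated in the thread: the OpenVPN server listens on UDP 11195 (the port quoted in the TMG Client error; Nick's reply assumes the OpenVPN default 1194, so adjust to match the real server), the TMG VIP is 192.168.1.15 (from "virtual IP (15)" on the 192.168.1.x network), and the numeric FPC enumeration values are as recorded in the comments. Note also why the IE proxy setting alone gives 10060: the Web Proxy client only carries HTTP, HTTPS and FTP-over-HTTP, so raw UDP can never reach the OpenVPN server that way.

```powershell
# Added example (not from the thread). Run Add-OpenVpnAccessRule in an
# elevated PowerShell on a TMG 2010 array member; run Test-SecureNatClient
# on a domain workstation.

# FPC enumeration values from the ISA/TMG SDK type library (assumed here,
# cross-check against the SDK if the script behaves unexpectedly).
$fpcUDP                   = 17   # FpcIPProtocol: IP protocol number of UDP
$fpcSendReceive           = 3    # FpcConnectionDirectionType: outbound, replies allowed
$fpcPolicyRuleActionAllow = 0    # FpcPolicyRuleActions
$fpcSpecifiedProtocols    = 1    # FpcProtocolSelectionType
$fpcInclude               = 0    # FpcIncludeStatus

function Add-OpenVpnAccessRule {
    param(
        [int]$VpnPort  = 11195,                    # from "Unidentified IP Traffic (UDP:11195)"
        [string]$ProtoName = "OpenVPN (UDP $VpnPort)",
        [string]$RuleName  = "Allow OpenVPN to External"
    )

    $fpc   = New-Object -ComObject FPC.Root
    $array = $fpc.GetContainingArray()

    # 1. Protocol definition: a single outbound UDP port, Send/Receive.
    #    "Allow all outbound traffic" only covers protocols TMG has a
    #    definition for, which is why the traffic showed up as "Unidentified".
    $protocols = $array.RuleElements.ProtocolDefinitions
    try { $proto = $protocols.Item($ProtoName) } catch { $proto = $null }
    if (-not $proto) {
        $proto = $protocols.Add($ProtoName)
        $proto.PrimaryConnections.Add($fpcUDP, $fpcSendReceive, $VpnPort, $VpnPort) | Out-Null
    }

    # 2. Access rule: Internal -> External, restricted to that protocol.
    #    Keep it narrow; do not widen an existing "all protocols" rule.
    $rules = $array.ArrayPolicy.PolicyRules
    try { $rule = $rules.Item($RuleName) } catch { $rule = $null }
    if (-not $rule) {
        $rule = $rules.AddAccessRule($RuleName)
        $rule.Action = $fpcPolicyRuleActionAllow
        $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
        $rule.AccessProperties.SpecifiedProtocols.Add($ProtoName, $fpcInclude)
        $rule.SourceSelectionIPs.Networks.Add("Internal", $fpcInclude)
        $rule.AccessProperties.DestinationSelectionIPs.Networks.Add("External", $fpcInclude)
    }

    # 3. Commit the configuration change to the array storage.
    $array.Save()
    return $rule.Name
}

function Test-SecureNatClient {
    param([string]$TmgVip = "192.168.1.15")   # assumed from "virtual IP (15)"

    # A SecureNAT client is defined by its default gateway alone: if the
    # gateway is not the TMG VIP (here it is 192.168.1.1 in the thread),
    # non-proxy, non-Firewall-Client traffic such as OpenVPN's UDP never
    # reaches TMG, and no access rule can help.
    $gateways = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
                Where-Object { $_.DefaultIPGateway } |
                ForEach-Object { $_.DefaultIPGateway }
    $isSecureNat = $gateways -contains $TmgVip
    if (-not $isSecureNat) {
        Write-Warning "Default gateway is '$($gateways -join ', ')', not the TMG VIP $TmgVip: this machine is not a SecureNAT client"
    }
    return $isSecureNat
}
```

After Add-OpenVpnAccessRule runs, confirm in TMG Management that the new rule sits above any deny rule that matches the same traffic, then retry the OpenVPN connection and watch the Logs & Reports view: the entry should now name the new protocol instead of "Unidentified IP Traffic". The workstation check matters for the three-client-types observation in the thread; a host can be a Web Proxy and Firewall Client at the same time, but it is only a SecureNAT client if Test-SecureNatClient returns True.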