ForefrontTMG/NPS MPPE encryption strength, how to allow only 128-bit?


  • Hi,


    In the "Forefront TMG Default Policy" network policy, the Basic (MPPE-40), Strong (MPPE-56) and Strongest (MPPE-128) encryption strength are all selected. Is it possible to keep only the MPPE-128 selected and have TMG/NPS drop the support for the other two?


    I can modify the NPS policy by hand to leave only the strongest checked but any modification to TMG rules and policies will reapply the two weaker encryption methods when TMG updates and applies its new configuration.



    Thursday, July 22, 2010 12:45 PM


All replies

  • Hi,


    Thank you for the post.


    The ISA firewall's default policy will always revert. You may create your own policy to select MPPE-128 before the default policy.



    Nick Gu - MSFT
    Friday, July 23, 2010 7:56 AM
  • Thanks for the suggestion Nick but I had already tried that as well. Whenever TMG reapplies its configuration, it will place its own default policy on the top of the processing order which again requires manual intervention to change the settings and renders my created policy useless.
    • Edited by Emmanuel R Friday, July 23, 2010 9:41 AM already tried*
    Friday, July 23, 2010 9:37 AM
  • You will be able to do this by using TMG NAP integration, as it was possible to do with ISA using RADIUS, as showed on this thread:



    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
    Tuesday, August 03, 2010 12:51 AM
  • Hi Yuri. I have experienced the same behavior. The matter is that when chosing "Windows Users" as the authorized VPN users, TMG uses the local NPS policies even though there is no RADIUS configured and any time the firewall configuration is applied the NPS policies are re-created. No matter whether the default policy is disabled or put with a lower priority it always returns enabled and to the top of the list. Also, the conditions for the policy evaluation are matching the "Windows Users" specified before so there is no way to bypass it. The only workaround I have found is to specify RADIUS instead of Windows Users. Configure a Radius server with the IP address of the local server and this way you will be able to disable or even delete the default policy. Review also the default "connection request" or create a customized one to not forward the authentication request (use local authentication instead)

    Hope it helps

    // Raúl - I love this game

    • Edited by RMoros Tuesday, August 03, 2010 1:58 PM
    Tuesday, August 03, 2010 1:28 PM
  • Hi,

    Are you saying that even using NAP Integration you are observing this behavior? Because on ISA 2006 you used to be able to do that with RADIUS as specified on that thread.

    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
    Tuesday, August 03, 2010 1:55 PM
  • It's strange to have to go through hoops to just have two boxes remain unchecked. TMG should have more customization options concerning VPN and I can see from the link above that this was also a problem in ISA ...

    RMoros, I will try that and report back.

    Yuri, I'm sorry but I do not know how to proceed or implement NAP Integration.

    Wednesday, August 04, 2010 8:06 AM
  • Here are the steps to configure TMG with NAP Integration: http://technet.microsoft.com/en-us/library/dd441083.aspx

    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
    Wednesday, August 04, 2010 11:25 AM
  • Hi Yuri. I guess we are saying mor or less the same. The guide for NAP instructs to use a RADIUS server for authentication so the "Windows User" remains disabled and the default policy can be bypassed. Furthermore, the guide for NAP uses an external RADIUS server, so, there is no Default TMG policy. The issue appears when using the NPS local to the TMG server
    // Raúl - I love this game
    Wednesday, August 04, 2010 3:39 PM
  • Exactly. This is the way to go if you want a more granular way to control this option.
    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
    Wednesday, August 04, 2010 5:03 PM