08 February 2012

Complete TMG VPN deployment guide Part I

DirectAccess has to a large extent reduced or eliminated the requirement for traditional VPNs for corporate-controlled devices. However, the world has changed a lot over the last two years. Corporate IT departments now have to accommodate and provide services to devices other than the traditional "Corporate Windows Machine". These include, but are not limited to, Mac, iOS, Android and Linux. One of the most requested services is the ability to VPN into the corporate network.

Deployment guidance
In this series I will walk through the configuration options and steps required to build a TMG based VPN solution. There are three phases.

Planning
  • Define design goals
  • Choosing a VPN protocol
  • Choosing Authentication

Server side deployment steps
  • Configuring Address assignment method
  • Configuring VPN Users
  • Configuring VPN Protocols
  • Configuring VPN Access Networks
  • Configuring VPN access rules
  • Configuring VPN network relationship rules

Client side deployment steps

  • Configuring VPN on Windows
  • Configuring VPN on Mac OSX
  • Configuring VPN on iOS
  • Configuring VPN on Android

Define design goals

  • The VPN will provide a level of network access that goes beyond the resources already published to the internet.
  • The VPN will be limited to restricted network segments, address ranges and protocols on the internal network.
  • Client connectivity needs to support the widest possible range of clients and devices.

Choosing a VPN protocol
TMG supports three VPN protocols.

Point to Point Tunneling Protocol has been around for a very long time. It was the first VPN protocol supported by Windows 95. It was developed by a vendor group that included Microsoft, Ascend Communications, 3Com and others. It has the advantage of being natively supported by almost all platforms. Data is transferred over GRE (Generic Routing Encapsulation) and is encrypted with MPPE (Microsoft Point to Point Encryption). PPTP supports multiple authentication types, with MPPE enabled when using MSCHAP v2 or EAP-TLS.
The specification for PPTP can be found in RFC 2637.

Firewall requirements - Incoming connections need to be allowed on TCP port 1723, and IP Protocol ID 47 (GRE) needs to be allowed.

Layer 2 Tunneling Protocol over IPsec is based on two older tunneling protocols, PPTP and Cisco's L2F (Layer 2 Forwarding Protocol). Support is available on many platforms but the implementations vary. L2TP does not provide encryption itself, so it relies on IPsec. Because of this a PKI and certificate infrastructure is required and you are limited to using EAP as the authentication type.
The specification for L2TP can be found in RFC 2661.

Firewall requirements - IKE UDP port 500, NAT-T UDP port 5500, L2TP UDP 1701

Secure Socket Tunneling Protocol is a newer form of client access VPN. It transports data through an SSL channel. It is only available on Windows from Vista onwards. Unlike PPTP or L2TP/IPsec, SSTP cannot be used for site-to-site VPNs. SSTP supports MSCHAP v2 or EAP-TLS authentication.
The draft specification for SSTP can be found here.

Firewall Requirements - HTTPS port 443

The significant advantage of SSTP and other SSL based VPNs is that, since the firewall requirements are the same as for "normal web traffic", clients can generally connect from any location and through any network, including other corporate networks behind proxy servers.

Choosing Authentication
TMG supports multiple authentication methods. Not all of them are secure, so we will only consider the two below.

Microsoft Encrypted Authentication version 2 (MSCHAP v2) allows for simple authentication using a username and password.

Extensible Authentication Protocol (EAP) has the advantage of utilising smart cards or certificates to provide a more secure authentication method. The drawback, however, is that you need a supporting PKI infrastructure and clients that support certificate based authentication. Furthermore, EAP users belong to the RADIUS namespace and require user mapping to apply user-based access rules.

Decided configuration
Since TMG allows multiple VPN connectivity and authentication options, you can mix and match your deployment to a degree.

To support the largest possible client base I am going to deploy PPTP with MSCHAP v2.
To support Windows clients from behind corporate networks and proxies I am also going to deploy SSTP. Since not all of them will be corporate machines with corporate PKI certificates, I am going to stick with MSCHAP v2 there as well.
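The firewall openings listed per protocol above, and the decided PPTP plus SSTP configuration, can be checked mechanically before the TMG rules are published. The following is an added example, not code from the original post or from TMG: it models each protocol's inbound requirements and reports which ones an ordered, first-match, default-deny rule set fails to allow. The `Rule` type and the rule lists are constructed for the example; NAT-T is keyed on UDP 4500, the port standardised in RFC 3947.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-protocol inbound openings as described in the guide, as (ip_proto, port).
# GRE is an IP protocol (ID 47), not a TCP/UDP service, so its port is None.
VPN_REQUIREMENTS = {
    "PPTP": [("tcp", 1723), ("gre", None)],                       # control + data
    "L2TP/IPsec": [("udp", 500), ("udp", 4500), ("udp", 1701)],  # IKE, NAT-T, L2TP
    "SSTP": [("tcp", 443)],                                       # HTTPS only
}


@dataclass(frozen=True)
class Rule:
    """One inbound firewall rule (constructed model, not a TMG object)."""
    proto: str            # "tcp", "udp" or "gre"
    port: Optional[int]   # None means "any port" for that protocol
    action: str           # "allow" or "deny"


def first_match(rules: List[Rule], proto: str, port: Optional[int]) -> str:
    """Evaluate rules top-down; the first match wins, otherwise default deny."""
    for r in rules:
        if r.proto == proto and (r.port is None or r.port == port):
            return r.action
    return "deny"


def missing_openings(protocols: List[str], rules: List[Rule]) -> List[Tuple[str, str, Optional[int]]]:
    """Return (vpn_protocol, ip_proto, port) for every requirement not allowed."""
    gaps = []
    for name in protocols:
        for proto, port in VPN_REQUIREMENTS[name]:
            if first_match(rules, proto, port) != "allow":
                gaps.append((name, proto, port))
    return gaps


if __name__ == "__main__":
    # Decided configuration: PPTP and SSTP. This rule set opens TCP 1723 and
    # TCP 443 but forgets GRE, so PPTP control succeeds while data never flows.
    decided = ["PPTP", "SSTP"]
    rules = [Rule("tcp", 1723, "allow"), Rule("tcp", 443, "allow")]
    for name, proto, port in missing_openings(decided, rules):
        print(f"{name}: inbound {proto}{'' if port is None else ' ' + str(port)} is not allowed")
```

The same check with `Rule("gre", None, "allow")` added returns no gaps, and placing a broad `Rule("udp", None, "deny")` ahead of specific UDP allows shows why rule order matters for L2TP/IPsec.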

Concerns and Mitigating factors
There have been numerous articles about weaknesses in the MSCHAP v2 authentication method that can be exploited to gain credentials. This does not mean that it is easy to crack and exploit MSCHAP v2, it just means it is possible given enough resources and dedication. The same can be said for most other security measures. The mitigating factor here is that the amount of the network being exposed is smaller than what could be gained by physically gaining access to a network point.

Complete TMG VPN deployment guide Part I - Planning
Complete TMG VPN deployment guide Part II - Server side deployment steps
Complete TMG VPN deployment guide Part III - Configuring VPN on Windows
Complete TMG VPN deployment guide Part IV - Configuring VPN on Mac OSX
Complete TMG VPN deployment guide Part V - Configuring VPN on iOS and Android


frero said...

I have a problem with PPTP connection through TMG firewall.
If I create a rule allowing all protocols it's OK.
If I create a rule allowing only the VPN protocol it doesn't work.
Excuse me for my bad English, I am French.

Etienne Liebetrau said...

Hi Frero

Have you tried setting the network relationship between VPN and internal to NAT instead of route and vice versa
