08 February 2012

Complete TMG VPN deployment guide Part II

Continuing the series on building a TMG based VPN that supports multiple client platforms, this part covers the steps required on the TMG array itself.

Server Side Deployment steps

Configuring TMG VPN
TMG provides a six-step guide that walks through all the required configuration; the sixth step is optional.

From the TMG management Console select Remote Access Policy (VPN)

Step 1 - Configure Address Assignment Method
This is where you specify how VPN clients are issued an IP address.  There are two options.  TMG can allocate a client IP from a static address pool that TMG itself manages, or TMG can act as a DHCP relay agent and hand out an address from an existing DHCP scope.  For the second option to work you obviously need a DHCP server available on the relevant network and subnet.

In an array configuration you need a separate IP range for each node of the array, and each range must hold enough addresses for the number of VPN users that node is allowed to serve.
Click the Advanced button to set the DNS and WINS servers handed to VPN clients.
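
The per-node pool sizing and overlap checks described above are easy to get wrong on a multi-node array, so here is a small planning check written for this post (it is not part of the original guide and does not use TMG's own API). It takes a constructed set of per-node static pools, the expected number of VPN users per node and the networks the pools must not collide with (the internal LAN and the DHCP scope), and reports every problem it finds. It also budgets one extra address per node because RRAS assigns the first address of a static pool to the server's own interface.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data, not taken from the original post: two array nodes,
# plus the internal LAN and the DHCP scope that the VPN pools must stay clear of.
ARRAY_POOLS: Dict[str, Tuple[str, str]] = {
    "TMG-NODE1": ("10.10.50.1", "10.10.50.50"),
    "TMG-NODE2": ("10.10.50.51", "10.10.50.100"),
}
RESERVED_NETWORKS: List[str] = ["10.10.0.0/24", "10.10.1.0/24"]


def _bounds(pool: Tuple[str, str]) -> Tuple[int, int]:
    """Return the pool's first and last address as integers."""
    start, end = (int(ipaddress.IPv4Address(a)) for a in pool)
    return start, end


def check_pools(pools: Dict[str, Tuple[str, str]],
                users_per_node: int,
                reserved: List[str]) -> List[str]:
    """Return a list of human-readable issues; an empty list means the plan is clean."""
    issues: List[str] = []
    reserved_nets = [ipaddress.ip_network(r) for r in reserved]
    required = users_per_node + 1  # +1: RRAS takes the first pool address for itself

    for node, pool in pools.items():
        start, end = _bounds(pool)
        if end < start:
            issues.append(f"{node}: pool end {pool[1]} precedes start {pool[0]}")
            continue
        size = end - start + 1
        if size < required:
            issues.append(f"{node}: pool holds {size} addresses, "
                          f"need {required} for {users_per_node} users")
        # Summarise the range into CIDR blocks so we can test overlap with reserved nets.
        chunks = ipaddress.summarize_address_range(
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
        hit = {str(r) for c in chunks for r in reserved_nets if c.overlaps(r)}
        for r in sorted(hit):
            issues.append(f"{node}: pool overlaps reserved network {r}")

    # Pools on different array nodes must never overlap each other.
    nodes = list(pools)
    for i, a in enumerate(nodes):
        a1, a2 = _bounds(pools[a])
        for b in nodes[i + 1:]:
            b1, b2 = _bounds(pools[b])
            if a1 <= b2 and b1 <= a2:
                issues.append(f"{a} and {b}: address pools overlap")
    return issues


if __name__ == "__main__":
    for line in check_pools(ARRAY_POOLS, 49, RESERVED_NETWORKS) or ["pool plan is clean"]:
        print(line)
```

Run it against your own planned ranges before typing them into Step 1; if it prints nothing but "pool plan is clean" the ranges are large enough, disjoint from each other and disjoint from the networks you told it to protect.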

Step 1-2 - Enable VPN Client access
Click Enable VPN Client access.
Click Apply to activate the change

Step 2 - Specify Windows Users
Add the relevant user groups.
Note that you will not be able to select these groups directly when creating the access rules.  I would suggest creating corresponding TMG user sets (Toolbox - Users - New).

If you use EAP as the authentication method you need RADIUS, and the RADIUS policy is then used instead of the groups specified here.

Step 3 - Verify VPN properties
This is where you select the protocols to be used.  For now I will only select PPTP.  Once I am happy everything is configured correctly I will come back and also enable SSTP.

Step 3-2 - Remote Access Configuration
You need to enable the network from which VPN clients will connect.  The default is External.

Step 4 - View Firewall Policy for the VPN Clients Network

This will simply take you to the Firewall policy page.

  • From the Tasks pane click Create Access Rule
  • Specify a name
  • Select Allow
  • For initial testing leave the default option of "All outbound traffic"
  • Enable Malware Inspection
  • On the Sources screen click Add - Networks - choose VPN Clients
  • For initial testing, on the Destinations screen add Internal
  • In the User Sets window remove All Users and replace it with the user sets created in Step 2

Step 5 - View Network rules

This will simply take you to the Network Rules page.

  • If there is an existing rule for VPN, edit it as follows; otherwise create a new one
  • Name - VPN to Internal
  • Sources - VPN Clients
  • Destination - Internal
  • Network Relationship - NAT
  • Use Default IP for NAT

Apply all the settings and wait for the configuration to be applied across all array nodes.

Additional Steps
At this point you should have a TMG configuration that you can test against.  Given the design goal we will at the very least have to revisit Step 4, because the VPN access rules are where the security actually lives.  You can have multiple access rules, so you can apply very granular access: which user sets may reach which destinations over which protocols.
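
To make the "granular access" point concrete, here is a small model of how an ordered TMG access policy is evaluated (rules are checked top to bottom, the first matching rule decides, and anything unmatched falls through to the default deny rule). It is an added illustration written for this post, not TMG code: the network names, user sets, protocol names and addresses are constructed, and it evaluates the permissive "VPN Clients to Internal, all outbound traffic" rule from Step 4 side by side with a tighter policy that only lets each user set reach the servers it actually needs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Constructed destination networks and host sets (not from the original post).
NETWORKS: Dict[str, List[ipaddress.IPv4Network]] = {
    "Internal":     [ipaddress.ip_network("10.10.0.0/16")],
    "Mail Servers": [ipaddress.ip_network("10.10.5.10/32"),
                     ipaddress.ip_network("10.10.5.11/32")],
    "File Servers": [ipaddress.ip_network("10.10.6.0/24")],
}


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                   # "allow" or "deny"
    sources: FrozenSet[str]       # source network names, e.g. "VPN Clients"
    destinations: FrozenSet[str]  # names from NETWORKS
    protocols: FrozenSet[str]     # {"*"} stands for "All outbound traffic"
    users: FrozenSet[str]         # TMG user sets; "All Users" matches everyone


@dataclass(frozen=True)
class Connection:
    source: str                   # network the connection arrives from
    dst_ip: str
    protocol: str
    user_sets: FrozenSet[str]     # user sets the authenticated VPN user belongs to


def rule(name: str, action: str, sources: Iterable[str], destinations: Iterable[str],
         protocols: Iterable[str], users: Iterable[str]) -> AccessRule:
    """Convenience constructor so policies can be written with plain lists."""
    return AccessRule(name, action, frozenset(sources), frozenset(destinations),
                      frozenset(protocols), frozenset(users))


def _destination_matches(names: FrozenSet[str], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for n in names for net in NETWORKS.get(n, []))


def evaluate(policy: List[AccessRule], conn: Connection) -> str:
    """First matching rule wins; nothing matched means the default rule denies."""
    for r in policy:
        if conn.source not in r.sources:
            continue
        if not _destination_matches(r.destinations, conn.dst_ip):
            continue
        if "*" not in r.protocols and conn.protocol not in r.protocols:
            continue
        if "All Users" not in r.users and not (r.users & conn.user_sets):
            continue
        return f"{r.action}:{r.name}"
    return "deny:Default rule"


# The Step 4 "initial testing" rule: every VPN user reaches everything internal.
INITIAL_POLICY = [
    rule("VPN to Internal (testing)", "allow", ["VPN Clients"], ["Internal"], ["*"], ["VPN Users"]),
]

# A granular replacement: admins keep full access, staff get only mail and file shares.
GRANULAR_POLICY = [
    rule("VPN Admins full access", "allow", ["VPN Clients"], ["Internal"], ["*"], ["VPN Admins"]),
    rule("VPN Staff to mail", "allow", ["VPN Clients"], ["Mail Servers"],
         ["HTTPS", "RPC over HTTPS"], ["VPN Staff"]),
    rule("VPN Staff to file servers", "allow", ["VPN Clients"], ["File Servers"],
         ["Microsoft CIFS (TCP)"], ["VPN Staff"]),
]

if __name__ == "__main__":
    staff_rdp = Connection("VPN Clients", "10.10.6.20", "RDP", frozenset({"VPN Users", "VPN Staff"}))
    print("initial :", evaluate(INITIAL_POLICY, staff_rdp))
    print("granular:", evaluate(GRANULAR_POLICY, staff_rdp))
```

The useful habit this models is to think of each VPN user set as a row in a matrix of destinations and protocols, write one rule per row, and rely on the default rule for everything else, rather than one broad allow rule that is hard to tighten later.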

Configuring SSTP
In Step 3 we did not select SSTP as a protocol.  Before we can, there are a few things we need to do first.

Request a Certificate - This is a standard SSL web server certificate, so the usual process applies.  Since I am designing the VPN to accommodate non-corporate Windows machines I will be using a public CA to avoid certificate trust issues on clients.  Request and install the certificate before proceeding with creating the listener.

Create a listener

  • From the TMG Management Console
  • Select the Firewall Policy node
  • Select Toolbox from the right hand pane
  • Expand Network Objects
  • New - Web Listener
  • Name it SSTP VPN
  • Require SSL
  • Select the External network
  • Click Select IP addresses
  • Select Specify IP addresses in the... and add the single IP you want to use
  • Click Select Certificate
  • Choose the certificate that was installed earlier
  • Select HTTP authentication - check Basic

You can now go back to the VPN configuration and click Verify VPN properties.
Check Enable SSTP.
Click Select Listener and choose the listener created earlier.
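
Because SSTP rides on the listener's SSL certificate, the quickest way to catch the certificate issues mentioned above is to check the listener the way a client would before you hand the configuration to users. The script below is an added example for this post (not from the original guide): it connects to the listener with the operating system's default trust store, so an untrusted chain fails the handshake outright, and then checks that a SAN dNSName matches the name clients will dial and that the certificate is inside its validity window with some headroom. The hostname and the embedded sample certificate are constructed placeholders; the sample is in the dict shape that `ssl.SSLSocket.getpeercert()` returns so the checks can be exercised offline.

```python
import socket
import ssl
import time
from typing import Dict, List

# Constructed sample certificate (placeholder values, not the post's real listener),
# shaped like the dict ssl.SSLSocket.getpeercert() returns for a verified peer.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "vpn.example.test"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "vpn.example.test"), ("DNS", "sstp.example.test")),
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Jan  1 00:00:00 2014 GMT",
}


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname; a single leading wildcard label is allowed."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) > 2 and p[1:] == h[1:]
    return p == h


def hostname_in_san(cert: Dict, hostname: str) -> bool:
    """True if any DNS entry in subjectAltName covers the hostname clients will use."""
    return any(kind == "DNS" and _label_match(name, hostname)
               for kind, name in cert.get("subjectAltName", ()))


def assess_cert(cert: Dict, hostname: str, now: float, min_days_left: int = 30) -> List[str]:
    """Return a list of problems with the listener certificate; empty means it looks fine."""
    problems: List[str] = []
    if not hostname_in_san(cert, hostname):
        problems.append(f"no SAN dNSName matches {hostname}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    elif (not_after - now) / 86400 < min_days_left:
        problems.append(f"certificate expires in under {min_days_left} days")
    return problems


def fetch_listener_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Handshake with the SSTP listener using the default trust store; an untrusted or
    mismatched chain raises ssl.SSLCertVerificationError instead of returning a cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.test"  # placeholder name
    cert = fetch_listener_cert(host)
    print(assess_cert(cert, host, time.time()) or ["listener certificate looks fine"])
```

Run it from a machine outside the corporate network, since that is where the public-CA decision matters. One thing this check deliberately leaves out is revocation: the Windows SSTP client does check the certificate's CRL before the tunnel is up, so the CRL distribution point named in the certificate must be reachable from the Internet, not only from inside.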

Complete TMG VPN deployment guide Part I - Planning

Complete TMG VPN deployment guide Part II - Server side deployment steps
Complete TMG VPN deployment guide Part III - Configuring VPN on Windows
Complete TMG VPN deployment guide Part IV - Configuring VPN on Mac OSX
Complete TMG VPN deployment guide Part V - Configuring VPN on iOS and Android
