Defining remote VPN clients

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to set up users and groups for remote VPN access. Defining remote VPN clients consists of the following steps:

  • Creating users and groups for remote VPN clients—Specify and configure user accounts that are allowed to connect to Forefront TMG as remote VPN clients. Users can be identified as Remote Authentication Dial-In User Service (RADIUS) users, or as Windows users.

  • Configuring domain groups for remote access—Specify the domain groups allowed VPN access.

  • Enabling user mapping for clients authenticating via RADIUS or EAP (optional)—Enable user mapping if you intend to use RADIUS or EAP authentication, and the Forefront TMG computer is a member of the domain.

Creating users and groups for remote VPN clients

The accounts and groups in this procedure are local accounts on the Forefront TMG computer. You configure them in the Computer Management console (compmgmt.msc), not in the Forefront TMG Management console.

To create users and groups

  1. Click Start, click Run, type compmgmt.msc, and then press ENTER.

  2. In the Computer Management window, expand Local Users and Groups, right-click Groups, and then click New Group.

  3. In New Group, type a name for the group, and then click Create, and click Close.

  4. Click Users. For each user that you want to have remote VPN access, do the following:

    1. Double-click the user to display its properties.

    2. On the Member Of tab, click Add.

    3. In Enter the object names to select, type the name of the group, and then click OK.

    4. On the Dial-in tab, select Control access through Remote Access Policy, and then click OK.

Important

Only accounts whose dial-in properties permit remote access (either Allow access, or Control access through Remote Access Policy together with a policy that grants access) can connect to Forefront TMG as remote VPN clients. An account that is a member of the correct group but whose dial-in setting is Deny access is still refused.

Note

When you configure VPN client access and specify which local groups have remote access, the only built-in local groups that you can add are the following:

  • HelpServicesGroup

  • IIS_WPG

  • TelnetClients

You cannot add other built-in local groups, such as Administrators, Backup Operators, or Power Users. These group names are generic (the same name exists both as a local group and as a domain group), so Forefront TMG cannot distinguish, for example, local administrators from domain administrators, and granting VPN access to such a group could grant it more widely than intended. Add a local group that you create yourself, such as the group from the preceding procedure, instead.

Note

In native-mode Active Directory domains, dial-in access for domain accounts is controlled by Remote Access Policy by default. In mixed-mode (non-native) Active Directory domains, you must enable dial-in access for each domain user account that requires VPN access: in Active Directory Users and Computers, open the properties of each account and select Allow access on the Dial-in tab.
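The same account setup can be scripted on the Forefront TMG computer instead of clicked through. The following PowerShell is an added example and is not part of the Forefront TMG documentation. It assumes placeholder names (the local and domain group "VPN Users", the users alice and bob, the domain CORP), that Routing and Remote Access is present on the Forefront TMG computer (it is, because Forefront TMG uses it for VPN), and that the ActiveDirectory module from RSAT is installed for the domain functions. The local part uses the ADSI WinNT provider and netsh ras; the domain part sets the msNPAllowDialin attribute that the Dial-in tab writes (not set = Control access through Remote Access Policy, true = Allow access, false = Deny access).

```powershell
# Added example, not from the Forefront TMG documentation.
# Placeholders: group 'VPN Users', users 'alice' and 'bob', domain 'CORP'.
# Assumes RRAS on the TMG computer (for netsh ras) and the ActiveDirectory
# module (RSAT) for the domain functions.

# ---- Local accounts on the Forefront TMG computer -------------------------
function New-LocalVpnGroup {
    param([string]$Name, [string[]]$Members)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    try {
        # Reuse the group if it already exists (Find throws if it does not).
        $group = $computer.Children.Find($Name, 'group')
    } catch {
        $group = $computer.Create('Group', $Name)   # New Group dialog
        $group.SetInfo()
    }
    foreach ($m in $Members) {
        # Same effect as Member Of tab -> Add on each user.
        $group.Add("WinNT://$env:COMPUTERNAME/$m,user")
    }
}

function Set-LocalVpnDialIn {
    # Dial-in tab of a local account: 'policy' = Control access through
    # Remote Access Policy, 'permit' = Allow access, 'deny' = Deny access.
    param([string]$User,
          [ValidateSet('policy','permit','deny')][string]$Mode)
    netsh ras set user "name=$User" "dialin=$Mode" | Out-Null
    netsh ras show user "name=$User"                  # verify the setting
}

# ---- Domain accounts (see the note on native vs. mixed mode) ---------------
function Set-DomainVpnDialIn {
    param([string]$SamAccountName,
          [ValidateSet('Policy','Allow','Deny')][string]$Mode)
    Import-Module ActiveDirectory
    # msNPAllowDialin: not set = controlled by Remote Access Policy (the
    # native-mode default), $true = Allow access (required in mixed mode),
    # $false = Deny access.
    switch ($Mode) {
        'Policy' { Set-ADUser -Identity $SamAccountName -Clear msNPAllowDialin }
        'Allow'  { Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $true } }
        'Deny'   { Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $false } }
    }
    # Verify: an account without the attribute shows an empty value.
    Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin |
        Select-Object SamAccountName, msNPAllowDialin
}

# Usage: local group and accounts on the Forefront TMG computer.
New-LocalVpnGroup -Name 'VPN Users' -Members 'alice','bob'
'alice','bob' | ForEach-Object { Set-LocalVpnDialIn -User $_ -Mode policy }

# Usage: domain group CORP\VPN Users in a mixed-mode domain, where every
# member must be set to Allow access explicitly.
Add-ADGroupMember -Identity 'VPN Users' -Members 'alice','bob'
'alice','bob' | ForEach-Object { Set-DomainVpnDialIn -SamAccountName $_ -Mode Allow }
```

Run the local part in an elevated PowerShell session on the Forefront TMG computer. In a native-mode domain, use -Mode Policy (which clears the attribute) so that access is decided by Remote Access Policy rather than per account; the verify output of each function is the check that the Dial-in tab would show.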

Configuring domain groups for remote access

Use the following procedure to allow members of domain groups to access the VPN remotely.

To allow remote access for members of domain groups

  1. In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node.

  2. In the details pane, click the VPN Clients tab.

  3. On the Tasks tab, click Configure VPN Client access.

  4. On the Groups tab, click Add.

  5. Type the names of the users or groups that are allowed access to the VPN Clients network, and then click OK.

Enabling user mapping for clients authenticating via RADIUS or EAP (optional)

Use the following procedure to ensure that firewall policy access rules that apply to user sets defined for Windows users and groups are also applied to VPN clients that authenticate to your network via RADIUS or EAP. User mapping maps the user name authenticated by RADIUS or EAP to a Windows account (domain\user), so that the Windows user sets in your access rules match those clients. To do this, you must enable user mapping.

To enable user mapping

  1. In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node.

  2. In the details pane, click the VPN Clients tab.

  3. On the Tasks tab, click Configure VPN Client Access.

  4. On the User Mapping tab, click Enable User Mapping.

  5. If the user name to be mapped does not include a domain name, select When username does not contain a domain, use this domain, and type the name of the domain to use.

Note

  • If the RADIUS server and Forefront TMG are in different domains (or if one of them is in a workgroup), user mapping is supported only for Password Authentication Protocol (PAP) authentication. Do not use user mapping if any other authentication method is configured. Note that PAP itself does not protect the password; rely on it only where the VPN tunnel encrypts the authentication exchange, such as L2TP/IPsec.

  • User mapping can be used only when Forefront TMG is installed in a domain. Do not enable user mapping in a workgroup environment.

  • User mapping is required only when you create a group-based firewall policy. To build a user-based policy, you can instead define user sets with RADIUS namespaces.

Next Steps

Enabling basic remote client access

Concepts

Configuring remote client VPN access