Enabling remote client access over a VPN connection

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

This topic describes how to enable remote access for clients using a virtual private network (VPN) connection. For more information about Virtual Private Networking, see Overview of Virtual Private Networks (VPN). Configuring remote client access consists of the following tasks:

  • Enabling and configuring remote access for VPN clients—Describes how to enable VPN client access on the Forefront TMG computer

  • Assigning IP addresses to remote VPN clients—Describes how to assign addresses from a static pool or by DHCP, and how to define the DNS and WINS servers that VPN clients use

  • Selecting a VPN protocol for remote client access—Describes how to enable PPTP, L2TP/IPsec, or both (part of the first procedure)

  • Assigning an authentication method to remote VPN clients—Describes how to select the authentication protocols that Forefront TMG uses for remote VPN clients

  • Verifying VPN connectivity—Describes how to monitor VPN client sessions and authentication attempts in the Sessions viewer

  • Enabling quarantine control (optional)—Describes how to restrict VPN clients that do not comply with your security policy until they do

Enabling and configuring remote access for VPN clients

To enable and configure remote access for VPN clients

  1. In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node, and in the details pane, click the VPN Clients tab.

  2. On the Tasks tab, click Enable VPN Client Access to open the VPN Clients Properties dialog box.

  3. On the General tab, click Enable VPN Client Access.

    Note

    • When you enable VPN client access, a system policy rule named Allow VPN clients to firewall is enabled.

    • After enabling remote client VPN access, a default network rule is enabled to establish a routing relationship between the Internal network and the two VPN client networks (VPN Clients and Quarantined VPN Clients).

    • You should create access rules to allow appropriate access to VPN clients. For example, you can create a rule to allow access from the VPN Clients network to the Internal network on all protocols or for specific protocols.

  4. In Maximum number of VPN clients allowed, type the maximum number of VPN clients that can connect simultaneously. Note that a maximum of 1,000 VPN clients can connect simultaneously.

  5. On the Protocols tab, select one or more of the following:

    • Enable PPTP

    • Enable L2TP/IPsec

      Note

      • If you enable remote VPN clients to connect to Forefront TMG using L2TP/IPsec, the IPsec security association must be authenticated. This requires a computer (machine) certificate issued by a certification authority that both the Forefront TMG server and the clients trust, or, less securely, a preshared key. An SSL (server authentication) certificate is not what L2TP/IPsec needs; the certificate must be in the Local Computer personal store with its private key.

      • PPTP relies on MPPE, whose keys are derived from the MS-CHAP v2 password exchange, and offers weaker protection than L2TP/IPsec. Prefer L2TP/IPsec where clients support it.

  6. On the Groups tab, click Add, and add the VPN Clients group that you created in the procedure "Create users and groups for remote VPN clients" (see Defining remote VPN clients). Click OK to close the VPN Clients Properties dialog box.

    Note

    You cannot add the Windows built-in user groups as VPN users. Built-in domain groups may be used (even in a situation where the Forefront TMG server is also the domain controller).
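Before enabling L2TP/IPsec, it is worth confirming that the Forefront TMG server actually holds a computer certificate that IPsec can use. The following PowerShell check is an added example, not part of the Forefront TMG documentation or product. It assumes it is run locally on the TMG server with administrative rights, that the machine certificate lives in the standard Local Computer personal store (Cert:\LocalMachine\My), and that the Server Authentication and IP security IKE intermediate EKU OIDs below are the ones IPsec accepts.

```powershell
# Added example (not Forefront TMG documentation): list computer certificates
# and report which ones are usable for L2TP/IPsec authentication.
# Assumptions: run on the TMG server as an administrator; standard store path
# and EKU OIDs; a certificate with no EKU extension is valid for any purpose.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$IpsecIkeOid   = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate EKU

function Get-IpsecCandidateCert {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem $StorePath | ForEach-Object {
        $cert = $_
        $now  = Get-Date
        # EnhancedKeyUsageList is added to certificate objects by the Cert: provider
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $ekuOk = ($ekus.Count -eq 0) -or
                 ($ekus -contains $ServerAuthOid) -or
                 ($ekus -contains $IpsecIkeOid)

        $problems = @()
        if (-not $cert.HasPrivateKey)   { $problems += 'no private key' }
        if ($cert.NotAfter  -lt $now)   { $problems += 'expired' }
        if ($cert.NotBefore -gt $now)   { $problems += 'not yet valid' }
        if (-not $ekuOk)                { $problems += 'EKU allows neither server authentication nor IKE' }
        # Verify() builds the chain against the machine's trusted roots and
        # checks revocation, so it also catches a CA the server does not trust.
        if (-not $cert.Verify())        { $problems += 'chain does not build to a trusted root' }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Usable certificates first; anything with a Problems value needs attention
Get-IpsecCandidateCert |
    Sort-Object Usable -Descending |
    Format-Table Subject, Issuer, NotAfter, Usable, Problems -AutoSize
```

Run the same check on a representative L2TP/IPsec client: both sides need a certificate that chains to a CA the other side trusts, and an expired or untrusted certificate on either end surfaces as an IKE negotiation failure rather than a clear error in the VPN Clients Properties dialog box.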

Assigning IP addresses to remote VPN clients

The following procedure describes how to configure IP address assignment to remote clients when they connect to the VPN.

To assign IP addresses to remote VPN client connections

  1. In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node.

  2. In the details pane, click the VPN Clients tab.

  3. On the Tasks tab, click Define Address Assignments.

  4. On the Address Assignment tab, select one of the following options:

    • Static address pool. Select this option if you want to assign static addresses to the remote VPN clients.

    • Dynamic Host Configuration Protocol (DHCP). Select this option if you want to assign addresses to the remote VPN clients dynamically.

  5. If you select Static address pool, do the following:

    1. Click Add.

    2. In arrays with more than one member, in Select the server, select the array member for which you are defining the static address pool. Each array member needs its own pool.

    3. In Start address, type the first address in the range of addresses to assign to the VPN clients.

    4. In End address, type the last address in the range of addresses to assign to the VPN clients.

  6. In Use the following network to obtain DHCP, DNS and WINS services, select the network on which the name resolution servers are located.

  7. Click Advanced.

  8. In Name Resolution, select one of the following:

    • Obtain DNS server addresses using DHCP configuration. Select this option if VPN clients should obtain the DNS server by using a DHCP configuration.

    • Use the following DNS server addresses. Select this option to provide the static IP address of the DNS server that VPN clients should use for name resolution. If you select this option, in Primary, type the IP address of a DNS server located on the Internal network that the VPN clients can use to resolve names on the Internal network. In Backup, type the IP address of a DNS server located on the Internal network that the VPN clients can use to resolve names on the Internal network, when the primary DNS server is not available.

  9. Set WINS server address configuration by selecting one of the following:

    • Obtain WINS server addresses using DHCP configuration. Select this option if VPN clients should obtain the WINS server by using a DHCP configuration.

    • Use the following WINS server addresses. Select this option to provide the static IP address of the WINS server that VPN clients should use for name resolution. If you select this option, in Primary, type the IP address of a WINS server located on the Internal network that the VPN clients can use to resolve names on the Internal network. In Backup, type the IP address of a WINS server located on the Internal network that the VPN clients can use to resolve names on the Internal network when the primary WINS server is not available.

      Note

      • Routing and Remote Access users are not supported.

      • The remote IP address range specified in the wizard must exactly match the network definition and subnet mask on the remote site.

      • DHCP address assignment can be used only on single-member arrays. In arrays with more than one member, select Static address pool and define a separate, non-overlapping pool for each array member.

      • Addresses assigned through Active Directory (on the Dial-in tab of the user properties in Active Directory Users and Computers) cannot be used on arrays with more than one member server.
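Sizing and placing static pools is where address-assignment mistakes usually happen: a pool that is too small for the configured maximum number of VPN clients, a pool that contains an address already in use on the Internal network, or two array members whose pools overlap. The following PowerShell validation is an added example, not part of the Forefront TMG documentation or product. It assumes IPv4 pools, that the first address of each pool is consumed by the Routing and Remote Access service for its own interface (standard RRAS behaviour, so it is not available to clients), and that the sample pools and reserved addresses below are constructed for illustration.

```powershell
# Added example (not Forefront TMG documentation): validate proposed static
# address pools against the maximum number of VPN clients, reserved addresses,
# and each other. Assumptions: IPv4 only; RRAS takes the first pool address
# for itself; sample data below is constructed, not taken from a real array.

function ConvertTo-IPv4Int {
    param([string]$Address)
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    [Array]::Reverse($bytes)          # network byte order -> little-endian
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-VpnStaticPool {
    param(
        [hashtable[]]$Pools,              # @{ Member=''; Start=''; End='' } per array member
        [int]$MaxClients,                 # value of "Maximum number of VPN clients allowed"
        [string[]]$ReservedAddresses = @() # e.g. the TMG members' own Internal addresses
    )
    $findings = @()
    $seen = @()
    foreach ($p in $Pools) {
        $s = ConvertTo-IPv4Int $p.Start
        $e = ConvertTo-IPv4Int $p.End
        if ($s -gt $e) {
            $findings += "$($p.Member): start address is after end address"
            continue
        }
        # End - Start, not End - Start + 1: the first address goes to RRAS itself
        $usable = $e - $s
        if ($usable -lt $MaxClients) {
            $findings += "$($p.Member): pool provides $usable client addresses, fewer than the $MaxClients maximum"
        }
        foreach ($r in $ReservedAddresses) {
            $ri = ConvertTo-IPv4Int $r
            if ($ri -ge $s -and $ri -le $e) {
                $findings += "$($p.Member): pool contains reserved address $r"
            }
        }
        foreach ($other in $seen) {
            if ($s -le $other.End -and $e -ge $other.Start) {
                $findings += "$($p.Member): pool overlaps the pool of $($other.Member)"
            }
        }
        $seen += @{ Member = $p.Member; Start = $s; End = $e }
    }
    return $findings
}

# Constructed sample input: a two-member array with an overlap, an undersized
# pool, and a pool that swallows an address that must stay reserved.
$samplePools = @(
    @{ Member = 'TMG-1'; Start = '10.10.50.1';  End = '10.10.50.100' },
    @{ Member = 'TMG-2'; Start = '10.10.50.90'; End = '10.10.50.200' }
)
Test-VpnStaticPool -Pools $samplePools -MaxClients 100 -ReservedAddresses @('10.10.50.5')
# Reports: TMG-1 has 99 usable addresses (<100), TMG-1 contains 10.10.50.5,
# and TMG-2 overlaps TMG-1.
```

Feed it the real pools you intend to type into the Static address pool dialog box and the Internal addresses of every array member; an empty result means the pools are large enough, disjoint, and clear of the reserved addresses you listed. It does not replace the Forefront TMG network checks, which still apply when you click OK.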

Assigning an authentication method to remote VPN clients

The following procedure describes how to set an authentication method for remote VPN clients.

To assign an authentication method to remote VPN clients

  1. In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node.

  2. On the Tasks tab, click Select Authentication Methods.

  3. Select the appropriate check boxes for the authentication protocols that Forefront TMG will use to authenticate remote VPN clients. Prefer MS-CHAP v2 or EAP. PAP sends the password in clear text inside the PPP exchange, and CHAP requires user passwords to be stored with reversible encryption in Active Directory; enable either only for clients that support nothing stronger.

    Note

    EAP authenticated users are authenticated by RADIUS servers. Firewall policy rules that apply to users will only be applied to these users if you also configure user mapping. For configuration information, see Defining remote VPN clients.

Verifying VPN connectivity

To verify VPN connectivity, you can monitor remote access usage and authentication attempts via the Sessions viewer.

  • On the Tasks tab, click Monitor VPN Clients. The Sessions viewer displays the data for VPN clients connecting to Forefront TMG, including failed authentication attempts, which are the first thing to check when a client cannot connect.

Enabling quarantine control (optional)

You may want to quarantine each VPN client when it connects in order to ensure that it complies with your security policy. VPN clients that do not comply will be allowed to connect to resources on the Internal network from which they can retrieve the software or updates needed to achieve compliance but will not be allowed general access to corporate resources. For more information, see Enabling NAP-based quarantine control and Configuring RQS and RQC based quarantine control.

Concepts

Configuring remote client VPN access

Copyright © 2009 by Microsoft Corporation. All rights reserved.