Configuring a dial-up connection

Microsoft Forefront Threat Management Gateway supports dial-up connections to the Internet or a remote network via a modem connection, Point-to-Point Protocol over Ethernet (PPPoe) connection, or a VPN connection. You should configure a dial-up connection for a specific network.

Notes

• You can configure a non-VPN dial-up connection on one Forefront TMG network only. For example, to use dial up for Internet access, select the External network for the automatic dial-up connection.
• Forefront TMG does not support customized routes for non-VPN dial-up connections. For example, if Forefront TMG dials a non-VPN connection to a remote network that is not the default gateway, a custom route to the remote network is required.
• The local domain table (LDT) is used by Firewall clients in order to determine whether requests should be handled locally or sent to Forefront TMG. Ensure that the LDT includes internal servers, so that Forefront TMG does not have to dial out to an external DNS server, only to determine that the requested computer is actually internal.
• Ensure that internal network adapters are configured correctly. Verify that a default gateway is not configured on any of the internal network adapters. When you configure the internal network, include only the network adapter that represents the LAN. The inclusion of the network adapter that is connected to a modem does not prevent internal users from accessing the Internet, but it may open your internal network to access from the external network.
• Forefront TMG maintains a dialed connection until one of the following occurs: The Microsoft Firewall service is stopped while connected; You modify ISP properties while connected; You disable the dial-up connection; A main route for client requests to the Internet or upstream server comes back online (when dial-up is used for a back-up route).

Configuring a dial-up connection

Configuring a dial-up connection consists of the following steps:

• Create a dial-up network connection on the operating system.
• Enable a network to use the dial-up connection you created.
• For a VPN dial-up connection, create an access rule allowing the protocol from the Local Host network to the VPN server.
• Create an alert to inform you if a dial-up connection fails.

These steps are described in the following procedures.

To configure a dial-up connection in the operating system

• For instructions about creating a dial-up connection, see Make a Dial-Up or ISDN Network Connection in Windows Server 2008 help at TechNet.

To enable a network to use a dial-up connection

1. In the Forefront TMG Management console tree, click Networking.

2. On the Tasks tab, click Specify Dial-Up Preferences.

3. On the Dial-Up Preferences dialog box, do one of the following:

   • On the Dial-Up Preferences dialog box, select I will dial the connection myself to specify that you want to dial the connection manually before it is used for requests.
   • On the Dial-Up Preferences dialog box, select Allow automatic dialing to this network to specify that Forefront TMG should dial the connection in response to client requests on the network. If you want to use this connection as the default route to the Internet or the remote network, select Configure this dial-up connection as the default gateway.

4. In Use the following dial-up connection, select the network connection you created.

5. In Use this account, specify the credentials that you used when creating the network connection.

To create an access rule for a VPN dial-up connection

1. In the Forefront TMG Management console tree, click Firewall Policy.

2. On the Tasks tab, click Create Access Rule.

3. On the Rule Action page of the New Access Rule Wizard, click Allow.

4. On the Protocols page, in This rule applies to, click Selected Protocols, and then click Add.

5. In the Add Protocols dialog box, click to expand VPN and IPsec. Select the required protocol (usually PPTP or L2TP client). Click Add, and then click Close.

6. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click to expand Networks, and then click Local Host. Click Add, and then click Close.

7. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click New, and then click Computer.

8. In the New Computer Rule Element dialog box, type in the name and IP address of the VPN server.

9. Complete the rest of the pages in the wizard.

To configure an alert for dial-up failure

1. In the Forefront TMG Management console tree, click Monitoring.

2. Click the Alerts tab, and then on the Tasks tab, click Configure Alert Definitions.

3. In the Alert Definitions list, select Dial-on-demand failure, and then click Edit.

4. On the General tab, ensure that Enabled is selected.

5. On the Events tab, specify when the alert should be issued. For example, to prevent the alert from being issued multiple times, you can limit the Number of occurrences before the alert is issued value.

6. On the Actions tab, specify the action that should occur when the alert is issued.