About site-to-site settings

When you create a site-to-site virtual private network (VPN) connection, Microsoft Forefront Threat Management Gateway provides a summary of the local site-to-site settings. Based on the local settings and the need to mirror local site settings on the remote site, Forefront TMG also provides recommended settings for the remote site. This summary is available for Internet Protocol security (IPsec), Point-to-Point Tunneling Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP) over IPsec site-to-site connections.

IPsec settings

The summary of the local site-to-site settings provides the following information for IPsec site-to-site connections, and for each item indicates the corresponding setting that the other end of the tunnel must use:

  • Local Tunnel Endpoint. The local IP address through which the VPN connection is made. This IP address is the recommended remote tunnel endpoint for the remote site.
  • Remote Tunnel Endpoint. The remote IP address through which the VPN connection is made. This IP address is the recommended local tunnel endpoint for the remote site.
  • IKE Phase I and Phase II Parameters. The parameters used to negotiate the IPsec tunnel settings. These settings are the recommended IPsec settings for the remote site. It is particularly important that the authentication method be identical for both the remote and local sites. If a preshared key is used, it must be identical for both ends of the tunnel.
  • Remote Network myIPSec IP Subnets. myIPSec represents the name you configured for the remote network. This is the address range you provided for the remote site, converted to subnet format, which is standard for IPsec connections.
  • Local Network IP Subnets. The address ranges of all of the other Forefront TMG networks, converted to subnet format.

Note

If you did not create a network rule establishing the relationship between the remote networks and at least one other Forefront TMG network (typically, the Internal network), traffic to and from the remote network will be dropped, and a warning will appear on the summary page. Similarly, if you do not create an access rule allowing traffic to and from the remote network, traffic will be blocked by Forefront TMG.

PPTP and L2TP settings

The summary of the local site-to-site settings provides the following information for PPTP and L2TP site-to-site connections, and for each item indicates the corresponding setting that the other end of the tunnel must use:

  • Remote Gateway Address. For the local site, this is the address on the remote site to which Forefront TMG connects. On the remote site, the Remote Gateway Address should be an IP address, or a Domain Name System (DNS) name that resolves to an IP address on this Forefront TMG computer.
  • VPN Network Authentication Protocols (outgoing). These are the protocols used to authenticate to the remote site. One of these protocols must be part of the remote site's General VPN Settings authentication protocols. In the recommended settings for the remote site, these appear as the General VPN Settings Authentication Protocols.
  • General VPN Settings Authentication Protocols (incoming). The local site must be configured to accept one of the outgoing authentication methods of the remote site. In the recommended settings for the remote site, these appear as the VPN Network Authentication Protocols.
  • Outgoing Authentication Method (L2TP over IPsec only). This can be a preshared secret or a certificate. The method you choose must be one of the Incoming Authentication Methods configured on the remote site.
  • Incoming Authentication Method (L2TP over IPsec only). This can be a preshared secret, a certificate, or both. One of these methods must be used by the remote site as its Outgoing Authentication Method.
  • Local User. A user with dial-in properties must be configured on the local network for the remote network to initiate a connection to the local network. The name of the user account and the name of the site-to-site network must be identical. Forefront TMG indicates the name of the user that you must create on the local site, based on the name of the site-to-site connection. When you configure settings for the remote site, you must use the same user name to connect to the local site. This is provided under Required settings for the other end of this tunnel in the Remote Site User listing.
  • Remote User. When you allow the local site to initiate connections to the remote site, this is the user name that the local site uses to authenticate to the remote site. The name of this user account and the name of the site-to-site network on the remote site must be identical. Forefront TMG indicates the name of the user that you must create on the remote site, based on the name you provided for the remote site user. When you configure settings for the remote site, it must have a network and a local user with that same name. This is provided under Required settings for the other end of this tunnel in the Local User listing.
  • Site-to-Site Network IP Address. In the local settings list, the addresses of the remote site network are provided. In the listing for the other end of the tunnel, Forefront TMG indicates that you must provide network addresses with which the remote site has a network relationship. This can be either a route relationship or a NAT relationship where the remote site is the source and the local site is the destination. Forefront TMG lists the IP addresses that meet these requirements, in Required site-to-site settings for the other end of this tunnel, under Routable Local IP Addresses.
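The mirroring rules in the IPsec list and in the PPTP and L2TP list above can be checked mechanically before the tunnel is brought up. The following is an added example, not Forefront TMG code or any of its APIs: it takes the values from the local summary and the values entered on the remote site as plain dictionaries (the key names are assumptions modelled on the summary labels, and the HQ and Branch sample values are constructed) and reports every setting that does not mirror correctly.

```python
# Added example, not Forefront TMG code: check that the settings entered on the
# remote site mirror the local site's summary as this page describes. Keys are
# assumptions modelled on the summary labels; sample values are constructed.

def _norm(value):
    # Subnet lists compare as sets; endpoints and parameters compare as-is.
    return frozenset(value) if isinstance(value, list) else value

def check_ipsec(local, remote):
    """Return mismatches that would stop an IPsec site-to-site tunnel negotiating."""
    problems = []
    # Both ends describe one tunnel from opposite sides, so endpoints and subnet
    # lists are swapped between them, never copied.
    for mine, theirs in (("local_endpoint", "remote_endpoint"),
                         ("local_subnets", "remote_subnets")):
        for a, b in ((mine, theirs), (theirs, mine)):
            if _norm(local[a]) != _norm(remote[b]):
                problems.append(f"remote {b} must mirror local {a}")
    # IKE parameters and the authentication method must be identical, and a
    # preshared key has to match exactly on both ends.
    for key in ("ike_phase1", "ike_phase2", "auth_method"):
        if local[key] != remote[key]:
            problems.append(f"{key} differs")
    if local["auth_method"] == remote["auth_method"] == "preshared_key":
        if local["psk"] != remote["psk"]:
            problems.append("preshared key differs")
    return problems

def check_pptp_l2tp(local, remote):
    """Return mismatches in authentication protocols and user/network naming."""
    problems = []
    for a, b in ((local, remote), (remote, local)):
        # Each side's outgoing protocols must overlap the other side's incoming set.
        if not set(a["outgoing_protocols"]) & set(b["incoming_protocols"]):
            problems.append(f"{a['site']} outgoing protocols not accepted by {b['site']}")
        # The dial-in user is named after the site-to-site network on its own side,
        # and the other side must present exactly that user name.
        if a["local_user"] != a["network_name"]:
            problems.append(f"{a['site']}: Local User must equal the network name")
        if b["remote_user"] != a["local_user"]:
            problems.append(f"{b['site']}: Remote User must equal {a['site']} Local User")
    return problems

# Constructed sample: HQ is the local site, Branch the remote site.
HQ = {"site": "HQ", "network_name": "Branch", "local_user": "Branch", "remote_user": "HQ",
      "outgoing_protocols": ["MS-CHAPv2"], "incoming_protocols": ["MS-CHAPv2", "EAP"]}
BRANCH = {"site": "Branch", "network_name": "HQ", "local_user": "HQ", "remote_user": "Branch",
          "outgoing_protocols": ["EAP"], "incoming_protocols": ["MS-CHAPv2"]}
```

Note that user names are compared exactly, so a difference in letter case between the Local User on one side and the Remote User on the other is reported as a mismatch.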