In this post, we’re going to go through setting up our TMG 2010 server to support client PPTP VPN. We’ll go over why PPTP is a good choice for many businesses, the basic network setup involved, and then finally, how to actually configure our TMG server to support PPTP clients.
Much of what we will cover here is the same for other VPN protocols. You can either use this post and skip ahead to configuring the other protocols, or stay tuned…we’ll be covering L2TP/IPSEC, SSTP, and IKEv2 in upcoming posts. If this sounds like the post for you, please read on.
Finding the right balance between security and usability
I am sure that some of you are reading this and thinking I am off my nut for recommending PPTP over SSTP, L2TP/IPSec, or IKEv2. I may be off my nut, but not about this. Here is why. PPTP is the one VPN protocol that is the common denominator or universal dialect amongst all our diverse platforms. Whether you have any version of Windows, Mac OSX, Linux, iPod Touch, iPhone, or Droid, you have PPTP support, and you have it built-in (or in the case of some Linux distros, a simple package add away.) TMG offers other protocols, but they are Windows-focused. PPTP support means you can supply a secure connection to any device you have. Using MPPE with 128bit encryption and authenticating against AD using MS-CHAP2, and with a strong password policy and account lockout, should cover your bases in all but the most stringent requirements. Yes, you do NOT get mutual authentication with PPTP (unless you implement some EAP methods that will reduce the ubiquity of this solution,) but this post is more about supporting diverse clients securely, and less about just how thick the tinfoil hat is. If your situation requires 3DES or AES, and mutual authentication, skip this post and come back in a few….I should have something on that soon. If your situation includes trying to support the VP of Marketing’s Mac, and your Linux box, and your boss’s iPhone….well this post is for you. Been there, done that, wrote the post.
Prerequisites
In this post, our TMG 2010 server is directly connected to the Internet on its external NIC (live ip.addr, no other firewall in front of it) and we have an another NIC directly connected to the internal network. We’re using the DHCP service provided by another server on the internal network which is assigning VPN clients ip.addrs directly on the internal segment. In other words, a fairly vanilla setup. Also, we’re not split-tunneling. All traffic comes home once the VPN client is connected, and anything destined for the Internet will route back out. Why, you ask? There are times when I have to use an open wireless network. I’d much rather tunnel ALL of my traffic over the VPN, than only protect what I am sending home. See this post if you’d like to know more about the dangers of open wireless hotspots. I think you’ll agree that it is worth the extra bandwidth to provide more protection to our users.
Setting it up
The TMG Management Console divides this up into six sections, which makes for a pretty straightforward setup until you find that many of the steps take you to different tabs on the same dialog. We’re going to hit them the first time they pop up instead of running this strictly by the numbers. Browse down to Remote Access Policy (VPN), click it and then click on Configure Address Assignment Method to begin.
Step One-Configure Address Assignment Method
Click on the Configure Address Assignment Method, which brings up a new dialog that we begin on the second tab, which is kind of strange, but we can work with it. Here, since we are using a DHCP server on the internal network, we select the radio button for DHCP, and choose the Internal network from the drop down list for name resolution services.
If you want to set a static range, click that a radio button, select your server from the dropdown, enter your starting and ending address, and then click OK. Then clicked the Advanced button at the bottom of this tab to enter DNS and WINS server information.
Step Two-Access Networks
Click the Access Networks tab and make sure that both External and Internal networks are checked. That allows our VPN clients to connect from both our internal network (useful for testing) and the Internet.
Step Three-Authentication
Now click on the Authentication tab. To get PPTP up and running with the most secure password encryption, we’re going to only check MS-CHAPv2.
Since we are not going to use RADIUS in this post, click OK.
Step Four-Specify Windows Users
Click on Specify Windows Users and once again, land on the second tab of the dialog box. Here, you can add the AD group(s) that you want to permit to connect to your VPN. If that is everybody, select Domain Users.
Then click on the General tab, make sure the check box is set to Enable VPN client access, and enter the maximum number of concurrent connections you want to allow.
Then click the Protocols tab. Since today we are only doing PPTP, that is all you need to check.
User Mapping is for RADIUS and EAP, and we’re not using either this time. Quarantine is something to play with AFTER you get connections working so for now, resist the urge to click anything else except OK. Since a lot of what quarantine can do is limited to domain computers, we’re going to leave that for another post on another day.
Step Five-Configure your firewall policy
Click on View Firewall Policy for the VPN Clients Network to go back to your Firewall Policy. You can restrict access to the Internet for VPN clients, and if you put them on a different network segment than the internal, you can even limit their connections to the internal network. Since I am setting this up for trusted clients that already have full access to the internal network, and open access to the Internet, I just need to make sure that they TMG defined network “VPN Clients” is in the AllowAllOutbound rule that I created back here.
Make any desired changes to this for your level of comfort, and then click back on Remote Access Policy (VPN) to continue.
Step Six-View Network Rules
If you are connecting your VPN clients directly to the Internal network, they will be sharing the internal interface of your TMG. If you want to create a virtual subnet for VPN clients, you can either decide to route that traffic bi-directionally through your TMG, or you can NAT the VPN clients to the inside network. Here is where you define that. Since we are connecting VPN clients directly, we choose the Route option, which should be selected by default.
Step Seven-Test it out
Get a client on another network, and setup your connection from your client to your TMG using PPTP. If there is another edge device between your TMG and the Internet, you want to make sure that inbound TCP 1723 and bidirectional IP type 47 (GRE) are both open. If all goes well, you will be prompted for your username and password. This happens over TCP 1723 and is encrypted using MS-CHAPv2. Enter your creds and (assuming you have valid credentials for a user who is a member of a permitted group) if GRE is also open, you should be connected. Yay! If you’re not, here’s some troubleshooting tips.
You can use the live logging in TMG to focus on VPN client connections. Browse down to Logs & Reports, edit your filter to look at VPN Client sessions. I like to do this live while the client connects, but you can also look at historical records if you wish. 
Always look first for authentication errors. I can’t tell you how many hours I have wasted assuming the user had good information, only to find out they didn’t. Also look for protocol errors, and make sure the client is setup for MS-CHAPv2 to match your requirements.
If you’re having other problems, here’s the links to our VPN troubleshooting series (part one, part two, and part three.) You can check them out, or leave a comment below if you’d like some more help. Until next time, while you are tunneling data securely, enjoy the best song Springsteen’s ever done.
Bruce Springsteen – Tunnel Of Love
Uploaded by jpdc11. – Watch more music videos, in HD!
Direct link for RSS and email subscribers…http://www.dailymotion.com/video/x1ubwj_bruce-springsteen-tunnel-of-love_music
You might also enjoy:
{ 18 comments… read them below or add one }
FYI, I believe your step 2 is incorrect. The access networks specify which networks are allowed to initiate VPN connections, much like a listener. Not which networks can route to each other. For example only allowing VPN connections from the External network, which is usually the case.
Thanks Cazi! My editor is supposed to catch boneheaded screw ups like that, and I plan on yelling at him just as soon as talking to yourself is no longer considered crazy. I do like to allow connections sourcing from both internal and external networks for testing, but I will update the post to correct the mistake now.
Cheers,
Ed
Excellent walk through. The GRE bit is a godsend. My ISP looks after a hardware firewall and this was blocking VPN connections and all I could see was the GRE reference in the logging. Now I know what it is and I can tell my ISP how to fix it. Nice.
Hey Ed,
Wanted to post on the correct page
I have been having trouble getting my VPN working again after it initially working without issue. I originally followed a howto from a different site (sorry, I don’t believe I had found yours yet) and the steps taken were very similar to yours with a couple of exceptions.
First, instead of using DHCP to assign IPs I set a static range from 172.16.1.1-172.16. Second, instead of just adding VPN clients to the main outbound rule I created 3 rules:
VPN Clients to Local Host
VPN Clients to Internal
VPN Clients to External
All of these are set to allow all outbound traffic from all users.
There is a Network Rule defined to Route traffic from VPN Clients and Quarantined VPN Cleints (I do not have quarantine enabled, but what the hay) to Internal, & the Internet Access rule that is NAT from Internal, Quarantined VPN, & VPN Clients to External.
This setup was working before but has since stopped working for an unkonw reason. I cannot ping the TMG (Request timed out) once connected, I cannot ping the DNS server (Request timed out), I cannot browse the internet. Nslookups also time out with: DNS request timed out. I tried changing the address assignment to DHCP and experience the same results.
I have tried to monitor the connections through the Logging tab by adding the suggested filter of “Session Type = VPN” and I see nothing come through (This fact seems like it might help point to the problem, but I might just be crazy). The only way I can see the VPN traffic is to set a filter of “Client IP = 172.16.1.XXX” and then it shows up. I see a lot of idle time-outs show up here. Thanks in advnace
My first thought is that you need to check your network relationships to make sure they are correct. I assume that you are using a different subnet for your VPN clients than you are for your internal hosts; do the internal hosts route all outbound to the TMG so that there is a path to send traffic to VPN connected clients?
Finally, what happens if you NAT your VPN clients into the internal network? Any improvement in connectivity?
All internals live on 10.1.0.0 and have their gateway set to TMG (10.1.0.100). I will try NAT and see if there is any improvement.
NAT yields the same results.
Switch back to routed, connect a VPN client, determine the VPN client’s assigned ip.addr, and then from an internal client, ping that addr.
Let me know if you get request timed out, or destination unreachable.
From the TMG, ping that addr and let me know the result.
Internal Client: Request timed out.
TMG: Request timed out.
On vpn client:
IPv4: 172.16.1.3
Subnet Mask: 255.255.255.255
Default Gateway: 0.0.0.0 <— This seems bad
Not at all, that is what you would expect to see on your VPN connection (I’m assuming you did not paste the ipconfig details for your ‘real’ connection.
Remember, your VPN connection is Virtual…your ‘real’ connection will still communicate with things on the local LAN, including it’s gateway to get out to the Internet.
If your TMG and local network are setup correctly, and you have access rules permitting traffic from internal to VPN, you should be able to ping that 172.16.1.3 from something on your internal network. If you cannot, first confirm your network relationships, then look at your access rules.
Here are a few screenshots of my current configuration: http://imgur.com/a/UNTvK
The top are the firewall policies pertaining to VPN clients. There is also an allowalloutbound rule below those.
Second is the Web Access tab dealing with VPN Clients.
Third is the Network Rules tab.
Rules are parsed top to bottom. I dont see anything wrong with your rules but I dont see ALL of your rules, so must suspect something higher up is blocking. See my rule #7 above? Create that and make it rule #1. Connect via VPN and try again. If you still cannot hit anything, you either have routing borked or there’s something else in the way like a client software firewall, IPS agent, etc.
You could also try the logging as I show above to see what the log results tell you…it might be very illuminating. If it’s not, then I suspect client side shenanigans, or a borked TMG.
Before I flatten and rebuild I would just disable VPN and start that config from scratch.
I recreated all the VPN rules and settings. I still cannot ping anything internally but I did flip my log query around to show anything destined to the VPN client and it shows:
Denied Connection TMG 1/5/2012 8:24:39 PM
Log type: Firewall service
Status: A packet was dropped because its destination IP address is unreachable.
Rule: None – see Result Code
Source: Internal (10.1.0.106:53)
Destination: VPN Clients (172.16.0.4:56078)
Protocol: Unidentified IP Traffic (UDP:56078)
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 10.1.0.106
That was me trying to perform an nslookup on google.com from the VPN client. 10.1.0.106 is the DNS server.
Just for kicks here are my routes:
===========================================================================
Interface-List
-23………………………RAS-(Dial-In)-Interface
-11…00-17-a4-8e-21-4b-……Broadcom-NetXtreme-Gigabit-Ethernet-#2
-10…00-17-a4-8e-21-4c-……Broadcom-NetXtreme-Gigabit-Ethernet
–1………………………Software-Loopback-Interface-1
-12…00-00-00-00-00-00-00-e0-Teredo-Tunneling-Pseudo-Interface
===========================================================================
IPv4-Route-Table
===========================================================================
Active-Routes:
Network-Destination——–Netmask———-Gateway——-Interface–Metric
———-0.0.0.0———-0.0.0.0——99.12.216.1—-99.12.XXX.XXX—-276
———10.1.0.0——255.255.0.0———On-link——–10.1.0.100—-276
——-10.1.0.100–255.255.255.255———On-link——–10.1.0.100—-276
—–10.1.255.255–255.255.255.255———On-link——–10.1.0.100—-276
——99.12.216.0—-255.255.252.0———On-link—–99.12.XXX.XXX—-276
—–99.12.XXX.XXX–255.255.255.255———On-link—-99.12.XXX.XXX—-276
—-99.12.219.255–255.255.255.255———On-link—–99.12.XXX.XXX—-276
——–127.0.0.0——–255.0.0.0———On-link———127.0.0.1—-306
——–127.0.0.1–255.255.255.255———On-link———127.0.0.1—-306
–127.255.255.255–255.255.255.255———On-link———127.0.0.1—-306
——-172.16.0.1–255.255.255.255———On-link——–172.16.0.1—-306
——–224.0.0.0——–240.0.0.0———On-link———127.0.0.1—-306
——–224.0.0.0——–240.0.0.0———On-link—–99.12.XXX.XXX—-276
——–224.0.0.0——–240.0.0.0———On-link——–10.1.0.100—-276
——–224.0.0.0——–240.0.0.0———On-link——–172.16.0.1—-306
–255.255.255.255–255.255.255.255———On-link———127.0.0.1—-306
–255.255.255.255–255.255.255.255———On-link—–99.12.XXX.XXX—-276
–255.255.255.255–255.255.255.255———On-link——–10.1.0.100—-276
–255.255.255.255–255.255.255.255———On-link——–172.16.0.1—-306
===========================================================================
Persistent-Routes:
–Network-Address———-Netmask–Gateway-Address–Metric
———-0.0.0.0———-0.0.0.0——99.12.216.1–Default-
===========================================================================
IPv6-Route-Table
===========================================================================
Active-Routes:
-If-Metric-Network-Destination——Gateway
–1—-306-::1/128——————On-link
-10—-276-fe80::/64—————-On-link
-11—-276-fe80::/64—————-On-link
-11—-276-fe80::903d:17e4:37d2:fae5/128
————————————On-link
-10—-276-fe80::f81d:b45d:936e:4d69/128
————————————On-link
–1—-306-ff00::/8—————–On-link
-10—-276-ff00::/8—————–On-link
-11—-276-ff00::/8—————–On-link
===========================================================================
Persistent-Routes:
–None
So what I see is that a query got from the VPN client to the internal DNS server, but the the response was dropped for not having a route from INTERNAL to VPN. You need to set up that network relationship so that your internal network can communicate to your VPN clients as a routed (not NATed) network. Remember your pictures? I think you need an internal network to VPN Clients relationship; the converse of your VPN Clients to Internal Network.
BTW, can you ping a VPN connected client from the TMG itself?
Rebooted the server… like magic it’s working again. I suspect recreating all the VPN rules did help.
Thanks again for all the help
Great to hear you’re good to go.
Cheers,
Ed