Enabling remote client access over a VPN connection

This topic describes how to enable remote access for clients using a virtual private network (VPN) connection. For more information about Virtual Private Networking, see Overview of virtual private networks (VPN). Configuring remote client access consists of the following tasks:

  • Creating users and groups for remote VPN clients, including identifying and configuring user accounts that are allowed to connect to Microsoft Forefront Threat Management Gateway as remote VPN clients. Users can be identified as RADIUS users or as Windows users.
  • Enabling and configuring remote access for VPN clients, including enabling VPN client access on the Forefront TMG computer, setting the maximum number of simultaneous remote client connections, and selecting which VPN tunneling protocols to use when connecting to Forefront TMG: PPTP and/or L2TP.
  • Enabling user mapping (optional). If you are using RADIUS or EAP authentication and the Forefront TMG is a member of the domain, enable user mapping for VPN remote access clients that are authenticated by RADIUS or EAP.
  • Verifying VPN connectivity.
  • Enabling Quarantine Control (optional).

Create users and groups for remote VPN clients

Where to start: Click Start, click Run, type compmgmt.msc, and then press ENTER. This command opens the Computer Management window.

  1. In Computer Management, click Local Users and Groups, right-click Groups, and then select New Group.

  2. In New Group, type a name for the group, and then click Create, and click Close.

  3. Click Users. For each user that you want to have remote VPN access, perform the following actions:

    1. Double-click the user to display its properties.

    2. On the Member Of tab, click Add.

    3. In Enter the object names to select, type the name of the group, and then click OK.

    4. On the Dial-in tab, select Control access through Remote Access Policy, and then click OK.


      Only users with the dial-in properties configured can use Forefront TMG for remote VPN client access.
      When you configure VPN client access to specify which local groups have remote access, you can add only the following groups:

    • HelpServicesGroup

    • IIS_WPG

    • TelnetClients


      You cannot add other local built-in groups, such as Administrators, Backup Operators, or Power Users. These local groups are generic, and Forefront TMG cannot distinguish between local administrators and domain administrators.
      In native-mode Active Directory domains, domain accounts have dial-in access controlled by Remote Access Policy by default. In non-native mode (mixed) Active Directory domains, you must enable dial-in access for each domain user account requiring VPN access. For each account, select Allow Access on the Dial-in tab.
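The same group and dial-in configuration, scripted in PowerShell for the Forefront TMG computer. This is an added example, not part of the original topic: the group name "VPN Clients" and the accounts alice, bob and carol are constructed placeholders, the local part uses the ADSI WinNT provider and the RRAS netsh context, and the domain part assumes the ActiveDirectory module is available on a domain-joined server.

```powershell
# Added example (not from the original topic). Run in an elevated session
# on the Forefront TMG computer. Names below are constructed placeholders.
$groupName  = "VPN Clients"
$localUsers = @("alice", "bob")      # constructed local accounts

# 1. Create the local group if it does not exist (same result as
#    Computer Management > Local Users and Groups > Groups > New Group).
$groupPath = "WinNT://$env:COMPUTERNAME/$groupName,group"
if (-not [ADSI]::Exists($groupPath)) {
    $newGroup = ([ADSI]"WinNT://$env:COMPUTERNAME").Create("Group", $groupName)
    $newGroup.SetInfo()
}
$group = [ADSI]$groupPath

# 2. Add each local user to the group (Member Of tab) and set its dial-in
#    property to "Control access through Remote Access Policy" (Dial-in tab).
foreach ($u in $localUsers) {
    $userPath = "WinNT://$env:COMPUTERNAME/$u,user"
    if (-not [ADSI]::Exists($userPath)) {
        Write-Warning "Local user '$u' not found; skipping."
        continue
    }
    try   { $group.Add($userPath) }        # throws if already a member
    catch { Write-Verbose "'$u' is already a member of '$groupName'." }
    netsh ras set user name=$u dialin=policy | Out-Null
}

# 3. Domain accounts: in a native-mode domain, dial-in access is already
#    controlled by Remote Access Policy (msNPAllowDialin unset). In a
#    mixed-mode domain each account needs "Allow Access" set explicitly.
Import-Module ActiveDirectory              # assumption: RSAT AD module present
$domainUsers = @("carol")                  # constructed domain account
$mixedMode   = $false                      # set to $true for a mixed-mode domain
foreach ($u in $domainUsers) {
    if ($mixedMode) {
        Set-ADUser -Identity $u -Replace @{ msNPAllowDialin = $true }   # Allow Access
    } else {
        Set-ADUser -Identity $u -Clear msNPAllowDialin   # Control through policy
    }
}

# 4. Show the resulting dial-in settings for review.
netsh ras show user
```

The group created here is the one added later on the Groups tab of the VPN Clients Properties dialog box; built-in groups such as Administrators are still rejected there, as the note above explains.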

Enable and configure remote access for VPN clients

Where to start: In the Forefront TMG Management console tree, click Virtual Private Networks (VPN), and in the details pane, click the VPN Clients tab.

  1. On the Tasks tab, click Enable VPN Client Access to open the VPN Clients Properties dialog box.

  2. On the General tab, click Enable VPN Client Access.


    When you enable VPN client access, a system policy rule named Allow VPN clients to firewall is enabled.
    After enabling remote client VPN access, a default network rule is enabled to establish a routing relationship between the Internal network and the two VPN clients networks (VPN Clients and Quarantined VPN Clients).
    You should create access rules to allow appropriate access to VPN clients. For example, you can create a rule to allow access from the VPN Clients network to the Internal network on all protocols or for specific protocols.

  3. In Maximum number of VPN clients allowed, type the maximum number of VPN clients that can connect simultaneously. Note that a maximum of 1,000 VPN clients can connect simultaneously.

  4. On the Protocols tab, select one or more of the following:

    • Enable PPTP

    • Enable L2TP/IPsec


      If you enable remote VPN clients to connect to Forefront TMG by using the L2TP tunneling protocol, a certificate is required.

  5. On the Groups tab, click Add, and add the VPN Clients group that you created in the procedure "Create users and groups for remote VPN clients". Click OK to close the VPN Clients Properties dialog box.


    You cannot add the Windows built-in user groups as VPN users. Built-in domain groups may be used (even in a situation where the Forefront TMG server is also the domain controller).

Enable user mapping (optional)

Enable user mapping in order to apply default firewall policy access rules to users authenticating via RADIUS or EAP.

  1. On the User Mapping tab, click Enable User Mapping.

  2. If the user name to be mapped does not include a domain name, select When username does not contain a domain, use this domain. Then, in Domain Name, type the name of the domain to use.


    If the Remote Authentication Dial-In User Service (RADIUS) server and Forefront TMG are in different domains (or if one is in a workgroup), user mapping is supported only for Password Authentication Protocol (PAP) and Shiva Password Authentication Protocol (SPAP) authentication methods. Do not use user mapping if any other authentication method is configured.
    User mapping can be used only when Forefront TMG is installed in a domain. Do not enable user mapping in a workgroup environment.
    The user mapping feature is required only when you create a group-based firewall policy. To build a user-based policy, you can define user sets with RADIUS namespaces instead.

Verify VPN connectivity

To verify VPN connectivity, you can monitor remote access usage and authentication attempts via the Sessions viewer.

  • On the Tasks tab, click Monitor VPN Clients. The Sessions viewer displays the data for VPN clients connecting to Forefront TMG.

Enable quarantine control (optional)

You may want to quarantine each VPN client when it connects to ensure that it complies with your security policy. VPN clients that do not comply are allowed to connect only to resources on the Internal network from which they can retrieve the software or updates needed to achieve compliance, but are not allowed general access to corporate resources. For more information, see Configuring NAP based quarantine and Configuring RQS/RQC based quarantine control.