Thread: Possible to have TMG and VPN side by side? (Internet Related/Filtering/Firewall, Technical forum)
#1 by nLinked

    Possible to have TMG and VPN side by side?

    We have TMG 2010 on Server 2008 R2. The TMG acts as our proxy server and has a 443 HTTPS listener installed.

Is it still possible to use this same server to act as an RDP gateway (I believe this also uses port 443) so we can VPN to it from outside and let this server forward our RDP session to any internal machine? Is this something that is normally done, or do we HAVE to have a separate server for VPN/RDP purposes?

#2 by MicrosoftTechy

Yes, you can, if you have an external DNS host name, for example remote.yourschool.sch.uk, and set up a new listener and add this in the domain list.

#3 by SYNACK

Yes, so long as your TMG is set up to use an HTTPS listener so that it can crack open the traffic, you'll be fine. The TMG can redirect based on folders and RDP gateway, so you can redirect to different servers if it needs to; we do the same with OWA and RemoteApp on one SSL connection.

#4 by nLinked

    Thanks both. Currently we have the normal HTTPS listener in TMG (443) which is used for accessing secure internal sites from outside. We have requested a new subdomain from our LA just for vpn purposes.

    Just to clarify, can we use the same HTTP web listener or do we have to make a new one in TMG? Our LA only allows RDP gateway over 443.

#5 by MicrosoftTechy

I would create a new HTTPS listener for this and call it VPN or something, with a subdomain name like vpn.myschool.sch.uk etc., so all traffic that comes via port 443 with the hostname vpn.myschool.sch.uk is then forwarded to PC xxx.xxx.xxx.xxx.

#6 by pantscat

    Just a quick question - is there any particular reason you're not using TMG as your VPN?

#7 by SYNACK

Originally posted by nLinked:
> Thanks both. Currently we have the normal HTTPS listener in TMG (443) which is used for accessing secure internal sites from outside. We have requested a new subdomain from our LA just for VPN purposes.
>
> Just to clarify, can we use the same HTTP web listener or do we have to make a new one in TMG? Our LA only allows RDP gateway over 443.

So long as you are endpointing the SSL tunnel on the TMG so that you can use rules to split the traffic to different servers based on URL folders. We use rules to split off RD Gateway from OWA on different servers here via ISA. TMG was a bit of a horror show for us; five rebuilds later it never worked right and we just went back to ISA.
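
The split SYNACK describes in #3 and #7 (terminate TLS on the TMG, then send different URL folders to different internal servers) and the hostname-based listener MicrosoftTechy suggests in #5 both come down to one routing decision taken on the decrypted request. The Python below is an added illustration of that decision; it is not TMG code and not anything posted in this thread. TMG expresses the same idea as web publishing rules attached to an HTTPS listener. All hostnames, internal addresses and folder names (/owa/, /rpc/) are constructed placeholders, and the sample request is constructed too.

```python
"""Route connections arriving on one 443 listener to different internal servers.

Added illustration, not TMG code. The listener must terminate (decrypt) TLS
to see the HTTP Host header and path; a pass-through TCP listener only sees
the TLS SNI name, so folder-based rules cannot work there.
"""
import posixpath
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    host: str         # public hostname the rule applies to (lower-case)
    path_prefix: str  # URL folder; "/" is the catch-all for that host
    backend: str      # internal server (constructed placeholder address)


# Constructed routing table. Hostnames, folders and addresses are assumptions
# standing in for whatever a site's own publishing rules use.
ROUTES = [
    Route("vpn.myschool.sch.uk", "/", "10.0.0.20:443"),          # RD Gateway host
    Route("remote.myschool.sch.uk", "/owa/", "10.0.0.10:443"),   # OWA folder
    Route("remote.myschool.sch.uk", "/rpc/", "10.0.0.20:443"),   # assumed RDG RPC folder
    Route("remote.myschool.sch.uk", "/", "10.0.0.30:443"),       # default intranet site
]

# Constructed sample request, as the listener would see it after decryption.
SAMPLE_REQUEST = (
    b"GET /owa/auth/logon.aspx HTTP/1.1\r\n"
    b"Host: remote.myschool.sch.uk\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)


def normalise_path(path: str) -> str:
    """Canonicalise the request path before prefix matching.

    Without this, "/owa/../rpc/x" would match the /owa/ rule textually but be
    served by the backend as /rpc/x, i.e. published under the wrong rule.
    """
    path = path.split("?", 1)[0]            # rule matching ignores the query string
    norm = posixpath.normpath(path)         # collapses "." and ".." segments
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                         # keep the trailing slash folder rules rely on
    return norm


def parse_request(raw: bytes) -> Tuple[str, str, Optional[str]]:
    """Return (method, path, host) from the request line and Host header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().split(":")[0].lower()   # drop any ":443" suffix
    return method, path, host


def select_backend(host: str, path: str, routes=ROUTES) -> Optional[str]:
    """Longest matching folder on the matching host wins; None if no rule applies."""
    host = host.lower()
    path = normalise_path(path)
    best = None
    for r in routes:
        if r.host == host and path.startswith(r.path_prefix):
            if best is None or len(r.path_prefix) > len(best.path_prefix):
                best = r
    return best.backend if best else None


def route_connection(sni_host: str, raw_request: bytes, terminate_tls: bool) -> Optional[str]:
    """Pick the backend for one inbound 443 connection.

    terminate_tls=False models a pass-through listener: the proxy never sees
    the HTTP request, so the TLS SNI name is the only selector and only the
    host's catch-all ("/") rule can apply. terminate_tls=True models an HTTPS
    listener that decrypts, so Host and path are both available.
    """
    if not terminate_tls:
        return select_backend(sni_host, "/")
    _method, path, host = parse_request(raw_request)
    if host is None or host != sni_host.lower():
        return None   # Host header must agree with SNI; refuse mismatches
    return select_backend(host, path)


if __name__ == "__main__":
    for terminate in (False, True):
        print(f"terminate_tls={terminate}:",
              route_connection("remote.myschool.sch.uk", SAMPLE_REQUEST, terminate))
```

Two things the toy makes explicit that the posts only imply: a pass-through 443 listener can route only on the SNI name, so folder rules silently fall back to the host's catch-all; and prefix matching has to be done on a normalised path, otherwise a request for /owa/../rpc/ is published under the wrong rule.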

#8 by nLinked

Originally posted by MicrosoftTechy:
> I would create a new HTTPS listener for this and call it VPN or something, with a subdomain name like vpn.myschool.sch.uk etc., so all traffic that comes via port 443 with the hostname vpn.myschool.sch.uk is then forwarded to PC xxx.xxx.xxx.xxx.

Thanks, that sounds like exactly what we need. Will give it a go and update.

Originally posted by pantscat:
> Just a quick question - is there any particular reason you're not using TMG as your VPN?

We're on LGfL2 now; previously we had VPN working fine with PPTP and MSCHAP configured on TMG, but LGfL2 won't allow PPTP for security reasons. They do offer an RDP Gateway, and they said we can host our own RDP gateway on our own TMG via 443.

#9 by nLinked

Originally posted by MicrosoftTechy:
> I would create a new HTTPS listener for this and call it VPN or something, with a subdomain name like vpn.myschool.sch.uk etc., so all traffic that comes via port 443 with the hostname vpn.myschool.sch.uk is then forwarded to PC xxx.xxx.xxx.xxx.

Quick question: if I try to make a new Access Rule, the properties for the rule don't show a Listener tab, so I can't assign the newly created HTTPS listener to the rule. Would a Web Publishing Rule (which does have the Listener tab) be correct in this case?

(Attachment: Capture.JPG)

#10 by pantscat

Originally posted by nLinked:
> We're on LGfL2 now; previously we had VPN working fine with PPTP and MSCHAP configured on TMG, but LGfL2 won't allow PPTP for security reasons. They do offer an RDP Gateway, and they said we can host our own RDP gateway on our own TMG via 443.

Change to SSTP type VPN? That's what I'm about to try out here with Forefront... (SSTP uses port 443.)

#11 by nLinked

Originally posted by pantscat:
> Change to SSTP type VPN? That's what I'm about to try out here with Forefront... (SSTP uses port 443.)

That looks interesting. But this article says XP won't work with SSTP. Is that true? So XP home users won't be able to VPN in with SSTP? And in that case I suppose Linux too?

#12 by pantscat

    You're absolutely correct. I'm only allowing "school machines" to VPN in... thus Win7 only.
    As far as I know there isn't any SSTP client support for anything other than Win7 (Win8!) and Win 2008.

#13 by nLinked

Originally posted by pantscat:
> You're absolutely correct. I'm only allowing "school machines" to VPN in... thus Win7 only.
> As far as I know there isn't any SSTP client support for anything other than Win7 (Win8!) and Win 2008.

Thanks, we have all Win7 machines inside, which is fine, but what about users connecting from home? Do they also have to be Win7?

#14 by MicrosoftTechy

New access rule.

#15 by nLinked

Originally posted by MicrosoftTechy:
> New access rule.

Thanks, but when I try that and go to its properties, there's no Listener tab for me to assign the newly created listener to it. Maybe I'll try one of the others and see how it goes...

(Attachment: Capture.JPG)
