setup TMG 2010 remote access VPN, have fowarded ports from router getting error 809...

Hi all,

im just setting up my TMG server for remote access vpn for users

on my router i have fowarded ports 1812 & 1813 TCP to my firewalls external interface
and have fowarded UDP 1701 to firewalls ext interface also

on TMG i have done the following  + screens...
VPN Client Properties -
General tab:enable VPN checked & 100 users
Groups tab: no groups and unable to add remove anything
Protocols tab: L2TP/IPSec is checked no others are
User Mapping tab: nothing checked all blank
Quarantine tab: nothing checked all blank

Remote Access Policy Properties
Access Networks: External checked | interal checked for testing purposes
Address assignment: DHCP and use internal card | advanced properties left as default
authentication: see screen 1
radius: see screen 2

NPS Settings & RRAS settings i havent touched yet there all default

anyone see where im going wrong?
im thinking along the lines of, do i need radius settings?


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Amit BhatnagarSystems Development Principal - Security and InfrastructureCommented:
If you are using your TMG as the end point for VPN Users, then the Router only requires the correct port configuration. You also do NOT need to use 1812\1813 since they are RADIUS ports. What are you using to authenticate on TMG. Local SAM or AD. If it is AD and TMG is not a part of AD then you need to configure RADIUS that will be inside your Network. These ports are not required on your Router. Port requirements are below :

IP Protocol ID 50:
IP Protocol ID 51:
UDP Port :4500 NATT
UDP Port 1701
From the article : 

An encapsulated solution might consist of a VPN gateway located behind a filtering router using Layer 2 Tunneling Protocol (L2TP) together with IPsec. In this encapsulated scenario, you must allow IPsec Encapsulating Security Protocol (ESP) (IP protocol 50), IPsec Network Address Translator Traversal NAT-T (UDP port 4500), and IPsec Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500) through the router.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
awilderbeastAuthor Commented:
ok i followed that article but then i had to remove all the EAP options as i dont have a certificate for VPN

im getting error 809 still

ive fowarded all the ports Bammit Suggested

and on the TMG i have the following settings now

any ideas?

Do you ping external nic of TMG server from outside?
You need to create AAA infrastructure.
Authentication=AD authentication
Authorization=TMG server i.e. VPN server
Accounting=TMG server

To authorize L2TP/IPSec VPN access, you need smart card/certificate. EAP-TLS is the 100% secure option for L2TP/IPSec. Without certificate, it will not work.

I can see your screenshot, Are you using Radius Authentication? You dont need Radius. However, your Radius config isnt right. You must use certificate whatever you do. Dont use pre-shared key if you dont have macintosh client.

error 809 means you have NAT or firewall setup in between remote client and vpn server. do not forward port or dont setup NAT between router and TMG server. Make sure you can ping external NIC.

Why dont you use Microsoft VPN server or NAP server. see these links for further references

Good luck.

awilderbeastAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.