Solved

How do I configure Site-to-Site VPN between TMG and Cyberoam UTM?

Posted on 2011-03-15
1,932 Views
Last Modified: 2012-05-11
Hi EE members, I'm currently doing my homework on an upcoming project which requires the deployment of a Cyberoam CR35wi UTM device at one of our remote offices, linking to the EBS2008 Security Server (running TMG Medium Business Edition) at our HQ. Currently this is configured using RRAS and a more secure link is required, which is where the UTM comes into the picture. You'll also note the wireless bridge being employed to provide a low-cost, high-speed link for the VPN tunnel. So far this works very well, so I won't be changing it for this particular site.

The envisaged result would look as follows:
[Image: Target network layout]
So far I've found some reading material at the Cyberoam KB site: VPN Interoperability, and would like to obtain some tips which are TMG specific.

Any feedback will be appreciated.
Regards,
Byron.
Question by:SEFIT
 
LVL 29

Expert Comment

by:pwindell
ID: 35147674
1. It isn't done with RRAS,...it is done with TMG,...then TMG leverages RRAS behind the scenes.  Stay out of the RRAS MMC,...don't even open it,...you're playing with fire if you do.  TMG takes over RRAS and all RRAS config is done via the TMG MMC.

2. Because it is a mix of TMG and another 3rd Party product (rather than two TMGs) the only option for the site-to-Site Tunnel is using IPSec,...you cannot use PPTP or L2TP.

3. The communications medium is totally irrelevant.  Copper,...Fiber,...radio waves,...two-cans-and-a-string,...smoke signals,...it really makes no difference,...connectivity is just connectivity.  It does not change how the VPN is done.
 

Author Comment

by:SEFIT
ID: 35148004
Hi pwindell, thanks for the input. It seems I was unclear about RRAS; this is used by the current remote gateway, a Server 2003 DC, and not the TMG server (I know never to go there ;) ).

You're also spot-on with the IPSec recommendation. I've been looking at the MS TechNet article for Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and Third-Party Gateways, but seeing as I'm dealing with the runt of the Forefront family I'd like to get more input from more experienced ISA/TMG users (such as yourself), especially concerning Cyberoam UTMs.

As always, any feedback is appreciated.
Regards,
Byron.
 
LVL 29

Expert Comment

by:pwindell
ID: 35148151
a Server 2003 DC, and not the TMG server (I know never to go there ;) ).

OK, no problem.

but seeing as I'm dealing with the runt of the Forefront family I'd like to get more input from more experienced ISA/TMG users (such as yourself), especially concerning Cyberoam UTMs.

Well,...TMG is the King of the Product Line (and the most advanced firewall product on the market) with 11 years of development history under its belt,...and with UAG being the Queen of the Product Line,... and everything else below them in the Product Line still needing development (IMO),...I don't know where you get the idea it is the runt of the family.  However, unless you mean you are using EBS, which is the runt of the Server Family, and just slightly above the SBS variant,...that I would agree with.

Experiencewise:
I'm one of the only two MVPs for ISA/TMG in the United States.  The rest are mostly in European areas.
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 500 total points
ID: 35148175
Ok, yes,..I see,..the Medium Business Edition,...now I know what you mean.

Author Comment

by:SEFIT
ID: 35148426
Ok, yes,..I see,..the Medium Business Edition,...now I know what you mean.

Hehe, yes we're using EBS and quite so re. its particular flavour of TMG; it's like ISA 2006 with a TMG skin...
Re. EBS: I'm planning on migrating to its discrete components, falling back on Cyberoam UTMs for security and content filtering, etc. Don't get me wrong, I have great respect for ISA/TMG but think it's too fussy for our needs right now. A UTM, for all its shortcomings, is far easier to plug-n-play.

Regards,
Byron.
 
LVL 29

Accepted Solution

by:pwindell
pwindell earned 500 total points
ID: 35148726
I understand :-)
I even keep a Sonicwall along side the ISA we have and use it for certain limited tasks that are just easier to deal with than doing it on the ISA.

Anyway, it being EBS with the MBE-TMG shouldn't affect how the VPN is done.  Doing the IPSec Site-to-Site should be the same from ISA2004 all the way up to the current TMG.
 

Author Comment

by:SEFIT
ID: 35154677
Thanks for the feedback so far pwindell, much appreciated. I'll be reviewing the material from MS TechNet and cross-reference it with the Cyberoam KB for an IPSec site-to-site VPN. Hopefully there won't be too many snags, and any tips are always welcome :-)
 

Author Closing Comment

by:SEFIT
ID: 35364374
A more detailed answer was expected but the solution provided will suffice as guidance.