Solved

How do I configure Site-to-Site VPN between TMG and Cyberoam UTM?

Posted on 2011-03-15
Medium Priority
2,014 Views
Last Modified: 2012-05-11
Hi EE members, I'm currently doing my homework on an upcoming project which requires the deployment of a Cyberoam CR35wi UTM device at one of our remote offices, linking to the EBS2008 Security Server (running TMG Medium Business Edition) at our HQ. Currently this is configured using RRAS and a more secure link is required which is where the UTM comes into the picture. You'll also note the wireless bridge being employed to provide a low-cost, high-speed link for the VPN tunnel. So far this works very well, so I won't be changing it for this particular site.

The envisaged result would look as follows:
 Target network layout
So far I've found some reading material at the Cyberoam KB site: VPN Interoperability, and would like to obtain some tips which are TMG specific.

Any feedback will be appreciated.
Regards,
Byron.
Question by:SEFIT
9 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 35147674
1. It isn't done with RRAS,...it is done with TMG,...then TMG leverages RRAS behind the scenes.  Stay out of the RRAS MMC,...don't even open it,...you're playing with fire if you do.  TMG takes over RRAS and all RRAS config is done via the TMG MMC.

2. Because it is a mix of TMG and another 3rd Party product (rather than two TMGs) the only option for the Site-to-Site Tunnel is using IPSec,...you cannot use PPTP or L2TP.

3. The communications medium is totally irrelevant.  Copper,...Fiber,...radio waves,...two-cans-and-a-string,...smoke signals,...it really makes no difference,...connectivity is just connectivity.  It does not change how the VPN is done.
0
 

Author Comment

by:SEFIT
ID: 35148004
Hi pwindell, thanks for the input. It seems I was unclear about RRAS; this is used by the current remote gateway, a Server 2003 DC, and not the TMG server (I know never to go there ;) ).

You're also spot-on with the IPSec recommendation. I've been looking at the MS TechNet article for Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and Third-Party Gateways, but seeing as I'm dealing with the runt of the Forefront family I'd like to get more input from more experienced ISA/TMG users (such as yourself), especially concerning Cyberoam UTMs.

As always, any feedback is appreciated.
Regards,
Byron.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35148151
"a Server 2003 DC, and not the TMG server (I know never to go there ;) )."

OK, no problem.

"but seeing as I'm dealing with the runt of the Forefront family I'd like to get more input from more experienced ISA/TMG users (such as yourself), especially concerning Cyberoam UTMs."

Well,...TMG is the King of the Product Line (and the most advanced firewall product on the market) with 11 years of development history under its belt,...and with UAG being the Queen of the Product Line,... and everything else below them in the Product Line still needing development (IMO),...I don't know where you get the idea it is the runt of the family.  However unless you mean you are using EBS which is the runt of the Server Family, and just slightly above the SBS variant,...that I would agree with.

Experiencewise:
I'm one of the only two MVPs for ISA/TMG in the United States.  The rest are mostly in European areas.
0

 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1500 total points
ID: 35148175
Ok, yes,..I see,..the Medium Business Edition,...now I know what you mean.
0
 

Author Comment

by:SEFIT
ID: 35148426
"Ok, yes,..I see,..the Medium Business Edition,...now I know what you mean."

Hehe, yes we're using EBS and quite so re. its particular flavour of TMG; it's like ISA 2006 with a TMG skin...
Re. EBS; I'm planning on migrating to its discrete components falling back on Cyberoam UTMs for security and content filtering, etc. Don't get me wrong, I have great respect for ISA/TMG but think it's too fussy for our needs right now. A UTM, for all its shortcomings, is far easier to plug-n-play.

Regards,
Byron.
0
 
LVL 29

Accepted Solution

by:
pwindell earned 1500 total points
ID: 35148726
I understand :-)
I even keep a Sonicwall alongside the ISA we have and use it for certain limited tasks that are just easier to deal with than doing it on the ISA.

Anyway, it being EBS with the MBE-TMG shouldn't affect how the VPN is done.  Doing the IPSec Site-to-Site should be the same from ISA2004 all the way up to the current TMG.
0
 

Author Comment

by:SEFIT
ID: 35154677
Thanks for the feedback so far pwindell, much appreciated. I'll be reviewing the material from MS TechNet and cross reference with the Cyberoam KB for an IPSec site-to-site VPN. Hopefully there won't be too many snags and any tips are always welcome :-)
0
 

Author Closing Comment

by:SEFIT
ID: 35364374
A more detailed answer was expected but the solution provided will suffice as guidance.
0
