  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2025

How do I configure Site-to-Site VPN between TMG and Cyberoam UTM?

Hi EE members, I'm currently doing my homework on an upcoming project which requires the deployment of a Cyberoam CR35wi UTM device at one of our remote offices, linking to the EBS2008 Security Server (running TMG Medium Business Edition) at our HQ. Currently this is configured using RRAS and a more secure link is required, which is where the UTM comes into the picture. You'll also note the wireless bridge being employed to provide a low-cost, high-speed link for the VPN tunnel. So far this works very well, so I won't be changing it for this particular site.

The envisaged result would look as follows:
[Image: Target network layout]
So far I've found some reading material at the Cyberoam KB site: VPN Interoperability, and would like to obtain some tips which are TMG specific.

Any feedback will be appreciated.
Regards,
Byron.
0
2 Solutions
 
pwindell Commented:
1. It isn't done with RRAS,...it is done with TMG,...then TMG leverages RRAS behind the scenes.  Stay out of the RRAS MMC,...don't even open it,...you're playing with fire if you do.  TMG takes over RRAS and all RRAS config is done via the TMG MMC.

2. Because it is a mix of TMG and another 3rd Party product (rather than two TMGs) the only option for the site-to-Site Tunnel is using IPSec,...you cannot use PPTP or L2TP.

3. The communications medium is totally irrelevant.  Copper,...Fiber,...radio waves,...two-cans-and-a-string,...smoke signals,...it really makes no difference,...connectivity is just connectivity.  It does not change how the VPN is done.
0
 
SEFIT (Author) Commented:
Hi pwindell, thanks for the input. It seems I was unclear about RRAS; this is used by the current remote gateway, a Server 2003 DC, and not the TMG server (I know never to go there ;) ).

You're also spot-on with the IPSec recommendation. I've been looking at the MS TechNet article for Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and Third-Party Gateways, but seeing as I'm dealing with the runt of the Forefront family I'd like to get more input from more experienced ISA/TMG users (such as yourself), especially concerning Cyberoam UTM's.

As always, any feedback is appreciated.
Regards,
Byron.
0
 
pwindell Commented:
> a Server 2003 DC, and not the TMG server (I know never to go there ;) ).

OK, no problem.

> but seeing as I'm dealing with the runt of the Forefront family I'd like to get more input from more experienced ISA/TMG users (such as yourself), especially concerning Cyberoam UTM's.

Well,...TMG is the King of the Product Line (and the most advanced firewall product on the market) with 11 years of development history under its belt,...and with UAG being the Queen of the Product Line,... and everything else below them in the Product Line still needing development (IMO),...I don't know where you get the idea it is the runt of the family.  However unless you mean you are using EBS which is the runt of the Server Family, and just slightly above the SBS variant,...that I would agree with.

Experiencewise:
I'm one of the only two MVPs for ISA/TMG in the United States.  The rest are mostly in European areas.
0
 
pwindell Commented:
Ok, yes,..I see,..the Medium Business Edition,...now I know what you mean.
0
 
SEFIT (Author) Commented:
> Ok, yes,..I see,..the Medium Business Edition,...now I know what you mean.

Hehe, yes we're using EBS and quite so re. its particular flavour of TMG; it's like ISA 2006 with a TMG skin...
Re. EBS; I'm planning on migrating to its discrete components falling back on Cyberoam UTM's for security and content filtering, etc. Don't get me wrong, I have great respect for ISA/TMG but think it's too fussy for our needs right now. A UTM, for all its shortcomings, is far easier to plug-n-play.

Regards,
Byron.
0
 
pwindell Commented:
I understand :-)
I even keep a Sonicwall alongside the ISA we have and use it for certain limited tasks that are just easier to deal with than doing it on the ISA.

Anyway, it being EBS with the MBE-TMG shouldn't affect how the VPN is done.  Doing the IPSec Site-to-Site should be the same from ISA2004 all the way up to the current TMG.
0
 
SEFIT (Author) Commented:
Thanks for the feedback so far pwindell, much appreciated. I'll be reviewing the material from MS TechNet and cross reference with the Cyberoam KB for an IPSec site-to-site VPN. Hopefully there won't be too many snags and any tips are always welcome :-)
0
 
SEFIT (Author) Commented:
A more detailed answer was expected but the solution provided will suffice as guidance.
0
