How do I configure Site-to-Site VPN between TMG and Cyberoam UTM?

Posted on 2011-03-15
Last Modified: 2012-05-11
Hi EE members, I'm currently doing my homework on an upcoming project which requires the deployment of a Cyberoam CR35wi UTM device at one of our remote offices, linking to the EBS2008 Security Server (running TMG Medium Business Edition) at our HQ. Currently this is configured using RRAS and a more secure link is required, which is where the UTM comes into the picture. You'll also note the wireless bridge being employed to provide a low-cost, high-speed link for the VPN tunnel. So far this works very well, so I won't be changing it for this particular site.

The envisaged result would look as follows:
[Figure: Target network layout]
So far I've found some reading material at the Cyberoam KB site: VPN Interoperability, and would like to obtain some tips which are TMG specific.

Any feedback will be appreciated.
Regards,
Byron.
Question by:SEFIT
9 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 35147674
1. It isn't done with RRAS,...it is done with TMG,...then TMG leverages RRAS behind the scenes.  Stay out of the RRAS MMC,...don't even open it,...you're playing with fire if you do.  TMG takes over RRAS and all RRAS config is done via the TMG MMC.

2. Because it is a mix of TMG and another 3rd Party product (rather than two TMGs) the only option for the site-to-Site Tunnel is using IPSec,...you cannot use PPTP or L2TP.

3. The communications medium is totally irrelevant.  Copper,...Fiber,...radio waves,...two-cans-and-a-string,...smoke signals,...it really makes no difference,...connectivity is just connectivity.  It does not change how the VPN is done.
0
 

Author Comment

by:SEFIT
ID: 35148004
Hi pwindell, thanks for the input. It seems I was unclear about RRAS; this is used by the current remote gateway, a Server 2003 DC, and not the TMG server (I know never to go there ;) ).

You're also spot-on with the IPSec recommendation. I've been looking at the MS TechNet article for Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and Third-Party Gateways, but seeing as I'm dealing with the runt of the Forefront family I'd like to get more input from more experienced ISA/TMG users (such as yourself), especially concerning Cyberoam UTM's.

As always, any feedback is appreciated.
Regards,
Byron.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35148151
"a Server 2003 DC, and not the TMG server (I know never to go there ;) )."

OK, no problem.

"but seeing as I'm dealing with the runt of the Forefront family I'd like to get more input from more experienced ISA/TMG users (such as yourself), especially concerning Cyberoam UTM's."

Well,...TMG is the King of the Product Line (and the most advanced firewall product on the market) with 11 years of development history under its belt,...and with UAG being the Queen of the Product Line,... and everything else below them in the Product Line still needing development (IMO),...I don't know where you get the idea it is the runt of the family.  However unless you mean you are using EBS which is the runt of the Server Family, and just slightly above the SBS variant,...that I would agree with.

Experiencewise:
I'm one of the only two MVPs for ISA/TMG in the United States.  The rest are mostly in European areas.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1500 total points
ID: 35148175
Ok, yes,..I see,..the Medium Business Edition,...now I know what you mean.
0
 

Author Comment

by:SEFIT
ID: 35148426
"Ok, yes,..I see,..the Medium Business Edition,...now I know what you mean."

Hehe, yes we're using EBS and quite so re. its particular flavour of TMG; it's like ISA 2006 with a TMG skin...
Re. EBS; I'm planning on migrating to its discrete components falling back on Cyberoam UTM's for security and content filtering, etc. Don't get me wrong, I have great respect for ISA/TMG but think it's too fussy for our needs right now. A UTM, for all its shortcomings, is far easier to plug-n-play.

Regards,
Byron.
0
 
LVL 29

Accepted Solution

by:
pwindell earned 1500 total points
ID: 35148726
I understand :-)
I even keep a Sonicwall along side the ISA we have and use it for certain limited tasks that are just easier to deal with than doing it on the ISA.

Anyway, it being EBS with the MBE-TMG shouldn't affect how the VPN is done.  Doing the IPSec Site-to-Site should be the same from ISA2004 all the way up to the current TMG.
0
 

Author Comment

by:SEFIT
ID: 35154677
Thanks for the feedback so far pwindell, much appreciated. I'll be reviewing the material from MS TechNet and cross reference with the Cyberoam KB for an IPSec site-to-site VPN. Hopefully there won't be too many snags and any tips are always welcome :-)
0
 

Author Closing Comment

by:SEFIT
ID: 35364374
A more detailed answer was expected but the solution provided will suffice as guidance.
0
