I am having trouble configuring a site to site VPN using Forefront TMG (MBE) and a couple of Draytek Routers. Our system is as follows:
Windows Essential Business Server (EBS2008) network in our head office. EBS2008 comes as 3 servers, one server is for Forefront TMG and I have it configured as a backend firewall. In front of this is a Draytek 3300V which has 3 broadband connections. Each has a public IP address.
Forefront TMG internal NIC = 192.168.1.1
Forefront TMG external NIC = 172.16.1.2
Draytek LAN IP 172.16.1.1
At the site office I have a Draytek 2110 which is dynamically assigned its public IP from the ISP. The internal network behind is 192.168.2.X
I have created a site to site VPN between these 2 Draytek routers; it runs fine.
The Draytek at the site office has modified its routing table and added 172.16.1.X via the VPN. Additionally, another setting has allowed me to also add 192.168.1.X via this VPN.
This then seems correct to me.
The Draytek at the head office has also modified its routing table and added 192.168.2.X via the VPN. I have also added a static route in this device to route 192.168.1.X traffic back to the Forefront gateway 172.16.1.2.
So at this point, from inside my head office LAN I can ping any device at the site office. From the site back to the head office, I can ping any device on the perimeter LAN 172.16.1.X, which includes the Forefront external NIC. When I try and ping the Forefront internal NIC I get a request timed out. However, when I watch the Forefront log, I can see the request come in. It does error out, but at least I can see an incoming connection trying to be made, and therefore I believe all the routing associated with the Drayteks is correct and nothing else is needed. If I place a PC into this perimeter network (172.16.1.X) I can ping the internal NIC of Forefront; I read somewhere this was made possible to check networking.
From here on I have followed this guide (and this is where I'm having the trouble)
From the web page above I have made the changes on Forefront as per item #4 a) steps i. through iii. (here below is the text from the web page):
4. Choices with site to site VPN configurations (if applicable)
Site to Site VPNs are commonly used to provide connectivity to remote branches. The branch network is connected using a VPN tunnel into the VPN device (typically the front end firewall) – with EBS Security Server installed behind the existing front end firewall, you have 2 choices:
a. A simple option is to continue to terminate VPN at the front end firewall and configure EBS Security Server to route traffic between the branch networks and your internal network. The steps involved are:
i. Create an “Address Range” object for each branch subnet.
ii. Add a Network rule of type “route” and place it above default NAT rule.
iii. Add an array access rule allowing traffic between branch network address range and internal network.
After applying steps i. & ii. above, I can still ping any IP at the remote site from inside the head office network. However, after applying step iii. I can no longer ping any device at the remote network from inside the head office. I can however ping any device at the remote office from the Forefront machine itself (probably because the Forefront PC's gateway is on the external NIC and not the internal NIC).
From within the head office network, although I can't ping any device any longer, I can pull up the logon page of the remote office Draytek router; I can also pull up an IIS7 default page where IIS is installed on one of the servers down at the remote office. I can't connect to any of the servers with MSTSC or connect with UNC naming; they all just time out. All can still be done from the Forefront server but no others inside the head office network.
The only other item I can think to include is that the remote site isn't actually a remote site. It's not a part of our local domain. The remote site is an SBS domain and a separate company which I need to make a few connections to.
The above is all pretty long and drawn out; I've done this to try and be as thorough as possible.
Thanks in advance for any assistance
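Step ii of the quoted guide hinges on rule order: TMG network rules are evaluated first-match, a "route" relationship applies in both directions, while the default NAT rule only applies from Internal outwards. The simplified model below, added here as an illustration and not TMG's own code or API, uses the post's subnets (192.168.1.0/24 internal, 192.168.2.0/24 branch) to show what the traffic from an internal host to the branch gets when the route rule sits above or below the default NAT rule, and why a branch host can only reach an internal host once a route relationship exists; treating everything outside the two LANs as "External" is a constructed simplification.

```python
import ipaddress

# Constructed model of the TMG network objects named in the post (not TMG's real API).
INTERNAL = [ipaddress.ip_network("192.168.1.0/24")]     # network behind TMG's internal NIC
BRANCH   = [ipaddress.ip_network("192.168.2.0/24")]     # "Address Range" object from step i
EXTERNAL = [ipaddress.ip_network("0.0.0.0/0")]          # simplification: everything else, incl. 172.16.1.0/24

def _in(nets, ip):
    return any(ip in n for n in nets)

def evaluate(rules, src, dst):
    """First-match evaluation of TMG-style network rules (simplified).
    A 'route' rule matches in both directions; a 'nat' rule only matches from -> to."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, frm, to, action in rules:
        if _in(frm, src) and _in(to, dst):
            return name, action
        if action == "route" and _in(to, src) and _in(frm, dst):
            return name, action
    return None, "drop"   # no network relationship at all: TMG discards the packet

ROUTE_RULE = ("Branch <-> Internal (step ii)", INTERNAL, BRANCH, "route")
NAT_RULE   = ("Internet Access (default NAT)", INTERNAL, EXTERNAL, "nat")

def correct_order():
    """Route rule placed above the default NAT rule, as step ii requires."""
    return evaluate([ROUTE_RULE, NAT_RULE], "192.168.1.10", "192.168.2.20")[1]

def wrong_order():
    """Route rule left below the default NAT rule: the NAT rule wins first-match."""
    return evaluate([NAT_RULE, ROUTE_RULE], "192.168.1.10", "192.168.2.20")[1]

def branch_to_internal(rules):
    """A branch host (e.g. replying, or initiating RDP) towards an internal host."""
    return evaluate(rules, "192.168.2.20", "192.168.1.10")[1]

if __name__ == "__main__":
    print("internal -> branch, route rule above NAT:", correct_order())
    print("internal -> branch, route rule below NAT:", wrong_order())
    print("branch -> internal, default NAT rule only:", branch_to_internal([NAT_RULE]))
    print("branch -> internal, route rule present:  ", branch_to_internal([ROUTE_RULE, NAT_RULE]))
```

With the route rule in the wrong position the internal host's packets leave NATed to TMG's external address, so the branch never sees 192.168.1.x as a source; with no route relationship at all, branch-initiated traffic has no matching rule and is dropped before any access rule is consulted.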