

TMG site to site connection

Posted on 2013-01-23
Medium Priority
Last Modified: 2013-01-23
I had a site to site connection working fine, but I then connected my remote TMG server to my domain and joined it to the domain.

I rebooted, set all the IPs back to the way they were and now I can't connect.

I had MainOffice and SiteA

on Main office my connection settings are

Username - SiteA
Connection Name - SiteA

on SiteA my connection settings are

Username - MainOffice
Connection Name - MainOffice

Here are the error messages I am receiving.

"CoId={4394C9F5-6299-4CE0-BBF7-5454FFC0F034}: The user MainOffice connected from **.**.**.** but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."


A Demand Dial connection to the remote interface SiteA on port VPN3-80 was successfully initiated but failed to complete successfully because of the  following error: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.


CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM dialed a connection named SiteA which has failed. The error code returned on failure is 812.

Here is the information about connection

CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named SiteA. The connection settings are:
Dial-in User = MainOffice
VpnStrategy = PPTP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = MS-CHAPv2
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Phonebook Entry
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = No
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No.

I have created the local users MainOffice and SiteA on both TMG servers and given them VPN access.
Question by: CaptainGiblets
LVL 16

Expert Comment

by:Bruno PACI
ID: 38809867

Can you detail what you did on IP settings so that your TMG servers are now able to resolve internal domain DNS names? Can you give us the NIC IP settings of your TMG servers?

As they are now members of an internal AD domain, your TMG servers should only use internal DNS servers to resolve any DNS name, internal or external.
TMG servers must no longer use external DNS servers.

If the TMG servers must be able to resolve internal and external names, you must make things so that your internal DNS server is configured with a DNS forwarder and is able to retransmit DNS requests for external names to external DNS servers.

To be more clear: your TMG server ONLY interrogates internal DNS servers (DNS servers that host the AD domain DNS zone). If the TMG server asks for an external DNS name, the internal DNS server uses its DNS forwarder to transmit the request to external DNS servers. The external DNS servers give the answer to the internal DNS server, which transmits the answer to the TMG server. The TMG server NEVER interrogates external DNS servers directly. That is how it should be done; that is how it MUST be done.

Did you make it that way?

Have a good day.

Author Comment

ID: 38810133
Both my ISA servers only have my internal DNS servers on their internal NIC cards.

Now my SiteA site can't resolve anything, but I expected this because it can't communicate with my internal DNS servers until the VPN connection is made, which I don't think should be affected by the DNS settings, as it is set up to use my IP address and not a domain name.
LVL 16

Accepted Solution

Bruno PACI earned 2000 total points
ID: 38810203
As your TMG servers are now members of a domain, using only "username" instead of "domain\username" or "server\username" might be ambiguous.

Can you try specifying DOMAIN\MainOffice or SERVER\MainOffice (depending on whether MainOffice is declared in the domain or as a local account on the TMG server), and do the same for SiteA.
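To make this diagnosis repeatable, here is an added Python example (not from the original thread) that parses the two RasClient event messages quoted in the question, correlates them by CoId, and flags an unqualified dial-in user name on a domain-joined server, which is the fix suggested above. The sample events are adapted from the question; the `server_domain_joined` flag and the wording of the findings are assumptions.

```python
import re

# Constructed sample input: the dial-start and dial-failure events quoted in
# the question, trimmed to the settings the checker looks at.
DIAL_EVENT = """CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named SiteA. The connection settings are:
Dial-in User = MainOffice
VpnStrategy = PPTP
DataEncryption = Require
Authentication Type = MS-CHAPv2
UseRasCredentials = Yes
ConnectOnWinlogon = No."""

FAIL_EVENT = ("CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM dialed a "
              "connection named SiteA which has failed. The error code returned on failure is 812.")

COID_RE = re.compile(r"CoId=\{([0-9A-Fa-f-]+)\}")


def parse_dial_event(text):
    """Return (CoId, {setting: value}) from a 'has started dialing' event."""
    coid = COID_RE.search(text).group(1)
    settings = {}
    for line in text.splitlines()[1:]:          # first line is the narrative header
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().rstrip(".")  # 'No.' -> 'No'
    return coid, settings


def parse_failure_code(text):
    """Return (CoId, error_code) from a 'which has failed' event, or None."""
    m = re.search(r"CoId=\{([0-9A-Fa-f-]+)\}.*error code returned on failure is (\d+)", text)
    return (m.group(1), int(m.group(2))) if m else None


def diagnose(dial_text, fail_text, server_domain_joined=True):
    """Correlate the two events by CoId and list the problems the thread identified."""
    coid, settings = parse_dial_event(dial_text)
    failure = parse_failure_code(fail_text)
    findings = []
    if failure and failure[0] == coid and failure[1] == 812:
        # 812 accompanies the 'policy configured on your RAS/VPN server' message
        findings.append("812: authentication policy mismatch on the RAS server")
    user = settings.get("Dial-in User", "")
    # Assumption: on a domain-joined TMG a bare user name is ambiguous, so require
    # DOMAIN\user or SERVER\user (a UPN 'user@domain' is also treated as qualified).
    if server_domain_joined and "\\" not in user and "@" not in user:
        findings.append(f"unqualified dial-in user '{user}': use DOMAIN\\{user} or SERVER\\{user}")
    return findings
```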

Author Comment

ID: 38810317
Ah, putting in servername\account seems to have done the trick.

However, now it is saying my MainOffice IP addresses are internal rather than part of the other network, so they aren't being routed. Nothing on that side has changed.

I still have all my TMG subnets on mainserver under a separate network and set up to route.

Author Comment

ID: 38810879
OK, I have got it all talking now; however, even though I have an allow-all from internal to site and vice versa, I'm getting these error messages:

"a non syn packet was dropped because it was sent by a source that does not have an established connection with the forefront TMG computer."

source internal
destination MainOffice

Author Closing Comment

ID: 38810960
Sorted now, RPC filtering was turned on, which is what was blocking some functionality.
