• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1203

TMG site to site connection

I had a site-to-site connection working fine, but I then connected my remote TMG server to my domain and joined it to the domain.

I rebooted, set all the IPs back to the way they were, and now I can't connect.

I had MainOffice and SiteA.

On MainOffice my connection settings are:

PPTP
Username - SiteA
Connection Name - SiteA

On SiteA my connection settings are:

PPTP
Username - MainOffice
Connection Name - MainOffice

Here are the error messages I am receiving.

"CoId={4394C9F5-6299-4CE0-BBF7-5454FFC0F034}: The user MainOffice connected from **.**.**.** but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

and

A Demand Dial connection to the remote interface SiteA on port VPN3-80 was successfully initiated but failed to complete successfully because of the following error: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

and

CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM dialed a connection named SiteA which has failed. The error code returned on failure is 812.

Here is the information about the connection:

CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named SiteA. The connection settings are:
Dial-in User = MainOffice
VpnStrategy = PPTP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = MS-CHAPv2
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Phonebook Entry
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = No
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No.

I have created the local users MainOffice and SiteA on both TMG servers and given them VPN access.
1 Solution
Bruno PACI, IT Consultant, commented:
Hi,

Can you detail what you did on the IP settings so that your TMG servers are now able to resolve internal domain DNS names? Can you give us the NIC IP settings of your TMG servers?

As they are now members of an internal AD domain, your TMG servers should only use internal DNS servers to resolve any DNS name, internal or external.
TMG servers must no longer use external DNS servers.

If the TMG servers must be able to resolve internal and external names, you must set things up so that your internal DNS server is configured with a DNS forwarder and is able to pass DNS requests for external names on to external DNS servers.

To be more clear: your TMG server ONLY queries internal DNS servers (DNS servers that host the AD domain DNS zone). If the TMG server asks for an external DNS name, the internal DNS server uses its DNS forwarder to pass the request to external DNS servers. The external DNS servers give the answer to the internal DNS server, which passes the answer on to the TMG server. The TMG server NEVER queries external DNS servers directly. That is how it should be done; that is how it MUST be done.

Did you do it that way?

Have a good day.
CaptainGiblets (Author) commented:
Both my ISA servers only have my internal DNS servers on their internal NICs.

Now my SiteA site can't resolve anything, but I expected this because it can't communicate with my internal DNS servers until the VPN connection is made, which I don't think should be affected by the DNS settings, as it is set up to use my IP address and not a domain name.
Bruno PACI, IT Consultant, commented:
As your TMG servers are now members of a domain, using only "username" instead of "domain\username" or "server\username" might be ambiguous.

Can you try specifying DOMAIN\MainOffice or SERVER\MainOffice (depending on whether MainOffice is declared in the domain or as a local account on the TMG server), and do the same for SiteA?
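The RasClient event text quoted in the question can be triaged mechanically, and the ambiguity Bruno points out is visible in the "Dial-in User" line of the dial-started record. The Python script below is an added example, not code from the thread or from TMG itself: it parses CoId events of the three shapes seen above, ties the dial-failed and dial-started records of one attempt together through their shared CoId, decodes error 812 with the meaning the page's own event text gives it, and flags a bare (unqualified) dial-in user name on a domain-joined server. The sample events are the three messages from the question, with the remote address left masked as it is on the page; the `RasEvent` type, the function names and the `domain_joined` switch are the example's own.

```python
"""Triage RasClient CoId events from a failed PPTP demand-dial (site-to-site) link."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Error codes with the meaning the thread itself documents (812 is quoted in the question).
RAS_ERRORS = {812: "policy on the RAS/VPN server rejected the connection; its authentication "
                   "method may not match the one in the connection profile"}

# Sample input: the three events quoted in the question; the remote address is masked there too.
SAMPLE_EVENTS = [
    "CoId={4394C9F5-6299-4CE0-BBF7-5454FFC0F034}: The user MainOffice connected from **.**.**.** "
    "but failed an authentication attempt due to the following reason: The remote connection was "
    "denied because the user name and password combination you provided is not recognized, or the "
    "selected authentication protocol is not permitted on the remote access server.",
    "CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM dialed a connection named SiteA "
    "which has failed. The error code returned on failure is 812.",
    """CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named SiteA. The connection settings are:
Dial-in User = MainOffice
VpnStrategy = PPTP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = MS-CHAPv2
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Phonebook Entry
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = No
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No.""",
]

_COID_RE = re.compile(r"^CoId=\{(?P<coid>[0-9A-Fa-f-]{36})\}:\s*(?P<body>.*)$", re.S)
_AUTHFAIL_RE = re.compile(r"The user (\S+) connected from \S+ but failed an authentication")
_DIALED_RE = re.compile(r"dialed a connection named (\S+) which has failed")
_ERRCODE_RE = re.compile(r"error code returned on failure is (\d+)")
_PROFILE_RE = re.compile(r"connection profile named (\S+)\.")
_SETTING_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?)\s*=\s*(.*?)\.?\s*$")  # "Key = Value" lines


@dataclass
class RasEvent:
    coid: str                  # one CoId = one connection attempt across several events
    kind: str                  # auth_failed | dial_failed | dial_started | other
    connection: Optional[str] = None
    user: Optional[str] = None
    error_code: Optional[int] = None
    settings: Dict[str, str] = field(default_factory=dict)


def parse_event(text: str) -> RasEvent:
    """Classify one RasClient message; the settings block is kept for dial_started events."""
    m = _COID_RE.match(text.strip())
    if not m:
        raise ValueError("not a RasClient CoId event")
    body = m.group("body")
    ev = RasEvent(coid=m.group("coid").upper(), kind="other")
    if (a := _AUTHFAIL_RE.search(body)):
        ev.kind, ev.user = "auth_failed", a.group(1)
    elif (d := _DIALED_RE.search(body)):
        ev.kind, ev.connection = "dial_failed", d.group(1)
        e = _ERRCODE_RE.search(body)
        ev.error_code = int(e.group(1)) if e else None
    elif (p := _PROFILE_RE.search(body)):
        ev.kind, ev.connection = "dial_started", p.group(1)
        for line in body.splitlines()[1:]:
            s = _SETTING_RE.match(line)
            if s:
                ev.settings[s.group(1)] = s.group(2)
    return ev


def find_issues(events: List[RasEvent], domain_joined: bool = True) -> List[str]:
    """Explain failure codes and flag an unqualified dial-in user on a domain-joined server.
    domain_joined is this example's own switch: a bare name is only ambiguous once the box is in AD."""
    issues: List[str] = []
    for ev in events:
        if ev.kind == "dial_failed" and ev.error_code is not None:
            issues.append(f"{ev.connection}: error {ev.error_code}: "
                          f"{RAS_ERRORS.get(ev.error_code, 'code not documented here')}")
        elif ev.kind == "dial_started":
            user = ev.settings.get("Dial-in User", "")
            # Bare name: could be resolved against the local SAM or the domain.
            if domain_joined and user and "\\" not in user and "@" not in user:
                issues.append(f"{ev.connection}: dial-in user '{user}' is unqualified; use "
                              f"SERVER\\{user} for a local account or DOMAIN\\{user} for a domain one")
    return issues


if __name__ == "__main__":
    for issue in find_issues([parse_event(e) for e in SAMPLE_EVENTS]):
        print(issue)
```

Feed it the RasClient entries from the Application log of the dialling TMG server (one event per string) and it prints the 812 explanation and the unqualified-user finding for the profile above; with `User = SERVER\MainOffice` in the settings block the second finding disappears, which is the fix the thread ends up with. The settings block also records `VpnStrategy = PPTP` with `Authentication Type = MS-CHAPv2`; that pairing is known to be weak, since an MS-CHAPv2 handshake captured on the wire can be cracked offline, so a site-to-site link is better built on L2TP/IPsec or IPsec tunnel mode once it is working again.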
CaptainGiblets (Author) commented:
Ah, putting in servername\account seems to have done the trick.

However, now it is saying my MainOffice IP addresses are internal rather than part of the other network, so they aren't being routed. Nothing on that side has changed.

I still have all my TMG subnets on the main server under a separate network, set up to route.
CaptainGiblets (Author) commented:
OK, I have got it all talking now. However, even though I have an allow-all rule from Internal to the site and vice versa, I'm getting these error messages:

"A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer."

Source: Internal
Destination: MainOffice
CaptainGiblets (Author) commented:
Sorted now. RPC filtering was turned on, which is what was blocking some functionality.