Solved

TMG site to site connection

Posted on 2013-01-23
1,110 Views
Last Modified: 2013-01-23
I had a site to site connection working fine, but i then connected my remote TMG server to my domain and joined it to the domain.

I rebooted, set all the IPs back to the way they were, and now I can't connect.

I had MainOffice and SiteA

on Main office my connection settings are

PPTP
Username - SiteA
Connection Name - SiteA

on SiteA my connection settings are

PPTP
Username - MainOffice
Connection Name - MainOffice

Here are the error messages I am receiving.

"CoId={4394C9F5-6299-4CE0-BBF7-5454FFC0F034}: The user MainOffice connected from **.**.**.** but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

and

A Demand Dial connection to the remote interface SiteA on port VPN3-80 was successfully initiated but failed to complete successfully because of the following error: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

and

CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM dialed a connection named SiteA which has failed. The error code returned on failure is 812.

Here is the information about connection

CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named SiteA. The connection settings are:
Dial-in User = MainOffice
VpnStrategy = PPTP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = MS-CHAPv2
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Phonebook Entry
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = No
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No.

I have created the local users MainOffice and SiteA on both TMG servers and given them VPN access.
Question by:CaptainGiblets
6 Comments
 
LVL 16

Expert Comment

by:PaciB
ID: 38809867
Hi,

Can you detail what you did on the IP settings so that your TMG servers are now able to resolve internal domain DNS names? Can you give us the NIC IP settings of your TMG servers?

As they are now members of an internal AD domain, your TMG servers should only use internal DNS servers to resolve any DNS name, internal or external.
TMG servers must no longer use external DNS servers.

If the TMG servers must be able to resolve internal and external names, you must set things up so that your internal DNS server is configured with a DNS forwarder and is able to pass DNS requests for external names on to external DNS servers.

To be more clear: your TMG server ONLY queries internal DNS servers (DNS servers that host the AD domain DNS zone). If the TMG server asks for an external DNS name, the internal DNS server uses its DNS forwarder to transmit the request to external DNS servers. The external DNS servers give the answer to the internal DNS server, which passes the answer back to the TMG server. The TMG server NEVER queries external DNS servers directly. That is how it should be done, that is how it MUST be done.

Did you do it that way?

Have a good day.
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 38810133
Both my ISA servers only have my internal DNS servers on their internal NIC cards.

Now my SiteA site can't resolve anything, but I expected this because it can't communicate with my internal DNS servers until the VPN connection is made, which I don't think should be affected by the DNS settings, as it is set up to use my IP address and not a domain name.
 
LVL 16

Accepted Solution

by: PaciB (earned 500 total points)
ID: 38810203
As your TMG servers are now members of a domain, using only "username" instead of "domain\username" or "server\username" might be ambiguous.

Can you try specifying DOMAIN\MainOffice or SERVER\MainOffice (depending on whether MainOffice is declared in the domain or as a local account on the TMG server), and do the same for SiteA.
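The accepted answer is the one to act on, and the three events quoted in the question carry enough structure to check it mechanically. Below is an added example (not part of this thread and not TMG's own tooling) that parses RasClient event text of the kind quoted above, correlates the events by CoId, maps the RAS error code (812 is the one on the page; 691 is the generic bad-credentials code from the Windows RAS error table) and flags a demand-dial user name that is not qualified with SERVER\ or DOMAIN\. The sample events are constructed from the ones in the question, with a documentation-range address standing in for the masked peer IP.

```python
"""Triage RasClient demand-dial failures from event message text (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the three events quoted in the question.
# The peer address is a documentation-range placeholder, not the poster's IP.
SAMPLE_EVENTS = [
    "CoId={4394C9F5-6299-4CE0-BBF7-5454FFC0F034}: The user MainOffice connected "
    "from 203.0.113.10 but failed an authentication attempt due to the following "
    "reason: The remote connection was denied because the user name and password "
    "combination you provided is not recognized, or the selected authentication "
    "protocol is not permitted on the remote access server.",
    "CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM has started "
    "dialing a VPN connection using a all-user connection profile named SiteA. "
    "The connection settings are:\n"
    "Dial-in User = MainOffice\nVpnStrategy = PPTP\nDataEncryption = Require\n"
    "PrerequisiteEntry =\nAuthentication Type = MS-CHAPv2\nConnectOnWinlogon = No.",
    "CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM dialed a "
    "connection named SiteA which has failed. The error code returned on "
    "failure is 812.",
]

# RAS error codes this triage knows about: 812 is the one on the page,
# 691 is the generic bad-credentials code from the Windows RAS error table.
RAS_ERRORS = {
    812: "policy mismatch on the RAS/VPN server (authentication method or "
         "network policy does not allow this logon)",
    691: "access denied: user name and/or password invalid on the domain",
}

COID_RE = re.compile(r"CoId=\{([0-9A-Fa-f-]+)\}:\s*(.*)", re.S)
AUTH_FAIL_RE = re.compile(r"The user (\S+) connected from (\S+) but failed an authentication attempt")
DIAL_FAIL_RE = re.compile(r"connection named (\S+) which has failed\. The error code returned on failure is (\d+)")
DIAL_START_RE = re.compile(r"connection profile named (\S+)\. The connection settings are:\s*(.*)", re.S)


def parse_settings(block):
    """Turn the 'Key = Value' lines of a 'started dialing' event into a dict."""
    settings = {}
    for line in block.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().rstrip(".")
    return settings


def parse_event(text):
    """Classify one RasClient event and pull out the fields triage needs."""
    m = COID_RE.match(text.strip())
    if not m:
        return None
    coid, body = m.group(1), m.group(2)
    ev = {"coid": coid}
    if (a := AUTH_FAIL_RE.search(body)):
        ev.update(kind="auth_failed", user=a.group(1), peer=a.group(2))
    elif (d := DIAL_FAIL_RE.search(body)):
        ev.update(kind="dial_failed", entry=d.group(1), error=int(d.group(2)))
    elif (s := DIAL_START_RE.search(body)):
        ev.update(kind="dial_started", entry=s.group(1), settings=parse_settings(s.group(2)))
    else:
        ev["kind"] = "other"
    return ev


def is_qualified(user):
    """True for DOMAIN\\user, SERVER\\user or user@realm; False for a bare name."""
    return "\\" in user or "@" in user


def triage(events):
    """Correlate events by CoId and return one finding per failed attempt."""
    by_coid = defaultdict(list)
    for ev in filter(None, map(parse_event, events)):
        by_coid[ev["coid"]].append(ev)

    findings = []
    for coid, evs in by_coid.items():
        kinds = {e["kind"]: e for e in evs}
        if "dial_failed" in kinds:
            fail = kinds["dial_failed"]
            settings = kinds.get("dial_started", {}).get("settings", {})
            user = settings.get("Dial-in User", "")
            finding = {
                "coid": coid, "entry": fail["entry"], "error": fail["error"],
                "meaning": RAS_ERRORS.get(fail["error"], "unknown RAS error"),
                "dial_in_user": user, "auth": settings.get("Authentication Type"),
                "advice": None,
            }
            if user and not is_qualified(user):
                finding["advice"] = (f"'{user}' is unqualified; on a domain-joined server "
                                     f"dial with SERVER\\{user} (local account) or DOMAIN\\{user}")
            findings.append(finding)
        elif "auth_failed" in kinds:
            a = kinds["auth_failed"]
            findings.append({
                "coid": coid, "entry": None, "error": None,
                "meaning": "inbound caller rejected: credentials or auth protocol not accepted",
                "dial_in_user": a["user"], "auth": None,
                "advice": None if is_qualified(a["user"]) else
                          f"caller sent bare name '{a['user']}'; qualify it on the dialing side",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Feed it the message text of RasClient events from the System log on either TMG; a bare Dial-in User on a domain-joined server is exactly the ambiguity the accepted answer describes, and the CoId lets you tie the "started dialing" settings to the 812 that follows them.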
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 38810317
Ah, putting in servername\account seems to have done the trick.

However, now it is saying my MainOffice IP addresses are internal rather than part of the other network, so they aren't being routed. Nothing on that side has changed.

I still have all my TMG subnets on the main server under a separate network and set up to route.
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 38810879
OK, I have got it all talking now. However, even though I have an allow all from Internal to the site and vice versa, I'm getting these error messages:

"A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer."

Source: Internal
Destination: MainOffice
 
LVL 6

Author Closing Comment

by:CaptainGiblets
ID: 38810960
Sorted now. RPC filtering was turned on, which is what was blocking some functionality.