TMG site to site connection

Posted on 2013-01-23
Last Modified: 2013-01-23
I had a site to site connection working fine, but i then connected my remote TMG server to my domain and joined it to the domain.

I rebooted, set all the IP's back to the way they were and now i cant connect.

I had MainOffice and SiteA

on Main office my connection settings are

Username - SiteA
Connection Name - SiteA

on SiteA my connection settings are

Username - MainOffice
Connection Name - MainOffice

Here is the error messages i am recieving.

"CoId={4394C9F5-6299-4CE0-BBF7-5454FFC0F034}: The user MainOffice connected from **.**.**.** but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."


A Demand Dial connection to the remote interface SiteA on port VPN3-80 was successfully initiated but failed to complete successfully because of the  following error: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.


CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM dialed a connection named SiteA which has failed. The error code returned on failure is 812.

Here is the information about connection

CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named SiteA. The connection settings are:
Dial-in User = MainOffice
VpnStrategy = PPTP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = MS-CHAPv2
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Phonebook Entry
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = No
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No.

I have created the local users MainOffice and SiteA on both TMG servers and given them VPN access.
Question by:CaptainGiblets
  • 4
  • 2
LVL 16

Expert Comment

ID: 38809867

Can you detail what you did on IP settings so that your TMG servers are now able to resolve internal domain DNS names ? Can you give us the NICs IP settings of your TMG servers ?

As they are now members of an internal AD domain your TMG servers should only use internal DNS servers to resolve any DNS name, internal or external.
TMG servers must no more use external DNS servers.

If the TMG servers must be able to resolve internal and external names, you must make things so that your internal DNS server is configured with a DNS forwarder and is able to retransmit DNS request for external names to external DNS servers.

To be more clear: Your TMG server ONLY interrogate internal DNS servers (DNS servers that host the AD domain DNS zone). If the TMG server asks for an external DNS name, the internal DNS server uses its DNS forwarder to transmit the request to external DNS servers. The external DNS servers give the answer to the internal DNS server that transmits the answer to the TMG server. The TMG server NEVER interrogate external DNS servers directly. That is how it should be done, that is how it MUST be done.

Did you made it that way ?

Have a good day.

Author Comment

ID: 38810133
both my isa servers only have my internal DNS servers on their internal NIC cards.

Now my SiteA site cant resolve anything, but i expected this because it cant communicate to my internal DNS servers until the VPN connection was made, which i dont think should be affected by the DNS settings as it is set up to use my IP address and not a domain name.
LVL 16

Accepted Solution

PaciB earned 500 total points
ID: 38810203
As your TMG servers are now members of a domain, using only "username" instead of "domain\username" or "server\username" might be ambigous.

Can you try precising DOMAIN\MainOffice or SERVER\MainOffice (depending of MainOffice is declared in the domain or as a local account on the TMG server), and do the same for SiteA.
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.


Author Comment

ID: 38810317
ah putting in servername\account seems to have done the trick.

however now it is saying my mainoffice IP addresses are internal rather than part of the other network so they arent being routed. Nothing that side has changed.

I still have all my TMG subnets on mainserver under a seperate network and set up to route.

Author Comment

ID: 38810879
Ok i have got it all talking now, however even though i have an allow all from internal to site and vice versa im getting these error messages

"a non syn packet was dropped because it was sent by a source that does not have an established connection with the forefront TMG computer.

source internal
destination MainOffice

Author Closing Comment

ID: 38810960
Sorted now, RPC filtering was turned on which is what was blocking som functionality.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco 800 Internet Uptime 3 103
VPN speed and 3rd party service 13 45
RDP through VPN setup 9 51
DNS and NSLOOKUP 21 57
For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now