TMG site to site connection

Posted on 2013-01-23
Last Modified: 2013-01-23
I had a site to site connection working fine, but I then connected my remote TMG server to my domain and joined it to the domain.

I rebooted, set all the IPs back to the way they were and now I can't connect.

I had MainOffice and SiteA

On MainOffice my connection settings are

Username - SiteA
Connection Name - SiteA

On SiteA my connection settings are

Username - MainOffice
Connection Name - MainOffice

Here are the error messages I am receiving.

"CoId={4394C9F5-6299-4CE0-BBF7-5454FFC0F034}: The user MainOffice connected from **.**.**.** but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."


A Demand Dial connection to the remote interface SiteA on port VPN3-80 was successfully initiated but failed to complete successfully because of the  following error: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.


CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM dialed a connection named SiteA which has failed. The error code returned on failure is 812.

Here is the information about the connection:

CoId={4C092F8C-DBCF-49E5-8DB3-5F59F3F9893C}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named SiteA. The connection settings are:
Dial-in User = MainOffice
VpnStrategy = PPTP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = MS-CHAPv2
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Phonebook Entry
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = No
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No.

I have created the local users MainOffice and SiteA on both TMG servers and given them VPN access.
Question by: CaptainGiblets

Expert Comment

by:Bruno PACI
ID: 38809867

Can you detail what you did on the IP settings so that your TMG servers are now able to resolve internal domain DNS names? Can you give us the NIC IP settings of your TMG servers?

As they are now members of an internal AD domain, your TMG servers should only use internal DNS servers to resolve any DNS name, internal or external.
TMG servers must no longer use external DNS servers.

If the TMG servers must be able to resolve internal and external names, you must make things so that your internal DNS server is configured with a DNS forwarder and is able to retransmit DNS requests for external names to external DNS servers.

To be more clear: your TMG server ONLY interrogates internal DNS servers (DNS servers that host the AD domain DNS zone). If the TMG server asks for an external DNS name, the internal DNS server uses its DNS forwarder to transmit the request to external DNS servers. The external DNS servers give the answer to the internal DNS server, which transmits the answer to the TMG server. The TMG server NEVER interrogates external DNS servers directly. That is how it should be done, that is how it MUST be done.

Did you make it that way?

Have a good day.
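The resolver rule in the comment above (a domain-joined TMG host queries only the internal DNS servers that host the AD zone, and those forward externally) can be checked against an exported NIC configuration. The following is an added example, not code from the thread or from Microsoft; the NIC names, the address ranges and the `AD_DNS_SERVERS` set are constructed assumptions standing in for a real export.

```python
import ipaddress

# Constructed sample: DNS servers configured per NIC on a domain-joined TMG host.
# All addresses are private or documentation ranges, not real hosts.
INTERNAL_PREFIXES = ["10.0.0.0/8", "192.168.0.0/16"]
AD_DNS_SERVERS = {"10.0.0.10", "10.0.0.11"}      # servers hosting the AD DNS zone
SAMPLE_NICS = {
    "Internal": ["10.0.0.10", "10.0.0.11"],
    "External": ["203.0.113.53"],                # wrong: an outside resolver on the external NIC
}


def audit_dns_servers(nics, internal_prefixes, ad_dns_servers):
    """Return one problem string per DNS server that violates the internal-only rule.

    A server outside every internal prefix is an external resolver the TMG host
    must not query directly; a server inside the prefixes but not in the AD set
    is internal yet cannot resolve the domain zone authoritatively.
    """
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    problems = []
    for nic, servers in nics.items():
        for server in servers:
            addr = ipaddress.ip_address(server)
            if not any(addr in net for net in nets):
                problems.append(
                    f"{nic}: {server} is an external resolver; "
                    f"a domain-joined TMG host must not query it directly")
            elif server not in ad_dns_servers:
                problems.append(
                    f"{nic}: {server} is internal but does not host the AD DNS zone")
    return problems


if __name__ == "__main__":
    for problem in audit_dns_servers(SAMPLE_NICS, INTERNAL_PREFIXES, AD_DNS_SERVERS):
        print(problem)
```

The forwarding itself (the internal DNS server relaying external names) is a setting on the DNS server, not on the TMG host, so this check only covers the half the TMG administrator controls: which resolvers each NIC points at.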

Author Comment

ID: 38810133
Both my ISA servers only have my internal DNS servers on their internal NIC cards.

Now my SiteA site can't resolve anything, but I expected this because it can't communicate with my internal DNS servers until the VPN connection is made, which I don't think should be affected by the DNS settings as it is set up to use my IP address and not a domain name.

Accepted Solution

Bruno PACI earned 500 total points
ID: 38810203
As your TMG servers are now members of a domain, using only "username" instead of "domain\username" or "server\username" might be ambiguous.

Can you try specifying DOMAIN\MainOffice or SERVER\MainOffice (depending on whether MainOffice is declared in the domain or as a local account on the TMG server), and do the same for SiteA.
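The connection-settings event quoted in the question and the accepted answer's point about qualifying the user name can be turned into a small triage routine: parse the RasClient event text into its `Key = Value` pairs, pull the numeric failure code from the companion event, and flag an unqualified `Dial-in User` on a domain-joined server. This is an added example, not code from the thread or from Microsoft; the sample event text is constructed from the messages quoted above with a placeholder CoId, and the mapping for code 812 is taken from the thread, where that code accompanied the "policy configured on your RAS/VPN server" message.

```python
import re

# Constructed samples modelled on the RasClient events quoted in the question.
# The CoId is a placeholder; only the settings block and the error code matter here.
SAMPLE_PROFILE_EVENT = """CoId={00000000-0000-0000-0000-000000000000}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named SiteA. The connection settings are:
Dial-in User = MainOffice
VpnStrategy = PPTP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = MS-CHAPv2
Ipv4DefaultGateway = No
ConnectOnWinlogon = No."""

SAMPLE_FAILURE_EVENT = ("CoId={00000000-0000-0000-0000-000000000000}: The user SYSTEM dialed a "
                        "connection named SiteA which has failed. The error code returned on "
                        "failure is 812.")

# "Key = Value" with an optional trailing period (the last setting line ends with one).
SETTING_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?)\s*=\s*(.*?)\.?\s*$")
FAILURE_RE = re.compile(r"error code returned on failure is (\d+)")

# Codes the thread itself reports; anything else is left unmapped rather than guessed.
KNOWN_CODES = {
    812: "RAS policy rejected the connection: the credentials or authentication method "
         "did not match what the server's policy allows",
}


def parse_connection_settings(event_text):
    """Return the settings that follow 'The connection settings are:' as a dict."""
    _, marker, body = event_text.partition("The connection settings are:")
    settings = {}
    if not marker:
        return settings
    for line in body.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings


def parse_failure_code(event_text):
    """Return the numeric RAS failure code from a 'dialed a connection ... failed' event."""
    m = FAILURE_RE.search(event_text)
    return int(m.group(1)) if m else None


def review_profile(settings, domain_joined):
    """Findings a reviewer would raise before the next dial attempt."""
    findings = []
    user = settings.get("Dial-in User", "")
    # Accepted answer: on a domain member a bare name may be ambiguous between
    # a domain account and a local account, so require DOMAIN\user, SERVER\user or a UPN.
    if domain_joined and "\\" not in user and "@" not in user:
        findings.append(f"Dial-in User '{user}' is unqualified; use DOMAIN\\{user} "
                        f"or SERVER\\{user} so the account is unambiguous")
    if settings.get("DataEncryption", "").lower() != "require":
        findings.append("DataEncryption is not 'Require'; the tunnel may fall back to plaintext")
    if settings.get("VpnStrategy", "").upper() == "PPTP":
        findings.append("VpnStrategy is PPTP; its MS-CHAPv2 exchange is known to be weak, "
                        "prefer L2TP/IPsec or SSTP for a site-to-site link")
    return findings


def triage(profile_event, failure_event, domain_joined=True):
    settings = parse_connection_settings(profile_event)
    code = parse_failure_code(failure_event)
    cause = None if code is None else KNOWN_CODES.get(code, f"unmapped RAS error code {code}")
    return {"settings": settings, "error_code": code, "cause": cause,
            "findings": review_profile(settings, domain_joined)}


if __name__ == "__main__":
    result = triage(SAMPLE_PROFILE_EVENT, SAMPLE_FAILURE_EVENT)
    print("error", result["error_code"], "->", result["cause"])
    for finding in result["findings"]:
        print("-", finding)
```

Run against the constructed events the routine reports code 812 and flags the bare `MainOffice` user name, which is exactly the change the accepted answer asked for; re-running with `SERVER\MainOffice` clears that finding.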

Author Comment

ID: 38810317
Ah, putting in servername\account seems to have done the trick.

However, now it is saying my MainOffice IP addresses are internal rather than part of the other network, so they aren't being routed. Nothing on that side has changed.

I still have all my TMG subnets on the main server under a separate network and set up to route.

Author Comment

ID: 38810879
OK, I have got it all talking now; however, even though I have an allow-all rule from internal to site and vice versa, I'm getting these error messages:

"A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer."

Source: Internal
Destination: MainOffice

Author Closing Comment

ID: 38810960
Sorted now. RPC filtering was turned on, which is what was blocking some functionality.
