Microsoft Forefront Threat Management Gateway 2010 VPN Clients with only RODC

Is it true that in order to enable VPN clients on a TMG2010/Forefront Server, the domain controller on the internal network must be writeable?

I seem to remember trying once to set up VPN clients on a network that only had an RODC and being unable to do so.

Does anyone have any information on this?

Thanks.
gateguard (Author) asked:
Keith Alabaster (Enterprise Architect) commented:
This is answerable in several ways - although the main answer is no, it will depend on other information that you may provide to explain your specific environment more.

The answer is no because FTMG can be installed on a standalone server and therefore a domain controller is not required at all. You could use an LDAP service to provide authentication for the VPN instead of AD so the presence of a DC - read/write or RODC - on the network would not matter.

If you have set the FTMG to authenticate through your active directory then the next question is what do you mean by 'network'? For example, do you have multiple sites and a remote site has an RODC and FTMG installed, but there is a read/write DC on the main site or is this a single site, single subnet and you only have a RODC (maybe you keep the read/write DC shutdown for the most part - I've seen it once)?
0
gateguard (Author) commented:
There is only an RODC on the subnet with the FTMG.
0
Keith Alabaster (Enterprise Architect) commented:
One-sentence responses will be hard to work with, but I'll give it a go for a bit.
Is the FTMG installed on the RODC itself or on a separate server in its own right?
Is the RODC part of the Windows domain that the other FTMG is connected to?
I'll ask the obvious questions also: are you trying to establish a site-to-site VPN between two locations, or just client access to a single TMG?
Have you run the TMG Best Practices Analyzer? If so, what were the results?
0
gateguard (Author) commented:
I'm going to post a network diagram.
0
gateguard (Author) commented:
The attached PDF has a diagram along with a detailed description of the problem.

Thanks.
0
gateguard (Author) commented:
Attaching file: vpn-connections.pdf
0
Keith Alabaster (Enterprise Architect) commented:
The actual question has been answered.

Looking at the attachment that was eventually submitted, there is a slight contradiction on the blue concerning domain replication between the datacentre and the office sites. If this were true replication then they would all be read-only or all read/write, so it suggests there must be domain membership across this link to sync the AD, unless some form of dirsync is being run?

One solution to the specific additional info provided, i.e. the goal is.... (and there are several approaches), would be to use the following link. I don't like this approach to answering a question, but sometimes it beats just typing it in again myself. I have NOT tried this myself, but as it prepares the install with SP1 already embedded it should get round the issue.

Credits to TechNet here.
https://technet.microsoft.com/en-gb/library/ff808304.aspx

Keith
0
Keith Alabaster (Enterprise Architect) commented:
PS - I assume you have followed this link also to build your RODCs.....
https://technet.microsoft.com/en-us/library/ff808306.aspx
0
gateguard (Author) commented:
Keith, thanks for your answers, but I still feel we have a big disconnect here.

I have no control over, and cannot build, a domain controller on this network. I can only build the TMG server for VPN access into the two pieces of the network.

I know that I tried to build one previously, on the network segment that only has an RODC (and it really only does have that, and it really does get updated from changes made in the writeable DC on the other network, really, I swear, so I don't know if that's replication or not, and if it's not I heartily apologize for using the word replication, but if a user Dave changes his pw on the domain -- which is done on the writeable -- he can later log into the segment with the RODC even if the link to the writeable is down, of that I am 110% sure)...

... and when I build a TMG server in the top segment (the one with the writeable) there is no problem using AD logins, but when I built it on the bottom segment (with the RODC) I got an error saying something about you can't authenticate using an RODC (and I kick myself a thousand times for not taking out my phone and photographing that error).

But my question is this and only this: can I use AD authentication in a TMG VPN server on a segment with only an RODC?

I think the answer is no, but I have to convince the powers that be in our organization that the answer is no (or maybe I'm wrong, maybe the answer is yes, I can make it work with an RODC), but anyway, that's my question.

I'm losing hope of getting it answered here, and I'm not sure why, or what is the cause of the disconnect (I'm sure it's my fault), and if you can't answer it I'm just going to give you an A and all the points and close this thing and be done with it.

It's gone on too long.

Let me put it to you this way:
1. I want to use TMG
2. I want to build a VPN server
3. I want VPN users logging in from the outside to use their domain logins to connect
4. The segment I am putting it on only has access to an RODC

Can I do this? Yes or no? In your opinion.

Thanks, and I really do appreciate all the time you've put into this, and I blame myself 110% for all the confusion in this question.

All I can say is, I'll try to do better next time.

Thanks again.
0
Keith Alabaster (Enterprise Architect) commented:
OK, maybe - as I am old and about to retire - I have got blasé in the way I answer questions on TMG, or vague in the manner in which I ask you for additional info. Let me try and get on the same page with you. As an aside, if I don't answer the question I don't want your points, but I understand the frustration :)

This link states that you can do what is being asked, but there are requirements that must be adhered to in:
a) the creation of the RODC,
b) the preparation of the TMG install media so that it includes the FTMG SP1 update,
c) the TMG needs to be installed ON the RODC you have prepared, plus
d) some accounts need to have been created on the read/write DC and replicated to the Office site.

https://technet.microsoft.com/en-us/library/ff808305.aspx
The sections at the bottom of this link explain each of the relevant steps.

If the above is not possible - due to limitations imposed - then an alternative is to install FTMG as a standalone server in a workgroup rather than domain-joined. Taking this route negates the relevance of whether there are local RODCs or read/write DCs and allows the build to take place. As far as authentication goes, you will need to use the LDAPS method rather than integral domain integration - although I think that LDAP only supports web-type connections and I need to check this through.

I've fired an email to a couple of contacts in the original FTMG development team and - assuming they are not dead, retired or have simply forgotten me after all this time - I would hope to get a response in the next day or so to confirm my thoughts.

Keith
0
gateguard (Author) commented:
Ok. Thanks again, Keith.

Just to give you a little more background information: when I originally tried to do this and was thwarted by error messages, we were told that if we put our RODC in a locked room they (our controlling authority) would build a new writeable DC for our office. I did as they said and now they are saying, you know what, you don't need a writeable DC. We never heard that TMG VPN servers won't work with RODCs. So though I am confident I can recreate the error by reinstalling, I was looking for some official documentation saying it simply can't be done.

Anyway, I'll wait to see what you come up with and I wish you the best with your future plans.
0
Keith Alabaster (Enterprise Architect) commented:
One question back so far - please confirm the replication mechanism between Data Centre and Office in respect to domain controllers. Does the Data Centre hold ALL of the DCs (regardless of function) and then just replicate the RODCs to the Office site, and these then work on their own for use by the users/services in the Office location, or do the RODCs in Office have realtime access to the DCs in Data Centre?
0
Keith Alabaster (Enterprise Architect) commented:
Second question.... at what point are you getting the error message (and yes, the exact wording would be helpful)?

You will be pleased to know that the authors of the Microsoft Forefront Management Gateway Admin Companion are looking at this as well now. Caused quite a stir as none of us have seen an error similar to your description before in these circumstances :)
0
Keith Alabaster (Enterprise Architect) commented:
Third question - have the RODCs been locked down in any way in regards to Windows Firewall settings? i.e. ports blocked?

Initial comments are that actually this should work. The option I gave above regarding installation onto the RODC should also apply to a separate server assuming it is already part of the domain and ready to accept an FTMG deployment.

Working on it, but answers to the questions would be helpful please.
0
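The two checks Keith's replies turn on (whether the accounts TMG needs have been replicated to the RODC, and whether the RODC's firewall is blocking the ports TMG talks to a DC on) can be verified from the segment itself before rebuilding the VPN server. The script below is an added example, not code from the thread or from Microsoft's TMG documentation; it assumes a domain-joined machine with the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT), and the account names and port list are constructed placeholders for the environment described above.

```powershell
# Added diagnostic (not from the thread). Run on a domain-joined host in the
# segment where the TMG server would be built. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed placeholders: accounts the VPN server must be able to authenticate
# (a service account plus one sample user). Replace with real SamAccountNames.
$AccountsToCheck = @('tmg-vpn-svc', 'dave')

# Ports a member server uses to reach a DC for Kerberos/NTLM logon and LDAP lookups.
$DcPorts = @{ Kerberos = 88; LDAP = 389; LDAPS = 636; SMB = 445; RPC = 135 }

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on PowerShell 2.0 (no Test-NetConnection needed).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        return ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Enumerate the domain's DCs and flag which ones are read-only.
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    $kind = if ($dc.IsReadOnly) { 'RODC' } else { 'writable' }
    Write-Host ("DC {0} [{1}] site={2}" -f $dc.HostName, $kind, $dc.Site)

    # 2. Which of the ports TMG needs are reachable from this segment?
    #    A BLOCKED result on an RODC points at the firewall question above.
    foreach ($name in $DcPorts.Keys) {
        $open  = Test-TcpPort -ComputerName $dc.HostName -Port $DcPorts[$name]
        $state = if ($open) { 'open' } else { 'BLOCKED/unreachable' }
        Write-Host ("    {0,-8} tcp/{1,-4} {2}" -f $name, $DcPorts[$name], $state)
    }
}

# 3. On each RODC, are the accounts' passwords actually cached ("revealed")?
#    If not, logon through that RODC only works while a writable DC is reachable,
#    which matches the "works when the link is up" behaviour described in the thread.
foreach ($rodc in ($dcs | Where-Object { $_.IsReadOnly })) {
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
                    -Identity $rodc.HostName -RevealedAccounts |
                ForEach-Object { $_.SamAccountName }
    foreach ($acct in $AccountsToCheck) {
        $state = if ($revealed -contains $acct) { 'cached on RODC' }
                 else { 'NOT cached (add to PRP allow list and prepopulate)' }
        Write-Host ("RODC {0}: {1} -> {2}" -f $rodc.HostName, $acct, $state)
    }
}
```

Read the output against the requirements list: every DC reachable from the segment showing `RODC`, with the needed accounts `NOT cached`, reproduces the situation the question describes, and the port column shows whether a host firewall on the RODC is also in play. The `-Identity` parameter is passed the DC's DNS host name; that form is accepted by the ActiveDirectory module, but if your environment only resolves NetBIOS names use `$rodc.Name` instead.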
Keith Alabaster (Enterprise Architect) commented:
An interesting suggestion was just made also: as the RODCs are replicated from Data Centre to Office, can the Data Centre FTMG server also be replicated and then reconfigured just for its external IP address?
0
gateguard (Author) commented:
Keith, I'm going to go ahead and accept this answer and just try rebuilding the VPN server. I value this whole thread as a great resource on the subject and appreciate all your input very much.

Thank you, sincerely.
0