gateguard
 asked on

Microsoft Forefront Threat Management Gateway 2010 VPN Clients with only RODC

Is it true that in order to enable VPN clients on a TMG2010/Forefront Server, the domain controller on the internal network must be writeable?

I seem to remember trying once to set up VPN clients on a network that only had a RODC and was unable to do so.

Does anyone have any information on this?

Thanks.
Keith Alabaster

This is answerable in several ways - although the main answer is no, it will depend on other information that you may provide to explain your specific environment more.

The answer is no because FTMG can be installed on a standalone server and therefore a domain controller is not required at all. You could use an LDAP service to provide authentication for the VPN instead of AD so the presence of a DC - read/write or RODC - on the network would not matter.

If you have set the FTMG to authenticate through your active directory then the next question is what do you mean by 'network'? For example, do you have multiple sites and a remote site has an RODC and FTMG installed, but there is a read/write DC on the main site or is this a single site, single subnet and you only have a RODC (maybe you keep the read/write DC shutdown for the most part - I've seen it once)?
gateguard

ASKER
There is only an RODC on the subnet with the FTMG.
Keith Alabaster

One-sentence responses will be hard to work with but I'll give it a go for a bit.
Is the FTMG installed on the RODC itself or a separate server in its own right?
Is the RODC part of the Windows domain that the other FTMG is connected to?
I'll ask the obvious questions also - are you trying to establish site-to-site VPN between two locations or just client-access to a single TMG?
Have you run the TMG best practices analyser? If so, what were the results?
gateguard

ASKER
I'm going to post a network diagram.
gateguard

ASKER
The attached PDF has a diagram along with a detailed description of the problem.

Thanks.
gateguard

ASKER
Attaching file
vpn-connections.pdf
Keith Alabaster

The actual question has been answered.

Looking at the attachment that was eventually submitted there is a slight contradiction on the blue concerning domain replication between the datacentre and the office sites - if this was true replication then they would all be read-only or all read/write so it suggests there must be domain membership across this link to sync the AD unless some form of dirsync is being run?

One solution to the specific additional info provided i.e. the goal is.... (and there are several approaches) would be to use the following link. Don't like this approach to answering a question but sometimes it beats just typing it in again myself. I have NOT tried this myself but as it prepares the install with SP1 already embedded it should get round the issue.

Credits to TechNet here.
https://technet.microsoft.com/en-gb/library/ff808304.aspx

Keith
Keith Alabaster

PS - I assume you have followed this link also to build your RODCs.....
https://technet.microsoft.com/en-us/library/ff808306.aspx
gateguard

ASKER
Keith, thanks for your answers, but I still feel there is a big disconnect here.

I have no control over and cannot build a domain controller on this network.  I can only build the TMG server for VPN access into the two pieces of the network.

I know that I tried to build one previously, on the network segment that only has a RODC (and it really only does have that, and it really does get updated from changes made in the writeable DC on the other network, really, I swear, so I don't know if that's replication or not and if it's not I heartily apologize for using the word replication but if a user Dave changes his pw on the domain -- which is done on the writeable -- he can later log into the segment with the RODC even if the link to the writeable is down, of that I am 110% sure)...

... and when I build a TMG server in the top segment (the one with the writeable) there is no problem using AD logins but when I built it on the bottom segment (with the RODC) I got an error saying something about you can't authenticate using a RODC (and I kick myself a thousand times for not taking out my phone and photographing that error).

But my question is this and only this: can I use AD authentication in a TMG VPN server on a segment with only a RODC?

I think the answer is no but I have to convince the powers that be in our organization that the answer is no (or maybe I'm wrong, maybe the answer is yes, I can make it work with an RODC), but anyway, that's my question.

I'm losing hope of getting it answered here, and I'm not sure why, or what is the cause of the disconnect (I'm sure it's my fault) and if you can't answer it I'm just going to give you an A and all the points and close this thing and be done with it.

It's gone on too long.

Let me put it to you this way:
1. I want to use TMG
2. I want to build a VPN server
3. I want VPN users logging in from the outside to use their domain logins to connect
4. The segment I am putting it on only has access to a RODC

Can I do this?  Yes or no?  In your opinion.

Thanks and I really do appreciate all the time you've put into this and I blame myself 110% for all the confusion in this question.

All I can say is, I'll try to do better next time.

Thanks again.
Keith Alabaster

OK, maybe - as I am old and about to retire - I have got blasé in the way I answer questions on TMG or vague in the manner in which I ask you for additional info. Let me try and get on the same page with you. As an aside, if I don't answer the question, I don't want your points, but I understand the frustration :)

This link states that you can do what is being asked but there are requirements that must be adhered to in a) the creation of the RODC and b) the preparation of the TMG install media so that it includes the FTMG SP1 update c) the TMG needs to be installed ON the RODC you have prepared plus d) some accounts need to have been created on the read/write DC and replicated to the Office site.

https://technet.microsoft.com/en-us/library/ff808305.aspx
The sections at the bottom of this link explain each of the relevant steps.

If the above is not possible - due to limitations imposed - then an alternative is to install FTMG as a standalone server in a workgroup rather than domain-joined. Taking this route negates the relevance of whether there are local RODCs or read/write DCs and allows the build to take place. As far as authentication goes you will need to use the LDAPs method rather than integral domain integration - although I think that LDAP is only supporting web type connections and I need to check this through.

I've fired an email to a couple of contacts in the original FTMG development team and, assuming they are not dead, retired or have simply forgotten me after all this time, I would hope to get a response in the next day or so to confirm my thoughts.

Keith
gateguard

ASKER
Ok.  Thanks again, Keith.

Just to give you a little more background information, when I originally tried to do this and was thwarted by error messages we were told that if we put our RODC in a locked room they (our controlling authority) would build a new writeable DC for our office.  I did as they said and now they are saying, you know what, you don't need a writeable DC.  We never heard that TMG VPN servers won't work with RODCs.  So though I am confident I can recreate the error by reinstalling, I was looking for some official documentation saying it simply can't be done.

Anyway, I'll wait to see what you come up with and I wish you the best with your future plans.
Keith Alabaster

One question back so far - please confirm the replication mechanism between Data Centre and Office in respect to domain controllers. Does the Data Centre hold ALL of the DCs (regardless of function) and then just replicate the RODCs to the Office site, and then these work on their own for use by the users/services in the Office location, or do the RODCs in Office have realtime access to the DCs in Data Centre?
Keith Alabaster

Second question.... at what point are you getting the error message (and yes exact wording would be helpful).

You will be pleased to know that the authors of the Microsoft Forefront Management Gateway Admin Companion are looking at this as well now. Caused quite a stir as none of us have seen an error similar to your description before in these circumstances :)
ASKER CERTIFIED SOLUTION
Keith Alabaster

Keith Alabaster

An interesting suggestion was just made also: as the RODCs are replicated from Data Centre to Office, can the Data Centre FTMG server also be replicated and then reconfigured just for its external IP address?
gateguard

ASKER
Keith, I'm going to go ahead and accept this answer and just try rebuilding the VPN server.  I value this whole thread as a great resource on the subject and appreciate all your input very much.

Thank you, sincerely.