Hi guys, for years we were using ISA 2006 EE, a two-node array. Recently I was playing with the new TMG 2010 on my test setup and I am not able to make simple stupid VPN access work. I have a Hyper-V host, I have a virtual DC server with a new test domain and I have one virtual TMG 2010 Enterprise server with two NICs, one internal and one external; TMG is in the domain. Setup was easy, everything works fine except VPN access. I get error 691, basically it says that it is not able to authenticate me. In the logs I see no red errors, only successful connects. The setup is an exact copy of my working setup on ISA 2006, but there is one thing different on TMG: when I am trying to add a Group in "Configure VPN Client Access" it defaults to the machine instead of to my test domain. When I change to my domain and find the group "Domain Users", after adding it I see Namespace: Windows, Group: None, Domain: BATMG1 (the name of my TMG server). That is different than on ISA and obviously wrong, I am confused... Please advise/help.
TMG/ISA always defaults to the local TMG/ISA Server when you try to select users from the authentication namespace. If I understand you correctly, it is possible to select users and groups from Active Directory? Please check if the RRAS/NPS service from Windows on the TMG Server is correctly configured and started. Which client OS are the VPN clients running? Windows Vista and 7? Did you try it with an XP client? http://support.microsoft.com/kb/926179
< Message edited by Xavier_arena -- 12.Jul.2011 2:58:28 AM >
Thanks for the reply. Our live ISA 2006 EE setup always defaults to the domain, I just double-checked that. My test system defaults to the name of the TMG server. Hmmm.
Now to your questions:
1. Yes, it is possible to select any group in the domain and add it, but after that what I see is "no group" and instead of the domain it shows the name of the server; this is really strange.
2. My setup is DC - Win Server 2008 Std R2 SP1, one LAN interface on what I call SERVER LAN. Fixed IP, forest and domain are at Windows 2003 level (I am trying to simulate our domain environment). TMG is the same version, Win Server 2008 Std R2 SP1 with TMG 2010 without SP1.
3. The client is the same one I am using for the live system (same VPN setup, except it is ISA 2006); it is Windows 7 Ent with all the latest SPs and patches.
4. The systems are running on a Hyper-V server as guests. SERVER LAN is internal with no connection to the physical LAN, EXTERNAL LAN is connected to the physical LAN.
The RRAS/NPS service is running OK, my client complains about authentication (login/password wrong or it is not able to auth.), so I think there is something wrong with my DC (one sign is that strange behaviour while selecting groups). I will test some things, but any further ideas are welcome.
OK. Mystery solved. As a man who knows the VMware virtualization platform a little bit, I was assuming that Hyper-V from Microsoft has the same features, just with different names. In VMware you can clone a server installation and have a new unique server almost instantly. I was using export virtual machine and import virtual machine (Copy mode) to do the same in Hyper-V. It is not the same. I ended up with DC and TMG servers with identical SIDs (ouch). So basically my fault, shortcuts are sometimes longcuts...
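A check that would have caught the root cause above, added here as an example script and not posted by anyone in this thread: it derives each guest's machine SID from a local account SID (every local SID is machine SID plus RID), reads the domain SID for comparison, and flags guests that share a SID. The hostnames BADC1 and BAFS1 and all SID values in the sample are constructed; BATMG1 is the TMG server from the thread. On a domain controller the local SAM is replaced by AD, so compare its domain SID rather than running Get-MachineSid there.

```powershell
# Added example: detect cloned Hyper-V guests (export/import in Copy mode) by comparing machine SIDs.

function Get-MachineSid {
    # A local account SID has the form <machine SID>-<RID>; AccountDomainSid drops the RID.
    $acct = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
            Select-Object -First 1
    if (-not $acct) { throw "No local account found on $env:COMPUTERNAME (domain controller?)" }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($acct.SID)
    return $sid.AccountDomainSid.Value
}

function Get-DomainSid {
    # SID of the domain this host is joined to, read from the domain object's objectSid attribute.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $bytes  = $domain.GetDirectoryEntry().Properties["objectSid"][0]
    return (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Find-DuplicateSids {
    # $SidsByHost: hashtable of hostname -> machine SID, collected by running Get-MachineSid
    # on each guest (locally, or remotely with Invoke-Command). Returns one row per shared SID.
    param([Parameter(Mandatory=$true)][hashtable]$SidsByHost)
    $SidsByHost.GetEnumerator() |
        Group-Object -Property Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Sid   = $_.Name
                Hosts = ($_.Group | ForEach-Object { $_.Key }) -join ', '
            }
        }
}

# Constructed sample input (hypothetical hostnames BADC1/BAFS1, made-up SIDs): BATMG1 was
# imported as a copy of the DC, so it carries the DC's SID and must be reported.
$sample = @{
    'BADC1'  = 'S-1-5-21-1111111111-2222222222-3333333333'
    'BATMG1' = 'S-1-5-21-1111111111-2222222222-3333333333'
    'BAFS1'  = 'S-1-5-21-4444444444-5555555555-6666666666'
}
Find-DuplicateSids -SidsByHost $sample | Format-Table -AutoSize
```

For a live check, replace the sample hashtable with the output of Get-MachineSid from each member server and Get-DomainSid from the DC; a member whose machine SID equals the domain SID or another member's SID was cloned rather than installed, and sysprep (or a fresh install) is the fix.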