Cisco VPN client with Forefront TMG

So this one has been bugging me for a while... and then a client asked for it, so I had to get it sorted.

So it seems with some Cisco VPN connections, I can connect but not send any traffic when the Cisco VPN client is behind a TMG server. Give the VPN client a direct connection and it's fine... so after a bit of looking, I think I have it working:

1) Set AssumeUDPEncapsulationContextOnSendRule = 2 as per http://support.microsoft.com/kb/926179

2) Run netsh tmg set global name=BlockSecuredInDefaultState value=0 persistent on the TMG server – as per http://forums.isaserver.org/m_2002104621/mpage_1/key_/tm.htm#2002104688 (then reboot)

3) Create 2 publishing rules on the TMG server: one which reverse publishes IKE and the other NAT-T
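Step 1 is the part most likely to be done by hand and then forgotten, so here is a small PowerShell snippet (added here, not from the original post) that sets the value on the client PC and reads it back to confirm it stuck. The registry path is the one KB926179 gives for Windows Vista / Server 2008 and later; the KB uses `HKLM\SYSTEM\CurrentControlSet\Services\IPSec` for XP / Server 2003 instead. Value 2 is what the post calls for; per the KB it lets IPsec NAT-T work when both the client and the far-end server are behind NAT, which is exactly why it is not the default.

```powershell
# Added example (not from the original post): set and verify the IPsec NAT-T
# registry value from step 1 on the Cisco VPN client machine behind TMG.
# Path is from KB926179 for Vista/2008 and later (assumption: you are on one of those).
#Requires -RunAsAdministrator
$path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name  = 'AssumeUDPEncapsulationContextOnSendRule'
# 0 = no SAs to servers behind NAT (default), 1 = server behind NAT,
# 2 = both client and server behind NAT (what this post needs).
$value = 2

function Get-NatTRule {
    # Returns the current DWORD, or $null when the value has never been created.
    $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$name
}

$before = Get-NatTRule
if ($null -eq $before) {
    Write-Host "Before: $name not set (behaves as 0)"
} else {
    Write-Host "Before: $name = $before"
}

if ($before -ne $value) {
    # -Force overwrites an existing value of a different type or number.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $value -Force | Out-Null
    Write-Host "Set $name = $value. Reboot (or restart the IPsec Policy Agent service) before testing the VPN."
} else {
    Write-Host "$name is already $value, nothing to change."
}

# Read it back rather than trusting the write succeeded.
$after = Get-NatTRule
if ($after -ne $value) {
    throw "Verification failed: $name is '$after', expected $value"
}
Write-Host "Verified: $name = $after"
```

Run it in an elevated PowerShell on the client; steps 2 and 3 still have to be done on the TMG server itself.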

4 thoughts on “Cisco VPN client with Forefront TMG”

    1. Sure.

      Create a reverse publishing rule, point it to your Cisco VPN client device, and define a protocol of IKE (UDP 500).
      Repeat the above for NAT-T (UDP 4500).

      Your comment would seem to indicate your clients are external trying to connect to your Cisco VPN device though... this (short) article is regarding Cisco VPN clients which sit behind a TMG and need to connect to an external Cisco VPN endpoint.

        1. OK, well if you are talking about external Cisco VPN clients trying to VPN into the organisation, the answer is that you do not reverse publish a VPN endpoint, for any product, not just Cisco.

          A firewall/VPN product which acts as a gateway to the internet would generally be expected to have an interface on the external (internet) side of the network to which VPN clients would connect.