HayesJupe's Blog

March 17, 2011

Cisco VPN client with Forefront TMG

Filed under: Uncategorized — hayesjupe @ 7:51 pm

So this one has been bugging me for a while… and then a client asked for it – so I had to get it sorted.

So it seems with some Cisco VPN connections, I can connect, but not send any traffic when the Cisco VPN client is behind a TMG server. Give the VPN client a direct connection and it's fine… so after a bit of looking, I think I have it working:

1) Set AssumeUDPEncapsulationContextOnSendRule = 2 as per http://support.microsoft.com/kb/926179

2) Run netsh tmg set global name=BlockSecuredInDefaultState value=0 persistent on the TMG server – as per http://forums.isaserver.org/m_2002104621/mpage_1/key_/tm.htm#2002104688 (then reboot)

3) Create 2 publishing rules on the TMG server, one which reverse publishes IKE and the other NAT-T
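As an added example (not from the original post), step 1 applied idempotently from PowerShell on the client: it reads the current AssumeUDPEncapsulationContextOnSendRule value, sets it to 2 only if needed, and reports whether the reboot the KB calls for is still outstanding. It assumes Windows Vista or later, where KB926179 places the value under the PolicyAgent service key (on Windows XP the KB uses the IPsec service key instead).

```powershell
# Added example, not part of the original post. Applies step 1 (KB926179) idempotently
# and reports whether a reboot is still required. Assumes Vista or later, where the
# IPsec service key is ...\Services\PolicyAgent (Windows XP uses ...\Services\IPsec).
function Set-UdpEncapsulationRule {
    param([ValidateSet(0, 1, 2)][int]$Desired = 2)   # 2 = client and server may both sit behind NAT

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $name = 'AssumeUDPEncapsulationContextOnSendRule'

    # Read the existing value; $null when the value has never been created.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($current -eq $Desired) {
        # Nothing to change; assume any earlier change has already been followed by a reboot.
        return [pscustomobject]@{ Changed = $false; Value = $current; RebootRequired = $false }
    }

    # Create or overwrite the DWORD; the IPsec service only reads it at startup, hence the reboot.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Desired -Force | Out-Null
    return [pscustomobject]@{ Changed = $true; Value = $Desired; RebootRequired = $true }
}

# Run from an elevated prompt; restart the client when RebootRequired is $true.
Set-UdpEncapsulationRule -Desired 2
```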



  1. Hi. Could you please explain more about step 3?
    I'm stuck in the middle and users cannot connect to VPN from outside.
    I would appreciate any answer in advance.

    Comment by Manoochehr Zangooei — November 11, 2014 @ 4:02 am | Reply

    • Sure.

      Create a reverse publishing rule, point it to your Cisco VPN client device, and define a protocol of IKE (UDP 500).
      Repeat the above for NAT-T (UDP 4500).

      Your comment would seem to indicate your clients are external trying to connect to your Cisco VPN device though… this (short) article is regarding Cisco VPN clients which sit behind a TMG and need to connect to an external Cisco VPN endpoint.

      Comment by hayesjupe — November 12, 2014 @ 8:52 pm | Reply

      • Yes, my clients are external trying to connect to my Cisco VPN device. Could you please tell me a little more? I'm badly stuck. I don't know about reverse publish. I have searched but I got nothing important.

        Comment by Manoochehr Zangooei — November 13, 2014 @ 4:54 pm

      • Ok, well if you are talking about external Cisco VPN clients trying to VPN into the organisation – the answer is that you do not reverse publish a VPN endpoint – for any product, not just Cisco.

        A firewall/VPN product which acts as a gateway to the internet would generally be expected to have an interface on the external (internet) side of the network to which VPN clients would connect.

        Comment by hayesjupe — November 15, 2014 @ 6:27 am
