Saturday, April 29, 2017

How to configure split routing in TMG

Note: I know that the whole ForeFront family is no longer supported by Microsoft (alas!). But TMG is a great product, it's still in use and there are companies still selling & supporting it. So I feel that sharing this info still can be useful for someone.

​​​​​​​​​​​​​​The ForeFront TMG doesn't allow out-of-the-box to push routes for specific subnets to VPN clients.
If you configure it to assign IP addresses out of predefined pool, then TMG relies on VPN client that it will:
  • either define TMG to function as default gateway - all non-local traffic will be sent over VPN,
  • or add an entry to routing table based on class (A, B or C) to which the assigned IP address belongs. For instance, if granted address is, then Windows VPN client can add route to the whole class A subnet - - towards VPN.
​If we don't want either of these options, then the only way is to configure TMG to request addresses for its VPN clients from DHCP.

That's how it's done - it's pretty counter-intuitive:

1. In TMG Management console, go to "Remote Access Policy (VPN)" and then click on "Configure address assignment method".
Specify a pool of addresses, which you want to distribute to the clients:
The very first address of this range - in this case, - will be used as address of DHCP relay agent (the GIADDR field in DHCP request).
This is important, because DHCP server uses GIADDR to recognize, settings from which scope should be used sent with the response (including the static route options).

2. Now we need to launch the "Routing and Remote Access" console, expand the local TMG host node , expand IPv4, right-click General, select "New routing protocol..." and add DHCP relay agent.
We need to configure it with the address of our DHCP server and add "Internal" to its list of interfaces. This Internal interface isn't related to Internal network in TMG Management console, appearing on the screenshot above. It represents VPN clients.

3. Now let's set up DHCP server itself. We need to define a scope with the same pool of addressses we defined on TMG itself. Now we can play with Scope Options, adding different settings we wish to push to VPN clients - including option 121, "Classless Static Routes":

N.B. The address in "Router" field can be anything, as long as it falls inside the subnet range. It doesn't really matter - when the route is pushed into VPN client's forwarding table, the "Gateway" will be set to "On-link", since its point-to-point connection.

4. And the last thing - configure the Windows VPN client itself.
By default, it's configured to forward all traffic to unknown networks via the VPN connection. To take advantage of split routing, we need to change that:
  • unmark the "Use default gateway on remote network" option - we don't want to add route for
  • mark the "Disable class based route addition" - we don't want route for the whole subnet.

Now what is going to happen after VPN user connects and authenticates is:
  • ​TMG will select some address from its static address pool - let's say,
  • It will send "DHCP Inform" request to the DHCP server - In this request, it will specify two important parameters:
    • requested IP address -,
    • address of the DHCP relay agent (the GIADDR field) - which is the first address in the pool,
  • ​The DHCP server will use the GIADDR field to find relevant scope and make sure that the requested address is available. Then it will reply with "DHCP Ack" mess​age, which will carry the options defined to this scope - including the "Classless Static Routes" option.
  • TMG will relay this packet to the client.
  • The client will add the received route to its forwarding table:
    IPv4 Route Table
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric 
           On-link    266 
         On-link     11 
         On-link    266          On-link    266 
           On-link     11 
           On-link     11 
          On-link    266 
         On-link    266         On-link    266​ 
Note the route to

The DHCP_Inform_and_Ack.pcap file contains example of packets exchange between the relay agent (TMG) and the DHCP server.

No comments:

Post a Comment