Consider the following scenario:
- You configure a Microsoft Forefront Threat Management Gateway (TMG) 2010 server as an IPsec site-to-site tunnel endpoint.
- You establish the IPsec tunnel, and then clients access resources on both sides of the VPN tunnel.
- You try to access the internal IP address of the Forefront TMG 2010 server by using a client on the remote network of the endpoint.
This issue occurs because the IPsec security context for the locally destined packet is removed before it is evaluated by the incoming transport layer.
To resolve this issue, follow these steps:
- Install the software update that is described in the following Microsoft Knowledge Base (KB) article:2498770 Software Update 1 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
- Make sure that the packets are not dropped by running the following command at a command prompt on each Forefront TMG server:netsh tmg set global name=DontDropIPSECDetunneledTrafficToLocalhost value=1 persistentNote To revert to the default settings, run the following command:netsh tmg set global name=DontDropIPSECDetunneledTrafficToLocalhost value=0 persistent
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates