Symptoms
Consider the following scenarios.
Scenario 1
-
A server that is running Microsoft Forefront Threat Management Gateway 2010 is configured for a VPN site-to-site connection and uses IPsec Tunnel mode.
-
The Forefront TMG 2010 server is also configured to use network address translation (NAT) between two networks such as an internal network and an external network.
-
Clients on the internal network try to access a Point-to-Point Tunneling Protocol (PPTP) virtual private network (VPN) server on the external network.
Scenario 2
-
A server that is running Microsoft Forefront Threat Management Gateway (TMG) 2010 is configured for a VPN site-to-site connection and uses IPsec Tunnel mode.
-
The Forefront TMG 2010 server is also configured to publish a Point-to-Point Tunneling Protocol (PPTP) virtual private network (VPN) server.
-
Clients try to access the PPTP VPN server through the Forefront TMG 2010 server.
In these scenarios, the establishment of the client's PPTP connection may be unsuccessful because Forefront TMG 2010 drops the PPTP server's Generic Routing Encapsulation (GRE) packets.
Cause
The issue occurs because of incorrect handling of GRE packets in NAT mode when an IPSec-based site-to-site VPN is configured in Forefront TMG.
Resolution
To resolve this problem, install the hotfix package that is described in the following article in the Microsoft Knowledge Base:
2735208 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
