Configuring NPS connection request policies
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
Connection request policies (CRPs) are conditions and settings that validate requests for network access and govern where this validation is performed. In this scenario, a single CRP is used to authenticate the client for VPN access.
To configure connection request policies
On the computer on which you have installed NPS, click Start, click Run, type nps.msc, and then press ENTER to open the NPS management console. Leave this window open for the following NPS configuration tasks.
In the tree, click Connection Request Policies.
Under Policy Name, right-click the default CRP policy, and then click Disable.
Right-click Connection Request Policies, and then click New.
In the Specify Connection Request Policy Name and Connection Type window, in the Policy name box, type VPN connections.
Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next.
In the Specify Conditions window, click Add.
Double-click Client IPv4 Address, and then on the Client IPv4 Address dialog box, enter the internal IP address of Forefront TMG.
On the Client IPv4 Address dialog box, click OK, and then click Next.
In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected, and then click Next.
In the Specify Authentication Methods window, select Override network policy authentication settings.
Under EAP Types, click Add. On the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.
Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
Select the appropriate server certificate. The server certificate is typically installed automatically when joining the domain.
Verify that Enable Quarantine checks is selected, and then click OK.
Add the following desired authentication methods: Smart Card or other certificate, and Secured password (EAP-MSCHAP v2).
If you configured a network policy for clients not capable of NAP, select the appropriate authentication protocol that you are using (or intend to use) for those clients, for example, Microsoft Encrypted Authentication version 2 (MS-CHAP-v2).
When you are finished, click Next twice, and then click Finish.