Configuring addresses for NLB-enabled remote sites

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

When configuring addresses for NLB-enabled remote sites, note the following:

  • The address you specify for the remote tunnel endpoint must be the virtual IP address of the NLB-enabled array.

  • When you create the remote site network, specify all the addresses in the remote site.

  • For Internet Protocol security (IPsec) networks, HTTP proxy, or network address translation (NAT) traffic between sites, you must include all the dedicated IP addresses of the network adapters associated with the remote site network. The source IP addresses for HTTP proxy and NAT traffic from remote sites are subject to address translation (on the remote side), so the local site sees the traffic as if it is arriving from the primary IP address of the remote site; that is, from its dedicated IP address.

  • When the remote site network is an NLB-enabled array, the initial connection from this array of Forefront TMG servers will be to the virtual IP address of the computer. The tunnel will be established from one of the dedicated IP addresses on the remote array. For this reason, you must specify all the dedicated IP addresses as additional remote tunnel endpoints. This is supported on Routing and Remote Access (RRAS) VPN networks (PPTP and L2TP) only.
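
A pre-deployment check of a planned remote site definition against the notes above, as an added example (not Microsoft's code and not a Forefront TMG API). The plan dictionary, its key names, and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress

def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (first, last) address range."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def check_remote_site(plan):
    """Return a list of findings; an empty list means the plan follows the notes."""
    findings = []
    vip, dips = plan["remote_vip"], plan["remote_dips"]
    # The remote tunnel endpoint must be the virtual IP of the NLB-enabled array.
    if ipaddress.ip_address(plan["tunnel_endpoint"]) != ipaddress.ip_address(vip):
        findings.append(f"tunnel endpoint {plan['tunnel_endpoint']} is not the VIP {vip}")
    # The remote site network must include every dedicated IP address (DIP),
    # because proxied/NATed traffic arrives from a DIP. Applied unconditionally here.
    for dip in dips:
        if not in_ranges(dip, plan["network_ranges"]):
            findings.append(f"DIP {dip} is missing from the remote site network")
    # On RRAS tunnels (PPTP, L2TP) each DIP must be an additional tunnel endpoint,
    # since the tunnel is established from one of the DIPs.
    if plan["protocol"] in ("PPTP", "L2TP"):
        extra = {ipaddress.ip_address(e) for e in plan["additional_endpoints"]}
        for dip in dips:
            if ipaddress.ip_address(dip) not in extra:
                findings.append(f"DIP {dip} is not an additional remote tunnel endpoint")
    return findings

# Constructed sample plans using documentation address ranges.
GOOD_PLAN = {
    "protocol": "L2TP",
    "remote_vip": "203.0.113.10",
    "remote_dips": ["203.0.113.11", "203.0.113.12"],
    "tunnel_endpoint": "203.0.113.10",
    "additional_endpoints": ["203.0.113.11", "203.0.113.12"],
    "network_ranges": [("10.20.0.0", "10.20.0.255"), ("203.0.113.11", "203.0.113.12")],
}
BAD_PLAN = dict(GOOD_PLAN,
                tunnel_endpoint="203.0.113.11",           # a DIP, not the VIP
                additional_endpoints=["203.0.113.11"],    # second DIP omitted
                network_ranges=[("10.20.0.0", "10.20.0.255")])  # DIPs omitted

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_remote_site(plan) or "OK")
```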

