Forefront TMG doesn't offer an out-of-the-box way to push routes for specific subnets to VPN clients.
If you configure it to assign IP addresses from a predefined pool, TMG relies on the VPN client to do one of two things:
- either use TMG as its default gateway - all non-local traffic will be sent over the VPN,
- or add an entry to its routing table based on the class (A, B or C) to which the assigned IP address belongs. For instance, if the granted address is 10.3.4.5, the Windows VPN client can add a route to the whole class A network - 10.0.0.0/8 - towards the VPN.
If we don't want either of these options, the only way is to configure TMG to request addresses for its VPN clients from DHCP.
Here is how it's done - it's pretty counter-intuitive:
1. In the TMG Management console, go to "Remote Access Policy (VPN)" and then click "Configure address assignment method".
Specify the pool of addresses you want to distribute to the clients:
The very first address of this range - in this case, 10.50.9.10 - will be used as the address of the DHCP relay agent (the GIADDR field in the DHCP request).
This is important, because the DHCP server uses GIADDR to decide which scope's settings (including the static route options) are sent with the response.
2. We need to configure the DHCP Relay Agent with the address of our DHCP server and add "Internal" to its list of interfaces. This Internal interface isn't related to the Internal network in the TMG Management console shown in the screenshot above; it represents the VPN clients.
3. Now let's set up the DHCP server itself. We need to define a scope with the same pool of addresses we defined on TMG. Then we can play with Scope Options, adding whatever settings we wish to push to VPN clients - including option 121, "Classless Static Routes":
4. And the last thing - configure the Windows VPN client itself.
By default, it's configured to forward all traffic to unknown networks via the VPN connection. To take advantage of split routing, we need to change that:
- unmark the "Use default gateway on remote network" option - we don't want a route for 0.0.0.0/0,
- mark "Disable class based route addition" - we don't want a route for the whole 10.0.0.0/8 network.
Now, what happens after a VPN user connects and authenticates is:
- TMG selects an address from its static address pool - let's say, 10.50.9.11.
- It sends a "DHCP Inform" request to the DHCP server - 10.50.80.12. In this request, it specifies two important parameters:
- the requested IP address - 10.50.9.11,
- the address of the DHCP relay agent (the GIADDR field) - which is the first address in the pool, 10.50.9.10.
- The DHCP server uses the GIADDR field to find the relevant scope and make sure that the requested address is available. Then it replies with a "DHCP Ack" message, which carries the options defined for this scope - including the "Classless Static Routes" option.
- TMG relays this packet to the client.
- The client adds the received route to its forwarding table:
IPv4 Route Table
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.30.10.10    10.30.50.25     10
        10.30.0.0    255.255.192.0         On-link     10.30.50.25    266
      10.30.10.14  255.255.255.255         On-link     10.30.50.25     11
      10.30.50.25  255.255.255.255         On-link     10.30.50.25    266
     10.30.63.255  255.255.255.255         On-link     10.30.50.25    266
        10.50.0.0      255.255.0.0         On-link      10.50.9.13     11
        10.50.9.0    255.255.255.0         On-link      10.50.9.13     11
       10.50.9.13  255.255.255.255         On-link      10.50.9.13    266
      10.50.9.255  255.255.255.255         On-link      10.50.9.13    266
    10.50.255.255  255.255.255.255         On-link      10.50.9.13    266
Note the route to 10.50.0.0/16.
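The two pieces that make this work are the wire format of option 121 (what the scope option in step 3 actually sends) and the GIADDR-based scope selection described in the exchange above. The following Python is an added example written for this post, not TMG, Windows DHCP or RRAS code: it encodes and decodes option 121 in the RFC 3442 compact form, mimics the server picking a scope from GIADDR and checking the requested address against the pool, and adds a client-side check that refuses pushed routes outside the expected corporate prefix. The scope table, the pool end (10.50.9.100) and the next-hop address inside the pushed route are constructed assumptions; the post only gives the pool start 10.50.9.10 and the pushed 10.50.0.0/16.

```python
import ipaddress

# Constructed lab values, following the post: the TMG static pool starts at
# 10.50.9.10 (the address TMG places in GIADDR) and the matching DHCP scope
# carries option 121 with a single route for 10.50.0.0/16. The pool end and
# the router address inside the pushed route are assumptions, not from the post.
SCOPES = {
    "10.50.9.0/24": {
        "pool": ("10.50.9.10", "10.50.9.100"),        # assumed pool end
        "routes": [("10.50.0.0/16", "10.50.9.10")],  # assumed next hop
    },
}


def encode_option121(routes):
    """Encode (destination/prefix, router) pairs in RFC 3442 compact form:
    one byte of prefix length, only the significant destination octets,
    then the 4-byte router address."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)      # strict: host bits must be zero
        sig = (net.prefixlen + 7) // 8         # octets needed to carry the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(payload):
    """Parse an option 121 payload back into (destination/prefix, router)
    strings, rejecting truncated or malformed data instead of guessing."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + sig] + b"\x00" * (4 - sig)   # pad to 4 octets
        router = payload[i + sig:i + sig + 4]
        i += sig + 4
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def select_scope(giaddr, requested_ip, scopes=SCOPES):
    """Mimic the server-side step from the post: pick the scope that contains
    GIADDR, then confirm the requested address lies in that scope's pool.
    Returns the scope key, or None when nothing matches."""
    g = ipaddress.IPv4Address(giaddr)
    r = ipaddress.IPv4Address(requested_ip)
    for cidr, scope in scopes.items():
        if g in ipaddress.IPv4Network(cidr):
            lo, hi = (ipaddress.IPv4Address(a) for a in scope["pool"])
            return cidr if lo <= r <= hi else None
    return None


def ack_option121(giaddr, requested_ip, scopes=SCOPES):
    """Option 121 bytes the DHCP Ack for this request would carry, or None
    when no scope matches the relay address / requested address pair."""
    cidr = select_scope(giaddr, requested_ip, scopes)
    return None if cidr is None else encode_option121(scopes[cidr]["routes"])


def routes_within(routes, allowed):
    """Client-side sanity check: every pushed destination must fall inside
    one of the allowed prefixes, so a default route or a broad 10.0.0.0/8 is
    refused even if a DHCP reply offers it."""
    allowed_nets = [ipaddress.IPv4Network(a) for a in allowed]
    return all(
        any(ipaddress.IPv4Network(d).subnet_of(n) for n in allowed_nets)
        for d, _ in routes
    )


if __name__ == "__main__":
    payload = ack_option121("10.50.9.10", "10.50.9.11")
    print(payload.hex())                                   # 100a320a32090a
    print(decode_option121(payload))                       # [('10.50.0.0/16', '10.50.9.10')]
    print(routes_within(decode_option121(payload), ["10.50.0.0/16"]))  # True
```

The encoded payload for the single route is seven bytes: prefix length 16, the two significant octets 10.50, and the router 10.50.9.10. A request relayed with a GIADDR outside 10.50.9.0/24 (for example the client's physical-LAN gateway 10.30.10.10) matches no scope and gets no routes, which is exactly why the first pool address has to belong to the scope on the DHCP server.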