Site to Site VPN connection to Windows Azure with Forefront TMG 2010

Written by:
Sunday, June 23, 2013 10:57 AM

Instead of Microsoft Forefront TMG 2010 as your local VPN endpoint, you could also use the integrated "Remote Access" server role of Windows Server 2012 (which combines DirectAccess and Routing and Remote Access). For more information about this Remote Access role see:

In this article I only describe the TMG 2010 (VPN Endpoint) implementation.

First you need access to your Windows Azure portal.

All necessary changes are within the "Networks" category.

Afterwards you have to configure the VPN settings on your (local) Forefront TMG 2010 Server.

I followed this article for this post and my implementation:

Enable Cross-Premises Connectivity to Windows Azure with TMG 2010:


These are my environment specific settings and related pictures:



AzureNet01   <---->   GibelNet01

Net Range  
AzureVNet01 –  
Gateway Subnet –  


DNS Servers and Local Network:

DNS: 192.168.yy.zz  (= IP of my internal on-premises DNS server in the private IP subnet)

Gateway Subnet:

Local Network:

VPN Device IP Address: 82.136.100.xx (external network interface of TMG Server)

Address Space: 192.168.yy.0

Select Static Routing (not Dynamic Routing) when you create your gateway.


On Premises

Private Subnet: 192.168.yy.0

Private DNS Server: 192.168.yy.zz

TMG External IP: 82.136.100.xx (Public IP from provider)


My virtual TMG Server (on a Hyper-V host) has two interfaces, an EXTERNAL and an INTERNAL (2-leg implementation). My TMG Server is not a member of my AD domain (workgroup installation).

Windows Azure blog:

Official Azure tutorials:
- Create a Virtual Network for Site-to-Site Cross-Premises Connectivity:

- Site to Site VPN config over Management Portal:

Other information on TMG 2010 to Azure Site to Site VPN:

Channel9 - Videos: