Changing Forefront TMG VPN Certificate

Question

I need to change my TMG server from an old VPN server certificate to a new one due to changing my internal CA structure.

Where the heck do I do that? I don't see any certificate references in TMG nor in the RRAS MMC.

The references I've found on the net to this process have been vague at best.

EDIT - I am using a L2TP / IPSEC VPN.

Massimo · Accepted Answer · 2012-02-13T20:26:30.493

2

The SSTP VPN service is always associated with a HTTPS web listener; you can change the certificate it uses in its properties.

If you have lots of listeners around and/or don't know what listener the VPN service is using, you can check that in the VPN properties, in the "Protocols" tab.

Edit:

For L2TP/IPSEC, there is no option in the TMG (or ISA) management console to configure which certificate is used; you just need a valid certificate to be stored in the server's machine certificate store, which can be accessed by using the Certificates MMC.

edited Feb 13 '12 at 20:26

answered Feb 13 '12 at 20:15

Massimo

68,714
56
196
319

Good comment. I'm using a L2TP / IPSEC VPN. I'll update the question accordingly. – Tim Brigham Feb 13 '12 at 20:17
@Tim: See edit. – Massimo Feb 13 '12 at 20:26
So if I have *two* valid certificates there is no way to specify which one to use? Wow. – Tim Brigham Feb 13 '12 at 20:29
You can always remove the old one... – Massimo Feb 13 '12 at 20:39
1

This is all handled at the RRAS/IPSec layer; TMG/ISA doesn't modify certificate selection behaviour from the OS for IP protocols (only Webby ones). – TristanK Feb 13 '12 at 22:01

Changing Forefront TMG VPN Certificate

1 Answers1

Edit: