Hi all,

Well, the good news is the problem is solved. The bad news is, it was not a routing problem. Sorry, Jim. (I never really believed that anyway, since I could do everything (ping, RDP, open shared folders, etc.) across the VPN, except get DPM to communicate.)

I ended up calling MS Support. They spent about four hours working on it, figuring out what the problem was, and then another hour or so implementing the fix. The problem was the RPC filter. If we disabled the filter, the problem went away. But obviously we didn't want to disable the RPC filter. But there was no indication of a problem in the TMG console when monitoring the traffic in Logs & Reports. So the MS tech captured the traffic while we tried to sync. He figured out that he needed to edit the RPC filter and add in a bunch of UUIDs. Then we had to stop and restart the VPN. Finally everything worked. I can't tell you why nothing appeared in the TMG console when monitoring.

Anyway, it's working now.

Thanks,
Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, March 19, 2012 4:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Can't get my DPM servers to communicate over TMG-based VPN

Rob,

Glad you find the book useful...

Have you tried using a netcap tool to see if the traffic from DPM1 is reaching DPM2 and vice versa? 99 times out of 10, if nothing is obviously being blocked by TMG, it's a routing issue.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Monday, March 19, 2012 11:25 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Can't get my DPM servers to communicate over TMG-based VPN

Any idea why my two DPM servers (the primary here in the home site and the secondary at a remote site) won't communicate over my TMG VPN?

I can RDP to the remote DPM server, I can ping both ways on the VPN, but when I try to get the remote DPM server to talk with the primary DPM server, the secondary DPM says the primary agent is "Unavailable." I can't see any errors on TMG, but I may not be monitoring the right thing. I set the VPN up according to Jim's book, Microsoft Forefront Threat Management Gateway (TMG) Administrator's Companion. The VPN seems to be working.

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
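The step that resolved the thread above was capturing the traffic and reading the RPC interface UUIDs out of the DCE/RPC bind requests so they could be added to the TMG RPC filter. As an added illustration (not from the thread or from Microsoft), this script parses a connection-oriented DCE/RPC v5 bind PDU and lists the interface UUIDs and versions it requests; the sample PDU and its abstract-syntax UUIDs are constructed placeholders, not DPM's real interface IDs, and only the little-endian data representation is handled.

```python
import struct
import uuid

# Standard NDR transfer syntax (a real, well-known identifier).
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

def build_bind(interfaces, call_id=1):
    """Assemble a v5 bind PDU requesting the given (UUID, major, minor) interfaces."""
    contexts = b""
    for ctx_id, (iface, major, minor) in enumerate(interfaces):
        # p_cont_elem_t: context id, number of transfer syntaxes, reserved byte
        contexts += struct.pack("<HBB", ctx_id, 1, 0)
        contexts += iface.bytes_le + struct.pack("<HH", major, minor)
        contexts += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    # max_xmit_frag, max_recv_frag, assoc_group_id, n_context_elem, reserved, reserved2
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(interfaces), 0, 0) + contexts
    frag_len = 16 + len(body)
    # rpc_vers=5, minor=0, ptype=11 (bind), flags FIRST|LAST, drep LE, frag_len, auth_len, call_id
    header = struct.pack("<BBBBBBBBHHI", 5, 0, 11, 0x03, 0x10, 0, 0, 0, frag_len, 0, call_id)
    return header + body

def parse_bind(pdu):
    """Return [(interface UUID string, 'major.minor'), ...] requested by a bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if pdu[4] & 0xF0 != 0x10:
        raise ValueError("only little-endian data representation is handled")
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    n_ctx = pdu[24]
    off = 28
    found = []
    for _ in range(n_ctx):
        n_syntax = pdu[off + 2]
        iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        major, minor = struct.unpack_from("<HH", pdu, off + 20)
        found.append((str(iface), f"{major}.{minor}"))
        off += 24 + 20 * n_syntax  # element header + abstract syntax + transfer syntaxes
    return found

# Constructed sample: two placeholder interfaces, as a capture of a client bind might show.
SAMPLE_INTERFACES = [
    (uuid.UUID("12345678-1234-1234-1234-123456789abc"), 1, 0),
    (uuid.UUID("abcdefab-0000-1111-2222-333333333333"), 2, 3),
]
SAMPLE_PDU = build_bind(SAMPLE_INTERFACES)

if __name__ == "__main__":
    for iface, ver in parse_bind(SAMPLE_PDU):
        print(f"interface {iface} v{ver}")
```

Run over the bind PDUs of a real capture, the output is the list of interface UUIDs the RPC filter must allow; a bind that TMG never passes will show up as a bind with no bind_ack reply.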