Remote VPN clients associated network adapter

I have a TMG 2010 Server that acts as a 3-Leg Firewall (External, DMZ, Internal). I have 2 sets of remote VPN clients, both using separate subnets (one statically assigned IPs via AD, one handled through the TMG/RRAS static pool). In both cases, my VPN subnet does not belong to ANY of my 3-Leg networks.

  My question is due to the fact that twice over the past few weeks, the VPN clients are unreachable, both traffic from VPN clients to DMZ and DMZ to VPN clients.  I will receive the "associated address does not belong to any of the interfaces on TMG" error.  In both cases I have been able to resolve with a reboot.

  So, in the case of having VPN clients on their own subnets, how and where should I add their subnets to the TMG interfaces? 

February 24th, 2015 12:54pm

Hi,

Please check Site-to-Site VPN Connection in the article below.

A site-to-site VPN connection connects two separate private networks. Forefront TMG provides a connection to the network to which the Forefront TMG is attached.

Overview of virtual private networks (VPN)

https://technet.microsoft.com/en-us/library/bb838946.aspx

Best Regards,

Joyce

February 25th, 2015 2:23am

I appreciate you trying to respond, but your answer has no relevance to my question.

Let me rephrase;

Default setup of TMG VPN clients would have the VPN clients being assigned IP addresses from one of the 2 networks sitting behind it (DMZ or Internal). That is not the case here, as I have clients that are assigned IPs that DO NOT reside in the DMZ or Internal network. In the instance when the VPN client assigned addresses DO NOT reside in the Internal or DMZ, should I still define my VPN clients' subnet on one of the network adapters within the TMG network setup?

February 25th, 2015 12:47pm

Let me rephrase;

Default setup of TMG VPN clients would have the VPN clients being assigned IP addresses from one of the 2 networks sitting behind it (DMZ or Internal). That is not the case here, as I have clients that are assigned IPs that DO NOT reside in the DMZ or Internal network. In the instance when the VPN client assigned addresses DO NOT reside in the Internal or DMZ, should I still define my VPN clients' subnet on one of the network adapters within the TMG network setup?


No, you should NOT configure the subnet of your VPN Clients on a protected interface within TMG. As far as I know TMG doesn't even allow you to, because it does not allow overlapping addresses.

One thing I don't get is how you can define two different (static) address pools and make a difference. You should only be able to use a static address pool or DHCP. But I could be wrong. The fact that you lose connectivity is more a scenario for a TMG Array.
May 27th, 2015 10:02am
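The last reply states two constraints that are easy to check before touching the TMG configuration: a VPN client pool must not overlap any interface subnet (TMG rejects overlapping addresses), and a client address that falls in no interface subnet and no VPN pool is exactly the kind of address the "does not belong to any of the interfaces" error complains about. The following script is an added example written for this thread, not code from Microsoft or from any poster; the three interface subnets, the two VPN pools and the client addresses are constructed placeholders, and the function names are my own. It audits a three-leg layout plus two client pools for overlaps and classifies sample client addresses.

```python
"""Audit remote-VPN address pools against a three-leg firewall's interface subnets.

Added example for the thread above; not TMG code. All subnets below are
constructed placeholders (documentation and RFC 1918 ranges), not the
poster's real configuration.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: the three firewall legs and their subnets.
INTERFACES = {
    "External": ip_network("203.0.113.0/24"),
    "DMZ": ip_network("192.168.10.0/24"),
    "Internal": ip_network("10.0.0.0/16"),
}

# Constructed sample: two remote-client pools, neither inside a firewall leg,
# mirroring the AD-assigned pool and the RRAS static pool from the question.
VPN_POOLS = {
    "AD-assigned": ip_network("10.99.1.0/24"),
    "RRAS-static-pool": ip_network("10.99.2.0/24"),
}


def find_overlaps(interfaces, pools):
    """Return (pool_name, interface_name) pairs whose subnets overlap.

    Any hit here is a configuration TMG would refuse, per the reply above.
    """
    return [
        (pool_name, if_name)
        for pool_name, pool_net in pools.items()
        for if_name, if_net in interfaces.items()
        if pool_net.overlaps(if_net)
    ]


def pool_collisions(pools):
    """Return pairs of VPN pools that overlap each other (each pair once)."""
    names = list(pools)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pools[a].overlaps(pools[b]):
                hits.append((a, b))
    return hits


def classify(addr, interfaces, pools):
    """Tell which interface subnet or VPN pool an address belongs to.

    Returns ("interface", name), ("vpn-pool", name) or ("unknown", None);
    "unknown" is an address the firewall has no network definition for.
    """
    ip = ip_address(addr)
    for name, net in interfaces.items():
        if ip in net:
            return ("interface", name)
    for name, net in pools.items():
        if ip in net:
            return ("vpn-pool", name)
    return ("unknown", None)


def audit(interfaces, pools, client_addrs):
    """Run all checks and return the findings as one dict."""
    return {
        "overlaps": find_overlaps(interfaces, pools),
        "pool_collisions": pool_collisions(pools),
        "clients": {a: classify(a, interfaces, pools) for a in client_addrs},
    }


if __name__ == "__main__":
    # Constructed sample client addresses: one from each pool, one from the
    # DMZ, and one that no network definition covers.
    result = audit(INTERFACES, VPN_POOLS,
                   ["10.99.1.20", "10.99.2.7", "192.168.10.5", "172.16.0.1"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running the block prints no overlaps for the sample layout and flags `172.16.0.1` as `unknown`; swapping a pool for a subnet inside `10.0.0.0/16` makes `find_overlaps` report the collision with the Internal leg, which is the case the reply says TMG will not accept.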
