Techrunner

TMG 2010 ISP Redundancy

Hello,

I want to configure TMG ISP-R. I have 2 different ISPs (ISP 1 and ISP 2).
My current setup.


TMG with 2 NICs (Internal and External), configured as proxy only.

Internal NIC Configuration:

IP : 192.168.1.2
SM: 255.255.255.0

DNS: 192.168.2.2
         192.168.2.3

External NIC
IP: 1.1.1.1
SM: 255.255.255.248
G/W: 1.1.1.2

Our TMG is a member of the Windows domain. I have a forwarder configured on the internal DNS pointing to the ISP 1 DNS.

Please help me to configure ISP-R Feature and also DNS failover.

Thanks
Cliff Galiher

The wizards do this with very little complication. You will need to add another external NIC for your redundant connection, but from there just run the wizard and answer the questions.
Techrunner

ASKER

Thanks. Well, this is very little information.

- How about the DNS configuration? My internal DNS server is forwarding the DNS requests to ISP 1.
- How can I also achieve DNS failover?

My current ISP1 setup



Internet----Router----ASA----Internal Network----DNS/DC
                                     |
                                     |
                                     |
                                  TMG
With redundant ISP connections, DNS wouldn't fail over; you'd either use ISP agnostic DNS forwarders or you'd add forwarders for both ISPs to your internal DNS server. Then, because TMG handles the ISP routing, traffic would flow as expected, INCLUDING your DNS queries.

You are right, it is very little information. But very little information was provided in the question as well. The wizard is VERY robust. Until you've tried it, and have a SPECIFIC problem or question, the answer will remain as generic as the question.
cgaliher is right...
ASKER CERTIFIED SOLUTION
Craig Beck
This solution is only available to members.
Can I do it this way?

- Configure Internal DNS forwarder to point TMG Internal IP
- Install DNS service on TMG and configure ISP 1 & 2 DNS servers as forwarders.

Thanks
You could do that.

You might still need to configure a static route though, but on the TMG instead, to point to the ISP1 DNS servers via the ASA.
Thanks


- DNS will not be configured on TMG's External Interfaces but will be on internal interface instead.
- Internal DNS will forward the request back to TMG.
- TMG will forward the request to ISP's DNS.

But will it not affect DNS performance?
SOLUTION
This solution is only available to members.
Thanks Craigbeck, I really appreciate it and I like the way you explain things.
Hey no problem - that's what I'm here for!

Thanks, Samir :-)
Hi craigbeck,


I have installed TMG fresh.

I am on the Getting Started - Network Setup Wizard.

I have three options. Among them, should I select Back to Back firewall or 3 leg perimeter?

A little confused.

Thanks
You just want to use the edge firewall option.
Thanks
I installed and configured TMG with ISP-R.
I also added the DNS static routes pointing to the specific ISP.
Web proxy clients can access the internet.
Failover is good.
I just observed something: I changed the DNS static route for ISP1 and also changed the forwarder, but then the web clients started receiving the "Network Access Error Page of TMG".
Then I tried pinging the DNS server from TMG and it started working. Please can you help explain why that is so?
One more thing

I am trying to understand the link detection interval time but couldn't understand it from the articles available on the internet.

I need to understand it and how I can change the default.

For example, when the primary ISP link goes down, traffic should go through the secondary link within 10 seconds.
Once the primary link comes back, traffic should resume on it within 10 sec.

Thanks for your help
SOLUTION
This solution is only available to members.
Hi,
I have saved the following text as a .vbs file and tried to run it from the desktop, but there was no response.


set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 60
ISPRCfg.TestIntervalLinkAvailable = 60
ISPRCfg.TestIntervalLinkUnavailable = 60
ISPRCfg.FailuresToUnavailable = 2
ISPRCfg.SuccessesToAvailable = 2
ISPRCfg.Save
The VBS script doesn't contain anything that would ask you to confirm the changes, so it will likely just run and exit without giving you any feedback.

You should be able to search the registry for those values to see if they have been applied.
Hi,

I tried changing the timing to 45 seconds and verified that those values are applied in the registry, but it still takes 120 seconds to fail over to ISP 2. Any guess?

set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 45
ISPRCfg.TestIntervalLinkAvailable = 45
ISPRCfg.TestIntervalLinkUnavailable = 45
ISPRCfg.FailuresToUnavailable = 2
ISPRCfg.SuccessesToAvailable = 2
ISPRCfg.Save

Thanks
The failurestounavailable value is 2, so it will wait a minimum of 90s (2*45) to fail over.
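A read-back check for the settings discussed above, added here as an example and not part of the thread or of any Microsoft script. It uses only the object path and property names from the posted script, assumes those properties can be read as well as written, and compares against the 45-second values posted above.

```vbscript
' Added example: verify the ISP-R link-detection settings after applying them.
' Run on the TMG server from an elevated prompt so output goes to the console:
'   cscript //nologo check-ispr.vbs   (file name is arbitrary)
' Assumption: the properties the thread's script sets are also readable.
Option Explicit

Dim root, arr, extNet, cfg, mismatches
mismatches = 0

Set root = CreateObject("FPC.Root")
Set arr = root.GetContainingArray()
Set extNet = arr.NetworkConfiguration.Networks("External")
Set cfg = extNet.ISPRedundancyConfig

' Print one line per setting and count values that differ from what was intended.
Sub Check(label, actual, wanted)
    If actual = wanted Then
        WScript.Echo "OK    " & label & " = " & actual
    Else
        WScript.Echo "DIFF  " & label & " = " & actual & " (expected " & wanted & ")"
        mismatches = mismatches + 1
    End If
End Sub

' Expected values: the 45-second configuration posted in the thread.
Check "MinimalResumeTime", cfg.MinimalResumeTime, 45
Check "TestIntervalLinkAvailable", cfg.TestIntervalLinkAvailable, 45
Check "TestIntervalLinkUnavailable", cfg.TestIntervalLinkUnavailable, 45
Check "FailuresToUnavailable", cfg.FailuresToUnavailable, 2
Check "SuccessesToAvailable", cfg.SuccessesToAvailable, 2

' Minimum wait before failover as described in the reply above:
' consecutive failed probes multiplied by the probe interval.
WScript.Echo "Minimum failover wait: " & _
    (cfg.FailuresToUnavailable * cfg.TestIntervalLinkAvailable) & " s"

' Non-zero exit code lets a scheduled task or wrapper script detect drift.
If mismatches > 0 Then WScript.Quit 1
```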
Hi

I have changed the above values to 1 but it still takes 120 seconds to fail over and fail back.
Did you restart the server or TMG services?
Yes Sir, I rebooted the server after running the VB script.
SOLUTION
This solution is only available to members.
I tried doing this; now it's taking 45 seconds.


set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 15
ISPRCfg.TestIntervalLinkAvailable = 10
ISPRCfg.TestIntervalLinkUnavailable = 10
ISPRCfg.FailuresToUnavailable = 1
ISPRCfg.SuccessesToAvailable = 1
ISPRCfg.Save

Thanks craigbeck for your support

I am really appreciating your help.

Thanks a lot.
Sir,

Suddenly I started facing a problem: web proxy clients started receiving an "Authentication Required" pop-up.

I tried nslookup on the TMG server for my domain but it cannot be resolved.
This is my DNS configuration

- DNS service installed on TMG server and configured with forwarders to ISP's DNS servers
- Internal NIC configured with 127.0.0.1 ( Primary) and Internal DNS server ( alternative)


Please any help.

Thanks for your time.
Thanks, I opened a new ticket.

https://www.experts-exchange.com/questions/28337158/TMG-ISP-Redudancy-and-DNS.html

Please have a look. I'll update the comment there.