ISP Redundancy made easy

In Africa (and potentially where you live…), the reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, an interruption of ISP connectivity carries significant costs for a business.  These include:

•Lost reputation
•Inability for personnel to communicate over IM
•Inability of personnel to research
•Ultimately – lost productivity and profitability

This really depends on the industry and that industry's reliance on Internet connectivity.  Online traders, for example, would require a significantly more reliable Internet experience than, say, your local school.

Attempts to get around ISP failures include trying to fool your ISA server with multiple default gateways that have different metrics.  However, this only gives one ISP all of the traffic and the other gets nothing.  In the event of a failure of the primary ISP, manual intervention is required, as ISA only does what you tell it (default gateway means ‘default’).

Another way to try to avoid this is to give both default gateways an equal metric.  This doesn’t work either.  When one of your ISPs goes down, you have 50% Internet connectivity.  Not exactly a solution…

So, that said, with the exception of the Malware Detection built into Threat Management Gateway 2010 (TMG), the ISP redundancy feature of TMG is brilliant!  Business value in 60 minutes.

Here’s how I have set it up at a few customers:

•2 Data Centres (one is primary and the other is DR)
•2 Cisco ASA Firewalls (one in each Data Centre)
•2 ISP connections
•1 1 Gbps connection between the Data Centres
•2 Microsoft TMG 2010 Enterprise Servers

Summary of config:

•Create a TMG Array (similar to an ISA Array – shared config)
•Use NLB on the internal NICs so that users' browser settings always point to a single IP address.  If one TMG server goes down – no worries – the other takes over all traffic
•On each TMG Server, 2 external NICs are required – one for each ISP
•On both TMG servers, connect to both ISPs.  We do this by creating a separate VLAN for each ISP and having both ASA firewalls and the respective TMG Server NICs as ports of the respective VLAN
•Under the network configuration tab, enable ISP Redundancy

Lots of detail missing here, but I think this is enough to conceptually understand the ISP Redundancy feature of TMG.

Have a look at this TechNet Article on enabling ISP Redundancy for TMG:

Hope this helps,

