Solved

Forefront TMG NLB array, The TMG firwall service needs a restart to be able to connect to the published Exchange 2007

Posted on 2010-08-30
10
3,289 Views
Last Modified: 2012-05-10
I'm finding that after rebooting the 2 server TMG array servers with NLB integrated, I have to restart one or both firewall services for the Exchange services to work.  Any advice on how to fix this?
0
Comment
Question by:mbromb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
10 Comments
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33561466
IMHO
I think you need to increase the points for this one to 500 atleast for other experts to dig-in.
My $.02
0
 

Author Comment

by:mbromb
ID: 33561644
I usually increase the points if there isn't a quick answer and it gets more involved.  Apparently, it's more involved.  I've upped the points. thanks
0
 

Author Comment

by:mbromb
ID: 33561958
these events are occurring on the array servers:

ON THE ARRAY MANAGED NODE:

 Log Name:      Active Directory Web Services
 Source:        ADWS
 Date:          8/30/2010 2:17:11 PM
 Event ID:      1202
 Task Category: ADWS Instance Events
 Level:         Error
 Keywords:      Classic
 User:          N/A
 Computer:      tmg2.domain.com
 Description:
 This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
 
  Directory instance: ADAM_ISASTGCTRL
  Directory instance LDAP port: 2171
  Directory instance SSL port: 2172
 --------------------------------------------------
 
 Log Name:      Active Directory Web Services
 Source:        ADWS
 Date:          8/30/2010 2:15:48 PM
 Event ID:      1400
 Task Category: ADWS Certificate Events
 Level:         Warning
 Keywords:      Classic
 User:          N/A
 Computer:      tmg2.domain.com
 Description:
 Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
 
  Certificate name: tmg2.domain.com
 
---------------------------------------------------------------------

ON THE ARRAY MANAGER:

Log Name:      Active Directory Web Services
Source:        ADWS
Date:          8/30/2010 11:41:32 AM
Event ID:      1400
Task Category: ADWS Certificate Events
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      TMG1.domain.com
Description:
Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
 
 Certificate name: TMG1.domain.com
-----------------------------------------------------------------------------------------

0
How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

 

Author Comment

by:mbromb
ID: 33563080
It seems what is happening is that the 3 PCs I've been testing with are the ones that aren't working after a reboot.  Other PCs tested after are fine.  I've rebooted the test PCs, but it doesn't resolve it.
0
 

Author Comment

by:mbromb
ID: 33570134
Anyone have any idea?  It seems like a particular computer using OWA has affinity to a particular server and won't use the other server for OWA.  OWA then breaks and can't be used while the server is rebooted.  It won't bounce to the other server in the array, and restarting the browser doesn't help.  It may be that owa is only really working on the managed node and not at all on the manager node.  
0
 

Author Comment

by:mbromb
ID: 33578345
I've done some additional testing.  I tested using the direct IPs on the TMG listener rather than the cluster IP and it worked!  OWA can connect to either array server when using the direct IP, but can't seem to use the manager node when the cluster IP is used.  It seems that the NLB or the switch to cluster IP is not working correctly.  I'm going to work with the network team to see what they say.  Any other suggestions to test NLB?
0
 

Accepted Solution

by:
mbromb earned 0 total points
ID: 33618440
The issue:  A drain stop on the NLB  service for a node did not allow the OWA connected clients to bounce to the other TMG array node.  Other clients may not have been able to connect as well, possibly until the firewall service was restarted, or until the original server was accepting NLB connections again.

The resolution:  Adding the server specific IP addresses to the listener, along with the already in place cluster IPs, fixed it completely.  After making that change, an OWA client is asked for credentials when the array member it's connected to is put into drain stop.
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Application timeout 4 46
ADFS:  Step by Step to enable MFA with ADFS 16 44
exchange 7 23
NFS v4 7 22
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question