Forefront TMG, Exchange 2007 published

Posted on 2010-08-31
Last Modified: 2012-05-10
I'm setting up a Forefront TMG 2-node NLB integrated array with Exchange 2007 published.  Are Exchange services supposed to be uninterrupted if one of the servers is rebooted?  What about if the firewall service is restarted on one of the nodes?
Question by:mbromb
LVL 32

Expert Comment

by:endital1097
ID: 33570673
If you restart the firewall service on one node, service will be interrupted.
You should use the wlbs utility to suspend the node while you perform maintenance.

You'll want to make sure you use server farms for the Exchange CAS servers.
0
 

Author Comment

by:mbromb
ID: 33570721
To be clear, if I restart the firewall service on one node, service will be interrupted for services being used on that node only, correct (i.e. owa, ActiveSync)?  I need to look into the difference between drain stop and suspend. What about rebooting a node that OWA users are connected to?  Does this fall under your maintenance comment?  Should the steps be, Suspend, perform an update or other maintenance, reboot and then start the NLB service again?



All rules are using the Exchange CAS farm.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33570789
yes, you got it
0

 

Author Comment

by:mbromb
ID: 33570827
What about an OWA user that gets disconnected when one of the servers goes down for an extended time?  Shouldn't they be able to connect back to OWA, on the other node, by logging back in or restarting their browser?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33570951
as long as the node is down, the key here is the state of the NLB cluster
services on the server can go down, but as long as the node is a member of the NLB array there could be an outage
0
 

Author Comment

by:mbromb
ID: 33571054
I'm a little confused by your answer.  So, if I need to take a node down for an extended time, what do I have to do to allow an OWA user that was or is connected to that node, to be able to connect using the services on the node that's still up, or will be going down?  It seems that NLB should recognize a downed node and redirect the client to the node that is available, even if they have to log back in.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33571107
NLB will recognize a downed node if you use the wlbs query to suspend it

I was just adding that if the firewall service went down your users could hit that node and experience an outage
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33571114
that is, if the firewall service goes down while the node is still a member of the NLB cluster
0
 

Author Comment

by:mbromb
ID: 33571171
Gotcha.  When I suspend, or do a drain/stop on the node an OWA session is connected to, the OWA session stops working until I bring the NLB service back up.  It seems like the manager node is not taking on OWA sessions.  So it seems like something is wrong.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33571189
You need to be clear on your terminology.

No Exchange services will be lost by rebooting one of the firewall nodes - why would it? You are not rebooting the Exchange server.

Connected clients through the rebooted FTMG server will get disconnected, requiring users to reconnect and to re-establish their end-to-end connections.
0
 

Author Comment

by:mbromb
ID: 33571352
I was always talking about the services provided by the TMG array.  I'm speaking of the published exchange services that the TMG is providing.   Correct, I'm not touching the Exchange servers.  This only has to do with the client and the TMG servers.  All clients are using TMG to get to Exchange except MAPI/POP/IMAP clients.

So, what I'm saying is that when I do a drain/stop or suspend on the TMG integrated NLB service while a client is connected using OWA, the client is disconnected and cannot reconnect until the TMG integrated NLB service is set back to Running.  I also notice that when the client logs out of OWA the TMG server continues to show the session.  If I disconnect all sessions from the client computer, then drain/stop the TMG server it was previously connected to, the client can't connect back with OWA at all.  It seems that the other TMG node is not taking on OWA sessions, or that client computer is somehow forever locked into using a particular node.  I hope some of this makes sense. I'm trying to be clear.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33571416
You are defeating the object of the drain or I am missing the thrust of your comments. The purpose of the drain is to let current sessions complete whatever they are doing (regardless of how long it may be) and then terminate - termination will not be immediately after the user disconnects but is based on timeouts - and to block any new connections from being made. If you forcibly disconnect users first then there is no point running the drain/stop afterwards.

Conversely a suspend is exactly that - you have suspended the service.
0
 

Author Comment

by:mbromb
ID: 33571503
I'm finding that other computers that have not previously connected to OWA on the TMG servers are not able to connect to OWA if the TMG managed node is in drain/stop, suspended or stopped.  This fact, and the fact that previously OWA connected clients that have been removed forcibly or just logged off cannot reconnect until the managed node is available again, indicates to me that something is wrong with the Manager node, or I just don't understand how this is supposed to work.  The manager node does not seem to be taking on OWA connections.

I've upped the points.  Thank you for sticking with me.
0
 

Accepted Solution

by:
mbromb earned 0 total points
ID: 33618621
The issue:  A drain stop on the NLB  service for a node did not allow the OWA connected clients to bounce to the other TMG array node.  Other clients may not have been able to connect as well, possibly until the firewall service was restarted, or until the original server was accepting NLB connections again.

The resolution:  Adding the server specific IP addresses to the listener, along with the already in place cluster IPs, fixed it completely.  After making that change, an OWA client is asked for credentials when the array member it's connected to is put into drain stop.
0
