How to make TMG 2010 more reliable with redundancy for DR site ?

Posted on 2011-03-02
1,792 Views
Last Modified: 2012-06-27
Hi,

At the moment I'm using MS TMG 2010 as my firewall to publish my Exchange Server and IIS website to the internet; however, it is just one VM in the DMZ network with just one network card (vNIC). What sort of redundancy method is suitable for making this firewall VM redundant / automatically fail over?

Because it is very important that in the event of disaster recovery all important email through various mobile devices will still operate, and that is impossible if this TMG 2010 VM is offline.

Is it by using:
1. NLB
2. Clustering
3. Vmware HA / FT (one VM in production, the other VM in DR site ?)

Any suggestion and idea will be appreciated.

Thanks.
Question by:jjoz
11 Comments
 
LVL 11

Assisted Solution

by:Tasmant
Tasmant earned 1500 total points
ID: 35017985
You can use a TMG array: http://technet.microsoft.com/en-us/library/dd897010.aspx
Else VMware HA or a Hyper-V cluster could be a solution too.
I don't think TMG supports clustering, but when in an array I think it relies on NLB.
You can find information here too: http://technet.microsoft.com/en-us/library/ff849728.aspx
 
LVL 23

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 500 total points
ID: 35021436
I would suggest using https://www.dnsmadeeasy.com/. They can take care of your emails in case your TMG/Exchange server goes down, for a maximum of 14 days.

As you have one physical NIC, definitely all services will go down if this NIC fails, so having external redundancy servers would be very suitable in your case.

I have used it for 2 years so far; their service has never gone down...
 
LVL 1

Author Comment

by:jjoz
ID: 35022445
@Tasmant: so in this case I shall set up the VM as stand-alone, no fancy stuff? Because VMware HA would be available to work in the DR site for active/passive mode? I am thinking to deploy it in VMware as a normal VM (like now) and then implement TMG 2010 integrated mode.

@sulimanw: wow, that sounds great too, but in this case my company already has a service contract with one of the big ISPs in my country.
 
LVL 11

Assisted Solution

by:Tasmant
Tasmant earned 1500 total points
ID: 35025450
Sulimanw's idea is to provide an external way of email storage in case of failure of your VM.
I think it can be great, unless you want to keep your hands on all of your environment.

I'm not an expert on VMware, and when I have main components like AD/DNS/Exchange/TMG, I prefer to install them on physical servers with redundant hardware (e.g. 2 network cards).
I don't really know how your infrastructure is set up, so it's difficult to imagine a perfect solution. But in case of failure of TMG (the OS, for example), I don't think your VM will be in a state available to fail back. The failback will occur only if issues occur on ESX, no?

So definitely I would prefer to set up 2 TMGs in an array, or rely on Sulimanw's solution.
 
LVL 1

Author Comment

by:jjoz
ID: 35026056
Ah OK. While I was reading an article regarding high availability of TMG 2010, I read that I must do multicast NLB. In my current situation my TMG 2010 is Standard edition with just one vNIC on top of VMware ESX, and this TMG 2010 publishes my CAS for Exchange ActiveSync, which is vital for my company.

Based on your suggestion, should I then look for the Enterprise edition and set 2x vNICs on each VM per site?
 
LVL 11

Accepted Solution

by:Tasmant
Tasmant earned 1500 total points
ID: 35026756
Yes, you should take the Enterprise edition.
I think you can use 1x vNIC per site, because if you have 2 servers, you will have HA.

And you should set up a redundant ISP too (you can do it with TMG too).
Because if your ISP fails, do you have a way to fall back to another connection?
And what about the DNS MX definition: with another ISP, another public IP, and therefore the need to register a backup MX record in public DNS with less priority.
 
LVL 1

Author Comment

by:jjoz
ID: 35033978
OK, here's my summary and understanding from the above thread:

1. Deployment of 1x TMG Enterprise 2010 with a single vNIC in the production site
2. Deployment of 1x TMG Enterprise 2010 with a single vNIC in the DR site
3. Deployment of 1x EMS on a dedicated server to create and manage the above TMG 2010 in the production site
4. Configure the servers above as an array in multicast NLB configuration

Is that what I'm supposed to do?
 
LVL 11

Expert Comment

by:Tasmant
ID: 35035572
I don't really know about the dedicated EMS server. Maybe you could use an existing server.
But this could be a solution to get HA. And you should duplicate DC, Exchange CAS/HUB/MBX too for true HA.
 
LVL 1

Author Comment

by:jjoz
ID: 35035650
Yes, the AD DC and Exchange have been made redundant already by utilizing CCR :-)
 
LVL 1

Assisted Solution

by:jjoz
jjoz earned 0 total points
ID: 35065852
OK, here's my conclusion:

After doing reading during the last week and research on the internet: on TMG there is no option for active/passive automated failover across different subnets. It is always active/active (load balanced within the same site).

1x TMG Standard in each site will do the job in that case. We only really need an array if we need local HA or load balancing. So in order to proceed with the single TMG 2010 Standard solution, we need to set up all of the appropriate publishing rules on TMG for the CAS server at the DR site, and also need a certificate with the same SAN as the certificate at the main site. Then it's just a case of changing the DNS records in the event of an outage to point to the DR site IP rather than the main site.
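The cut-over described in the conclusion above (a second TMG at the DR site with identical publishing rules, a DR certificate whose SAN covers the same published names, a backup MX as Tasmant suggested, and a DNS change to move clients to the DR IP) is easy to get wrong on the day if nobody checked it beforehand. The script below is an added example, not code from the thread or from Microsoft: it models the public zone and the two certificates' SAN lists as plain data and runs the checks a practitioner would want before declaring the DR site ready (SAN coverage on both certificates, low TTL on the published A records so the change propagates quickly, a backup MX with a higher preference number that resolves to the DR public IP), then produces the repointed zone. The hostnames, IPs, TTLs and SAN entries are constructed for illustration; the 300-second TTL ceiling is an assumption.

```python
"""DR readiness check and DNS cut-over for a published Exchange CAS.

Added example, not from the thread. Hostnames, IPs and record data are
constructed; MAX_FAILOVER_TTL is an assumed operational limit.
"""
from dataclasses import dataclass, replace
from typing import List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Record:
    name: str            # owner name, e.g. "mail.example.com."
    rtype: str           # "A" or "MX"
    value: str           # IPv4 address for A, exchanger name for MX
    ttl: int             # seconds
    preference: int = 0  # MX only; the lowest number is tried first


MAX_FAILOVER_TTL = 300  # assumption: clients must pick up the new IP within 5 min


def san_covers(san: Sequence[str], name: str) -> bool:
    """True if `name` appears in the SAN list, exactly or via a one-label wildcard."""
    host = name.rstrip(".").lower()
    for entry in san:
        entry = entry.lower()
        if entry == host:
            return True
        # "*.example.com" matches "mail.example.com" but not "a.b.example.com"
        if entry.startswith("*.") and host.split(".", 1)[1:] == [entry[2:]]:
            return True
    return False


def resolve_a(zone: Sequence[Record], name: str) -> Set[str]:
    """Addresses the zone itself gives for `name` (no live DNS lookups)."""
    return {r.value for r in zone if r.name == name and r.rtype == "A"}


def check_dr_readiness(zone: Sequence[Record], published: Sequence[str],
                       prod_san: Sequence[str], dr_san: Sequence[str],
                       prod_ip: str, dr_ip: str) -> List[str]:
    """Return a list of findings; an empty list means the DR cut-over is ready."""
    findings: List[str] = []
    for name in published:
        # Both TMGs must present a certificate valid for every published name,
        # otherwise ActiveSync clients fail TLS the moment DNS moves them.
        if not san_covers(prod_san, name):
            findings.append(f"production certificate SAN does not cover {name}")
        if not san_covers(dr_san, name):
            findings.append(f"DR certificate SAN does not cover {name}")
        a_recs = [r for r in zone if r.name == name and r.rtype == "A"]
        if not a_recs:
            findings.append(f"no A record for {name}")
        for r in a_recs:
            if r.ttl > MAX_FAILOVER_TTL:
                findings.append(f"A record {name} TTL {r.ttl}s exceeds "
                                f"{MAX_FAILOVER_TTL}s; cut-over will be slow")
    # Mail: primary MX at production, backup MX (higher preference number) at DR.
    mx = sorted((r for r in zone if r.rtype == "MX"), key=lambda r: r.preference)
    if len(mx) < 2:
        findings.append("no backup MX record (only one MX or none)")
        return findings
    if prod_ip not in resolve_a(zone, mx[0].value):
        findings.append(f"primary MX {mx[0].value} does not resolve to {prod_ip}")
    if mx[0].preference == mx[1].preference:
        findings.append("backup MX has the same preference as the primary")
    backup_ips = set().union(*(resolve_a(zone, r.value) for r in mx[1:]))
    if dr_ip not in backup_ips:
        findings.append(f"no backup MX resolves to DR public IP {dr_ip}")
    return findings


def failover(zone: Sequence[Record], published: Sequence[str],
             prod_ip: str, dr_ip: str) -> List[Record]:
    """Repoint every published A record that targets production at the DR IP.

    MX records are left untouched: mail already falls back to the backup MX
    when the primary exchanger stops answering."""
    return [replace(r, value=dr_ip)
            if r.rtype == "A" and r.name in published and r.value == prod_ip
            else r for r in zone]


# Constructed sample data (documentation ranges, not real hosts).
PROD_IP = "203.0.113.10"
DR_IP = "198.51.100.10"
PUBLISHED: Tuple[str, ...] = ("mail.example.com.", "autodiscover.example.com.")
PROD_SAN = ("mail.example.com", "autodiscover.example.com", "owa.example.com")
DR_SAN = ("mail.example.com", "autodiscover.example.com")
ZONE = [
    Record("mail.example.com.", "A", PROD_IP, 300),
    Record("autodiscover.example.com.", "A", PROD_IP, 3600),  # TTL too high
    Record("mx1.example.com.", "A", PROD_IP, 3600),
    Record("mx2.example.com.", "A", DR_IP, 3600),
    Record("example.com.", "MX", "mx1.example.com.", 3600, preference=10),
    Record("example.com.", "MX", "mx2.example.com.", 3600, preference=20),
]

if __name__ == "__main__":
    for f in check_dr_readiness(ZONE, PUBLISHED, PROD_SAN, DR_SAN, PROD_IP, DR_IP):
        print("FINDING:", f)
    for r in failover(ZONE, PUBLISHED, PROD_IP, DR_IP):
        print(r)
```

On the constructed data the only finding is the 3600-second TTL on the autodiscover record; the point of checking TTLs in advance is that the cut-over time is bounded by whatever TTL clients cached before the outage, so lowering it must be done while production is still healthy, not during the incident.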
 
LVL 1

Author Closing Comment

by:jjoz
ID: 35120725
Thanks for your response.