Solved

How to make TMG 2010 more reliable with redundancy for DR site ?

Posted on 2011-03-02
1,762 Views
Last Modified: 2012-06-27
Hi,

At the moment I'm using MS TMG 2010 as my firewall to publish my Exchange Server and IIS website to the internet; however, it is just one VM in the DMZ network with just one network card (vNIC). What sort of redundancy method is suitable for making this firewall VM redundant / automatically failover?

This is very important because in the event of disaster recovery all important email through various mobile devices will still need to operate, and that is impossible if this TMG 2010 VM is offline.

Is it by using:
1. NLB
2. Clustering
3. VMware HA / FT (one VM in production, the other VM in the DR site?)

Any suggestion and idea will be appreciated.

Thanks.
Question by:jjoz
11 Comments
 
LVL 11

Assisted Solution

by:Tasmant
Tasmant earned 375 total points
You can use a TMG array: http://technet.microsoft.com/en-us/library/dd897010.aspx
Otherwise VMware HA or a Hyper-V cluster could be a solution too.
I don't think TMG supports clustering, but when in an array I think it relies on NLB.
You can find information here too: http://technet.microsoft.com/en-us/library/ff849728.aspx
 
LVL 23

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 125 total points
I would suggest using https://www.dnsmadeeasy.com/. They can take care of your emails in case your TMG/Exchange server goes down, for a maximum of 14 days.

As you have one physical NIC, definitely all services will go down if this NIC fails, so having external redundancy servers would be very suitable in your case.

I have used it for 2 years so far; their service never went down...
 
LVL 1

Author Comment

by:jjoz
@Tasmant: So in this case I shall set up the VM as stand-alone, no fancy stuff? Because VMware HA would be available to work in the DR site for active/passive mode? I am thinking of deploying it in VMware as a normal VM (like now) and then implementing the TMG 2010 integrated mode.

@sulimanw: Wow, that sounds great too, but in this case my company already has a service contract with one of the big ISPs in my country.
 
LVL 11

Assisted Solution

by:Tasmant
Tasmant earned 375 total points
Sulimanw's idea is to provide an external way of email storage in case of failure of your VM.
I think it can be great, unless you want to keep your hand on all of your environment.

I'm not an expert on VMware, and when I have main components like AD/DNS/Exchange/TMG, I prefer to install them on physical servers with redundant hardware (i.e. 2 network cards, for example).
I don't really know how your infrastructure is set up, so it's difficult to imagine a perfect solution. But in case of failure of TMG (the OS, for example), I don't think your VM will be in a state available to failback. The failback will occur only if issues occur on ESX, no?

So definitely I would prefer to set up 2 TMGs in an array, or rely on Sulimanw's solution.
 
LVL 1

Author Comment

by:jjoz
Ah OK. While I was reading an article regarding high availability of TMG 2010, I read that I must do multicast NLB. In my current situation my TMG 2010 is Standard edition with just one vNIC on top of VMware ESX, and this TMG 2010 publishes my CAS for Exchange ActiveSync, which is vital for my company.

Based on your suggestion, should I then look for the Enterprise edition and set 2x vNIC on each VM per site?
 
LVL 11

Accepted Solution

by:Tasmant
Tasmant earned 375 total points
Yes, you should take the Enterprise edition.
I think you can use 1x vNIC per site, because if you have 2 servers, you will have HA.

And you should set up redundant ISPs too (you can do it with TMG too).
Because if your ISP fails, do you have a way to fall back to another connection?
And what about the DNS MX definition: with another ISP, another public IP, and therefore the need to register a backup MX record in public DNS with lower priority.
 
LVL 1

Author Comment

by:jjoz
OK, here's my summary and understanding from the above thread:

1. Deployment of 1x TMG Enterprise 2010 with a single vNIC - in the production site
2. Deployment of 1x TMG Enterprise 2010 with a single vNIC - in the DR site
3. Deployment of 1x EMS on a dedicated server to create and manage the above TMG 2010 in the production site.
4. Configure the servers above as an array in multicast NLB configuration.

Is that what I'm supposed to do?
 
LVL 11

Expert Comment

by:Tasmant
I don't really know about the dedicated EMS server. Maybe you could use an existing server.
But this could be a solution to get HA. And you should duplicate the DC and Exchange CAS/HUB/MBX too for true HA.
 
LVL 1

Author Comment

by:jjoz
Yes, the AD DC and Exchange have been made redundant already by utilizing CCR :-)
 
LVL 1

Assisted Solution

by:jjoz
jjoz earned 0 total points
OK, here's my conclusion:

After doing some reading during the last week and research on the internet: on TMG there is no option for active/passive automated failover across different subnets. It is always active/active (load balancing within the same site).

1x TMG Standard in each site will do the job in that case. We only really need an array if we need local HA or load balancing. So in order to proceed with the single TMG 2010 Standard solution, we need to set up all of the appropriate publishing rules on TMG for the CAS server at the DR site, and also need a certificate with the same SAN as the certificate at the main site. Then it's just a case of changing the DNS records in the event of an outage to point to the DR site IP rather than the main site.
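A pre-cutover check for the conclusion above, written as an added example (not code from the thread, from TMG, or from the poster's environment): before DNS is switched to the DR site, confirm that the certificate published by the DR TMG carries the same SAN entries as production and is not close to expiry, since a missing SAN or an expired certificate would break ActiveSync clients the moment the records change. The hostnames and certificate dicts are constructed sample values; `fetch_cert` is the live variant that reads the certificate a published endpoint actually presents.

```python
import socket
import ssl

# Hostnames clients use (constructed example values, not the poster's real names).
REQUIRED_HOSTS = ["mail.example.com", "autodiscover.example.com"]

# Constructed certificate dicts in the shape ssl.getpeercert() returns.
PROD_CERT = {
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "autodiscover.example.com")),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
DR_CERT_OK = dict(PROD_CERT)
DR_CERT_BAD = {  # missing the autodiscover SAN and expiring in two weeks
    "subjectAltName": (("DNS", "mail.example.com"),),
    "notAfter": "Mar 15 00:00:00 2012 GMT",
}
NOW = ssl.cert_time_to_seconds("Mar 01 00:00:00 2012 GMT")  # fixed "now" for the sample


def san_names(cert):
    """DNS names from a cert dict as returned by ssl.getpeercert()."""
    return {name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"}


def dr_cert_ready(prod_cert, dr_cert, required_hosts, now, min_days_left=30):
    """Return a list of problems; an empty list means the DR cert is a safe failover target."""
    problems = []
    prod_san, dr_san = san_names(prod_cert), san_names(dr_cert)
    missing = set(required_hosts) - dr_san
    if missing:
        problems.append(f"DR cert lacks SAN entries for {sorted(missing)}")
    if prod_san != dr_san:
        problems.append(f"SAN sets differ: prod-only={sorted(prod_san - dr_san)}, "
                        f"dr-only={sorted(dr_san - prod_san)}")
    days_left = (ssl.cert_time_to_seconds(dr_cert["notAfter"]) - now) / 86400
    if days_left < min_days_left:
        problems.append(f"DR cert expires in {days_left:.0f} days")
    return problems


def fetch_cert(host, port=443):
    """Live variant: fetch the certificate a published endpoint presents, with verification on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("DR ok :", dr_cert_ready(PROD_CERT, DR_CERT_OK, REQUIRED_HOSTS, NOW))
    print("DR bad:", dr_cert_ready(PROD_CERT, DR_CERT_BAD, REQUIRED_HOSTS, NOW))
```

Against live sites, pass `fetch_cert("<prod-host>")` and `fetch_cert("<dr-host-or-ip>")` with `time.time()` as `now`; note that `fetch_cert` needs the DR endpoint to be reachable by its own public IP before the DNS change.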
 
LVL 1

Author Closing Comment

by:jjoz
Thanks for your response.
