Solved

How to make TMG 2010 more reliable with redundancy for a DR site?

Posted on 2011-03-02
Last Modified: 2012-06-27
Hi,

At the moment I'm using MS TMG 2010 as my firewall to publish my Exchange Server and IIS website to the internet; however, it is just one VM in the DMZ network with just one network card (vNIC). What sort of redundancy method is suitable for making this firewall VM redundant / automatically fail over?

Because it is very important: in the event of disaster recovery, all important email through various mobile devices will still need to operate, and that is impossible if this TMG 2010 VM is offline.

Is it by using:
1. NLB
2. Clustering
3. VMware HA / FT (one VM in production, the other VM in the DR site?)

Any suggestion and idea will be appreciated.

Thanks.
Question by:jjoz
 

Assisted Solution

by:Tasmant
Tasmant earned 375 total points
ID: 35017985
You can use a TMG array: http://technet.microsoft.com/en-us/library/dd897010.aspx
Otherwise VMware HA or a Hyper-V cluster could be a solution too.
I don't think TMG supports clustering, but when in an array I think it relies on NLB.
You can find information here too: http://technet.microsoft.com/en-us/library/ff849728.aspx
 

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 125 total points
ID: 35021436
I would suggest using https://www.dnsmadeeasy.com/. They can take care of your emails in case your TMG/Exchange server goes down, for a maximum of 14 days.

As you have one physical NIC, definitely all services will go down if this NIC fails, so having external redundant servers would be very suitable in your case.

I have used it for 2 years so far; their service has never gone down...
 

Author Comment

by:jjoz
ID: 35022445
@Tasmant: so in this case I shall set up the VM as stand-alone, no fancy stuff? Because VMware HA would be available to work in the DR site in active/passive mode? I am thinking of deploying it in VMware as a normal VM (like now) and then implementing TMG 2010 integrated mode.

@sulimanw: wow, that sounds great too, but in this case my company already has a service contract with one of the big ISPs in my country.
 

Assisted Solution

by:Tasmant
Tasmant earned 375 total points
ID: 35025450
Sulimanw's idea is to provide an external way of storing email in case of failure of your VM.
I think it can be great, unless you want to keep control of all of your environment.

I'm not an expert on VMware, and when I have main components like AD/DNS/Exchange/TMG, I prefer to install them on physical servers with redundant hardware (e.g. 2 network cards).
I don't really know how your infrastructure is set up, so it's difficult to imagine a perfect solution. But in case of failure of TMG (the OS, for example), I don't think your VM will be in a state available to fail back. The failback will occur only if issues occur on ESX, no?

So definitely I would prefer to set up 2 TMGs in an array, or rely on Sulimanw's solution.
 

Author Comment

by:jjoz
ID: 35026056
Ah OK. While I was reading an article regarding high availability of TMG 2010, I read that I must do multicast NLB. In my current situation my TMG 2010 is Standard edition with just one vNIC on top of VMware ESX, and this TMG 2010 publishes my CAS for Exchange ActiveSync, which is vital for my company.

Based on your suggestion, then I should look for the Enterprise edition and then set 2x vNICs on each VM per site?
 

Accepted Solution

by:Tasmant
Tasmant earned 375 total points
ID: 35026756
Yes, you should take the Enterprise edition.
I think you can use 1x vNIC per site, because if you have 2 servers, you will have HA.

And you should set up redundant ISPs too (you can do it with TMG too).
Because if your ISP fails, do you have a way to fall back to another connection?
And what about the DNS MX definition: with another ISP, another public IP, and therefore the need to register a backup MX record in public DNS with lower priority.
 

Author Comment

by:jjoz
ID: 35033978
OK, here's my summary and understanding from the above thread:

1. Deploy 1x TMG 2010 Enterprise with a single vNIC in the production site.
2. Deploy 1x TMG 2010 Enterprise with a single vNIC in the DR site.
3. Deploy 1x EMS on a dedicated server to create and manage the above TMG 2010 in the production site.
4. Configure the servers above as an array in multicast NLB configuration.

Is that what I am supposed to do?
 

Expert Comment

by:Tasmant
ID: 35035572
I don't really know about the dedicated EMS server. Maybe you could use an existing server.
But this could be a solution to get HA. And you should duplicate the DC and Exchange CAS/HUB/MBX too for true HA.
 

Author Comment

by:jjoz
ID: 35035650
Yes, the AD DC and Exchange have been made redundant already by utilizing CCR :-)
 

Assisted Solution

by:jjoz
jjoz earned 0 total points
ID: 35065852
OK, here's my conclusion:

After doing some reading during the last week and research on the internet: on TMG there is no option for active/passive automated failover across different subnets. It is always active/active (load balancing within the same site).

1x TMG Standard in each site will do the job in that case. We only really need an array if we need local HA or load balancing. So in order to proceed with the single TMG 2010 Standard solution, we need to set up all of the appropriate publishing rules on TMG for the CAS server at the DR site, and also need a certificate with the same SAN as the certificate at the main site. Then it's just a case of changing the DNS records in the event of an outage to point to the DR site IP rather than the main site.
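The manual DR procedure summarised in the conclusion above (a standby TMG listener at the DR site with the same publishing rules and a certificate covering the same SAN names, plus the backup MX record Tasmant recommends earlier in the thread, then a DNS change at cutover) fails silently if nobody exercises the standby listener before the day it is needed. The following PowerShell is an added example, not code from the thread or from Microsoft: it connects to each site's listener by IP while sending the published name as SNI (so the DR side can be inspected while public DNS still points at production), compares the DNS names on the two certificates, checks the DR certificate's expiry and trust chain, and confirms that the mail domain has more than one MX record. The host name, IP addresses and domain are placeholders, and Resolve-DnsName assumes the DnsClient module (Windows 8 / Server 2012 or later); on older hosts substitute nslookup for the MX check.

```powershell
# Added example, not part of the original thread. All names and addresses are placeholders.
$PublishedName = 'mail.example.com'   # name in the OWA / ActiveSync URL and on the certificate
$PrimaryIP     = '203.0.113.10'       # TMG web listener, production site
$DrIP          = '198.51.100.10'      # TMG web listener, DR site
$MailDomain    = 'example.com'        # zone whose MX records are checked

function Get-ListenerCertificate {
    param([string]$IPAddress, [string]$ServerName, [int]$Port = 443)
    # Connect to the IP directly but present the published name as SNI, so the
    # DR listener can be inspected while public DNS still points at production.
    $tcp = New-Object System.Net.Sockets.TcpClient($IPAddress, $Port)
    try {
        # Accept any certificate at handshake time; coverage, expiry and chain are checked explicitly below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ServerName)
        # Copy into an X509Certificate2 so the extensions stay readable after the connection closes
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Subject Alternative Name is OID 2.5.29.17; Format() renders one "DNS Name=host" entry per name
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        return [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    }
    # No SAN extension: fall back to the subject CN
    return @($Certificate.GetNameInfo('SimpleName', $false).ToLowerInvariant())
}

function Test-DrListener {
    $problems = @()

    $primaryCert  = Get-ListenerCertificate -IPAddress $PrimaryIP -ServerName $PublishedName
    $drCert       = Get-ListenerCertificate -IPAddress $DrIP      -ServerName $PublishedName
    $primaryNames = Get-CertificateDnsNames $primaryCert
    $drNames      = Get-CertificateDnsNames $drCert

    # 1. Every name the production certificate covers must also be on the DR certificate,
    #    otherwise ActiveSync clients fail certificate validation after the DNS change.
    foreach ($name in $primaryNames) {
        if ($drNames -notcontains $name) { $problems += "DR certificate lacks SAN '$name'" }
    }
    if ($drNames -notcontains $PublishedName.ToLowerInvariant()) {
        $problems += "DR certificate does not cover the published name '$PublishedName'"
    }

    # 2. A standby certificate expires unnoticed while it is not in use; warn 30 days ahead.
    if ($drCert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "DR certificate expires on $($drCert.NotAfter)"
    }

    # 3. It must chain to a CA the clients trust (checked against this machine's store).
    if (-not $drCert.Verify()) { $problems += 'DR certificate does not chain to a trusted CA' }

    # 4. Inbound mail needs a backup MX (higher preference value = lower priority) that
    #    points at the DR site's public address, so a single MX means no mail failover.
    $mx = Resolve-DnsName -Name $MailDomain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference
    if (@($mx).Count -lt 2) {
        $problems += "Only $(@($mx).Count) MX record(s) for $MailDomain; no backup MX"
    }

    if ($problems.Count -eq 0) { Write-Output "DR listener at $DrIP is ready for a DNS cutover" }
    else { $problems | ForEach-Object { Write-Warning $_ } }
    return ($problems.Count -eq 0)
}

Test-DrListener
```

Run it from a host outside both sites (it needs to reach port 443 on both listener addresses) and schedule it, since the two things it catches most often, a DR certificate renewed on the production side only and an MX record that was never added for the second ISP, are exactly the ones that only show up during a real outage.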
 

Author Closing Comment

by:jjoz
ID: 35120725
Thanks for your response.
