How to make TMG 2010 more reliable with redundancy for a DR site?


At the moment I'm using MS TMG 2010 as my firewall to publish my Exchange Server and IIS website to the internet. However, it is just one VM in the DMZ network with just one network card (vNIC). What sort of redundancy method is suitable for making this firewall VM redundant / automatically fail over?

Because it is very important in the event of disaster recovery, all important email through various mobile devices will still need to operate, and that is impossible if this TMG 2010 VM is offline.

Is it by using:
1. NLB
2. Clustering
3. VMware HA / FT (one VM in production, the other VM in the DR site?)

Any suggestion and idea will be appreciated.

Tasmant Commented:
Yes, you should take the Enterprise edition.
I think you can use 1x vNIC per site, because if you have 2 servers, you will have HA.

And you should set up a redundant ISP too (you can do it with TMG too).
Because if your ISP fails, do you have a way to fall back to another connection?
And what about the DNS MX definition? With another ISP comes another public IP, and therefore the need to register a backup MX record in public DNS with lower priority.
Tasmant Commented:
You can use a TMG array:
Otherwise VMware HA or a Hyper-V cluster could be a solution too.
I don't think TMG supports clustering, but when in an array I think it relies on NLB.
You can find information here too:
Suliman Abu Kharroub, IT Consultant, Commented:
I would suggest to use [...]; they can take care of your emails in case your TMG/Exchange server goes down, for a maximum of 14 days.

As you have one physical NIC, definitely all services will go down if this NIC fails, so having external redundancy servers would be very suitable in your case.

I have used it for 2 years so far; their service has never gone down...
jjoz (Author) Commented:
@Tasmant: so in this case shall I set up the VM as stand-alone, no fancy stuff? Because VMware HA would be available to work in the DR site for active/passive mode? I am thinking of deploying it in VMware as a normal VM (like now) and then implementing TMG 2010 integrated mode.

@sulimanw: wow, that sounds great too, but in this case my company already has a service contract with one of the big ISPs in my country.
Tasmant Commented:
Sulimanw's idea is to provide an external way of email storage in case of failure of your VM.
I think it can be great, unless you want to keep control of your whole environment.

I'm not an expert on VMware, and when I have main components like AD/DNS/Exchange/TMG, I prefer to install them on physical servers with redundant hardware (e.g. 2 network cards).
I don't really know how your infrastructure is set up, so it's difficult to imagine a perfect solution. But in case of failure of TMG (the OS, for example), I don't think your VM will be in a state available to fail back. The failback will occur only if issues occur on ESX, no?

So definitely I would prefer to set up 2 TMGs in an array, or rely on Sulimanw's solution.
jjoz (Author) Commented:
Ah OK. While I was reading an article regarding high availability of TMG 2010, I read that I must do multicast NLB. In my current situation my TMG 2010 is Standard edition with just one vNIC on top of VMware ESX, and this TMG 2010 publishes my CAS for Exchange ActiveSync, which is vital for my company.

Based on your suggestion, should I then look for the Enterprise edition and set 2x vNICs on each VM per site?
jjoz (Author) Commented:
OK, here's my summary and understanding from the above thread:

1. Deployment of 1x TMG 2010 Enterprise with a single vNIC in the production site
2. Deployment of 1x TMG 2010 Enterprise with a single vNIC in the DR site
3. Deployment of 1x EMS on a dedicated server to create and manage the above TMG 2010 servers from the production site
4. Configure the servers above as an array in multicast NLB configuration

Is that what I'm supposed to do?
Tasmant Commented:
I don't really know about the dedicated EMS server. Maybe you could use an existing server.
But this could be a solution to get HA. And you should duplicate the DC and Exchange CAS/HUB/MBX too for true HA.
jjoz (Author) Commented:
Yes, the AD DC and Exchange have been made redundant already by utilizing CCR :-)
jjoz (Author) Commented:
OK, here's my conclusion:

After doing some reading during the last week and research on the internet: on TMG there is no option for active/passive automated failover across different subnets. It is always active/active (load balanced within the same site).

1x TMG Standard in each site will do the job in that case. We only really need an array if we need local HA or load balancing. So in order to proceed with the single TMG 2010 Standard solution, we need to set up all of the appropriate publishing rules on TMG for the CAS server at the DR site, and we also need a certificate with the same SAN as the certificate at the main site. Then it's just a case of changing the DNS records in the event of an outage to point to the DR site IP rather than the main site.
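The cutover described in this conclusion is a DNS change that only works if the DR listener presents a certificate covering the same names as production. Here is an added PowerShell example (not from the thread or any of its posters) that checks the DR listener's SAN against the production one before swapping the public A record; it assumes the public zone is hosted on a Windows DNS server reachable through the DnsServer module, and every name and IP below is a placeholder.

```powershell
# Added example, not from the thread. Assumes the public zone holding the
# ActiveSync hostname lives on a Windows DNS server we administer; all names
# and addresses are placeholders.
param(
    [string]$DnsServer  = 'dns01.example.com',  # authoritative DNS host (placeholder)
    [string]$Zone       = 'example.com',        # public zone (placeholder)
    [string]$RecordName = 'mail',               # A record clients use for ActiveSync (placeholder)
    [string]$DrIp       = '203.0.113.10'        # DR site TMG listener (placeholder, TEST-NET-3)
)
$HostName = "$RecordName.$Zone"

function Get-ListenerSan {
    # TLS-connect to $Ip with SNI set to $Name and return the SAN entries of the
    # certificate it presents. The callback returns $true only so the certificate
    # can be inspected; nothing here trusts the chain.
    param([string]$Ip, [string]$Name)
    $tcp = New-Object System.Net.Sockets.TcpClient($Ip, 443)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
        if (-not $san) { return @() }
        # Format() renders e.g. "DNS Name=mail.example.com, DNS Name=autodiscover.example.com"
        return @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
    } finally { $ssl.Dispose(); $tcp.Close() }
}

# 1. Read the record that currently points at the production TMG listener.
$old    = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $RecordName -RRType A
$prodIp = $old.RecordData.IPv4Address.IPAddressToString

# 2. Refuse to cut over unless the DR listener answers for the same names as
#    production, including the name mobile clients actually connect to.
$prodSan = Get-ListenerSan -Ip $prodIp -Name $HostName
$drSan   = Get-ListenerSan -Ip $DrIp   -Name $HostName
if ($drSan -notcontains $HostName) { throw "DR certificate does not cover $HostName" }
if (Compare-Object ($prodSan | Sort-Object) ($drSan | Sort-Object)) {
    throw "SAN mismatch between production and DR listeners; fix the DR certificate before cutover"
}

# 3. Swap the A record, keeping the old object so the change can be reverted.
#    Lower the TTL well before a drill: clients hold the old answer until it expires.
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($DrIp)
Set-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -OldInputObject $old -NewInputObject $new
Write-Host "Moved $HostName from $prodIp to $DrIp (record TTL was $($old.TimeToLive))"
```

Run it from a host that can reach both listeners on 443 and has the DnsServer RSAT module; the same script with the production IP as `$DrIp` serves as the failback.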
jjoz (Author) Commented:
Thanks for your response.