Forefront TMG - setting up a basic load balanced configuration

For the record, this is my *first* time using Microsoft Forefront TMG, and it's been years since I've looked at ISA Server, or any software-based proxy/firewall solution.

Anyhow, we're attempting to do some cache/load-balance testing with some internal websites.  Ultimately, we're looking to test against (8) web servers, but I'm having trouble even getting traffic routed to a single server.  The setup is as follows:

Forefront TMG Server:
Name:  ForefrontTest
Ext IP:
Int IP:

Web Server:
Server1:  Win1 /

The Forefront server has (2) NICs -- one for external access (client-facing), and one for internal access (web server facing).  Forefront is up and running, and I've walked through this document to publish multiple web sites over a basic HTTP connection.  Honestly, I'm not doing anything particularly fancy here.

My Listener is set to use the Ext IP (  The Firewall Policy is coming FROM "anywhere" and TO "", which is our single web server, in this case.  I've also created a Public Name -- "lbtest" -- so that clients on the 10.1.1.x subnet can hit the Forefront server and get routed to the web server.  The "lbtest" name has a DNS "A" record of the Forefront EXT IP,  Otherwise, there is no authentication needed, no specific users, no specific times, etc.  It's pretty wide open.  If a client requests "http://lbtest", it should route to the Forefront server EXT IP address, which should then be picked up by Forefront and routed to the web server (  Also, the internal Forefront configuration tests all appear to pass.

So, what am I missing here?  I try to hit http://lbtest from my box and it goes nowhere.  I'm guessing that it's something fairly straightforward, but I can't for the life of me figure it out.


Keith Alabaster (Enterprise Architect) commented:
Not really getting on very well together are we. The point I am driving at is we are trying to address your issue effectively via email so I have to ask the basic questions. Many issues are just fundamental setup issues so checking that 10.1.1.x and 10.1.7.x are not set using a mask of (the default mask for this Class A network) is a simple check. FTMG will continually fail if the same network is used on both the internal and external interface - believe me, people do try it.

Again, the use of the wizard to publish the internal site is not mandatory - for example, you may have created a route relationship between the internal/external interface in which case you would have to use an access rule, not the publishing wizard. To gain an insight to your environment I have to ask what may well seem obtuse and obvious questions but it saves me time having to 'guess' what may be happening.

FTMG is currently on SP1 with the latest rollup being rollup 3.
It might be prudent to run up the best practice analyser.

An obvious question, if the tests are being carried out from outside, the dns a record for nlbtest does resolve to the expected IP address? Equally obviously, internal users will not be able to access the external FTMG ip address.

Only useful info would be an ipconfig /all output from the FTMG box
Keith Alabaster (Enterprise Architect) commented:
You are using FTMG Enterprise version and using the Integrated NLB?
Confirm you are using different subnet masks for internal and external - i.e. you are not using a /8 mask here?
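The check Keith is asking for, written out as an added example (not code from the thread or from Microsoft): it parses the kind of `ipconfig /all` output he requested and reports any two adapters whose IPv4 networks overlap. The sample output below is constructed for this example, with made-up adapter names, MACs and addresses, and both NICs deliberately left on the Class A default mask of 255.0.0.0 (the "/8" Keith mentions), which is exactly the situation TMG cannot work with because both interfaces then sit on 10.0.0.0/8.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of "ipconfig /all" output from a two-NIC TMG host.
# Host name, adapter names, MACs and addresses are made up for this example;
# both adapters deliberately carry the Class A default mask (255.0.0.0).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ForefrontTest

Ethernet adapter External:

   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-00-00-01
   IPv4 Address. . . . . . . . . . . : 10.1.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . : 10.1.1.1

Ethernet adapter Internal:

   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-00-00-02
   IPv4 Address. . . . . . . . . . . : 10.1.7.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
"""

# Adapter headers sit at column 0 and end with a colon; property lines are indented.
_ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
# Server 2008 R2 prints "IPv4 Address"; older builds print "IP Address".
_ADDR_RE = re.compile(r"^\s*(?:IPv4|IP) Address[ .]*:\s*([\d.]+)")
_MASK_RE = re.compile(r"^\s*Subnet Mask[ .]*:\s*([\d.]+)")


def parse_ipconfig(text: str) -> Dict[str, List[ipaddress.IPv4Interface]]:
    """Map each adapter name to its IPv4 address/mask pairs."""
    adapters: Dict[str, List[ipaddress.IPv4Interface]] = {}
    current = None
    pending_addr = None
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            current, pending_addr = m.group(1), None
            adapters[current] = []
            continue
        if current is None:
            continue
        m = _ADDR_RE.match(line)
        if m:
            pending_addr = m.group(1)
            continue
        m = _MASK_RE.match(line)
        if m and pending_addr:
            # ipaddress accepts a dotted mask after the slash for IPv4.
            adapters[current].append(ipaddress.ip_interface(f"{pending_addr}/{m.group(1)}"))
            pending_addr = None
    return adapters


def overlapping_adapters(adapters: Dict[str, List[ipaddress.IPv4Interface]]) -> List[Tuple[str, str, str]]:
    """Return (adapter_a, adapter_b, network) for each pair whose networks overlap.

    Any finding here is the misconfiguration Keith describes: TMG cannot tell
    the two interfaces apart, so publishing rules never route as expected.
    """
    findings = []
    names = list(adapters)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ia in adapters[a]:
                for ib in adapters[b]:
                    if ia.network.overlaps(ib.network):
                        findings.append((a, b, str(ia.network)))
    return findings


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, ifaces in parsed.items():
        print(name, [str(i) for i in ifaces])
    print("overlaps:", overlapping_adapters(parsed))
    # Same output with a /24 mask on both adapters: no overlap.
    print("overlaps after fix:", overlapping_adapters(
        parse_ipconfig(SAMPLE_IPCONFIG.replace("255.0.0.0", "255.255.255.0"))))
```

Run it against the real output of `ipconfig /all` copied from the TMG box; an empty findings list is the "different subnets" answer Keith wants, and a non-empty one names the adapters and the shared network so the mask can be corrected before any publishing rule is debugged.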
Miguel Angel Perez Muñoz commented:
What DW has webserver?
chumplet (Author) commented:
We're using Forefront TMG (version 7.0.7734.100).  Not using the integrated NLB, as far as I know.  We're not load balancing network cards, but rather taking requests (to the EXT IP address) and routing them to clients (INT IP range).  As stated above, the EXT IP range is 10.1.1.x and the INT IP range is 10.1.7.x, so "yes"... different subnets.
Keith Alabaster (Enterprise Architect) commented:
These are only different subnets if you have an appropriate mask in place - both of yours are part of the same class A network.
Have you used the publish a web server wizard or have you tried to do this via an access rule?
chumplet (Author) commented:
I'm not sure what you're driving at with the subnetting questions.  I have one NIC on the "external" labeled 10.1.1.x network, and another NIC on the "internal" labeled 10.1.7.x network.  I have used the "Publish Web Sites" wizard, of course.  The Listener is listening on the external network, and the Firewall Policy I've created is (supposedly) taking traffic FROM "anywhere" and routing it TO our "WIN1" server -- via HTTP.

Should I attach some screenshots to help show my config?  If so, which areas/tabs should I snapshot?
chumplet (Author) commented:
I'm not meaning to come across as snarky.  I appreciate your help, and I *do* understand that "blind support" is difficult at best.

I believe that I have the subnetting properly configured, but the Best Practices Analyzer will help with that.  Great suggestion!  I'll also update to the latest version and see how that goes.

Will report back soon....
chumplet (Author) commented:
Wow!  So, I ran the Best Practices Analyzer (which *reports*, but doesn't do anything) and decided that I should really update the system first.  I downloaded Forefront TMG SP1 and the Update 1 for SP1, installed both, and rebooted -- for good measure.  The server comes back on-line and then I simply hit the same URL I've been hitting (from my client machine) and guess what... I'm getting pages from the back-end server!  Honestly, I don't know if it was simply a reboot issue *OR* if it needed one of those updates, but it seems to be working now.  Thanks for your help!

Different issue, I suppose, but I'm able to test against a single server in the back-end *OR* multiple servers in the back-end.  The single-server method is VERY fast, but the multi-server setup seems extraordinarily slow.  Hmmm.  A different support incident, I guess.

I'd be happy to award you the points, even if the "fix" seems pretty random :)
Keith Alabaster (Enterprise Architect) commented:
The points are just for fun so don't worry about those. Also, I'm laid up in bed after an appendicitis operation currently so I am a tad 'touchy' as well :)  Snarky - what a great word. Never heard of it but I like it a lot lol.

What is the specification of the FTMG server being used? Is this a physical or virtual implementation?
I guess network performance and bandwidth are not factors?
One of the biggest performance issues that FTMG is prone to is AD/dns service availability although AD should not be an issue here as you are only using http and for all users so no authentication requests are going back to the DC every second. How about dns services - are these well served?

Have you fired up the FTMG performance counters to see if there are any bottlenecks either at the disk or network level?
chumplet (Author) commented:
Ouch.  Sorry to hear about the appendicitis.  I had an emergency appendectomy years ago.  No fun at all, and it helped start my marriage out with $20k in debt (no insurance).  Good times!

As for FTMG, we're not actually using it for its intended purpose(s).  In this case, I have FTMG virtualized on one Hyper-V Server -- connected to our corp network with one NIC, and a test network with a second NIC -- and then cabled over to a second Hyper-V Server with (8) virtual PCs running IIS.  I'm really only testing the load balancing portion, so malware sniffing, etc. is of no use to me.

Anyhow, after my last comment regarding single-server perf vs. multi-server perf, I ran the Best Practices Analyzer again and realized that a DNS issue was causing the multi-server config to timeout regularly.  Since these are all workgroup-based instances, I simply added each of the (8) virtual PCs into the HOSTS files on the FTMG server.  Cleared it up automagically, and everything is running super-smoothly now.  Awesome!

Aside from that reboot-seems-to-fix-what-ails-me issue, I'm actually rather enjoying using FTMG.  My load-balancer experience is mostly limited to Coyote Point (hardware) load-balancers, and my firewall experience is with Juniper/Netscreen devices.  FTMG does a pretty good job, and is fairly easy for me to understand -- again, save for the fixed-after-reboot confusion that started this whole thread.

Thanks again :)
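The HOSTS-file workaround described above, as an added example that is not part of the original thread: a small parser for Windows HOSTS-file text plus a check that every back-end name the publishing rule depends on resolves to exactly one address on the web-server-facing subnet. The file content is constructed for this example (the page only names "Win1"; the other seven names, the 10.1.7.0/24 internal subnet and all addresses are assumptions), with one name deliberately missing and one deliberately pointing at the external side so the check has something to report.

```python
import ipaddress
from typing import Dict, List

# Constructed HOSTS file content (names and addresses are made up for this
# example). win7 is deliberately missing and win8 deliberately points at the
# external side so that the check below has something to report.
SAMPLE_HOSTS = """\
# Sample HOSTS file for the TMG server (constructed for this example)
127.0.0.1       localhost
10.1.7.11       win1
10.1.7.12       win2   # IIS guest on the second Hyper-V host
10.1.7.13       win3
10.1.7.14       win4
10.1.7.15       win5
10.1.7.16       win6
10.1.1.18       win8
"""

# Assumed internal (web-server-facing) subnet for the lab, with an assumed /24 mask.
INTERNAL_NET = ipaddress.ip_network("10.1.7.0/24")
# Assumed names of the eight IIS guests; the thread only mentions "Win1".
BACKENDS = [f"win{n}" for n in range(1, 9)]


def parse_hosts(text: str) -> Dict[str, List[ipaddress.IPv4Address]]:
    """Return {hostname: [addresses]} from HOSTS-file text, ignoring comments."""
    entries: Dict[str, List[ipaddress.IPv4Address]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, skip it
        for name in fields[1:]:                  # one address may carry aliases
            entries.setdefault(name.lower(), []).append(addr)
    return entries


def check_backends(entries: Dict[str, List[ipaddress.IPv4Address]],
                   backends: List[str],
                   internal_net: ipaddress.IPv4Network) -> Dict[str, str]:
    """Return {backend: problem} for every name TMG could not resolve cleanly.

    A missing entry means the lookup falls back to DNS, which in a workgroup
    lab is what produced the timeouts described in the thread; a duplicate or
    an address outside the internal subnet would route requests the wrong way.
    """
    problems: Dict[str, str] = {}
    for name in backends:
        addrs = entries.get(name.lower(), [])
        if not addrs:
            problems[name] = "no HOSTS entry; resolution falls back to DNS"
        elif len(addrs) > 1:
            problems[name] = "ambiguous: " + ", ".join(map(str, addrs))
        elif addrs[0] not in internal_net:
            problems[name] = f"{addrs[0]} is not in {internal_net}"
    return problems


if __name__ == "__main__":
    found = check_backends(parse_hosts(SAMPLE_HOSTS), BACKENDS, INTERNAL_NET)
    for name, why in found.items():
        print(f"{name}: {why}")
    print("all back-ends OK" if not found else f"{len(found)} problem(s)")
```

On a real TMG box the text would be read from `%SystemRoot%\System32\drivers\etc\hosts`; an empty result means every back-end in the web farm resolves locally and on the correct side of the firewall, so the slow multi-server behaviour cannot be coming from name resolution.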
Keith Alabaster (Enterprise Architect) commented:
Welcome :) I wouldn't be quite so confident about the reboot only but if it is working for you then great. For future reference, you may want to have a look at an article I wrote on the dns, network card settings etc for ISA and FTMG. Get these wrong and it never 'quite' gets there if you get my drift. Isn't the BPA a great tool? I have hundreds of ISA and FTMG installs but it has still saved my bacon sometimes.