Solved

Forefront TMG - setting up a basic load balanced configuration

Posted on 2011-03-10
Last Modified: 2012-05-11
For the record, this is my *first* time using Microsoft Forefront TMG, and it's been years since I've looked at ISA Server, or any software-based proxy/firewall solution.

Anyhow, we're attempting to do some cache/load-balance testing with some internal websites.  Ultimately, we're looking to test against (8) web servers, but I'm having trouble even getting traffic routed to a single server.  The setup is as follows:

Forefront TMG Server:
Name:  ForefrontTest
Ext IP:  10.1.1.152
Int IP:  10.1.7.10

Web Server:
Server1:  Win1 / 10.1.7.11

The Forefront server has (2) NICs -- one for external access (client-facing), and one for internal access (web server facing).  Forefront is up and running, and I've walked through this document to publish multiple web sites over a basic HTTP connection.  Honestly, I'm not doing anything particularly fancy here.

My Listener is set to use the Ext IP (10.1.1.152).  The Firewall Policy is coming FROM "anywhere" and TO "10.1.7.11", which is our single web server, in this case.  I've also created a Public Name -- "lbtest" -- so that clients on the 10.1.1.x subnet can hit the Forefront server and get routed to the web server.  The "lbtest" name has a DNS "A" record of the Forefront EXT IP, 10.1.1.152.  Otherwise, there is no authentication needed, no specific users, no specific times, etc.  It's pretty wide open.  If a client requests "http://lbtest", it should route to the Forefront server EXT IP address, which should then be picked up by Forefront and routed to the web server (10.1.7.11).  Also, the internal Forefront configuration tests all appear to pass.

So, what am I missing here?  I try to hit http://lbtest from my box and it goes nowhere.  I'm guessing that it's something fairly straightforward, but I can't for the life of me figure it out.

Thoughts?

Chumplet
Question by:chumplet

11 Comments
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35106116
You are using FTMG Enterprise version and using the Integrated NLB?
Confirm you are using different subnet masks for internal and external - i.e. you are not using a /8 mask here?
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 35106528
What DW does the web server have?
LVL 6

Author Comment

by:chumplet
ID: 35111457
We're using Forefront TMG (version 7.0.7734.100).  Not using the integrated NLB, as far as I know.  We're not load balancing network cards, but rather taking requests (to the EXT IP address) and routing them to clients (INT IP range).  As stated above, the EXT IP range is 10.1.1.x and the INT IP range is 10.1.7.x, so "yes"... different subnets.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35111501
These are only different subnets if you have an appropriate mask in place - both of yours are part of the same class A network.
Have you used the publish a web server wizard or have you tried to do this via an access rule?
LVL 6

Author Comment

by:chumplet
ID: 35111611
I'm not sure what you're driving at with the subnetting questions.  I have one NIC on the "external" labeled 10.1.1.x network, and another NIC on the "internal" labeled 10.1.7.x network.  I have used the "Publish Web Sites" wizard, of course.  The Listener is listening on the external network, and the Firewall Policy I've created is (supposedly) taking traffic FROM "anywhere" and routing it TO our "WIN1" server -- via HTTP.

Should I attach some screenshots to help show my config?  If so, which areas/tabs should I snapshot?
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 35111766
Not really getting on very well together are we. The point I am driving at is we are trying to address your issue effectively via email so I have to ask the basic questions. Many issues are just fundamental setup issues so checking that 10.1.1.x and 10.1.7.x are not set using a mask of 255.0.0.0 (the default mask for this Class A network) is a simple check. FTMG will continually fail if the same network is used on both the internal and external interface - believe me, people do try it.

Again, the use of the wizard to publish the internal site is not mandatory - for example, you may have created a route relationship between the internal/external interface in which case you would have to use an access rule, not the publishing wizard. To gain an insight to your environment I have to ask what may well seem obtuse and obvious questions but it saves me time having to 'guess' what may be happening.

FTMG is currently on SP1 with the latest rollup being rollup 3.
It might be prudent to run up the best practice analyser.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8aa01cb0-da96-46d9-a50a-b245e47e6b8b

An obvious question, if the tests are being carried out from outside, the DNS A record for nlbtest does resolve to the expected IP address? Equally obviously, internal users will not be able to access the external FTMG IP address.

Only useful info would be an ipconfig /all output from the FTMG box.
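As an added example (not code from the thread or from Microsoft), a Python check of the subnet-mask point raised above: it parses a constructed ipconfig /all excerpt for the ForefrontTest box (the adapter names and masks are assumed) and reports adapters whose IP networks overlap, which is exactly what a 255.0.0.0 mask on a 10.1.1.x and a 10.1.7.x interface produces.

```python
"""Sanity-check a two-NIC TMG box: do the internal and external adapters
sit in distinct IP networks, or does a wide mask (e.g. /8) make them
overlap?  Constructed example, not from the thread."""
import ipaddress
import re

# Constructed ipconfig /all excerpt for ForefrontTest (10.1.1.152 external,
# 10.1.7.10 internal).  The 255.0.0.0 mask on the internal NIC is the
# misconfiguration being checked for; 255.255.255.0 would be correct.
IPCONFIG_SAMPLE = """\
Ethernet adapter External:
   IPv4 Address. . . . . . . . . . . : 10.1.1.152(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1

Ethernet adapter Internal:
   IPv4 Address. . . . . . . . . . . : 10.1.7.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text):
    """Return {adapter_name: IPv4Interface} from ipconfig /all style text."""
    adapters = {}
    name = ip = mask = None
    for line in text.splitlines():
        header = re.match(r"^(\S.*adapter (.+)):$", line)
        if header:
            name, ip, mask = header.group(2), None, None
            continue
        if "IPv4 Address" in line:
            ip = re.search(r":\s*([\d.]+)", line).group(1)
        elif "Subnet Mask" in line:
            mask = re.search(r":\s*([\d.]+)", line).group(1)
        if name and ip and mask:
            # IPv4Interface accepts a dotted netmask after the slash.
            adapters[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
            ip = mask = None
    return adapters


def overlapping_adapters(adapters):
    """Return name pairs whose networks overlap; empty means masks are sane."""
    names = sorted(adapters)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if adapters[a].network.overlaps(adapters[b].network)]


if __name__ == "__main__":
    found = parse_ipconfig(IPCONFIG_SAMPLE)
    for adapter, iface in found.items():
        print(f"{adapter}: {iface} -> network {iface.network}")
    print("overlapping:", overlapping_adapters(found))
```

With the sample as constructed the External and Internal adapters overlap; changing the internal mask to 255.255.255.0 yields no overlap.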
LVL 6

Author Comment

by:chumplet
ID: 35112397
I'm not meaning to come across as snarky.  I appreciate your help, and I *do* understand that "blind support" is difficult at best.

I believe that I have the subnetting properly configured, but the Best Practices Analyzer will help with that.  Great suggestion!  I'll also update to the latest version and see how that goes.

Will report back soon....
LVL 6

Author Comment

by:chumplet
ID: 35113240
Wow!  So, I ran the Best Practices Analyzer (which *reports*, but doesn't do anything) and decided that I should really update the system first.  I downloaded Forefront TMG SP1 and the Update 1 for SP1, installed both, and rebooted -- for good measure.  The server comes back on-line and then I simply hit the same URL I've been hitting (from my client machine) and guess what... I'm getting pages from the back-end server!  Honestly, I don't know if it was simply a reboot issue *OR* if it needed one of those updates, but it seems to be working now.  Thanks for your help!

Different issue, I suppose, but I'm able to test against a single server in the back-end *OR* multiple servers in the back-end.  The single-server method is VERY fast, but the multi-server setup seems extraordinarily slow.  Hmmm.  A different support incident, I guess.

I'd be happy to award you the points, even if the "fix" seems pretty random :)
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35114483
The points are just for fun so don't worry about those. Also, I'm laid up in bed after an appendicitis operation currently so I am a tad 'touchy' as well :)  Snarky - what a great word. Never heard of it but I like it a lot lol.

What is the specification of the FTMG server being used? Is this a physical or virtual implementation?
I guess network performance and bandwidth are not factors?
One of the biggest performance issues that FTMG is prone to is AD/DNS service availability, although AD should not be an issue here as you are only using HTTP and for all users, so no authentication requests are going back to the DC every second. How about DNS services - are these well served?

Have you fired up the FTMG performance counters to see if there are any bottlenecks either at the disk or network level?
LVL 6

Author Comment

by:chumplet
ID: 35116871
Ouch.  Sorry to hear about the appendicitis.  I had an emergency appendectomy years ago.  No fun at all, and it helped start my marriage out with $20k in debt (no insurance).  Good times!

As for FTMG, we're not actually using it for its intended purpose(s).  In this case, I have FTMG virtualized on one Hyper-V Server -- connected to our corp network with one NIC, and a test network with a second NIC -- and then cabled over to a second Hyper-V Server with (8) virtual PCs running IIS.  I'm really only testing the load balancing portion, so malware sniffing, etc. is of no use to me.

Anyhow, after my last comment regarding single-server perf vs. multi-server perf, I ran the Best Practices Analyzer again and realized that a DNS issue was causing the multi-server config to timeout regularly.  Since these are all workgroup-based instances, I simply added each of the (8) virtual PCs into the HOSTS files on the FTMG server.  Cleared it up automagically, and everything is running super-smoothly now.  Awesome!

Aside from that reboot-seems-to-fix-what-ails-me issue, I'm actually rather enjoying using FTMG.  My load-balancer experience is mostly limited to Coyote Point (hardware) load-balancers, and my firewall experience is with Juniper/Netscreen devices.  FTMG does a pretty good job, and is fairly easy for me to understand -- again, save for the fixed-after-reboot confusion that started this whole thread.

Thanks again :)
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35120271
Welcome :) I wouldn't be quite so confident about the reboot only but if it is working for you then great. For future reference, you may want to have a look at an article I wrote on the DNS, network card settings etc. for ISA and FTMG. Get these wrong and it never 'quite' gets there if you get my drift. Isn't the BPA a great tool? I have hundreds of ISA and FTMG installs but it has still saved my bacon sometimes.

http://www.experts-exchange.com/Microsoft/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html?sfQueryTermInfo=1+30+alabast+keith