Forefront TMG 2010 not routing through primary ISP

Posted on 2012-08-14
Last Modified: 2012-08-19
I have a virtual Windows 2008 R2 with TMG 2010 routing two ISPs.

ISP1 - primary - dynamic IPv4 - current value (sample) MASK
ISP2 - secondary - static IPv4 - static value (sample) MASK

Both should resolve names through and (google public DNS).

I have done the initial configs and ROUTE PRINT command returns:
14..00  (...)  Microsoft VM Adapter #4
12..00  (...)  Microsoft VM Adapter #2
11..00  (...)  Microsoft VM Adapter

IPV4 Routes

Persistent Routes:

ADDR       MASK                GW        METRIC       1     1     1       100     100     100

IPV6 Routes

-- IPV6 is only available for LAN
-- There is no IPV6 persistent route

-- is routed through interface 14. Triple-checked from the network adapter.
-- is routed through interface 11. Triple-checked too.
-- Interface 12 is the LAN adapter.

The problem is that the TMG VM routes its own calls perfectly through the primary ISP, but any request from another computer on the network gets routed through the secondary ISP.

If you browse both or on the router you'll get the same value: Both sites on other computers over the LAN return

It's not only this info that shows the routing problem:

The primary link is a 20Mb SOHO link and the secondary is a dedicated 1Mb fiber.
The router has full speed on the web. Testing shows speed near 20Mbps.
Every other computer is limited to something below 1Mbps.

Any help here?
Question by:LordALMMa
    LVL 10

    Expert Comment

    What do your NAT rules look like? I suspect you have the NAT outside interface configured for GW.
    LVL 1

    Author Comment

    First of all, thanks for the reply.

    From TMG tab Network Rules, I have:

    #  Name                     Relation    Origin           Destiny      Network Address
    1  Local host access        Route       Local Host       Everyone
    2  VPN Clients              Route       VPN Clients      Internal
    3  Internet access          NAT         VPN Clients      External     Default IP Address
                                            + Internal

    Details from NAT rule:

    Origin: VPN Clients + Internal
    Destiny: External
    NET Relation: NAT
    Net Address Selection: Use default IP address

    Sorry if the names I provide aren't really equal to English names. My TMG is running on Brazilian Portuguese and I have to translate names here =)
    LVL 10

    Expert Comment

    Please check the following:

    If you want to bind a specific user or group to go through a specific link only, use the following logic:
    # First create a user/IP/IP range entry in FIREWALL POLICY > TOOL BOX / NETWORK OBJECTS >> computer / computer sets or address range
    # Then go to NETWORKING / NETWORK RULES and create a new NETWORK RULE with the following data
    Network Name Rule : WAN2 Users
     FROM: Your Specific Computer IP / User / IP Range
     TO : External
     Network Relationship : Network Address Translator (NAT)
     NAT Address Selection : Use the Specified IP and then select your desired WAN link ip
     Click FINISH and APPLY.
    LVL 1

    Author Comment

    If you want to bind specific user or group to go through specific link only,use the following logic

    I don't.
    I need the TMG to behave as a Failover: it should route all connections through the primary ISP and only use the secondary if the first fails.

    But checking the NAT configs I have:
    - FROM Internal TO External Using Default IP, where Internal is set to every IP on the LAN here and changing it to use a specific IP (primary or secondary) has no effect at all.

    Here follows a complete output from ROUTE PRINT:
     14...00 15 5d 37 52 03 ......Microsoft VM adapter #4
     12...00 15 5d 37 52 02 ......Microsoft VM adapter #2
     11...00 15 5d 37 52 04 ......Microsoft VM adapter
      1...........................Software Loopback Interface 1
     16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    IPv4 Routes
    Active routes:
    Network address          Mask       Gateway         Interface       Matric
          No bound      2
          No bound    200
        No bound    306
        No bound    306      No bound    306      No bound    257      No bound      2      No bound    257      No bound    257
      No bound    261
      No bound    261      No bound    261      No bound    356      No bound    200      No bound    356      No bound    356
        No bound    306
        No bound    261
        No bound    356
        No bound    257      No bound    306      No bound    261      No bound    356      No bound    257
    Persistent routes:
      Network address         Mask      Gateway        Metric
         100       1       1     100     100
    IPv6 routes
    Active routes:
     If metric network destiny          Gateway
      1    306 ::1/128                  No bound
      1    306 ff00::/8                 No bound
    Persistent routes:

    Here are some details from TMG itself:
    Embratel - STATIC -    -> This should be the secondary ISP
    Virtua   - DHCP   -      -> This should be the primary ISP
    LAN      - STATIC -
    	DESTINY		MASK		GW		METRIC		Virtua		1	1	100	Loopback	256	Loopback	256	Loopback	256
	Virtua		256	Virtua		1	Virtua		256	Virtua		256
	LanAGG	256	LanAGG	256	LanAGG	256
	Embratel	256 Embratel	100	Embratel	256	Embratel	256
	Loopback	256	Loopback	256
 	1	100	1	100
    ISP Connection    Gateway	    Mask	    Detection	Function
    Primary - Virtua	Enabled		Primary
    Secondary - Embratel	Enabled		Secondary

    What I have tested:

    1. Both primary and secondary ISP adapters ON

    Router (TMG) uses the primary ISP link.
    Every other computer on the LAN uses the secondary ISP link.

    2. Primary link is OFF / Secondary is ON

    Router (TMG) loses connectivity.
    Every other computer on the LAN keeps using the secondary ISP link.

    3. Primary link is ON / Secondary is OFF

    Router has connectivity through the primary link.
    Every other computer on the LAN starts using the primary ISP link.

    I simply have no other clue here.
    I've tested changing the persistent routes, adding or removing, but nothing seems to have any effect.

    It's as if the TMG had a static predefined route to access internet only through the primary ISP and as if the link was set opposite (as if the primary was set to secondary and vice-versa).

    I just have no clue here.
    I have already followed this website from your link. It's based on this post that the TMG was configured and yet this is the behavior I have.

    Any other tip/suggestion?
    LVL 10

    Accepted Solution

    You have several routes listed that are erroneous.
    But also 2 of these are likely wrong.
    LVL 1

    Assisted Solution

    Thanks for the tip.
    I'm a bit lost here though.

    This TMG box was installed by me actually but I'm still learning to use it.
    I have no clue on how to set the routes correctly and every help is much appreciated.

    You said:
    But also 2 of these are likely wrong.

    My IP's (isp provided) are: (primary, dynamic IP) (secondary, static IP)

    These are the gateways provided by each ISP: (for the primary link) (for the secondary link)

    What should I put in the static routing for, the external interfaces IP or the gateway from each external link?

    -- Update:

    I've just removed the two items you marked as mistaken and removed the routings for from the interface IP (kept the ones for interfaces' external gateways).

    The router kept using the primary ISP and desktops are still using the secondary ISP.
    But now if I remove the secondary ISP every LAN computer loses connectivity (just the router remains online).

    Also, before any change and still now, the TMG is marking the primary link as offline.
    It's online and I'm pretty sure of that: I have disconnected the secondary and TMG stays online, so it's working, but it's marked as offline.

    That might be the problem here.
    The TMG box is statically routing itself to the primary ISP and that's not OK -- and -- TMG is detecting the primary link as OFF and is routing every request to the secondary.

    The link is up but it's as if it is not accessible by TMG.
    If I disable the secondary TMG won't route through the primary because it's marked as off.

    On the interface properties both interfaces are marked as Auto-detect.
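As an added example (not code from this thread, nor from TMG itself), here is a small Python audit of a Windows route print table that checks the two points raised above: more than one default route on the same interface, and a default route whose gateway is the interface's own address rather than the ISP's gateway. The table is a constructed sample using documentation addresses, since the real addresses from the thread were not preserved.

```python
import re
from collections import Counter

# Constructed sample of a Windows "route print" IPv4 section using RFC 5737
# documentation addresses; it is not the output posted in the thread.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      2
          0.0.0.0          0.0.0.0     198.51.100.1   198.51.100.10    200
          0.0.0.0          0.0.0.0    198.51.100.10   198.51.100.10    100
        127.0.0.0        255.0.0.0          On-link       127.0.0.1    306
     192.168.10.0    255.255.255.0          On-link    192.168.10.1    261
===========================================================================
"""

ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return IPv4 active routes (dest, mask, gateway, interface, metric) as dicts."""
    routes = []
    for line in text.splitlines():
        if line.startswith("Persistent Routes"):
            break
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "interface": iface, "metric": int(metric)})
    return routes

def audit_default_routes(routes):
    """Summarise the 0.0.0.0/0 routes a dual-ISP host chooses between."""
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    # Windows forwards via the lowest-metric default route; the rest only matter on failure.
    winner = min(defaults, key=lambda r: r["metric"]) if defaults else None
    # A default route whose gateway is the interface's own address leads nowhere:
    # the next hop must be the ISP's gateway, not the local external IP.
    self_gateway = [r for r in defaults if r["gateway"] == r["interface"]]
    # Several default routes on one interface usually means stale manual routes.
    per_iface = Counter(r["interface"] for r in defaults)
    duplicates = sorted(i for i, n in per_iface.items() if n > 1)
    return {"count": len(defaults), "winner": winner,
            "self_gateway": self_gateway, "duplicate_interfaces": duplicates}

if __name__ == "__main__":
    report = audit_default_routes(parse_routes(ROUTE_PRINT))
    print(report["count"], "default routes; winner via", report["winner"]["gateway"])
```

On a real box, feed it the text of `route print -4` instead of the constructed sample.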
    LVL 1

    Author Closing Comment

    The problem was related to routing but not only that.

    After a day of learning I finally figured out what the causes of this problem were.

    1) The routing table wasn't up-to-date and I didn't know how to fix that. After a few attempts I just "broke" it completely to the point of no routing at all. Done a full restore and some updates and it was 50% done.

    2) The connectivity tests were running and the last one, responsible for pinging Google's public DNS ( had been blacklisted (probably because the dynamic IP had been used by someone else). Disabling the test resulted in a full restore.

    The TMG is now a full failover system again.
    I'm still a newbie on TMG and thanks for your answers!
