Forefront TMG 2010 not routing through primary ISP

I have a virtual Windows 2008 R2 with TMG 2010 routing two ISPs.

ISP1 - primary - dynamic IPv4 - current value (sample) MASK
ISP2 - secondary - static IPv4 - static value (sample) MASK

Both should resolve names through and (Google public DNS).

I have done the initial configs and ROUTE PRINT command returns:


14..00  (...)  Microsoft VM Adapter #4
12..00  (...)  Microsoft VM Adapter #2
11..00  (...)  Microsoft VM Adapter

IPV4 Routes

Persistent Routes:

ADDR       MASK                GW        METRIC       1     1     1       100     100     100

IPV6 Routes


-- IPV6 is only available for LAN
-- There is no IPV6 persistent route

-- is routed through interface 14. Triple-checked from the network adapter.
-- is routed through interface 11. Triple-checked too.
-- Interface 12 is the LAN adapter.

The problem is that the TMG VM routes its own calls perfectly through the primary ISP, but any request from another computer on the network gets routed through the secondary ISP.

If you browse both or on the router you'll get the same value: Both sites on other computers over the LAN return

It's not only this info that shows the routing problem:

The primary link is a 20Mb SOHO link and the secondary is a dedicated 1Mb fiber.
The router has full speed on the web. Testing and all shows speed near 20Mbps.
Every other computer is limited to something below 1Mbps.

Any help here?
You have several routes listed that are erroneous.
But also 2 of these are likely wrong.
What do your NAT rules look like? I suspect you have the NAT outside interface configured for GW.
LordALMMaAuthor Commented:
First of all, thanks for the reply.

From TMG tab Network Rules, I have:

#  Name                     Relation    Origin           Destiny      Network Address
1  Local host access        Route       Local Host       Everyone
2  VPN Clients              Route       VPN Clients      Internal

3  Internet access          NAT         VPN Clients      External     Default IP Address
                                        + Internal


Details from NAT rule:

Origin: VPN Clients + Internal
Destiny: External
NET Relation: NAT
Net Address Selection: Use default IP address

Sorry if the names I provide aren't really equal to English names. My TMG is running on Brazilian Portuguese and I have to translate names here =)

Please check the following:

If you want to bind a specific user or group to go through a specific link only, use the following logic:
# First create a user/IP/IP range entry in FIREWALL POLICY > TOOL BOX / NETWORK OBJECTS >> computer / computer sets or address range
# Then go to NETWORKING / NETWORK RULES and create a new NETWORK RULE with the following data
Network Name Rule : WAN2 Users
 FROM: Your Specific Computer IP / User / IP Range
 TO : External
 Network Relationship : Network Address Translator (NAT)
 NAT Address Selection : Use the Specified IP and then select your desired WAN link ip
 Click FINISH and APPLY.
LordALMMaAuthor Commented:
If you want to bind specific user or group to go through specific link only,use the following logic

I don't.
I need the TMG to behave as a Failover: it should route all connections through the primary ISP and only use the secondary if the first fails.

But checking the NAT configs I have:
- FROM Internal TO External Using Default IP, where Internal is set to every IP on the LAN here and changing it to use a specific IP (primary or secondary) has no effect at all.

Here follows a complete output from ROUTE PRINT:
 14...00 15 5d 37 52 03 ......Microsoft VM adapter #4
 12...00 15 5d 37 52 02 ......Microsoft VM adapter #2
 11...00 15 5d 37 52 04 ......Microsoft VM adapter
  1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

IPv4 Routes
Active routes:
Network address          Mask       Gateway         Interface       Matric
      No bound      2
      No bound    200
      2      No bound    306      No bound    306      No bound    306      No bound    257      No bound      2      No bound    257      No bound    257      No bound    261      No bound    261      No bound    261      No bound    356      No bound    200      No bound    356      No bound    356      No bound    306      No bound    261      No bound    356      No bound    257      No bound    306      No bound    261      No bound    356      No bound    257
Persistent routes:
  Network address         Mask      Gateway        Metric
     100       1       1     100     100

IPv6 routes
Active routes:
 If metric network destiny          Gateway
  1    306 ::1/128                  No bound
  1    306 ff00::/8                 No bound
Persistent routes:


Here are some details from TMG itself:
Embratel - STATIC -    -> This should be the secondary ISP
Virtua   - DHCP   -      -> This should be the primary ISP
LAN      - STATIC -

	DESTINY		MASK		GW		METRIC		Virtua		1	1	100	Loopback	256	Loopback	256	Loopback	256	Virtua		256	Virtua		1	Virtua		256	Virtua		256	LanAGG	256	LanAGG	256	LanAGG	256	Embratel	256 Embratel	100	Embratel	256	Embratel	256	Loopback	256	Loopback	256	1	100	1	100

ISP Connection    Gateway	    Mask	    Detection	Function
Primary - Virtua	Enabled		Primary
Secondary - Embratel	Enabled		Secondary


What I have tested:

1. Both primary and secondary ISP adapters ON

Router (TMG) uses the primary ISP link.
Every other computer on the LAN uses the secondary ISP link.

2. Primary link is OFF / Secondary is ON

Router (TMG) loses connectivity.
Every other computer on the LAN keeps using the secondary ISP link.

3. Primary link is ON / Secondary is OFF

Router has connectivity through the primary link.
Every other computer on the LAN starts using the primary ISP link.

I simply have no other clue here.
I've tested changing the persistent routes, adding or removing, but nothing seems to have any effect.

It's as if the TMG had a static predefined route to access internet only through the primary ISP and as if the link was set opposite (as if the primary was set to secondary and vice-versa).

I just have no clue here.
I have already followed this website from your link. It's based on this post that the TMG was configured and yet this is the behavior I have.

Any other tip/suggestion?
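The thread keeps coming back to the host's own `ROUTE PRINT` output: two default routes, one per ISP, and the question of which one the TMG box itself uses versus what it does for LAN clients. As an added example (not code from the thread or from TMG), here is a small parser for `route print` output that lists the default routes in the order the host will use them and checks that each default gateway is actually reachable on-link from the interface it is assigned to. The sample output is constructed with RFC 5737 documentation addresses and mirrors the shape of the poster's table (metrics 2 and 200 active, 1 and 100 persistent); the diagnostic wording is my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample (RFC 5737 addresses), shaped like `route print` on a
# dual-ISP host: two default routes with different metrics. Not real output.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
 14...00 15 5d 37 52 03 ......Microsoft VM adapter #4
 12...00 15 5d 37 52 02 ......Microsoft VM adapter #2
 11...00 15 5d 37 52 04 ......Microsoft VM adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     198.51.100.1    198.51.100.10      2
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.10    200
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.1    257
     198.51.100.0    255.255.255.0         On-link     198.51.100.10    257
      203.0.113.0    255.255.255.0         On-link      203.0.113.10    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     198.51.100.1       1
          0.0.0.0          0.0.0.0      203.0.113.1     100
===========================================================================
"""


@dataclass
class Route:
    dest: str
    mask: str
    gateway: str        # next hop, or the literal "On-link"
    interface: str      # IP of the local adapter (None for persistent routes)
    metric: int

    def network(self):
        return ipaddress.ip_network(f"{self.dest}/{self.mask}", strict=False)

    @property
    def is_default(self):
        return self.dest == "0.0.0.0" and self.mask == "0.0.0.0"


# Active rows have 5 columns, persistent rows have 4 (no Interface column).
ACTIVE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
PERSISTENT_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def _block_lines(text, header):
    """Yield the lines between `header` and the next '====' separator."""
    inside = False
    for line in text.splitlines():
        if line.startswith(header):
            inside = True
            continue
        if inside and line.startswith("="):
            return
        if inside:
            yield line


def parse_active_routes(text):
    routes = []
    for line in _block_lines(text, "Active Routes:"):
        m = ACTIVE_RE.match(line)
        if m:  # the column-header line has 6 words, so it never matches
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(dest, mask, gw, iface, int(metric)))
    return routes


def parse_persistent_routes(text):
    routes = []
    for line in _block_lines(text, "Persistent Routes:"):
        m = PERSISTENT_RE.match(line)
        if m:
            dest, mask, gw, metric = m.groups()
            routes.append(Route(dest, mask, gw, None, int(metric)))
    return routes


def default_routes(routes):
    """Default routes ordered by metric; the first is the one the host uses."""
    return sorted((r for r in routes if r.is_default), key=lambda r: r.metric)


def gateway_on_link(routes, default_route):
    """True if the gateway lies in an On-link subnet of the same interface,
    i.e. the host can actually resolve it with ARP and send to it."""
    gw = ipaddress.ip_address(default_route.gateway)
    return any(r.gateway == "On-link" and r.interface == default_route.interface
               and gw in r.network() for r in routes)


def diagnose(text):
    """Return human-readable findings about the host's default routes."""
    active = parse_active_routes(text)
    defaults = default_routes(active)
    if not defaults:
        return ["no default route: the host has no path to the Internet"]
    best = defaults[0]
    findings = [f"host traffic uses {best.gateway} via {best.interface} (metric {best.metric})"]
    findings += [f"standby default {r.gateway} via {r.interface} (metric {r.metric})"
                 for r in defaults[1:]]
    findings += [f"gateway {r.gateway} is not on-link for {r.interface}: route is unusable"
                 for r in defaults if not gateway_on_link(active, r)]
    persistent = [r.gateway for r in default_routes(parse_persistent_routes(text))]
    if persistent and persistent != [r.gateway for r in defaults if r.gateway in persistent]:
        findings.append("persistent metrics order the gateways differently from the active table")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ROUTE_PRINT):
        print(finding)
```

Run it against the saved output of `route print` on the TMG host (`route print > routes.txt`) instead of the constructed sample. Note that it only describes what the host itself does with its own traffic; which link TMG picks for LAN clients is decided by its ISP redundancy and link-detection settings, not by this table, which is exactly the split the poster observes.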
LordALMMaAuthor Commented:
Thanks for the tip.
I'm a bit lost here though.

This TMG box was installed by me actually but I'm still learning to use it.
I have no clue on how to set the routes correctly and every help is much appreciated.

You said:
But also 2 of these are likely wrong.

My IP's (isp provided) are: (primary, dynamic IP) (secondary, static IP)

These are the gateways provided by each ISP: (for the primary link) (for the secondary link)

What should I put in the static routing for, the external interfaces IP or the gateway from each external link?

-- Update:

I've just removed the two items you marked as mistaken and removed the routings for from the interface IP (kept the ones for interfaces' external gateways).

The router kept using the primary ISP and desktops are still using the secondary ISP.
But now if I remove the secondary ISP every LAN computer loses connectivity (just the router remains online).

Also, before any change and still now, the TMG is marking the primary link as offline.
It's online and I'm pretty sure of that, I have disconnected the secondary and TMG keeps online so it's working but it's marked as offline.

That might be the problem here.
The TMG box is statically routing itself to the primary ISP and that's not OK -- and -- TMG is detecting the primary link as OFF and is routing every request to the secondary.

The link is up but it's as if it is not accessible by TMG.
If I disable the secondary TMG won't route through the primary because it's marked as off.

On the interface properties both interfaces are marked as Auto-detect.
LordALMMaAuthor Commented:
The problem was related to routing but not only that.

After a day of learning I finally figured out what the causes of this problem were.

1) The routing table wasn't up-to-date and I didn't know how to fix that. After a few attempts I just "broke" it completely to the point of no routing at all. Done a full restore and some updates and it was 50% done.

2) The connectivity tests were running and the last one, responsible for pinging Google's public DNS-A ( had been blacklisted (probably because the dynamic IP had been used by someone else). Disabling the test resulted in a full restore.

The TMG is now a full failover system again.
I'm still a newbie on TMG and thanks for your answers!
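The root cause in the final post is worth generalising: a link-detection probe whose target stops answering (here, ICMP to a public resolver that had blacklisted the ISP-assigned address) makes the failover engine declare a healthy link dead, and every client is silently moved to the slow backup link. As an added example (not TMG's own connectivity verifier, and not code from the thread), here is a probe that checks a resolver with a real DNS query instead of a ping, distinguishes "no answer" from "answered but refused", and only declares a link down when every target fails, so one blocked target cannot take the link out. The resolver addresses, query name and the quorum policy are assumptions for the example.

```python
import socket
import struct

# DNS header flags (RFC 1035)
FLAG_QR = 0x8000   # bit set in responses
FLAG_RD = 0x0100   # recursion desired
RCODE_MASK = 0x000F


def build_dns_query(name, txid=0x1234):
    """Minimal DNS query for an A record: header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_dns_reply(data, expected_txid):
    """Return (is_valid_response, rcode, answer_count) from a reply header.
    A reply whose transaction id does not match is treated as invalid."""
    if len(data) < 12:
        raise ValueError("short DNS reply")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    valid = txid == expected_txid and bool(flags & FLAG_QR)
    return valid, flags & RCODE_MASK, an


def classify(data, txid):
    """Map a raw reply to a probe verdict string."""
    valid, rcode, _answers = parse_dns_reply(data, txid)
    if not valid:
        return "bad-reply"
    return "ok" if rcode == 0 else f"rcode:{rcode}"   # e.g. rcode:5 = REFUSED


def probe_dns(server, name="example.com", timeout=2.0, port=53):
    """Send one real query over UDP. Unlike an ICMP echo, an answer proves the
    resolver service is reachable and willing to serve this source address."""
    txid = 0x4242
    query = build_dns_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, port))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
        except OSError as exc:        # e.g. ICMP port unreachable surfaced as ECONNREFUSED
            return f"error:{exc.errno}"
    return classify(data, txid)


def link_is_up(results, quorum=1):
    """Policy: the link is up if at least `quorum` probe targets answered.
    With several independent targets, one blacklisted resolver cannot
    mark the whole link as failed."""
    return sum(1 for r in results if r == "ok") >= quorum


def probe_link(servers=("8.8.8.8", "1.1.1.1", "9.9.9.9")):
    """Probe every target and return (verdicts, link_up)."""
    verdicts = {s: probe_dns(s) for s in servers}
    return verdicts, link_is_up(verdicts.values())


if __name__ == "__main__":
    verdicts, up = probe_link()
    for server, verdict in verdicts.items():
        print(f"{server}: {verdict}")
    print("link up" if up else "link DOWN (all probe targets failed)")
```

When a single target returns `timeout` or `rcode:5` while the others return `ok`, the right response is to replace that probe target, not to fail the link; that is the case the poster hit, and it is why a detection setting should never depend on one external host.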