TMG 2010 standard on WNLB

artcrest asked:
I have just created a multicast WNLB for the 2 TMG Standard servers. In the log I see that TMG is blocking the new virtual IP for the WNLB. Is there a rule I need to add to allow connections for the virtual IP?

Is there any guide for the configuration of WNLB for TMG 2010 Standard edition? Thanks in advance.

rafter81 commented:
It really will depend on your HLB; maybe you can find some white papers for that?

Not sure if this is of any use, it's a bit old but:
http://forums.isaserver.org/m_2002105531/mpage_1/key_/tm.htm#2002105544
0

rafter81 commented:
Have you just set up NLB within Windows? You need to set up NLB within TMG on the network that you are load balancing, i.e. Internal.
Networks > Internal > NLB tab. To set it up initially: Networks > Tasks... Enable Network Load Balance Integration.

Further info:
http://technet.microsoft.com/en-us/library/dd897010.aspx
0

artcrest (author) commented:
The NLB integration requires TMG 2010 Enterprise. My plan is to load balance TMG Standard with WNLB. Any ideas?
0

Bruno PACI (IT Consultant) commented:
Hi,

My idea is that it cannot work... and it's not just an idea, I AM SURE it cannot work!

The reason is that as TMG is a FIREWALL it will reject any IP traffic that is not expected.
I said "REJECT" and not "IGNORE"!!! And that is VERY important!

What happens with your NLB configuration (as for any NLB configuration) is that incoming IP packets are broadcast to both servers. On "classical" servers (with no firewall product, I mean) one of the NLB members just ignores the incoming packet while the other member takes care of the packet.

With TMG, the incoming packet arrives on both servers. The NLB layer makes things so that one of the TMG members is supposed to process the packet while the other one should not. But on this last member the firewall network layer will not just ignore unexpected incoming packets, it will REJECT them with a TCP RST response, which will force the client to close the TCP session.

There's no way to make it work. TMG services on both servers must be aware of the NLB configuration to avoid rejecting packets that are supposed to be processed by the other member. This change in behavior is supported by the Enterprise version, not the Standard version. And it is supported because TMG creates the NLB; it will not work if you create the NLB with the Windows console, for the same reasons.

Have a good day.
0

rafter81 commented:
Yes, it is only available with Enterprise edition. For the Standard version you would have to use an external hardware load balancer.
0

artcrest (author) commented:
Hi rafter81, for using the hardware load balancer do I need to add rules to TMG? Any guide I could follow? Thanks.
0

Bruno PACI (IT Consultant) commented:
Hi,

In my opinion, the hardware load balancer solution is good only if you already have a hardware load balancer... because this type of equipment costs much more than 2 Enterprise versions of TMG.

An HLB costs a lot but it can load balance several services on several server farms. So if you plan to use it for several purposes it may be worth its price.

Also, don't forget that if you only use one HLB this equipment is a single point of failure... So usually you'll buy 2 HLB units that are able to act as one.

Have a good day.
0

artcrest (author) commented:
Hi PaciB,
In our environment we do have HLB for the DMZ and we want to consider using it. How can we utilize it?
Additional rules to be added on TMG?
0

Bruno PACI (IT Consultant) commented:
Hi,

I have never configured an HLB device, but as far as I understand how it works you have ALMOST nothing to do "for it" on your TMG server.
By "for it" I mean "specifically for the HLB".

Of course your TMG must publish the required services (OWA, ActiveSync, Outlook Anywhere, ...) for external clients. In fact these client accesses will probably come from the HLB IP addresses from the point of view of the TMG server.
But as you usually don't do any restriction on the source IP in a publishing rule, your TMG should accept any incoming traffic for the published port, whether it comes from clients directly or from the HLB.

Usually, you configure your HLB to check availability of the published server farm by probing the published ports. As an example, if you use an HLB to publish OWA you'll configure the HLB to test availability of the HTTPS port, so that the HLB is able to detect the failure of a TMG server and redirect traffic to the other TMG server.

So, compared to a real external client, the HLB will make many more TCP requests to your TMG server. If there are too many TCP requests in a second, TMG may consider it to be an attempt at a flooding attack and will block the source IP! This is not what you expect for the HLB IP address.
So, you'll probably have to increase the threshold of the flood detection filter on TMG, or disable it completely (the last solution is not very good; you should always have a threshold configured in the TCP intrusion detection settings, you just have to find the correct value).
See http://www.isaserver.org/tutorials/Intrusion-Detection-Prevention-Forefront-TMG-Part1.html
The easiest way is probably to tune the threshold each time it's needed. So when your TMG farm is published, let it work with the initial settings and plan for a close observation period. Each time you see alerts about the flooding threshold being reached, you tune up the threshold.

Have a good day.
0
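To make the tuning step above concrete, here is an added example (not code from the thread or from TMG) that models the per-source connections-per-second heuristic the flood mitigation filter uses, runs it over constructed log lines, and shows why a health-checking load balancer trips it while an ordinary client does not. The log format, the threshold of 5, and the addresses (10.0.0.5 standing in for the HLB, 203.0.113.7 for a client, 198.51.100.9 for a genuine burst) are all invented for the demo and do not reproduce TMG's real log schema or its default limits. `peak_rate` returns the number an administrator would compare against the configured threshold during the observation period, and `flood_sources` shows the effect of either raising the threshold or exempting the load balancer's address.

```python
"""Flood-detection heuristic over constructed TMG-style connection log lines.

Added example, not part of the original thread. The log format below is
constructed: "<iso-timestamp> <source-ip> <dest-port> <action>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: the HLB (10.0.0.5) probes port 443 eight times in one
# second, a normal client connects twice, and 198.51.100.9 sends a real burst.
SAMPLE_LOG = (
    ["2012-03-01T10:00:00 10.0.0.5 443 INITIATED"] * 8        # HLB health probes
    + ["2012-03-01T10:00:00 203.0.113.7 443 INITIATED"] * 2   # ordinary client
    + ["2012-03-01T10:00:01 10.0.0.5 443 INITIATED"] * 3      # HLB, next second
    + ["2012-03-01T10:00:01 198.51.100.9 443 INITIATED"] * 12 # genuine burst
)

TCP_PER_SECOND_THRESHOLD = 5  # invented value, stands in for the TMG setting


def parse_log(lines):
    """Turn constructed log lines into (timestamp, src, port, action) tuples."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port), action))
    return events


def connections_per_second(events):
    """Count new TCP connections per (source, whole second)."""
    counts = defaultdict(int)
    for ts, src, _port, action in events:
        if action == "INITIATED":
            counts[(src, ts.replace(microsecond=0))] += 1
    return counts


def peak_rate(events, src):
    """Highest connections-per-second seen from one source (0 if absent).

    This is the figure to compare against the configured threshold when
    tuning during the observation period described in the thread.
    """
    rates = [n for (s, _sec), n in connections_per_second(events).items() if s == src]
    return max(rates, default=0)


def flood_sources(events, threshold, exempt=frozenset()):
    """Sources that exceed `threshold` in any one second, minus exempted IPs.

    Returns a sorted list of (src, second-as-iso-string, count). Exempting the
    load balancer's address, or raising the threshold above its peak_rate,
    stops the health checks being treated as a flood.
    """
    flagged = []
    for (src, second), n in connections_per_second(events).items():
        if n > threshold and src not in exempt:
            flagged.append((src, second.isoformat(), n))
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("HLB peak rate:", peak_rate(evts, "10.0.0.5"))
    print("flagged, default:", flood_sources(evts, TCP_PER_SECOND_THRESHOLD))
    print("flagged, HLB exempt:",
          flood_sources(evts, TCP_PER_SECOND_THRESHOLD, exempt={"10.0.0.5"}))
    print("flagged, threshold raised to 10:", flood_sources(evts, 10))
```

Run as-is, the HLB's peak rate of 8 per second exceeds the demo threshold and it is flagged alongside the real burst; either exempting 10.0.0.5 or raising the threshold above 8 leaves only 198.51.100.9 flagged, which is the outcome the observation-and-tune approach in the comment above is aiming for.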