Solved

TMG 2010 standard on WNLB

Posted on 2013-01-30
638 Views
Last Modified: 2013-03-13
I have just created a multicast WNLB for the 2 TMG standard servers. In the log I see the TMG is blocking the new Virtual IP for the WNLB. Is there a rule I need to allow to accept connections for the virtual IP?

Is there any guide for the configuration of WNLB for TMG 2010 standard edition? Thanks in advance.
Question by:artcrest
9 Comments
 
LVL 3

Expert Comment

by:rafter81
ID: 38838622
Have you just set up NLB within Windows?  You need to set up NLB within TMG on the network that you are load balancing, i.e. Internal.
Networks > Internal > NLB tab.  To set up initially, Networks > Tasks... Enable Network Load Balancing Integration.

Further info:
http://technet.microsoft.com/en-us/library/dd897010.aspx
 

Author Comment

by:artcrest
ID: 38838934
The NLB integration requires TMG 2010 Enterprise. My plan is to load balance TMG standard with WNLB. Any ideas?
 
LVL 16

Expert Comment

by:PaciB
ID: 38838976
Hi,

My idea is that it cannot work... and it's not just an idea, I AM SURE it cannot work!

The reason is that as TMG is a FIREWALL it will reject any IP traffic that is not expected.
I said "REJECT" and not "IGNORE"!!! And that is VERY important!

What happens with your NLB configuration (as for any NLB configuration) is that incoming IP packets are broadcast to both servers. On "classical" servers (with no firewall product, I mean) one of the NLB members just ignores the incoming packet while the other member takes care of the packet.

With TMG, the incoming packet arrives on both servers. The NLB layer makes things so that one of the TMG members is supposed to process the packet while the other one should not. But on this last member the firewall network layer will not just ignore unexpected incoming packets, it will REJECT them with a TCP RST response which will force the client to close the TCP session.


There's no way to make it work. TMG services on both servers must be aware of the NLB configuration to avoid rejecting packets that are supposed to be processed by any other member. This change in behavior is supported by the Enterprise version, not the Standard version. And it is supported because TMG creates the NLB; it will not work if you create the NLB with the Windows console, for the same reasons.

Have a good day.

 
LVL 3

Expert Comment

by:rafter81
ID: 38839133
Yes, it is only available with Enterprise edition.  For the Standard version you would have to use an external hardware load-balancer.
 

Author Comment

by:artcrest
ID: 38839289
Hi rafter81, for using the hardware load balancer do I need to add rules to TMG? Any guide I could follow? Thanks.
 
LVL 16

Expert Comment

by:PaciB
ID: 38842962
Hi,

In my opinion, the Hardware Load Balancer solution is good only if you already have a hardware load balancer... Because this type of equipment costs much more than 2 Enterprise versions of TMG.

An HLB costs a lot but it can load balance several services on several server farms. So if you plan to use it for several purposes it may be worth its price.

Also, don't forget that if you only use one HLB this equipment is a single point of failure... So usually you'll buy 2 HLB equipments that are able to act as one.

Have a good day.
 

Author Comment

by:artcrest
ID: 38849762
Hi PaciB,
In our environment we do have HLB for the DMZ and we want to consider using it. How can we utilize it?
Additional rules to be added on TMG?
 
LVL 3

Accepted Solution

by:
rafter81 earned 500 total points
ID: 38850133
It really will depend on your HLB, maybe you can find some white papers for that?

Not sure if this is of any use, it's a bit old but:
http://forums.isaserver.org/m_2002105531/mpage_1/key_/tm.htm#2002105544
 
LVL 16

Expert Comment

by:PaciB
ID: 38850315
Hi,

I have never configured an HLB equipment, but as far as I understand how it works you have ALMOST nothing to do "for it" on your TMG server.
Saying "for it" I mean "specifically for the HLB".

Of course your TMG must publish required services (OWA, ActiveSync, OutlookAnywhere, ...) for external clients. In fact these client accesses will probably come from the HLB IP addresses from the point of view of the TMG server.
But as you usually don't do any restriction on the source IP on a publishing rule, your TMG should accept any incoming traffic for the published port whether it comes from clients directly or from the HLB.

Usually, you configure your HLB to check availability of the published server farm by checking published ports. As an example, if you use an HLB to publish OWA you'll configure the HLB to test availability of the HTTPS port, so that the HLB is able to detect the failure of a TMG server and redirect traffic to the other TMG server.

So, compared to a real external client the HLB will make many more TCP requests to your TMG server. If there are too many TCP requests in a second TMG may consider it to be an attempt at a flooding attack and will block the source IP! This is not what you expect for the HLB IP address.
So, you'll probably have to increase the threshold of the flood detection filter on TMG, or disable it completely (the last solution is not very good, you should always have a threshold configured in the TCP intrusion detection settings, you just have to find the correct value).
See http://www.isaserver.org/tutorials/Intrusion-Detection-Prevention-Forefront-TMG-Part1.html
The easiest way is probably to tune the threshold each time it's needed. So when your TMG farm is published, let it work with initial settings and plan for a close observation period. Each time you see alerts about the flooding threshold being reached you tune up the threshold.

Have a good day.
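The observation-period tuning PaciB describes can be done from the connection logs rather than by waiting for alerts. The example below is added here and is not from the thread or from TMG: it uses a constructed, invented log format (timestamp, source IP, destination port), an assumed per-second threshold, and a hypothetical HLB probe address 10.1.1.5, computes each source's peak TCP connection rate over a sliding one-second window, reports which sources a flood filter at that threshold would block, and derives the smallest threshold that leaves the known health-check source alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (invented format, not TMG's own schema):
# "<ISO timestamp> <source IP> <destination port>", one TCP connect per line.
# 10.1.1.5 is a hypothetical HLB probing HTTPS three times a second;
# 203.0.113.7 is a hypothetical ordinary client.
SAMPLE_LOG = """\
2013-02-01T10:00:00 10.1.1.5 443
2013-02-01T10:00:00 10.1.1.5 443
2013-02-01T10:00:00 10.1.1.5 443
2013-02-01T10:00:00 203.0.113.7 443
2013-02-01T10:00:01 10.1.1.5 443
2013-02-01T10:00:01 10.1.1.5 443
2013-02-01T10:00:01 10.1.1.5 443
2013-02-01T10:00:02 10.1.1.5 443
2013-02-01T10:00:02 10.1.1.5 443
2013-02-01T10:00:02 10.1.1.5 443
2013-02-01T10:00:03 203.0.113.7 443
"""

def parse_log(text):
    """Turn the constructed log lines into (timestamp, source_ip, port) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, port = line.split()
            records.append((datetime.fromisoformat(ts), ip, int(port)))
    return records

def peak_rate_per_source(records, window=timedelta(seconds=1)):
    """Peak number of connects per source inside any sliding window of length
    `window` (the quantity a per-IP flood filter compares to its threshold)."""
    by_src = defaultdict(list)
    for ts, ip, _ in records:
        by_src[ip].append(ts)
    peaks = {}
    for ip, times in by_src.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] >= window:  # drop connects older than the window
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def flagged_sources(peaks, threshold):
    """Sources a flood filter with this (assumed) threshold would block."""
    return {ip for ip, rate in peaks.items() if rate >= threshold}

def threshold_to_clear(peaks, probe_ips, margin=2):
    """Smallest threshold, with a safety margin, that keeps the known
    health-check sources below the flood filter's limit."""
    probe_peak = max(peaks.get(ip, 0) for ip in probe_ips)
    return probe_peak * margin + 1
```

Re-running this over a real observation period (with the log parser swapped for the actual log format) turns "tune up the threshold each time you see an alert" into a single measured value with a margin.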
