Solved

TMG 2010 standard on WNLB

Posted on 2013-01-30
702 Views
Last Modified: 2013-03-13
I have just created a multicast WNLB for the 2 TMG Standard servers. In the log I see that TMG is blocking the new virtual IP for the WNLB. Is there a rule I need to add to allow connections for the virtual IP?

Is there any guide for the configuration of WNLB for TMG 2010 Standard edition? Thanks in advance.
Question by:artcrest

9 Comments
LVL 3

Expert Comment

by:rafter81
ID: 38838622
Have you just set up NLB within Windows? You need to set up NLB within TMG on the network that you are load balancing, i.e. Internal.
Networks > Internal > NLB tab. To set it up initially: Networks > Tasks... Enable Network Load Balancing Integration.

Further info:
http://technet.microsoft.com/en-us/library/dd897010.aspx

Author Comment

by:artcrest
ID: 38838934
The NLB integration requires TMG 2010 Enterprise. My plan is to load balance TMG standard with WNLB. Any ideas?
LVL 16

Expert Comment

by:Bruno PACI
ID: 38838976
Hi,

My idea is that it can not work... and it's not just an idea, I AM SURE it can not work!

The reason is that as TMG is a FIREWALL it will reject any IP traffic that is not expected.
I said "REJECT" and not "IGNORE" !!! And that is VERY important !

What happens with your NLB configuration (as with any NLB configuration) is that incoming IP packets are broadcast to both servers. On "classical" servers (with no firewall product, I mean) one of the NLB members just ignores the incoming packet while the other member takes care of the packet.

With TMG, the incoming packet arrives on both servers. The NLB layer makes things so that one of the TMG members is supposed to process the packet while the other one should not. But on this last member the firewall network layer will not just ignore unexpected incoming packets, it will REJECT them with a TCP RST response, which will force the client to close the TCP session.


There's no way to make it work. TMG services on both servers must be aware of the NLB configuration to avoid rejecting packets that are supposed to be processed by the other member. This change in behavior is supported by the Enterprise version, not the Standard version. And it is supported because TMG creates the NLB; it will not work if you create the NLB with the Windows console, for the same reasons.

Have a good day.
LVL 3

Expert Comment

by:rafter81
ID: 38839133
Yes, it is only available with Enterprise edition. For the Standard version you would have to use an external hardware load balancer.

Author Comment

by:artcrest
ID: 38839289
Hi rafter, for using the hardware load balancer do I need to add rules to TMG? Any guide I could follow? Thanks.
LVL 16

Expert Comment

by:Bruno PACI
ID: 38842962
Hi,

In my opinion, the hardware load balancer solution is good only if you already have a hardware load balancer... because this type of equipment costs much more than 2 Enterprise versions of TMG.

An HLB costs a lot, but it can load balance several services on several server farms. So if you plan to use it for several purposes it may be worth its price.

Also, don't forget that if you only use one HLB this equipment is a single point of failure... So usually you'll buy 2 HLB units that are able to act as one.

Have a good day.

Author Comment

by:artcrest
ID: 38849762
Hi PaciB,
In our environment we do have HLB for the DMZ and we want to consider using it. How can we utilize it?
Additional rules to be added on TMG?
LVL 3

Accepted Solution

by:
rafter81 earned 2000 total points
ID: 38850133
It really will depend on your HLB; maybe you can find some white papers for that?

Not sure if this is of any use, it's a bit old, but:
http://forums.isaserver.org/m_2002105531/mpage_1/key_/tm.htm#2002105544
LVL 16

Expert Comment

by:Bruno PACI
ID: 38850315
Hi,

I have never configured an HLB equipment, but as far as I understand how it works you have ALMOST nothing to do "for it" on your TMG server.
By "for it" I mean "specifically for the HLB".

Of course your TMG must publish the required services (OWA, ActiveSync, Outlook Anywhere, ...) for external clients. In fact these client accesses will probably come from the HLB IP addresses from the point of view of the TMG server.
But as you usually don't do any restriction on the source IP on a publishing rule, your TMG should accept any incoming traffic for the published port whether it comes from clients directly or from the HLB.

Usually, you configure your HLB to check the availability of the published server farm by checking the published ports. As an example, if you use an HLB to publish OWA you'll configure the HLB to test the availability of the HTTPS port, so that the HLB is able to detect the failure of a TMG server and redirect traffic to the other TMG server.

So, compared to a real external client, the HLB will make many more TCP requests to your TMG server. If there are too many TCP requests in a second, TMG may consider it to be an attempt at a flooding attack and will block the source IP! This is not what you expect for the HLB IP address.
So, you'll probably have to increase the threshold of the flood detection filter on TMG, or disable it completely (the last solution is not very good; you should always have a threshold configured in the TCP intrusion detection settings, you just have to find the correct value).
See http://www.isaserver.org/tutorials/Intrusion-Detection-Prevention-Forefront-TMG-Part1.html
The easiest way is probably to tune the threshold each time it's needed. So when your TMG farm is published, let it work with the initial settings and plan for a close observation period. Each time you see alerts about the flooding threshold being reached, you tune up the threshold.

Have a good day.
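The effect described in the last comment, a load balancer's health probes tripping a per-source connection-rate limit that was meant for flood attacks, can be modelled with a small rate check. The following is an added example written for this thread; it is not TMG code, does not reproduce TMG's real flood mitigation settings or its log format, and uses constructed log lines in a simplified "timestamp source_ip dest_port" form. The per-second limits and the `known_probers` allowlist are assumptions; they stand in for the idea of tuning the threshold for the HLB address rather than disabling the check.

```python
from collections import Counter

# Constructed sample log (NOT TMG's real log format): timestamp, source IP, dest port.
# 192.0.2.5 plays the role of the HLB probing port 443 several times a second,
# 203.0.113.10 is an ordinary client, 198.51.100.7 is a genuine burst source.
SAMPLE_LOG = "\n".join(
    [
        "2013-02-01T10:00:00 203.0.113.10 443",
        "2013-02-01T10:00:00 192.0.2.5 443",
        "2013-02-01T10:00:00 192.0.2.5 443",
        "2013-02-01T10:00:00 192.0.2.5 443",
        "2013-02-01T10:00:00 192.0.2.5 443",
        "2013-02-01T10:00:01 192.0.2.5 443",
        "2013-02-01T10:00:01 192.0.2.5 443",
    ]
    + ["2013-02-01T10:00:01 198.51.100.7 443"] * 12
)

DEFAULT_LIMIT = 3   # assumed: max new connections per source per second before flagging
PROBER_LIMIT = 10   # assumed: raised limit applied only to known load-balancer probe IPs


def parse_log(text):
    """Parse the simplified log into (timestamp, source_ip, dest_port) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, port = line.split()
        events.append((ts, src, int(port)))
    return events


def peak_rates(events):
    """Return {source_ip: highest number of connections seen in any single second}."""
    per_second = Counter((ts, src) for ts, src, _ in events)
    peaks = {}
    for (ts, src), n in per_second.items():
        peaks[src] = max(peaks.get(src, 0), n)
    return peaks


def flood_suspects(events, default_limit=DEFAULT_LIMIT,
                   prober_limit=PROBER_LIMIT, known_probers=frozenset()):
    """Sources whose peak per-second rate exceeds the limit that applies to them.

    A known prober (the HLB) gets the higher limit instead of being exempted
    outright, so a misbehaving or compromised balancer is still caught.
    """
    flagged = {}
    for src, peak in peak_rates(events).items():
        limit = prober_limit if src in known_probers else default_limit
        if peak > limit:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("untuned  :", flood_suspects(events))
    print("HLB tuned:", flood_suspects(events, known_probers={"192.0.2.5"}))
```

With the default limit alone, the HLB address is flagged alongside the real burst source, which is exactly the false positive the comment warns about; adding the HLB to `known_probers` with its own higher limit keeps the check in place while letting the probes through.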