Solved
TMG 2010 standard on WNLB

Posted on 2013-01-30
Last Modified: 2013-03-13
I have just created multicast WNLB for the 2 TMG standard server. In the log I see the TMG is blocking the new Virtual IP for the WNLB. Is there a rules I need to allow to accept connection for the virtual IP?

Is there any guide for the configuration of WNLB for TMG 2010 standard edition. Thanks in advance.
Question by:artcrest
9 Comments
 
LVL 3

Expert Comment

by:rafter81
ID: 38838622
Have you just set up NLB within Windows?  You need to set up NLB within TMG on the network that you are load balancing, i.e. Internal.
Networks > Internal > NLB tab.  To set it up initially, Networks > Tasks... Enable Network Load Balance Integration.

Further info:
http://technet.microsoft.com/en-us/library/dd897010.aspx
0
 

Author Comment

by:artcrest
ID: 38838934
The NLB integration requires TMG 2010 Enterprise. My plan is to load balance TMG standard with WNLB. Any ideas?
0
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 38838976
Hi,

My idea is that it can not work... and it's not just an idea, I AM SURE it can not work!

The reason is that as TMG is a FIREWALL it will reject any IP traffic that is not expected.
I said "REJECT" and not "IGNORE" !!! And that is VERY important !

What happens with your NLB configuration (as for any NLB configuration) is that incoming IP packets are broadcast to both servers. On "classical" servers (with no firewall product, I mean) one of the NLB members just ignores the incoming packet while the other member takes care of the packet.

With TMG, the incoming packet arrives on both servers. The NLB layer makes things so that one of the TMG members is supposed to process the packet while the other one should not. But on this last member the firewall network layer will not just ignore unexpected incoming packets, it will REJECT them with a TCP RST response, which will force the client to close the TCP session.


There's no way to make it work. TMG services on both servers must be aware of the NLB configuration to avoid rejecting packets that are supposed to be processed by the other member. This change in behavior is supported by the Enterprise version, not the Standard version. And it is supported because TMG creates the NLB; it will not work if you create the NLB with the Windows console, for the same reasons.

Have a good day.
0
 
LVL 3

Expert Comment

by:rafter81
ID: 38839133
Yes, it is only available with enterprise edition.  For standard version you would have to use an external hardware load-balancer.
0
 

Author Comment

by:artcrest
ID: 38839289
Hi rafter, for using the hardware load balancer do I need to add rules to TMG? Any guide I could follow? Thanks.
0
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 38842962
Hi,

In my opinion, the Hardware Load Balancer solution is good only if you already have a hardware load balancer... because this type of equipment costs much more than 2 Enterprise versions of TMG.

A HLB costs a lot but it can load balance several services on several server farms. So if you plan to use it for several usages it may be worth its price.

Also, don't forget that if you only use one HLB this equipment is a single point of failure... So usually you'll buy 2 HLB equipments that are able to act as one.

Have a good day.
0
 

Author Comment

by:artcrest
ID: 38849762
Hi PaciB,
In our environment we do have HLB for the DMZ and we want to consider using it. How can we utilize it?
Additional rules to be added on TMG?
0
 
LVL 3

Accepted Solution

by:rafter81 (earned 2000 total points)
ID: 38850133
It really will depend on your HLB, maybe you can find some white papers for that?

Not sure if this is of any use, it's a bit old but:
http://forums.isaserver.org/m_2002105531/mpage_1/key_/tm.htm#2002105544
0
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 38850315
Hi,

I have never configured a HLB equipment, but as far as I understand how it works you have ALMOST nothing to do "for it" on your TMG server.
Saying "for it" I mean "specifically for the HLB".

Of course your TMG must publish the required services (OWA, ActiveSync, OutlookAnywhere, ...) for external clients. In fact these client accesses will probably come from the HLB IP addresses from the point of view of the TMG server.
But as you usually don't do any restriction on the source IP on a publishing rule, your TMG should accept any incoming traffic for published ports whether it comes from clients directly or from the HLB.

Usually, you configure your HLB to check availability of the published server farm by checking published ports. As an example, if you use a HLB to publish OWA you'll configure the HLB to test availability of the HTTPS port, so that the HLB is able to detect the failure of a TMG server and redirect traffic to the other TMG server.

So, compared to a real external client the HLB will make many more TCP requests to your TMG server. If there are too many TCP requests in a second TMG may consider it to be an attempt of a flooding attack and will block the source IP! This is not what you expect for the HLB IP address.
So, you'll probably have to increase the threshold of the flood detection filter on TMG, or disable it completely (the last solution is not very good; you should always have a threshold configured on the TCP intrusion detection settings, you just have to find the correct value).
See http://www.isaserver.org/tutorials/Intrusion-Detection-Prevention-Forefront-TMG-Part1.html
The easiest way is probably to tune the threshold each time it's needed. So when your TMG farm is published, let it work with the initial settings and plan for a close observation period. Each time you see alerts about the flooding threshold being reached, you tune up the threshold.

Have a good day.
0
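To make the flood-mitigation point in the answer above concrete, here is an added example (not code from the thread or from TMG) that models a per-source "new TCP connections per second" detector over constructed connection events. The HLB health-check address 203.0.113.10 and the client addresses are assumed values; the sample shows the HLB tripping a low threshold that ordinary clients never reach, and how raising the threshold, or exempting the known HLB address, avoids flagging it.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp_ms, source_ip) for each new TCP connection seen
# by a TMG member. The HLB (assumed address) probes the published HTTPS port
# every 100 ms, i.e. 20 connections in 2 s; the real clients make a few each.
SAMPLE_CONNECTIONS = (
    [(t * 100, "203.0.113.10") for t in range(20)]            # HLB health checks
    + [(500, "198.51.100.7"), (1200, "198.51.100.7"),          # ordinary clients
       (1900, "198.51.100.8")]
)


def flood_sources(connections, max_per_window, window_ms=1000, exceptions=()):
    """Return the set of source IPs that open more than `max_per_window` new
    connections inside any sliding window of `window_ms` milliseconds.

    `exceptions` models exempting a known address (such as the HLB) from the
    check so that only unknown sources can be flagged.
    """
    recent = defaultdict(deque)   # source ip -> timestamps inside the window
    flagged = set()
    for ts, src in sorted(connections):
        if src in exceptions:
            continue
        window = recent[src]
        window.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while window and ts - window[0] > window_ms:
            window.popleft()
        if len(window) > max_per_window:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    # A low threshold flags the HLB probes but none of the real clients.
    print("threshold 5:", flood_sources(SAMPLE_CONNECTIONS, 5))
    # A threshold tuned above the HLB probe rate flags nothing.
    print("threshold 11:", flood_sources(SAMPLE_CONNECTIONS, 11))
    # Alternatively, exempt the HLB address and keep the low threshold for everyone else.
    print("exempted:", flood_sources(SAMPLE_CONNECTIONS, 5, exceptions={"203.0.113.10"}))
```

The observation-period approach in the answer corresponds to raising `max_per_window` until the HLB stops appearing in the result while other sources are still checked.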
