Solved

TMG 2010 standard on WNLB

Posted on 2013-01-30
616 Views
Last Modified: 2013-03-13
I have just created a multicast WNLB for the 2 TMG standard servers. In the log I see that TMG is blocking the new virtual IP for the WNLB. Are there rules I need to add to accept connections for the virtual IP?

Is there any guide for the configuration of WNLB for TMG 2010 standard edition? Thanks in advance.
Question by: artcrest

9 Comments
LVL 3

Expert Comment

by:rafter81
ID: 38838622
Have you just set up NLB within Windows? You need to set up NLB within TMG on the network that you are load balancing, i.e. Internal.
Networks > Internal > NLB tab. To set up initially, Networks > Tasks... Enable Network Load Balance Integration.

Further info:
http://technet.microsoft.com/en-us/library/dd897010.aspx
0
 

Author Comment

by:artcrest
ID: 38838934
The NLB integration requires TMG 2010 Enterprise. My plan is to load balance TMG standard with WNLB. Any ideas?
0
 
LVL 16

Expert Comment

by:PaciB
ID: 38838976
Hi,

My idea is that it cannot work... and it's not just an idea, I AM SURE it cannot work!

The reason is that as TMG is a FIREWALL it will reject any IP traffic that is not expected.
I said "REJECT" and not "IGNORE"!!! And that is VERY important!

What happens with your NLB configuration (as for any NLB configuration) is that incoming IP packets are broadcast to both servers. On "classical" servers (with no firewall product, I mean) one of the NLB members just ignores the incoming packet while the other member takes care of the packet.

With TMG, the incoming packet arrives on both servers. The NLB layer makes things so that one of the TMG members is supposed to process the packet while the other one should not. But on this last member the firewall network layer will not just ignore unexpected incoming packets; it will REJECT them with a TCP RST response, which will force the client to close the TCP session.


There's no way to make it work. TMG services on both servers must be aware of the NLB configuration to avoid rejecting packets that are supposed to be processed by another member. This change in behavior is supported by the Enterprise version, not the Standard version. And it is supported because TMG creates the NLB; it will not work if you create the NLB with the Windows console, for the same reasons.

Have a good day.
0
 
LVL 3

Expert Comment

by:rafter81
ID: 38839133
Yes, it is only available with Enterprise edition. For the Standard version you would have to use an external hardware load balancer.
0
 

Author Comment

by:artcrest
ID: 38839289
Hi rafter81, for using the hardware load balancer do I need to add rules to TMG? Any guide I could follow? Thanks.
0
 
LVL 16

Expert Comment

by:PaciB
ID: 38842962
Hi,

In my opinion, the hardware load balancer solution is good only if you already have a hardware load balancer... because this type of equipment costs much more than 2 Enterprise versions of TMG.

A HLB costs a lot but it can load balance several services on several server farms. So if you plan to use it for several purposes it may be worth its price.

Also, don't forget that if you only use one HLB this equipment is a single point of failure... So usually you'll buy 2 HLB equipments that are able to act as one.

Have a good day.
0
 

Author Comment

by:artcrest
ID: 38849762
Hi PaciB,
In our environment we do have HLB for the DMZ and we want to consider using it. How can we utilize it?
Additional rules to be added on TMG?
0
 
LVL 3

Accepted Solution

by: rafter81 (earned 500 total points)
ID: 38850133
It really will depend on your HLB, maybe you can find some white papers for that?

Not sure if this is of any use, it's a bit old but:
http://forums.isaserver.org/m_2002105531/mpage_1/key_/tm.htm#2002105544
0
 
LVL 16

Expert Comment

by:PaciB
ID: 38850315
Hi,

I have never configured a HLB equipment, but as far as I understand how it works you have ALMOST nothing to do "for it" on your TMG server.
Saying "for it" I mean "specifically for the HLB".

Of course your TMG must publish the required services (OWA, ActiveSync, Outlook Anywhere, ...) for external clients. In fact these client accesses will probably come from the HLB IP addresses from the point of view of the TMG server.
But as you usually don't do any restriction on the source IP on a publishing rule, your TMG should accept any incoming traffic for the published port whether it comes from clients directly or from the HLB.

Usually, you configure your HLB to check the availability of the published server farm by checking the published ports. As an example, if you use a HLB to publish OWA you'll configure the HLB to test the availability of the HTTPS port, so that the HLB is able to detect the failure of a TMG server and redirect traffic to the other TMG server.

So, compared to a real external client the HLB will make many more TCP requests to your TMG server. If there are too many TCP requests in a second TMG may consider it to be an attempt at a flooding attack and will block the source IP! This is not what you expect for the HLB IP address.
So, you'll probably have to increase the threshold of the flood detection filter on TMG, or disable it completely (the last solution is not very good, you should always have a threshold configured in the TCP intrusion detection settings, you just have to find the correct value).
See http://www.isaserver.org/tutorials/Intrusion-Detection-Prevention-Forefront-TMG-Part1.html
The easiest way is probably to tune the threshold each time it's needed. So when your TMG farm is published, let it work with the initial settings and plan for a close observation period. Each time you see alerts about the flooding threshold being reached, you tune up the threshold.

Have a good day.
0
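The point PaciB makes above, that a load balancer's health probes all come from one source IP and so count against a per-IP connect-rate threshold in a way that real clients never do, can be made concrete with a small per-source sliding-window counter. The script below is an added example written for this thread; it is not TMG code and does not reproduce TMG's real log format or its actual flood-mitigation defaults. The line format, the IP addresses (`192.0.2.10` standing in for the HLB, `203.0.113.x` for ordinary clients), the probe interval, the thresholds and the `headroom` factor are all constructed for illustration.

```python
"""Per-source TCP connect-rate check over constructed firewall-style log lines.

Added example for the discussion above, not TMG's own code. The log format,
the sample traffic, the probe interval and every threshold are constructed;
TMG's real flood-mitigation limits and log layout are not modelled here.
"""
import re
from collections import defaultdict, deque

# Constructed line format: "<unix_time> <src_ip> <dst_port> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+) (?P<action>\w+)$"
)

HLB_IP = "192.0.2.10"       # constructed: the load balancer's probe source address
PROBE_INTERVAL = 0.05       # constructed: 20 health checks per second against port 443


def build_sample_log():
    """Constructed traffic: one minute of HLB health probes plus three real clients."""
    lines = []
    for n in range(int(60 / PROBE_INTERVAL)):          # 1200 probes in 60 s
        lines.append(f"{n * PROBE_INTERVAL:.3f} {HLB_IP} 443 Initiated")
    # Each ordinary client opens five connections a few seconds apart, then closes one.
    for i, src in enumerate(("203.0.113.5", "203.0.113.6", "203.0.113.7")):
        for k in range(5):
            lines.append(f"{i * 7 + k * 3:.3f} {src} 443 Initiated")
        lines.append(f"{i * 7 + 20:.3f} {src} 443 Closed")
    return lines


def parse_log(lines):
    """Parse lines into (ts, src, port, action) tuples, sorted by time; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((float(m["ts"]), m["src"], int(m["port"]), m["action"]))
    events.sort()
    return events


def peak_connects_per_window(events, window=60.0):
    """Peak number of new TCP connects seen from each source within any `window` seconds."""
    recent = defaultdict(deque)     # per-source timestamps still inside the window
    peaks = defaultdict(int)
    for ts, src, _port, action in events:
        if action != "Initiated":   # only connection attempts count toward the rate
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()             # drop timestamps that fell out of the window
        peaks[src] = max(peaks[src], len(q))
    return dict(peaks)


def flood_suspects(events, limit, window=60.0):
    """Sources whose peak connect rate exceeds `limit`; these are what a per-IP threshold would block."""
    return {src: n for src, n in peak_connects_per_window(events, window).items() if n > limit}


def suggested_limit(events, trusted_src, window=60.0, headroom=1.5):
    """A threshold that keeps the trusted probe source under the limit with `headroom` to spare."""
    peak = peak_connects_per_window(events, window).get(trusted_src, 0)
    return int(peak * headroom)


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("blocked at limit 600 :", flood_suspects(ev, 600))    # the HLB, not the clients
    print("blocked at limit 1800:", flood_suspects(ev, 1800))   # nobody
    print("suggested limit      :", suggested_limit(ev, HLB_IP))
```

Run against the constructed minute of traffic, a limit of 600 connects per minute flags only the HLB address (1200 probes) while every real client peaks at 5; raising the limit to the suggested 1800 clears it. That is the observation-then-tune loop PaciB describes, with the probe source's measured peak as the input rather than guesswork; keep `flood_suspects` in place afterwards so that a genuinely abusive source still shows up.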
