• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1193

TMG 2010 ISP Redudancy

Hello,

I want to configure TMG ISP-R. I have 2 different ISPs (ISP 1 and ISP 2).
My current setup:


TMG with 2 NICs (Internal and External), configured as proxy only.

Internal NIC Configuration:

IP : 192.168.1.2
SM: 255.255.255.0

DNS: 192.168.2.2
     192.168.2.3

External NIC
IP: 1.1.1.1
SM: 255.255.255.248
G/W: 1.1.1.2

Our TMG is a member of the Windows domain. I have a forwarder configured on the internal DNS pointing to ISP 1's DNS.

Please help me to configure the ISP-R feature and also DNS failover.

Thanks
0
cciedreamer
Asked:
cciedreamer
4 Solutions
 
Cliff GaliherCommented:
The wizards do this with very little complication. You will need to add another external NIC for your redundant connection, but from there just run the wizard and answer the questions.
0
 
cciedreamerAuthor Commented:
Thanks. Well, this is very little information.

- How about the DNS configuration? My internal DNS server is forwarding the DNS requests to ISP 1.
- How can I also achieve DNS failover?

My current ISP1 setup:

Internet----Router----ASA----Internal Network----DNS/DC
                                     |
                                     |
                                     |
                                  TMG
0
 
Cliff GaliherCommented:
With redundant ISP connections, DNS wouldn't fail over; you'd either use ISP-agnostic DNS forwarders or you'd add forwarders for both ISPs to your internal DNS server. Then, because TMG handles the ISP routing, traffic would flow as expected, INCLUDING your DNS queries.

You are right, it is very little information. But very little information was provided in the question as well. The wizard is VERY robust. Until you've tried it, and have a SPECIFIC problem or question, the answer will remain as generic as the question.
0
Sajid Shaik MSr. System AdminCommented:
cgaliher is right...
0
 
Craig BeckCommented:
@cgaliher - A bit more info for you here as this is a continuation of a previous question...

The primary ISP link is via the ASA.  The secondary ISP link will be via the TMG, but only for internet connectivity (HTTP/S).

All internal clients will use TMG as a proxy and all internet traffic will route via the TMG to ISP2.  All other off-net traffic will use normal IP routing and will flow via the ASA which will be each client's default gateway.

@samir - DNS failover can be achieved by adding a static route to ISP2's DNS servers on the internal DNS server.

So, the DNS server will have its gateway pointing at the ASA. Let's say the ISP1 DNS servers are already configured as forwarders. We add ISP2's DNS servers as forwarders and add a static route to them on the DNS server, like this...

route -p add <DNSSERVER1> mask 255.255.255.255 <TMGINTERNALIP>
route -p add <DNSSERVER2> mask 255.255.255.255 <TMGINTERNALIP>

cgaliher is absolutely right... the ISP redundancy wizard is fool-proof :-)
0
 
cciedreamerAuthor Commented:
Can I do it this way?

- Configure the internal DNS forwarder to point to the TMG internal IP.
- Install the DNS service on TMG and configure ISP 1 & 2 DNS servers as forwarders.

Thanks
0
 
Craig BeckCommented:
You could do that.

You might still need to configure a static route though, but on the TMG instead, to point to the ISP1 DNS servers via the ASA.
0
 
cciedreamerAuthor Commented:
Thanks

- DNS will not be configured on TMG's external interface but will be on the internal interface instead.
- Internal DNS will forward the request back to TMG.
- TMG will forward the request to the ISP's DNS.

But will it not affect DNS performance?
0
 
Craig BeckCommented:
Only DNS requests from web clients will use the TMG DNS service.  The proxy service on the TMG will use whichever DNS server you tell it based on whichever DNS server is configured on the internal NIC.  If you configure it to use itself it will then use the forwarders configured in the DNS server.

So let's say...

- Web client tries to access www.experts-exchange.com (DNS request comes from TMG Proxy service.)

- TMG chooses first DNS server in the NIC binding order and tries to resolve www.experts-exchange.com.  If this is 127.0.0.1 (itself for example) the TMG DNS Server will use the configured forwarders to resolve the URL (ISP2's first, then ISP1's if configured).  If the configured DNS server is the internal DNS server the request will come to the internal DNS server then use the forwarders configured on that server.

I would probably configure the TMG's internal NIC to use itself (127.0.0.1) first, then the internal DNS if you want web DNS redundancy.  It would likely be no good doing that the other way round though (making your internal DNS look at the TMG for redundancy) as you probably have Active Directory, etc, and that would require your TMG server DNS instance to integrate into the AD.  That would also create a loop which could mean DNS queries bounce between servers.
0
 
cciedreamerAuthor Commented:
Thanks Craigbeck I really appreciate and I like the way you explain the things.
0
 
Craig BeckCommented:
Hey no problem - that's what I'm here for!

Thanks, Samir :-)
0
 
cciedreamerAuthor Commented:
Hi craigbeck,


I have installed TMG fresh.

I am on the Getting Started - Network Setup Wizard.

I have three options; among them, should I select Back-to-Back Firewall or 3-Leg Perimeter?

A little confused?

Thanks
0
 
Craig BeckCommented:
You just want to use the edge firewall option.
0
 
cciedreamerAuthor Commented:
Thanks
I installed and configured TMG with ISP-R.
Also added the DNS static routes pointing to the specific ISP.
Web proxy clients can access the internet.
Failover is good.
I just observed something: I changed the DNS static route for ISP1 and also changed the forwarder, but then web clients started receiving the "Network Access Error" page of TMG.
Then I tried pinging the DNS server from TMG and it started working. Please can you help with why that is so?
0
 
cciedreamerAuthor Commented:
One more thing

I am trying to understand the link detection interval time but couldn't understand it from the articles available on the internet.

I need to understand it and how I can change the default.

For example, when the primary ISP link goes down it should go through the secondary link within 10 seconds.
Once the primary link resumes, it should go back to it within 10 seconds.

Thanks for your help
0
 
Craig BeckCommented:
Have a look at this...
(It explains a lot better than me!)

http://aacable.wordpress.com/tag/tmg-isp-redundancy-link-time-detection/
0
 
cciedreamerAuthor Commented:
Hi,
I have saved the following text as a .vbs file and tried to run it from the desktop, but there was no response.

' Connect to the TMG configuration store and select the External network
set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
' Link-detection settings: times are in seconds, the last two are probe counts
ISPRCfg.MinimalResumeTime = 60
ISPRCfg.TestIntervalLinkAvailable = 60
ISPRCfg.TestIntervalLinkUnavailable = 60
ISPRCfg.FailuresToUnavailable = 2
ISPRCfg.SuccessesToAvailable = 2
' Commit the change to TMG storage (the script prints nothing on success)
ISPRCfg.Save
0
 
Craig BeckCommented:
The VBS script doesn't contain anything that would ask you to confirm the changes, so it will likely just run and exit without giving you any feedback.

You should be able to search the registry for those values to see if they have been applied.
0
 
cciedreamerAuthor Commented:
Hi,

I tried changing the timing to 45 seconds and verified that those registry values are applied in the registry, but it still takes 120 seconds to fail over to ISP 2. Any guess?

set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 45
ISPRCfg.TestIntervalLinkAvailable = 45
ISPRCfg.TestIntervalLinkUnavailable = 45
ISPRCfg.FailuresToUnavailable = 2
ISPRCfg.SuccessesToAvailable = 2
ISPRCfg.Save

Thanks
0
 
Craig BeckCommented:
The FailuresToUnavailable value is 2, so it will wait a minimum of 90s (2*45) to fail over.
0
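A constructed model (added here, not TMG's own code) of how the ISPRedundancyConfig values in this thread turn into failover and failback delay: it replays Craig's 2 * 45 = 90 s arithmetic over a probe sequence. The rule it applies to MinimalResumeTime on failback is an assumption of the model, not documented TMG behaviour.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class IspRedundancyConfig:
    MinimalResumeTime: int            # seconds a link must stay good before reuse
    TestIntervalLinkAvailable: int    # probe interval while marked available
    TestIntervalLinkUnavailable: int  # probe interval while marked unavailable
    FailuresToUnavailable: int        # consecutive failures before marking down
    SuccessesToAvailable: int         # consecutive successes before marking up


def simulate(cfg: IspRedundancyConfig, link_up: Callable[[int], bool],
             until: int) -> List[Tuple[int, str]]:
    """(time, new_state) transitions from t=0, link initially marked available.
    Modelling assumption: the link is marked available again only after
    SuccessesToAvailable consecutive good probes AND MinimalResumeTime seconds
    since the first probe of that good streak."""
    available, t, fails, oks = True, 0, 0, 0
    first_ok: Optional[int] = None
    transitions: List[Tuple[int, str]] = []
    while True:
        # Probe cadence depends on the state TMG currently believes the link is in.
        t += cfg.TestIntervalLinkAvailable if available else cfg.TestIntervalLinkUnavailable
        if t > until:
            return transitions
        if link_up(t):
            oks, fails = oks + 1, 0
            first_ok = t if first_ok is None else first_ok
        else:
            fails, oks, first_ok = fails + 1, 0, None
        if available and fails >= cfg.FailuresToUnavailable:
            available = False
            transitions.append((t, "unavailable"))
        elif (not available and oks >= cfg.SuccessesToAvailable
              and t - first_ok >= cfg.MinimalResumeTime):
            available = True
            transitions.append((t, "available"))


def failover_seconds(cfg: IspRedundancyConfig, until: int = 600) -> Optional[int]:
    """Seconds until a link that is dead from t=0 is declared unavailable."""
    down = [t for t, s in simulate(cfg, lambda t: False, until) if s == "unavailable"]
    return down[0] if down else None


# The thread's values: 45 s probes, two failures -> 2 * 45 = 90 s, as Craig says.
THREAD_CFG = IspRedundancyConfig(45, 45, 45, 2, 2)
FAST_CFG = IspRedundancyConfig(15, 3, 3, 2, 2)  # Craig's faster values later in the thread
```

With FAST_CFG and a link that comes back right after detection, the model marks it down at 6 s and up again at 24 s, the earliest probe at which 15 s have passed since the first good probe.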
 
cciedreamerAuthor Commented:
Hi

I have changed the above values to 1, but it still takes 120 seconds to fail over and fail back.
0
 
Craig BeckCommented:
Did you restart the server or TMG services?
0
 
cciedreamerAuthor Commented:
Yes sir, I rebooted the server after running the VB script.
0
 
Craig BeckCommented:
Try this...

set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 15
ISPRCfg.TestIntervalLinkAvailable = 3
ISPRCfg.TestIntervalLinkUnavailable = 3
ISPRCfg.FailuresToUnavailable = 2
ISPRCfg.SuccessesToAvailable = 2
ISPRCfg.Save

0
 
cciedreamerAuthor Commented:
I tried doing this; now it's taking 45 seconds.

set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 15
ISPRCfg.TestIntervalLinkAvailable = 10
ISPRCfg.TestIntervalLinkUnavailable = 10
ISPRCfg.FailuresToUnavailable = 1
ISPRCfg.SuccessesToAvailable = 1
ISPRCfg.Save

0
 
cciedreamerAuthor Commented:
Thanks craigbeck for your support.

I really appreciate your help.

Thanks a lot.
0
 
cciedreamerAuthor Commented:
Sir,

Suddenly I started facing a problem: web proxy clients started receiving an "Authentication Required" pop-up.

I tried nslookup on the TMG server for my domain but it cannot be resolved.
This is my DNS configuration:

- DNS service installed on the TMG server and configured with forwarders to the ISP's DNS servers
- Internal NIC configured with 127.0.0.1 (primary) and the internal DNS server (alternate)

Please, any help?

Thanks for your time.
0
 
Craig BeckCommented:
0
 
cciedreamerAuthor Commented:
Thanks, I opened a new ticket.

http://www.experts-exchange.com/Microsoft/Windows_Security/Q_28337158.html

Please have a look; I'll update the comment there.
0
Question has a verified solution.