Solved

TMG 2010 ISP Redundancy

Posted on 2014-01-05
955 Views
Last Modified: 2014-01-13
Hello,

I want to configure TMG ISP-R. I have 2 different ISPs (ISP 1 and ISP 2).
My current setup:


TMG with 2 NIC ( Internal and External ). Configured as only proxy.

Internal NIC Configuration:

IP : 192.168.1.2
SM: 255.255.255.0

DNS: 192.168.2.2
         192.168.2.3

External NIC
IP: 1.1.1.1
SM: 255.255.255.248
G/W: 1.1.1.2

Our TMG is a member of the Windows domain. I have a forwarder configured on the internal DNS pointing to ISP 1's DNS.

Please help me to configure ISP-R Feature and also DNS failover.

Thanks
Question by cciedreamer
29 Comments
 

Expert Comment by Cliff Galiher (ID: 39757107)
The wizards do this with very little complication. You will need to add another external NIC for your redundant connection, but from there just run the wizard and answer the questions.

Author Comment by cciedreamer (ID: 39757109)
Thanks. Well, this is very little information.

- How about the DNS configuration? My internal DNS server is forwarding the DNS requests to ISP 1.
- How can I also achieve DNS failover?

My current ISP1 setup



Internet----Router----ASA----Internal Network----DNS/DC
                                     |
                                     |
                                     |
                                  TMG

Expert Comment by Cliff Galiher (ID: 39757114)
With redundant ISP connections, DNS wouldn't fail over; you'd either use ISP-agnostic DNS forwarders or you'd add forwarders for both ISPs to your internal DNS server. Then, because TMG handles the ISP routing, traffic would flow as expected, INCLUDING your DNS queries.

You are right, it is very little information. But very little information was provided in the question as well. The wizard is VERY robust. Until you've tried it, and have a SPECIFIC problem or question, the answer will remain as generic as the question.

Expert Comment by Shaik M. Sajid (ID: 39757220)
cgaliher is right...

Accepted Solution by Craig Beck (earned 500 total points, ID: 39757327)
@cgaliher - A bit more info for you here as this is a continuation of a previous question...

The primary ISP link is via the ASA.  The secondary ISP link will be via the TMG, but only for internet connectivity (HTTP/S).

All internal clients will use TMG as a proxy and all internet traffic will route via the TMG to ISP2.  All other off-net traffic will use normal IP routing and will flow via the ASA which will be each client's default gateway.

@samir - DNS failover can be achieved by adding a static route to ISP2's DNS servers on the internal DNS server.

So, the DNS server will have its gateway pointing at the ASA.  Let's say the ISP1 DNS servers are already configured as forwarders.  We add ISP2's DNS servers as forwarders and add a static route to them on the DNS server, like this...

route -p add <DNSSERVER1> mask 255.255.255.255 <TMGINTERNALIP>
route -p add <DNSSERVER2> mask 255.255.255.255 <TMGINTERNALIP>

cgaliher is absolutely right... the ISP redundancy wizard is fool-proof :-)
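
The accepted design above, as an added example that is not part of the thread: a PowerShell script run on the internal DNS server (the DC) that adds the persistent host routes to ISP2's resolvers via TMG's internal IP, sets both ISPs' resolvers as forwarders in the order Craig describes, and then checks each resolver over the path it will actually take. TMG's internal IP and the internal DNS addresses are the ones from the question; the ISP resolver addresses are documentation-range placeholders and the interface assumptions are mine, so replace them with the real values.

```powershell
# Added example, not from the thread. Run on the INTERNAL DNS server, whose default
# gateway stays the ASA. Only traffic to ISP2's resolvers is steered at TMG.
$TmgInternalIp = '192.168.1.2'                  # from the question
$Isp1Dns = @('203.0.113.53', '203.0.113.54')    # placeholder (assumption): reached via the ASA
$Isp2Dns = @('198.51.100.53', '198.51.100.54')  # placeholder (assumption): reached via TMG

# 1. Persistent /32 host routes (-p survives reboot). Windows only accepts a gateway
#    that is on a directly connected subnet, so the DNS server must share a subnet
#    with TMG's internal NIC (assumption about this network).
foreach ($ip in $Isp2Dns) {
    route -p add $ip mask 255.255.255.255 $TmgInternalIp
}

# 2. Forwarder order: ISP1 first (primary link behind the ASA), ISP2 second.
#    /ResetForwarders replaces the whole list, so both sets go in one call.
dnscmd localhost /ResetForwarders ($Isp1Dns + $Isp2Dns)

# 3. Verify each resolver: which route it matches, and whether it answers a query
#    sent straight to it (bypassing the local DNS service and its cache).
function Test-ForwarderPath {
    param([string[]]$Resolvers, [string]$Name = 'www.example.com')
    foreach ($r in $Resolvers) {
        $hop = route print $r | Select-String -Pattern ('^\s*' + [regex]::Escape($r) + '\s')
        $via = if ($hop) { $hop.Line.Trim() } else { '(default route via ASA)' }
        # nslookup prints a "Name:" line only when the query actually succeeded
        $ok  = nslookup $Name $r | Select-String -Pattern '^Name:' -Quiet
        New-Object PSObject -Property @{
            Resolver = $r
            Route    = $via
            Resolves = [bool]$ok
        }
    }
}

Test-ForwarderPath -Resolvers ($Isp1Dns + $Isp2Dns) | Format-Table -AutoSize
```

Run it elevated; `route -p add` and `dnscmd` both need administrative rights. The check at the end is the part worth keeping: a forwarder that shows `(default route via ASA)` when you expected a host route via TMG means the route did not take, and an ISP2 resolver that resolves only after the ISP1 link is down means the host route is fine but TMG is not passing DNS from the DNS server yet.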
 

Author Comment by cciedreamer (ID: 39757339)
Can I do it this way?

- Configure Internal DNS forwarder to point TMG Internal IP
- Install DNS service on TMG and configure ISP 1 & 2 DNS servers as forwarders.

Thanks

Expert Comment by Craig Beck (ID: 39757371)
You could do that.

You might still need to configure a static route though, but on the TMG instead, to point to the ISP1 DNS servers via the ASA.

Author Comment by cciedreamer (ID: 39757375)
Thanks


- DNS will not be configured on TMG's External Interfaces but will be on internal interface instead.
- Internal DNS will forward the request back to TMG.
- TMG will forward the request to ISP's DNS.

But won't it affect DNS performance?

Assisted Solution by Craig Beck (earned 500 total points, ID: 39757483)
Only DNS requests from web clients will use the TMG DNS service.  The proxy service on the TMG will use whichever DNS server you tell it based on whichever DNS server is configured on the internal NIC.  If you configure it to use itself it will then use the forwarders configured in the DNS server.

So let's say...

- Web client tries to access www.experts-exchange.com (DNS request comes from TMG Proxy service.)

- TMG chooses first DNS server in the NIC binding order and tries to resolve www.experts-exchange.com.  If this is 127.0.0.1 (itself for example) the TMG DNS Server will use the configured forwarders to resolve the URL (ISP2's first, then ISP1's if configured).  If the configured DNS server is the internal DNS server the request will come to the internal DNS server then use the forwarders configured on that server.

I would probably configure the TMG's internal NIC to use itself (127.0.0.1) first, then the internal DNS if you want web DNS redundancy.  It would likely be no good doing that the other way round though (making your internal DNS look at the TMG for redundancy) as you probably have Active Directory, etc, and that would require your TMG server DNS instance to integrate into the AD.  That would also create a loop which could mean DNS queries bounce between servers.
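
The alternative the asker proposed, with the resolver order Craig recommends above, as an added example that is not part of the thread: a PowerShell script run on the TMG server that installs the DNS service, sets ISP2's resolvers ahead of ISP1's as forwarders, adds the host routes to ISP1's resolvers via the ASA that Craig mentions, gives the AD domain a conditional forwarder to the internal DNS (so the box can still resolve the domain while 127.0.0.1 is first), and puts 127.0.0.1 ahead of the internal DNS on the Internal NIC. The interface name "Internal", the ASA inside address, the AD domain name and the ISP resolver addresses are assumptions; the internal DNS addresses are from the question.

```powershell
# Added example, not from the thread. Run on the TMG server (Server 2008 R2 era, so
# netsh/dnscmd rather than the newer DnsServer and NetTCPIP cmdlets).
$AsaInsideIp = '192.168.1.1'                      # assumption
$InternalDns = @('192.168.2.2', '192.168.2.3')    # from the question
$Isp1Dns = @('203.0.113.53', '203.0.113.54')      # placeholder: primary link, behind the ASA
$Isp2Dns = @('198.51.100.53', '198.51.100.54')    # placeholder: secondary link, TMG's own external NIC
$AdDomain = 'corp.example'                        # assumption: the AD domain name

# 1. DNS service on the TMG box.
Import-Module ServerManager
Add-WindowsFeature DNS | Out-Null

# 2. Forwarders: ISP2 first (the link TMG owns), ISP1 as the fallback.
dnscmd localhost /ResetForwarders ($Isp2Dns + $Isp1Dns)

# 3. ISP1's resolvers sit behind the ASA, not behind TMG's external NIC, so they
#    need host routes via the ASA. ISP2's resolvers follow TMG's default route.
foreach ($ip in $Isp1Dns) {
    route -p add $ip mask 255.255.255.255 $AsaInsideIp
}

# 4. The local DNS service knows nothing about the AD zone. A conditional forwarder
#    sends just that zone to the internal DNS. The internal DNS must NOT forward back
#    to TMG, or you get the query loop Craig warns about.
dnscmd localhost /ZoneAdd $AdDomain /Forwarder $InternalDns

# 5. Resolver order on the Internal NIC: itself first, internal DNS after it.
netsh interface ipv4 set dnsservers name="Internal" source=static address=127.0.0.1 validate=no
$index = 2
foreach ($ip in $InternalDns) {
    netsh interface ipv4 add dnsservers name="Internal" "address=$ip" "index=$index" validate=no
    $index++
}

# 6. Confirm both an internet name and the AD domain resolve through 127.0.0.1
#    before the proxy is left depending on it.
function Test-TmgResolution {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $ok = nslookup $n 127.0.0.1 | Select-String -Pattern '^Name:' -Quiet
        New-Object PSObject -Property @{ Name = $n; ResolvesLocally = [bool]$ok }
    }
}

Test-TmgResolution -Names @('www.example.com', $AdDomain) | Format-Table -AutoSize
```

The last check is the one to run after any change to forwarders or routes: if `www.example.com` resolves but the AD domain does not, the local service is answering from its forwarders while the conditional forwarder (step 4) is missing or pointing at the wrong servers, and domain-joined behaviour on the TMG box (authentication included) will suffer even though web browsing works.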
 

Author Comment by cciedreamer (ID: 39757824)
Thanks craigbeck, I really appreciate it and I like the way you explain things.

Expert Comment by Craig Beck (ID: 39757837)
Hey no problem - that's what I'm here for!

Thanks, Samir :-)

Author Comment by cciedreamer (ID: 39766462)
Hi craigbeck,


I have installed TMG as fresh.

I am on the Getting Started - Network Setup Wizard.

I have three options; among them, should I select Back-to-Back Firewall or 3-Leg Perimeter?

A little confused.

Thanks

Expert Comment by Craig Beck (ID: 39766858)
You just want to use the edge firewall option.

Author Comment by cciedreamer (ID: 39767339)
Thanks
I installed and configured TMG with ISP-R.
Also added the DNS static routes pointing to the specific ISP.
Web proxy clients can access the internet.
Failover is good.
Just observed something: I changed the DNS static route for ISP1 and also changed the forwarder, but then web clients started receiving the "Network Access Error" page of TMG.
Then I tried pinging the DNS server from TMG and it started working. Please can you help with why that is so?

Author Comment by cciedreamer (ID: 39767414)
One more thing

I am trying to understand the link detection interval time but couldn't understand it from the articles available on the internet.

I need to understand it and how I can change the default.

For example, when the primary ISP link goes down it should go through the secondary link within 10 seconds.
Once the primary link resumes, it should switch back to it within 10 seconds.

Thanks for your help

Assisted Solution by Craig Beck (earned 500 total points, ID: 39767665)
Have a look at this...
(It explains a lot better than me!)

http://aacable.wordpress.com/tag/tmg-isp-redundancy-link-time-detection/

Author Comment by cciedreamer (ID: 39767786)
Hi,
I have saved the following text as a .vbs file and tried to run it from the desktop, but there was no response.


' Attach to the TMG configuration store and get the array this server belongs to
Set root = CreateObject("FPC.Root")
Set arr = root.GetContainingArray()
' ISP Redundancy settings hang off the External network object
Set ExtNet = arr.NetworkConfiguration.Networks("External")
Set ISPRCfg = ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 60            ' seconds a link that went down must wait before it can be declared up again
ISPRCfg.TestIntervalLinkAvailable = 60    ' seconds between probes while the link is up
ISPRCfg.TestIntervalLinkUnavailable = 60  ' seconds between probes while the link is down
ISPRCfg.FailuresToUnavailable = 2         ' consecutive failed probes before the link is marked down
ISPRCfg.SuccessesToAvailable = 2          ' consecutive successful probes before the link is marked up
ISPRCfg.Save                              ' commit to the configuration store; prints nothing on success

Expert Comment by Craig Beck (ID: 39768108)
The VBS script doesn't contain anything that would ask you to confirm the changes, so it will likely just run and exit without giving you any feedback.

You should be able to search the registry for those values to see if they have been applied.

Author Comment by cciedreamer (ID: 39773734)
Hi,

I tried changing timing to 45 seconds and verified that those registry values are applied on registry but still take 120 seconds to failover to ISP 2. Any guess ?

set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 45
ISPRCfg.TestIntervalLinkAvailable = 45
ISPRCfg.TestIntervalLinkUnavailable = 45
ISPRCfg.FailuresToUnavailable = 2
ISPRCfg.SuccessesToAvailable = 2
ISPRCfg.Save

Thanks

Expert Comment by Craig Beck (ID: 39774060)
The failurestounavailable value is 2, so it will wait a minimum of 90s (2*45) to fail over.

Author Comment by cciedreamer (ID: 39774308)
Hi

I have changed the above values to 1 but it still takes 120 seconds to failover and failback.

Expert Comment by Craig Beck (ID: 39775111)
Did you restart the server or TMG services?

Author Comment by cciedreamer (ID: 39775263)
Yes sir, I rebooted the server after running the VB script.

Assisted Solution by Craig Beck (earned 500 total points, ID: 39775358)
Try this...

set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 15
ISPRCfg.TestIntervalLinkAvailable = 3
ISPRCfg.TestIntervalLinkUnavailable = 3
ISPRCfg.FailuresToUnavailable = 2
ISPRCfg.SuccessesToAvailable = 2
ISPRCfg.Save

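
The same change as the VBS scripts in this thread, as an added example that is not part of the thread: PowerShell on the TMG server driving the same FPC.Root COM object, with a read-back so you can see what was actually persisted (the VBS prints nothing), and a rough estimate of what a set of values implies for detection time. The estimate is my own reading of the property names, not a documented formula: a link is declared down after FailuresToUnavailable consecutive failed probes spaced TestIntervalLinkAvailable seconds apart, declared up after SuccessesToAvailable successful probes spaced TestIntervalLinkUnavailable seconds apart, and never sooner than MinimalResumeTime after it went down. Measured times come out longer because the outage can begin just after a probe ran (one extra interval) and each probe has its own timeout; on that reading, a 45 s interval with 2 failures lands anywhere from 90 s to 135 s before probe timeouts are counted.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the TMG server.

function Get-IsprDetectionEstimate {
    # Lower-bound estimate derived from the property semantics described above
    # (an assumption, not a TMG-documented formula); excludes probe timeouts.
    param(
        [int]$TestIntervalLinkAvailable,
        [int]$TestIntervalLinkUnavailable,
        [int]$FailuresToUnavailable,
        [int]$SuccessesToAvailable,
        [int]$MinimalResumeTime
    )
    $downMin = $FailuresToUnavailable * $TestIntervalLinkAvailable
    $downMax = $downMin + $TestIntervalLinkAvailable     # outage began right after a probe
    $upProbe = $SuccessesToAvailable * $TestIntervalLinkUnavailable
    $upMin   = [Math]::Max($upProbe, $MinimalResumeTime)
    $upMax   = [Math]::Max($upProbe + $TestIntervalLinkUnavailable, $MinimalResumeTime)
    New-Object PSObject -Property @{
        FailoverSeconds = "$downMin-$downMax (plus probe timeout)"
        FailbackSeconds = "$upMin-$upMax (plus probe timeout)"
    }
}

function Get-IsprRedundancyConfig {
    # Same object path as the VBS: FPC.Root -> array -> External network -> ISPRedundancyConfig
    $root = New-Object -ComObject 'FPC.Root'
    $root.GetContainingArray().NetworkConfiguration.Networks.Item('External').ISPRedundancyConfig
}

function Get-IsprConfig {
    # Re-read from the store: shows what was persisted, independent of a service restart.
    $cfg = Get-IsprRedundancyConfig
    New-Object PSObject -Property @{
        MinimalResumeTime           = $cfg.MinimalResumeTime
        TestIntervalLinkAvailable   = $cfg.TestIntervalLinkAvailable
        TestIntervalLinkUnavailable = $cfg.TestIntervalLinkUnavailable
        FailuresToUnavailable       = $cfg.FailuresToUnavailable
        SuccessesToAvailable        = $cfg.SuccessesToAvailable
    }
}

function Set-IsprConfig {
    param([hashtable]$Values)
    $cfg = Get-IsprRedundancyConfig
    $cfg.MinimalResumeTime           = $Values.MinimalResumeTime
    $cfg.TestIntervalLinkAvailable   = $Values.TestIntervalLinkAvailable
    $cfg.TestIntervalLinkUnavailable = $Values.TestIntervalLinkUnavailable
    $cfg.FailuresToUnavailable       = $Values.FailuresToUnavailable
    $cfg.SuccessesToAvailable        = $Values.SuccessesToAvailable
    $cfg.Save()    # same as ISPRCfg.Save in the VBS; silent on success
}

# Craig's suggested values. Estimate first, so the trade-off is visible: a 3 s probe
# interval on a link that is up is also a probe every 3 s per configured ISP link.
$proposed = @{
    MinimalResumeTime           = 15
    TestIntervalLinkAvailable   = 3
    TestIntervalLinkUnavailable = 3
    FailuresToUnavailable       = 2
    SuccessesToAvailable        = 2
}

Get-IsprDetectionEstimate @proposed | Format-List
Set-IsprConfig -Values $proposed
Get-IsprConfig | Format-List
```

The asker in this thread rebooted after each change; `Get-IsprConfig` separates the two questions that a reboot blurs together, namely whether the values reached the configuration store at all and whether the running firewall service has picked them up. If the read-back shows the new values but failover timing has not changed, the first question is answered and only the second remains.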
 

Author Comment by cciedreamer (ID: 39776021)
I tried doing this; now it's taking 45 seconds.


set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 15
ISPRCfg.TestIntervalLinkAvailable = 10
ISPRCfg.TestIntervalLinkUnavailable = 10
ISPRCfg.FailuresToUnavailable = 1
ISPRCfg.SuccessesToAvailable = 1
ISPRCfg.Save

Author Closing Comment by cciedreamer (ID: 39776181)
Thanks craigbeck for your support

I am really appreciating your help.

Thanks a lot.

Author Comment by cciedreamer (ID: 39776499)
Sir,

Suddenly I started facing a problem: web proxy clients started receiving an "Authentication Required" pop-up.

I tried nslookup on the TMG server for my domain but it cannot be resolved.
This is my DNS configuration:
This is my DNS configuration

- DNS service installed on TMG server and configured with forwarders to ISP's DNS servers
- Internal NIC configured with 127.0.0.1 ( Primary) and Internal DNS server ( alternative)


Please any help.

Thanks for your time.

Expert Comment by Craig Beck (ID: 39777025)

Author Comment by cciedreamer (ID: 39777043)
Thanks, I opened a new ticket.

http://www.experts-exchange.com/Microsoft/Windows_Security/Q_28337158.html

Please have a look I'll update the comment there