Solved

TMG ISP Redundancy and DNS

Posted on 2014-01-13
Last Modified: 2014-01-15
Hello Experts,

Actually, this is the continuation of my previous question.

Hello,

I have installed TMG with 3 NICs such as ISP1, ISP2 and Internal

I configured the ISP1 and ISP2 interfaces with IP addresses and default gateways, and configured the internal NIC with an IP address but no default gateway.

I installed DNS service on TMG and configured the forwarders pointing to ISP DNS servers.

Finally, the internal NIC DNS configuration is as follows:

Primary: 127.0.0.1

Alternative: Internal AD DNS servers

Configured persistent routes:

=============================================================
Persistent Routes:
  Network Address   Netmask          Gateway Address  Metric
  10.0.0.0          255.0.0.0        10.1.2.1         1        (Internal LAN)
  1.1.1.1           255.255.255.255  192.168.5.1      2        (ISP1 DNS Server)
  2.2.2.2           255.255.255.255  192.168.4.2      3        (ISP2 DNS Server)
  0.0.0.0           0.0.0.0          192.168.4.2      Default
  0.0.0.0           0.0.0.0          192.168.5.1      Default

Suddenly I started facing a problem: web proxy clients receive a pop-up "Authentication Required".

I tried nslookup on the TMG server for my domain, but it cannot be resolved.

I would highly appreciate any help.


Thanks
0
Question by:cciedreamer
11 Comments
 
LVL 3

Author Comment

by:cciedreamer
ID: 39777050
I uninstalled TMG and removed the server from the domain.

When I am trying to rejoin, it says the domain name cannot be resolved and it failed to join the domain.

Still the interface and route configuration remain as mentioned above.

Thanks
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39777096
You don't particularly need a DNS server to be installed on the TMG if you only want it to resolve hostnames for web clients.

The TMG server will use the DNS server addresses you configure on the internal NIC (or external NIC) to resolve URLs on the client's behalf. The DNS server is only necessary if you want to forward internal URLs to your internal hosts/DNS servers.
0
 
LVL 47

Accepted Solution

by: Craig Beck (earned 2000 total points)
ID: 39777112
When you create your static routes, you don't need to change the metrics for the ISP DNS servers.  You only need to adjust the metrics for your default backup route for ISP redundancy.

So according to your routing table...

Persistent Routes:
  Network Address   Netmask          Gateway Address  Metric
  10.0.0.0          255.0.0.0        10.1.2.1         Default
  1.1.1.1           255.255.255.255  192.168.5.1      Default
  2.2.2.2           255.255.255.255  192.168.4.2      Default
  0.0.0.0           0.0.0.0          192.168.4.2      Default
  0.0.0.0           0.0.0.0          192.168.5.1      10

...might work better.

The primary DNS server always needs to go via ISP2, while the secondary DNS server always needs to go via the ASA, so these metrics are always going to be 1 as they will never need to go over the other ISP's link.

The primary route to the internet may change though, so the metric should be 1 for the ISP2 link, but lower for the ISP1 link.  Here I have set it to 10.
0
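As an added illustration of the route-selection rule behind this answer (it is not code from the thread, from TMG or from Windows), the Python below models how a host routing table picks a next hop: longest matching prefix first, lowest metric among routes of the same prefix length. It uses the addresses posted in the thread; the "Default" metric shown on both of the poster's default routes is modelled as an equal metric of 1, the interface metric that Windows adds on top is left out, and a down ISP link is assumed to take the routes via its gateway with it.

```python
import ipaddress

# Routing tables constructed from the thread's persistent-route listings.
# The poster's table gives "Default" for both 0.0.0.0/0 routes, modelled
# here as metric 1 on each; the corrected table is the accepted answer's.
ROUTES_AS_POSTED = [
    ("10.0.0.0/8",  "10.1.2.1",    1),   # internal LAN
    ("1.1.1.1/32",  "192.168.5.1", 2),   # ISP1 DNS server (host route)
    ("2.2.2.2/32",  "192.168.4.2", 3),   # ISP2 DNS server (host route)
    ("0.0.0.0/0",   "192.168.4.2", 1),   # default via ISP2
    ("0.0.0.0/0",   "192.168.5.1", 1),   # default via ISP1 (same metric!)
]

ROUTES_CORRECTED = [
    ("10.0.0.0/8",  "10.1.2.1",    1),
    ("1.1.1.1/32",  "192.168.5.1", 1),
    ("2.2.2.2/32",  "192.168.4.2", 1),
    ("0.0.0.0/0",   "192.168.4.2", 1),   # primary default via ISP2
    ("0.0.0.0/0",   "192.168.5.1", 10),  # backup default via ISP1
]


def select_route(dst, routes, down_gateways=frozenset()):
    """Pick the route for dst the way a host routing table does:
    longest matching prefix wins, lowest metric breaks ties between
    routes of equal prefix length. Routes via a gateway listed in
    down_gateways are ignored (assumption: a down link removes them).
    Interface metrics are deliberately left out of the model.
    Returns (network, gateway, metric, ambiguous); ambiguous is True
    when two surviving routes tie on both prefix length and metric."""
    addr = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(net), gw, metric)
        for net, gw, metric in routes
        if gw not in down_gateways and addr in ipaddress.ip_network(net)
    ]
    if not matches:
        return None
    best_len = max(n.prefixlen for n, _, _ in matches)
    same_len = [m for m in matches if m[0].prefixlen == best_len]
    best_metric = min(metric for _, _, metric in same_len)
    winners = [m for m in same_len if m[2] == best_metric]
    net, gw, metric = winners[0]
    return (str(net), gw, metric, len(winners) > 1)


def next_hop(dst, routes, down_gateways=frozenset()):
    """Gateway chosen for dst, or None when no route matches."""
    r = select_route(dst, routes, down_gateways)
    return None if r is None else r[1]


def is_ambiguous(dst, routes):
    """True when the table cannot deterministically choose a route for dst."""
    r = select_route(dst, routes)
    return r is not None and r[3]


if __name__ == "__main__":
    for label, table in (("as posted", ROUTES_AS_POSTED),
                         ("corrected", ROUTES_CORRECTED)):
        print(f"--- {label} ---")
        # 203.0.113.5 is a documentation-range address standing in for
        # "any host on the internet" (constructed sample input).
        for dst in ("10.1.2.10", "1.1.1.1", "2.2.2.2", "203.0.113.5"):
            print(f"{dst:12} -> {select_route(dst, table)}")
        print("203.0.113.5 with ISP2 down ->",
              select_route("203.0.113.5", table, {"192.168.4.2"}))
```

Running it shows the two points the answer makes: the /32 host routes to 1.1.1.1 and 2.2.2.2 pick the same gateway whatever metric they carry, because no other route of the same prefix length competes with them, while the two default routes only become a deterministic primary/backup pair once one of them carries the higher metric. On the box itself the equivalent check is `route print` after the `route add -p` commands.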
 
LVL 3

Author Comment

by:cciedreamer
ID: 39777159
Sir,

What is your recommendation for DNS? Actually, I don't keep any ISP's DNS server forwarder on my internal DNS server.

Thanks
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39777308
Your internal DNS server should use your ISP DNS servers as forwarders to ensure you get a fast response.  You don't have to use forwarders though, but if you don't you must use the Root servers or you won't resolve any external URLs.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39777327
How about this: if I configure a conditional forwarder on the TMG server to forward DNS requests to the internal DNS server which is responsible for AD?
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39777460
If you need internal clients to get to internal web sites then that's fine as the TMG will be proxying, but if you don't need any internal clients to get to internally-hosted websites there's not much point in running DNS on the TMG unless you want to manipulate URLs (block access to sites using DNS, etc).
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39777611
So far now everything is working.

Just a summary

- Installed the DNS service on TMG.
- Configured the forwarders pointing to ISP 1 & 2 DNS servers.
- Configured the conditional forwarder to forward DNS request to internal DNS server for AD authentication.
- Internal NIC DNS

Primary: 127.0.0.1 (local host, TMG)
Alternative: Internal DNS servers.
0
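Added example, not part of the thread and not TMG's or the Windows DNS service's own code: a small Python model of the forwarding decision the summary above describes, so the effect of the conditional forwarder can be seen offline. The AD zone name corp.example.local, the internal DNS addresses 10.1.2.10 and 10.1.2.11, and the per-server answer tables are constructed; the general forwarders are the ISP resolver addresses 1.1.1.1 and 2.2.2.2 used in the thread.

```python
# Constructed forwarder configuration for the DNS service on the TMG host.
AD_ZONE = "corp.example.local"                              # assumed AD domain
CONDITIONAL_FORWARDERS = {AD_ZONE: ["10.1.2.10", "10.1.2.11"]}  # assumed internal AD DNS
GENERAL_FORWARDERS = ["1.1.1.1", "2.2.2.2"]                 # ISP1 and ISP2 resolvers

# Constructed, offline stand-in for what each forwarder would answer.
# The ISP resolvers know nothing about the internal zone, which is the
# situation that produced the "cannot resolve my domain" symptom.
SERVER_DATA = {
    "10.1.2.10": {"dc01.corp.example.local": "10.1.2.10",
                  "corp.example.local": "10.1.2.10"},
    "10.1.2.11": {"dc01.corp.example.local": "10.1.2.10",
                  "corp.example.local": "10.1.2.10"},
    "1.1.1.1":   {"www.example.com": "203.0.113.10"},
    "2.2.2.2":   {"www.example.com": "203.0.113.10"},
}


def _labels(name):
    return name.rstrip(".").lower().split(".")


def forward_target(qname, conditional=CONDITIONAL_FORWARDERS,
                   general=GENERAL_FORWARDERS):
    """Decide where a query goes: the longest conditional-forwarder zone
    that matches qname on a label boundary wins; otherwise the general
    forwarders are used. Returns (reason, server_list)."""
    labels = _labels(qname)
    best = None
    for zone, servers in conditional.items():
        z = _labels(zone)
        if len(z) <= len(labels) and labels[-len(z):] == z:
            if best is None or len(z) > len(best[0]):
                best = (z, servers)
    if best is None:
        return ("forwarders", list(general))
    return ("conditional:" + ".".join(best[0]), list(best[1]))


def resolve(qname, conditional=CONDITIONAL_FORWARDERS,
            general=GENERAL_FORWARDERS, unreachable=frozenset()):
    """Forward qname to the first reachable server in the chosen list and
    return its answer (None models NXDOMAIN). Servers in `unreachable`
    are skipped, modelling failover to the next forwarder."""
    _, servers = forward_target(qname, conditional, general)
    for server in servers:
        if server in unreachable:
            continue
        return SERVER_DATA.get(server, {}).get(qname.rstrip(".").lower())
    return None


if __name__ == "__main__":
    for q in ("dc01.corp.example.local", "www.example.com", "notcorp.example.local"):
        print(f"{q:26} -> {forward_target(q)} -> {resolve(q)}")
    print("AD name with no conditional forwarder ->",
          resolve("dc01.corp.example.local", conditional={}))
```

With `conditional={}` the AD name is sent to the ISP forwarders and comes back unresolved, which is the state the poster was in before adding the conditional forwarder; the `notcorp.example.local` case shows why the match has to be on a label boundary rather than a plain string suffix.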
 
LVL 3

Author Comment

by:cciedreamer
ID: 39782156
Thanks craigbeck, it's working fine.

But I am just facing some browsing slowness, though I have only 1 user connected.

ISP1 Leased Line 15MB
ISP2 DIA   10MB

Thanks
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39782394
Sir,

I posted a new question with a new design. Can you please help with this?

http://www.experts-exchange.com/Networking/Network_Management/Network_Design_and_Methodology/Q_28339114.html

Thanks
0
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39783218
Thanks :)
0
