Publishing Exchange HT-CAS 2007 with Threat Management Gateway 2010?

Hi Folks,

I have got 2 Exchange 2007 servers with the Hub Transport and Client Access Server roles combined together, running Windows NLB in IGMP Multicast mode (recommended by VMware).

When publishing with Forefront Threat Management Gateway 2010, shall I create the rule to point to the virtual server / cluster name or to one of the HT-CAS servers only?
Asked by Senior IT System Engineer (Senior Systems Engineer):

Senior IT System Engineer (Author) commented:
So is it possible to change the published site to point to the NLB cluster virtual IP instead of one server FQDN?
Will Szymkowski (Senior Solution Architect) commented:
When you are dealing with a load balancer, the point of the virtual IP is so that it can distribute the load between the 2 servers based on the servers' health. If you point it directly to the IP or FQDN of one of the servers, this defeats the purpose of a load balancer. Another thing: WNLB is not supported in a production environment and should only be used for testing environments.

If possible I would consider getting a hardware load balancer or a virtual load balancer.

Senior IT System Engineer (Author) commented:

Is this official from Microsoft, or is it just not the best practice?
Because when I joined this company, the HT-CAS was already using WNLB in IGMP Multicast mode and was then published by TMG 2010 to the internet.

If it is not recommended by Microsoft, then what should I do to publish it to the internet securely?

Jamie McKillop (IT Manager) commented:
"WNLB is not supported in a production environment and only should be used for testing environments"

WNLB is most certainly supported on the CAS/HT role. What isn't specifically supported is the use of Exchange Server authentication on the HT role when using WNLB. See here:

That said, I don't recommend using WNLB. Hardware load balancers are far superior. Unfortunately, they are also expensive, so you may be stuck with WNLB due to your budget.

Another option you have is to ditch WNLB and set up TMG to publish your servers as a farm. You would need to have your internal clients pointed at your TMG server to maintain redundancy, though. Also, I assume you have a TMG array for fault tolerance and redundancy.


Senior IT System Engineer (Author) commented:
No, my TMG 2010 is just a standard deployment.

I had a problem when I vMotioned the HT-CAS: it broke ActiveSync, so the fix was to change the ActiveSync publishing rule in TMG 2010 to point to just one HT-CAS server instead of the VIP FQDN or the WNLB DNS names.

Strange and hard to believe.

It used to work fine, but somehow live migration broke ActiveSync.
Jamie McKillop (IT Manager) commented:
My suggestion would be to ditch WNLB and use farm publishing in TMG.

Senior IT System Engineer (Author) commented:

So in this case, leave the existing HT-CAS configuration working as it is, but change the TMG publishing rule to farm publishing only for ActiveSync?

For the Hub Transport I see no issue with email flow. It was just ActiveSync that doesn't work when the NLB is drainstopped and then resumed and started.
Jamie McKillop (IT Manager) commented:
I would go to farm publishing for all your web services. You get the added benefit that TMG can do some health checks and automatically remove a member from the farm if there is an issue.
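The per-member health check that farm publishing gives you (each CAS is probed on its own name, and a member that stops answering is taken out of rotation) is easy to reproduce by hand, which is useful for confirming that every HT-CAS answers for ActiveSync after a drainstop or a vMotion before you rely on TMG to do it. The script below is an added example written for this thread, not code from Microsoft, TMG or any of the posters; the server names cas01/cas02.contoso.local are placeholders for your own HT-CAS FQDNs, and the probe assumes the ActiveSync virtual directory is at its default path.

```powershell
# Added example: probe each HT-CAS farm member individually on the ActiveSync
# virtual directory, the way a TMG farm connectivity verifier would, and
# report which members would be kept in or dropped from the farm.
# Placeholder names: replace with the FQDNs of your own HT-CAS servers.
$casMembers = @('cas01.contoso.local', 'cas02.contoso.local')
$vdirPath   = '/Microsoft-Server-ActiveSync'   # default EAS virtual directory
$timeoutMs  = 5000                              # TMG-style short timeout

function Test-EasMember {
    param([string]$Fqdn)
    $result = @{ Server = $Fqdn; Status = 'Unknown'; Detail = '' }
    try {
        # Unauthenticated OPTIONS against the member's own name (not the VIP),
        # so the answer reflects this server only.
        $req = [System.Net.HttpWebRequest]::Create("https://$Fqdn$vdirPath")
        $req.Method            = 'OPTIONS'
        $req.Timeout           = $timeoutMs
        $req.AllowAutoRedirect = $false
        $resp = $req.GetResponse()
        $result.Status = 'Healthy'
        $result.Detail = "HTTP $([int]$resp.StatusCode)"
        $resp.Close()
    }
    catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -ne $null) {
            $code = [int]$resp.StatusCode
            # 401 means IIS and the EAS virtual directory answered and are
            # demanding credentials: a healthy member from the publishing
            # rule's point of view. 5xx or 404 means the member is broken.
            if ($code -eq 401) { $result.Status = 'Healthy' }
            else               { $result.Status = 'Unhealthy' }
            $result.Detail = "HTTP $code"
            $resp.Close()
        }
        else {
            # Timeout, TCP reset or TLS failure: TMG would drop this member.
            $result.Status = 'Unhealthy'
            $result.Detail = $_.Exception.Status.ToString()
        }
    }
    New-Object PSObject -Property $result
}

$casMembers |
    ForEach-Object { Test-EasMember -Fqdn $_ } |
    Select-Object Server, Status, Detail |
    Format-Table -AutoSize
```

Run it from a host that can reach the CAS servers on TCP 443 directly (the TMG box itself is a good choice, since that is the path the farm verifier uses). A certificate whose name does not cover the individual server FQDN shows up here as a TLS failure in the Detail column; that is worth knowing before switching to farm publishing, because the farm members are contacted by their own names rather than by the WNLB cluster name.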

Senior IT System Engineer (Author) commented:
Thanks, man! You are very helpful!