waqqas31 asked:
How do I configure a SecureNAT client connecting to a ForeFront TMG 2010 Array (managed by an EMS server)?

Hello,

I have set up the following mini virtual network of servers:

Name:  ARRAY1
Role:  TMG Array member #1
NIC 1: 10.1.128.1/255.255.0.0 DNS: 10.1.128.3
NIC 2: External Public IP for Internet #1

Name:  ARRAY2
Role:  TMG Array member #2
NIC 1: 10.1.128.2/255.255.0.0 DNS: 10.1.128.3
NIC 2: External Public IP for Internet #2

Name:  DC
Role:  ADDS server, DNS server
NIC 1:  10.1.128.3/255.255.0.0 Default Gateway: 10.1.128.1 DNS: 10.1.128.3 (self)

Name:  EMS
Role:  EMS Server
NIC 1:  10.1.128.4/255.255.0.0 Default Gateway: NONE. DNS: 10.1.128.3 (self)
DNS Entry for the actual array called "TMGArray" points to 10.1.128.4.

Name:  VM1
Role:  Windows 7 Client
NIC 1: 10.1.128.5/255.255.0.0 Default Gateway: 10.1.128.4 DNS: 10.1.128.3

Independent internet connectivity on the two ARRAY* servers was verified and both ARRAY* servers were successfully added to an array called "TMGArray".

Now, the problem I am having is configuring clients to connect to the TMGArray for internet access, instead of directly to an individual TMG Server (which still works, btw).

In other words, for VM1:

NIC1: 10.1.128.5/255.255.0.0 DG: 10.1.128.1 DNS 10.1.128.3 <-- WORKS

but

NIC1: 10.1.128.5/255.255.0.0 DG: 10.1.128.4 DNS: 10.1.128.3 <-- DOES NOT WORK

How should I be configuring my client so that it connects to the internet via the TMG Array (EMS) and in SecureNAT mode (i.e. no browser config required)?

All help is greatly appreciated!

Thanks,
Waqqas
ASKER CERTIFIED SOLUTION
asavener

waqqas31 (ASKER):
Hi asavener,

Thanks for the tip.

I tried that, but something new happened.  After applying NLB, the NLB settings are pushed out successfully to both servers (verified by running "nlb display" in PowerShell on either server), but one of the two servers is no longer able to communicate with EMS.  I even tried restarting all 5 TMG services on ARRAY2, but even that didn't help.

Did you create the NLB with a new IP address, or did you use the same address that the EMS server is using?

I used a new IP, 10.1.128.10.

I may have found the reason for my woes.  Apparently, VMware ESXi has issues with Microsoft NLB, so it's very possible that VMware Workstation does, too.

For what it's worth, I tried configuring NLB in the other two modes, namely Multicast and IGMP Multicast, and while Multicast-mode kept the intra-server communication up, the internet stopped working completely.  I didn't verify the same with IGMP multicast.

I am going to try my configuration on physical servers in the next day or so and report back on whether there were any similar issues.

Well, I now have a working redundant array of Forefront TMG servers.  There were two factors that delayed me immensely in achieving a successful setup.

1. It just will not work in VMware Workstation.  There is a setting you can toggle in ESXi, but no similar setting in Workstation.
2. In a physical setup, I would recommend using dedicated network interfaces (that do not rely on VLAN-tagging).  I had working VLANs for each of my networks, but after enabling NLB, they simply would not function properly.  The adapters would each report being on "Unidentified networks" and none of the servers could communicate with each other anymore.  I reverted to separate physical adapters for each network, and everything kept working fine.

Beyond these two issues, everything worked by the book.

And lastly, the answer to my question on how to connect to my redundant array setup is to enable NLB, create a VIP, then point each client to that VIP (configured as the default gateway).