How do I configure a SecureNAT client connecting to a ForeFront TMG 2010 Array (managed by an EMS server)?

Hello,

I have set up the following mini virtual network of servers:

Name:  ARRAY1
Role:  TMG Array member #1
NIC 1: 10.1.128.1/255.255.0.0 DNS: 10.1.128.3
NIC 2: External Public IP for Internet #1

Name:  ARRAY2
Role:  TMG Array member #2
NIC 1: 10.1.128.2/255.255.0.0 DNS: 10.1.128.3
NIC 2: External Public IP for Internet #2

Name:  DC
Role:  ADDS server, DNS server
NIC 1:  10.1.128.3/255.255.0.0 Default Gateway: 10.1.128.1 DNS: 10.1.128.3 (self)

Name:  EMS
Role:  EMS Server
NIC 1:  10.1.128.4/255.255.0.0 Default Gateway: NONE. DNS: 10.1.128.3 (self)
DNS Entry for the actual array called "TMGArray" points to 10.1.128.4.

Name:  VM1
Role:  Windows 7 Client
NIC 1: 10.1.128.5/255.255.0.0 Default Gateway: 10.1.128.4 DNS: 10.1.128.3

Independent internet connectivity on the two ARRAY* servers was verified and both ARRAY* servers were successfully added to an array called "TMGArray".

Now, the problem I am having is configuring clients to connect to the TMGArray for internet access, instead of directly to an individual TMG Server (which still works, btw).

In other words, for VM1:

NIC1: 10.1.128.5/255.255.0.0 DG: 10.1.128.1 DNS 10.1.128.3 <-- WORKS

but

NIC1: 10.1.128.5/255.255.0.0 DG: 10.1.128.4 DNS: 10.1.128.3 <-- DOES NOT WORK

How should I be configuring my client so that it connects to the internet via the TMG Array (EMS) and in SecureNAT mode (i.e. no browser config required)?

All help is greatly appreciated!

Thanks,
Waqqas
waqqas31 asked:

asavener commented:
I believe you need to configure network load balancing (NLB) on the two array members, and use the IP address you create at that time.

Here's an NLB guide (you can adapt it to be for TMG instead of RDS):
https://technet.microsoft.com/en-us/library/cc771300%28v=ws.10%29.aspx


Note:  If you have Cisco routers that need to route to the NLB virtual IP address, then you will need to add static ARP entries on those devices.

waqqas31 (Author) commented:
Hi asavener,

Thanks for the tip.

I tried that, but something new happened.  After applying NLB, the NLB settings are pushed out successfully to both servers (verified by running "nlb display" in PowerShell on either server), but one of the two servers is no longer able to communicate with EMS.  I even tried restarting all 5 TMG services on ARRAY2, but even that didn't help.

(attached screenshot: TMG-EMS-Error.jpg)

asavener commented:
Did you create the NLB with a new IP address, or did you use the same address that the EMS server is using?
waqqas31 (Author) commented:
I used a new IP, 10.1.128.10.
waqqas31 (Author) commented:
I may have found the reason for my woes.  Apparently, VMware ESXi has issues with Microsoft NLB, so it's very possible that VMware Workstation does, too.

For what it's worth, I tried configuring NLB in the other two modes, namely Multicast and IGMP Multicast, and while Multicast-mode kept the intra-server communication up, the internet stopped working completely.  I didn't verify the same with IGMP multicast.

I am going to try my configuration on physical servers in the next day or so and report back on whether there were any similar issues.
waqqas31 (Author) commented:
Well, I now have a working redundant array of Forefront TMG servers.  There were two factors that delayed me immensely in achieving a successful setup.

1. It just will not work in VMware Workstation.  There is a setting you can toggle in ESXi, but no similar setting in Workstation.
2. In a physical setup, I would recommend using dedicated network interfaces (that do not rely on VLAN-tagging).  I had working VLANs for each of my networks, but after enabling NLB, they simply would not function properly.  The adapters would each report being on "Unidentified networks" and none of the servers could communicate with each other anymore.  I reverted to separate physical adapters for each network, and everything kept working fine.

Beyond these two issues, everything worked by the book.

And lastly, the answer to my question on how to connect to my redundant array setup is to enable NLB, create a VIP, then point each client to that VIP (configured as the default gateway).
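As an added verification script (not code from the thread), the following PowerShell checks the two halves of that answer: on an array member, that the NLB cluster carries the VIP and both nodes have converged; on the client, that the default gateway is the VIP rather than a single member or the EMS. It assumes the addresses from the thread (VIP 10.1.128.10, members 10.1.128.1/.2, EMS 10.1.128.4), that the Windows NetworkLoadBalancingClusters module is present on the array members, and a Windows 7 client (WMI is used so it works there).

```powershell
# Added example; the addresses are the ones from the thread and the NIC layout is assumed.
param(
    [string]$Vip        = '10.1.128.10',                  # VIP created when NLB was enabled
    [string[]]$Members  = @('10.1.128.1', '10.1.128.2'),   # ARRAY1 / ARRAY2 internal addresses
    [string]$EmsAddress = '10.1.128.4'                     # EMS stores array config; it is not a firewall
)

# Run on an array member: the VIP must exist and every node must report Converged.
function Test-ArrayNlb {
    Import-Module NetworkLoadBalancingClusters
    $vips = Get-NlbClusterVip | Select-Object -ExpandProperty IPAddress
    if ($vips -notcontains $Vip) {
        Write-Warning "VIP $Vip is not configured on this node"
        return $false
    }
    $notConverged = Get-NlbClusterNode | Where-Object { $_.State -ne 'Converged' }
    if ($notConverged) {
        $notConverged | ForEach-Object { Write-Warning ("Node {0} state: {1}" -f $_.Name, $_.State) }
        return $false
    }
    return $true
}

# Run on the SecureNAT client: classify the default gateway the way the thread found it.
function Test-SecureNatGateway {
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
           Where-Object { $_.IPEnabled -and $_.DefaultIPGateway }
    $gw = @($cfg.DefaultIPGateway)[0]
    if ($gw -eq $Vip) {
        Write-Output "OK: default gateway $gw is the array VIP (redundant path)"
        return $true
    }
    if ($gw -eq $EmsAddress) {
        Write-Warning "Gateway $gw is the EMS; it holds the array configuration but does not forward traffic"
        return $false
    }
    if ($Members -contains $gw) {
        Write-Warning "Gateway $gw is a single array member; it works, but loses the NLB failover"
        return $false
    }
    Write-Warning "Gateway $gw is not part of the array"
    return $false
}
```

Run `Test-ArrayNlb` on ARRAY1 and ARRAY2 after enabling NLB, then `Test-SecureNatGateway` on VM1; a client that still points at 10.1.128.4 reproduces the "DOES NOT WORK" case from the question.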