Currently we have an ISA Server 2006 enterprise array with 2 members which is being used to publish various external sites, some of which are load balanced by ISA.
This has been working perfectly well for some time. However, we are currently in the testing phase of our migration to TMG as a short-ish term solution until we identify a suitable replacement solution. We have 2 TMG servers which are members of an enterprise array which is being managed by an EMS. NLB is enabled in multicast mode. All three machines are running the latest build of TMG, 7.0.9193.644.
The firewall policy has been successfully exported from the ISA array and applied to TMG. All the non-load balanced rules are working as expected. However, all of the load balanced rules (using TMG web farms) are not.
After some research it appears that the issue relates to the Web Farm ‘Proxy Requests to Published Servers’ setting in the firewall rule, specifically, where these requests appear to come from. Under ISA, this setting was set to ‘Original client who sent the request’ and it worked as expected. In TMG, using identical settings, if we go to the site we receive the following error from the browser:
“Error Code: 500 Internal Server Error. The remote server has been paused or is in the process of being started. (70)”
However, if this setting is changed to make requests appear to originate from the ‘Forefront TMG computer’ the site is available. The web servers have their default gateway set to the internal NLB address of the array.
Having these requests appear to originate from the firewall does not work for us as our applications rely on knowing the external IP of the client to function correctly. We need to get to the bottom of why this doesn’t work in TMG, but worked perfectly in ISA.
Has anyone encountered this issue before or perhaps could shed some light on a possible solution?
This makes sure that one session is handled over the same node...
To change the setting, go to Networking - Networks tab...
From the task pane select "Enable Network Load Balancing Integration".
Select the interface - Configure NLB Settings...
Enter the IP and Mask for the primary VIP.
After you have changed everything, wait for replication and restart the machines...