TMG Load Balanced Web Farm Issues

pxuser asked on
Microsoft Forefront ISA Server, Web Servers
Hello Experts,

Currently we have an ISA Server 2006 enterprise array with 2 members which is being used to publish various external sites, some of which are load balanced by ISA.

This has been working perfectly well for some time. However we are currently in the testing phase of our migration to TMG as a short-ish term solution until we identify a suitable replacement solution. We have 2 TMG servers which are members of an enterprise array which is being managed by an EMS. NLB is enabled in multicast mode. All three machines are running the latest build of TMG, 7.0.9193.644.

The firewall policy has been successfully exported from the ISA array and applied to TMG. All the non-load balanced rules are working as expected. However, all of the load balanced rules (using TMG web farms) are not.

After some research it appears that the issue relates to the Web Farm ‘Proxy Requests to Published Servers’ setting in the firewall rule, specifically, where these requests appear to come from. Under ISA, this setting was set to ‘Original client who sent the request’ and it worked as expected. In TMG, using identical settings, if we go to the site we receive the following error from the browser:

“Error Code: 500 Internal Server Error. The remote server has been paused or is in the process of being started. (70)”

However, if this setting is changed to make requests appear to originate from the ‘Forefront TMG computer’ the site is available. The web servers have their default gateway set to the internal NLB address of the array.

Having these requests appear to originate from the firewall does not work for us as our applications rely on knowing the external IP of the client to function correctly. We need to get to the bottom of why this doesn’t work in TMG, but worked perfectly in ISA.

Has anyone encountered this issue before or perhaps could shed some light on a possible solution?
ASKER CERTIFIED SOLUTION
pxuser
