FF TMG 2010: Configure ISP Redundancy— Step by Step

ISP redundancy feature utilizes multiple ISP links and provide high-availability with load balancing and failover or just failover capability to the corporate Internet. The common functionality of ISP redundancy are:

  • Designate primary and secondary link for internet connections
  • Balance traffic load based on percentage of total traffic per link
  • Automatic fail over to secondary link if primary link fails


Picture: ISP redundancy using FF TMG 2010

You must fulfill following requirements before you configure ISP redundancy.

  • Two separate ISP links
  • ISP provided Static IP must be obtain from separate subnet.
  • Each network must have a Network Address Translation (NAT) relationship with the External network.
  • To ensure that DNS requests are routed to the correct ISP, you must add a persistent static route for each DNS IP address(s) configured on the external network adapters


  • Static NAT rules take precedence over ISP redundancy configuration settings. This means that a static NAT traffic directed to a primary ISP link is not rerouted to secondary ISP link if primary ISP link is down.
  • you can designate traffic sent to a range of IP addresses is routed to a specific ISP link while configuring ISP redundancy. To do so, click Explicit Route Destinations>click Add Range. You can add multiple ranges.

To configure NICs which is connected to ISP Links


Right click on the external NIC connected to primary ISP>Click on Property>Select TCP/IP4>Click Property>Type the Static IP, Subnet Mask, Gateway and DNS provided by ISP

Repeat above steps for external NIC connected to secondary ISP Link. you will be prompted with the following warning. Don’t worry this is common phenomenon for windows operating systems when you add two gateway. Click Yes to save the configuration.  


To add a persistent static route

Open command prompt as an administrator and add persistent route for both external NIC.

route -p ADD MASK METRIC 1 IF 3 

route -p ADD MASK METRIC 2 IF 4 

Command Syntax

route [-p] ADD [destination] MASK [netmask] [gateway] METRIC [metric] IF [interface]

  • P—-Makes the route persistent
  • METRIC---specifies the priority for this route. the route with the lowest metric has the highest priority.
  • IF---Specifies the interface number

To Verify NAT rule

Open Forefront TMG Management console, click the Networking node.

Click on Network Rules Tab>Check Network Rules


To Configure ISP Redundancy

Open Forefront TMG Management console, click the Networking node. In the details pane, click the ISP Redundancy tab> click Configure ISP Redundancy, follow the instructions in the wizard as shown on screen shots.




In this window, you can select preferred redundancy mode.










Apply Changes. Click Ok.

To modify each link. Select the link, Click on edit Selected ISP Connection. To monitor ISP redundancy, Click on Monitor ISP redundancy.




Relevant Articles:

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step





About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server and tagged , , , , , , . Bookmark the permalink.

23 Responses to FF TMG 2010: Configure ISP Redundancy— Step by Step

  1. Pingback: FF TMG 2010: Configure Network Load Balancing among Enterprise Array Members | MicrosoftGURU

  2. Chris says:

    Hi, with this configuration, the internet connection will still be available if one ISP is down.
    Yet, if the FF TMG server goes down due to a hardware failure or just if we need to update the server, how can we maintain the service ?


  3. Berdugu says:

    Hi There,

    I have a TMG setup with 2 route to the internet, one is through the LAN which is connected to a firewall and the other is direct to the internet. So instead of having my Internal and 2 External adapters i have just 1 internet (which provides access to the internet) and a single External adapter.

    I cannot see my External doing any work! Please is this a possible configuration and what am i doing wrong?


  4. Pavlo says:

    Thanks for this post. Helped me a lot 🙂

    Your blog is awesome. Love the details you provide along with screen shots. Keep up the good work.


  5. Humberto Lopez says:

    First of all, I found your article to be very good and it is also very clear where other tend to make things complicated.

    I have this configuration set up for fault tolerance but I’m experincing some problems with some banking and webmail sites. I noticed that when I disable the NIC of any of my two ISPs the problem solves imediatelly. Is there a way to do a more detailed diagnose of what’s happening here?

    Best regards and thanks again for your article.

    Humberto Lopez
    Independent consultant


  6. Ali says:

    I have a question.
    I have more than two internet connection .
    Is there any way to use forefront for aggregate them?


  7. Alessandro Proenca says:


    Nice Article, but I don´t understood this configuration:

    route -p ADD MASK METRIC 1 IF 3

    route -p ADD MASK METRIC 2 IF 4

    Do you make a loop? Why?

    Thank you.


    • this is not loop. Windows server does not allow two default gateway to work at the same time. that confuse windows to communicate with other devices/server. adding persistant routing fix the problem. I hope I explianed.


  8. Brian says:

    I was able to get the load balancing to work but I have several pc’s with static IP’s that need to be routed though one specific Nic or ISP. I was unsuccessful at routing them though one specific Nic or ISP, even though I found some information indicating it could be done. Keep in mind I know nothing about Forefront, I am learning the hard way and your site has been most helpful. I hope you have a solution for my issue.


  9. Ashan says:

    in my case i have two internet connection ,and what i want to do is connect it together as a one connection .In my TMG setup i have already insert three NIC, internal and two external internal ip range is 192.168.101. 254 and extnl extnl2 .so pls tel me the steps to configure ISP redundancy in to my setup



  10. ko says:

    Can you help me with my situation? I have:
    2 internal interfaces (corporate network), (public WiFi).
    2 external interfaces,

    internal interfaces are not routable.
    From public WiFi users connect to corporate network via vpn. There is also mobile clients who uses lync and activsync. Everything working fine.

    But when I make load balancing or failover, vpn, lync and exchange is unreachable, even ping from wifi to, is unreachable.
    Load balancing or failover work fine with internet.


    • Do you have two TMG servers or just one?

      I am wondering why you two internal interface when you can add range(s) IP in TMG COnsole>Networking>Right Click Internal Network>Property>Add ranges of IP
      In your external interface you can add multiple IPs in TCP/IP property within same subnate ranges. To use Load balancing and failover option you need to use two TMG servers managed to TMG EMS servers. than you can have load balancing and failover in internal or external NICs. you can have ISP redundancy as well.

      Add Connectivity verifier in TMG>Monitoring. Use correct DNS routing for Lync and Exchange in Router and TMG servers. than it will work.


      • ko says:

        I have one TMG server with 4 interfaces (different vlans)
        Internal interfaces could not connect each other on l3 even l2, only vpn (some users to some servers).

        Two ISP interfaces:
        first – internet, web, exchange (smtp,owa,….)
        second – lync edge (sip,web,av )
        Everything work fine.
        I can ping from internal subnets to external tmg addresses
        When first ISP is down I haven’t internet, web, exchange (owa,….), smtp only receive (dns mx work fine)

        I make load balancing or failover (one TMG server, two ISP), failover work fine, I even don’t notice when one of ISPs is down.
        But I can’t ping from internal subnets to external tmg addresses and I can’t connect to vpn via intenal subnets, external vpn work fine.


  11. Akbar Orya says:


    Thanks for your nice postings, they are really useful, but in this section i got a problem that my DSL connections are from same ISP means they have same range of IP like 192.168.144.x

    And same Sub net mask when i do the load balancing in TMG it give ms an error that ranges are same range, So is there any chance to get rid of it and use my two links simultaneously .



    • Khyber, Ask your ISP to provide you a static IP from different subnet range without charging you extra $$. they should be able to provide you with that. I personally prefer to have two connections from two ISPs. The whole point of ISP redundancy is to have redunacy of ISPs and connections. what happen if your ISP goes offline. even you configured ISP redundancy but you dont have any redundancy. I would recommend to go with two separate ISPs. Thanks for visiting my web site.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s