ISP redundancy feature utilizes multiple ISP links and provide high-availability with load balancing and failover or just failover capability to the corporate Internet. The common functionality of ISP redundancy are:
- Designate primary and secondary link for internet connections
- Balance traffic load based on percentage of total traffic per link
- Automatic fail over to secondary link if primary link fails
Picture: ISP redundancy using FF TMG 2010
You must fulfill following requirements before you configure ISP redundancy.
- Two separate ISP links
- ISP provided Static IP must be obtain from separate subnet.
- Each network must have a Network Address Translation (NAT) relationship with the External network.
- To ensure that DNS requests are routed to the correct ISP, you must add a persistent static route for each DNS IP address(s) configured on the external network adapters
Important!
- Static NAT rules take precedence over ISP redundancy configuration settings. This means that a static NAT traffic directed to a primary ISP link is not rerouted to secondary ISP link if primary ISP link is down.
- you can designate traffic sent to a range of IP addresses is routed to a specific ISP link while configuring ISP redundancy. To do so, click Explicit Route Destinations>click Add Range. You can add multiple ranges.
To configure NICs which is connected to ISP Links
Right click on the external NIC connected to primary ISP>Click on Property>Select TCP/IP4>Click Property>Type the Static IP, Subnet Mask, Gateway and DNS provided by ISP
Repeat above steps for external NIC connected to secondary ISP Link. you will be prompted with the following warning. Don’t worry this is common phenomenon for windows operating systems when you add two gateway. Click Yes to save the configuration.
To add a persistent static route
Open command prompt as an administrator and add persistent route for both external NIC.
route -p ADD 192.168.1.254 MASK 255.255.255.0 192.168.1.254 METRIC 1 IF 3
route -p ADD 192.168.100.254 MASK 255.255.248.0 192.168.100.254 METRIC 2 IF 4
Command Syntax
route [-p] ADD [destination] MASK [netmask] [gateway] METRIC [metric] IF [interface]
- P—-Makes the route persistent
METRIC---specifies the priority for this route. the route with the lowest metric has the highest priority.IF---Specifies the interface number
To Verify NAT rule
Open Forefront TMG Management console, click the Networking node.
Click on Network Rules Tab>Check Network Rules
To Configure ISP Redundancy
Open Forefront TMG Management console, click the Networking node. In the details pane, click the ISP Redundancy tab> click Configure ISP Redundancy, follow the instructions in the wizard as shown on screen shots.
In this window, you can select preferred redundancy mode.
Apply Changes. Click Ok.
To modify each link. Select the link, Click on edit Selected ISP Connection. To monitor ISP redundancy, Click on Monitor ISP redundancy.
Relevant Articles:
Install and configure Forefront TMG step by step
Forefront Threat Management Gateway (TMG) 2010
Configure back to back perimeter step by step
Configure reverse proxy step by step
Blog by Raihan Al-Beruni 
Pingback: FF TMG 2010: Configure Network Load Balancing among Enterprise Array Members | MicrosoftGURU
Hi, with this configuration, the internet connection will still be available if one ISP is down.
Yet, if the FF TMG server goes down due to a hardware failure or just if we need to update the server, how can we maintain the service ?
LikeLike
You can use NLB and ISP Redundancy both http://microsoftguru.com.au/2011/04/30/ff-tmg-2010-configure-network-load-balancing-among-enterprise-array-members/
In this way, you can achieve high availability. for whatever reason if you have shutdown one server you will still have proxy and internet.
LikeLike
Thank you !
And As FF TMG supports now virtual network, this will be perfect in a virtualized configuration 🙂
LikeLike
Hi There,
I have a TMG setup with 2 route to the internet, one is through the LAN which is connected to a firewall and the other is direct to the internet. So instead of having my Internal and 2 External adapters i have just 1 internet (which provides access to the internet) and a single External adapter.
I cannot see my External doing any work! Please is this a possible configuration and what am i doing wrong?
LikeLike
what you want to configure? you can not configure ISP redundancy using one external nic? you need two nic at least
LikeLike
Thanks for this post. Helped me a lot 🙂
Your blog is awesome. Love the details you provide along with screen shots. Keep up the good work.
LikeLike
thanks for visiting my site
LikeLike
First of all, I found your article to be very good and it is also very clear where other tend to make things complicated.
I have this configuration set up for fault tolerance but I’m experincing some problems with some banking and webmail sites. I noticed that when I disable the NIC of any of my two ISPs the problem solves imediatelly. Is there a way to do a more detailed diagnose of what’s happening here?
Best regards and thanks again for your article.
Humberto Lopez
Independent consultant
LikeLike
Its nothing to do with TMG. Please check your DNS forwarding and DNS configuration with ISP. appropriate DNS config will fix the issue.
LikeLike
Hi
I have a question.
I have more than two internet connection .
Is there any way to use forefront for aggregate them?
LikeLike
Please add another NIC external side in TMG and try ISP redundancy with VIP. It should work.
LikeLike
thank you for your answer but can you explain about vip and how i can use it or give me a link about that?
LikeLike
Hi,
Nice Article, but I don´t understood this configuration:
route -p ADD 192.168.1.254 MASK 255.255.255.0 192.168.1.254 METRIC 1 IF 3
route -p ADD 192.168.100.254 MASK 255.255.248.0 192.168.100.254 METRIC 2 IF 4
Do you make a loop? Why?
Thank you.
LikeLike
this is not loop. Windows server does not allow two default gateway to work at the same time. that confuse windows to communicate with other devices/server. adding persistant routing fix the problem. I hope I explianed.
LikeLike
I was able to get the load balancing to work but I have several pc’s with static IP’s that need to be routed though one specific Nic or ISP. I was unsuccessful at routing them though one specific Nic or ISP, even though I found some information indicating it could be done. Keep in mind I know nothing about Forefront, I am learning the hard way and your site has been most helpful. I hope you have a solution for my issue.
LikeLike
in my case i have two internet connection ,and what i want to do is connect it together as a one connection .In my TMG setup i have already insert three NIC, internal and two external internal ip range is 192.168.101. 254 and extnl 192.168.2.1 extnl2 192.168.3.1 .so pls tel me the steps to configure ISP redundancy in to my setup
Thanks..
LikeLike
Here is example http://microsoftguru.com.au/2011/04/26/ff-tmg-2010-configure-isp-redundancy-step-by-step/ and http://microsoftguru.com.au/2011/04/30/ff-tmg-2010-configure-network-load-balancing-among-enterprise-array-members/
LikeLike
Can you help me with my situation? I have:
2 internal interfaces 192.168.0.1 (corporate network), 192.168.1.1 (public WiFi).
2 external interfaces 123.4.0.1, 123.4.1.1
internal interfaces are not routable.
From public WiFi users connect to corporate network via vpn. There is also mobile clients who uses lync and activsync. Everything working fine.
But when I make load balancing or failover, vpn, lync and exchange is unreachable, even ping from wifi to 123.4.0.1, 123.4.1.1 is unreachable.
Load balancing or failover work fine with internet.
LikeLike
Do you have two TMG servers or just one?
I am wondering why you two internal interface when you can add range(s) IP in TMG COnsole>Networking>Right Click Internal Network>Property>Add ranges of IP
In your external interface you can add multiple IPs in TCP/IP property within same subnate ranges. To use Load balancing and failover option you need to use two TMG servers managed to TMG EMS servers. than you can have load balancing and failover in internal or external NICs. you can have ISP redundancy as well.
Add Connectivity verifier in TMG>Monitoring. Use correct DNS routing for Lync and Exchange in Router and TMG servers. than it will work.
LikeLike
I have one TMG server with 4 interfaces (different vlans)
Internal interfaces could not connect each other on l3 even l2, only vpn (some users to some servers).
Two ISP interfaces:
first – internet, web, exchange (smtp,owa,….)
second – lync edge (sip,web,av )
Everything work fine.
I can ping from internal subnets to external tmg addresses
When first ISP is down I haven’t internet, web, exchange (owa,….), smtp only receive (dns mx work fine)
I make load balancing or failover (one TMG server, two ISP), failover work fine, I even don’t notice when one of ISPs is down.
But I can’t ping from internal subnets to external tmg addresses and I can’t connect to vpn via intenal subnets, external vpn work fine.
LikeLike
Bro,
Thanks for your nice postings, they are really useful, but in this section i got a problem that my DSL connections are from same ISP means they have same range of IP like 192.168.144.x
192.168.143.x
And same Sub net mask when i do the load balancing in TMG it give ms an error that ranges are same range, So is there any chance to get rid of it and use my two links simultaneously .
Thanks
LikeLike
Khyber, Ask your ISP to provide you a static IP from different subnet range without charging you extra $$. they should be able to provide you with that. I personally prefer to have two connections from two ISPs. The whole point of ISP redundancy is to have redunacy of ISPs and connections. what happen if your ISP goes offline. even you configured ISP redundancy but you dont have any redundancy. I would recommend to go with two separate ISPs. Thanks for visiting my web site.
Regards,
Raihan
LikeLike