NLB is a useful built-in TMG feature you can use to balance high network traffic. You can configure network load balancing across up to eight FF TMG array members.
The following is an example of FF TMG 2010 NLB configuration.
To configure network load balancing among FF TMG 2010 enterprise array members, open the FF TMG Enterprise Management Server console, click on the Networking node and select the preferred network. For this article, I have chosen the internal network for load balancing.
Click on Enable Network Load Balancing Integration. You will be presented with the NLB Integration Wizard; click Next.
Select Internal and click Configure NLB Settings.
Type the primary virtual IP (VIP), select Unicast, and click OK. Note that the VIP should be in the same IP range as the internal networks of both TMG servers. The VIP will be registered as a DNS record on the DNS server once you click Finish.
Click Finish, then click OK.
Apply the changes and click OK.
To change or add an additional VIP, click on the Networking node, right-click on Internal Network, click Properties, and click the NLB tab.
Change the FF TMG client configuration to the new VIP. The client proxy address will be the new VIP.
You have now finished configuring NLB. To test NLB, open Internet Explorer, add the VIP as the new proxy address and browse bing.com.
To verify that you can still browse the internet using the VIP proxy address if one NLB node fails, reboot one TMG server while you keep surfing the internet on a client. You may experience slow browsing depending on your load. You will see the following error in the TMG EMS, but once all array members are up and running it will sync itself.
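The failover test above can be made measurable instead of eyeballing a browser. The following PowerShell probe is an added example, not part of the original article: it sends a request through the VIP proxy every few seconds while you reboot one node, logs each outcome to a CSV, and reports how many probes failed and the worst latency. The VIP, proxy port (8080 is the TMG web proxy default), URL and log path are placeholders you replace.

```powershell
# Added example (not from the original article): probe the TMG NLB VIP as a web
# proxy during a failover test and record each request's outcome.
# Assumptions (placeholders, not values from the article):
#   $Vip  - the primary VIP entered in the NLB wizard
#   $Port - the TMG web proxy listener port (8080 is the TMG default)
#   $Url  - any external site to fetch through the proxy
param(
    [string]$Vip      = '192.0.2.10',          # placeholder VIP, replace with yours
    [int]   $Port     = 8080,
    [string]$Url      = 'http://www.bing.com/',
    [int]   $Seconds  = 120,                   # total probe duration
    [int]   $Interval = 2,                     # seconds between probes
    [string]$LogPath  = "$env:TEMP\tmg-nlb-probe.csv"
)

$proxy   = 'http://{0}:{1}' -f $Vip, $Port
$results = @()
$stop    = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $stop) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Force the request through the VIP so we exercise NLB, not a node's own IP.
        $r    = Invoke-WebRequest -Uri $Url -Proxy $proxy -UseBasicParsing -TimeoutSec 10
        $ok   = ($r.StatusCode -eq 200)
        $note = "HTTP $($r.StatusCode)"
    } catch {
        # Timeouts and proxy connection failures land here during the node reboot.
        $ok   = $false
        $note = $_.Exception.Message
    }
    $sw.Stop()
    $results += [pscustomobject]@{
        Time    = Get-Date -Format 'HH:mm:ss'
        Success = $ok
        Ms      = $sw.ElapsedMilliseconds
        Note    = $note
    }
    Start-Sleep -Seconds $Interval
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$failed = @($results | Where-Object { -not $_.Success })
$worst  = ($results | Measure-Object -Property Ms -Maximum).Maximum
'Probes: {0}  Failed: {1}  Worst latency: {2} ms' -f $results.Count, $failed.Count, $worst
if ($failed.Count -gt 0) { "First failure at $($failed[0].Time); details in $LogPath" }
```

Run it from a client on the internal network, reboot one array member partway through, and compare the failure window in the CSV against what the browser test shows.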
Important! You can centrally manage up to 15 EMS x 200 arrays per EMS x 50 TMG servers per array, that is 150,000 TMG servers in total.
Hi, thanks for this article. I'm wondering, you've given the example for outgoing NLB, but for the incoming connection, can FF TMG handle incoming requests from a router to the VIP on the external interfaces? How can we configure it?
Yes you can. Select the networks you want to balance load on.
Hi,
It's a wonderful article, but how do I configure it if I have only two servers and I need redundancy (load balancing) between them?
Hi, I have the same question. I have only 2 TMG Enterprise without EMS. Should I create an array first and then create the NLB? And if I want to create the same settings for internal and external, with some services published?
Thanks 😉
Array first, then NLB. Array members will have the same settings for internal and external config. You can publish whatever is supported by TMG.
Hi. Do you perhaps know what can cause high receive errors on the network load balanced network cards on the array members? I have 2 array members.
What is the event log you get on the TMG servers? What is the error code?
Sir,
I have one EMS server (one NIC card on the EMS) and servers tmg1 and tmg2 (both servers have two NIC cards, one for internal and the other for external). I have imported the policy on the EMS onto the array and joined both servers to the array. Now I am trying to create the EMS policy which is above the array and link it to the array, but it's not working. How can I do that? Please tell me.
How do you configure NLB plus ISP Redundancy? I am having a hard time setting it up.
Thanks
Here is an example: http://microsoftguru.com.au/2011/04/26/ff-tmg-2010-configure-isp-redundancy-step-by-step/
Let me rephrase... how do you set up NLB on the 2nd ISP connection? I have no problem with NLB and the 1st ISP connection.
Thanks
Figured it out.
Nice blog, thank you for sharing information about the TMG issue.
We have an issue with NLB: we get an error (RPC services unavailable) while joining another array node server.
We have 2 TMG nodes and 1 EMS server. Both nodes have been successfully joined to the EMS array. I am trying to enable NLB for both nodes in the TMG console; I have enabled it and checked NLB Manager, and the other node has not joined the cluster (RPC error).
As I was going through the comments in the blog, NLB Manager is not required to manage it, but when I enabled NLB in the TMG console it tries to add the node using NLB Manager and gets an error (RPC service).
Workaround:
I disabled the RPC filter in the Enterprise and system array and that resolved the RPC error, but when I disabled it both nodes get a configuration error in the EMS server (not syncing).
Could you please provide more details on how we need to work with NLB?
In TMG 2010 all DCOM is blocked by default. Add a user-defined port, DCOM 135, and allow that port for intra-array communication. Start the NLB services in TMG 2010. Don't configure NLB using the NLB MMC; instead configure NLB using the TMG 2010 MMC.
If I were in your situation I would do the following:
Install and configure EMS with an array
Join the first TMG to the EMS array and configure everything
Join another TMG
Now configure NLB using the EMS MMC.
Configure the following in the Cisco switch: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml#mm
How do I create full redundancy using two TMG 2010 (configured as a three-leg firewall: internal, external and DMZ)? And how do I install SSL certificates as well as publish websites, Exchange 2010, OWA etc.? I have no problem doing all of these on a single server.
Regards
I have shown NLB for the public network, but you can configure it for all three networks.
Install the web server certificate into the web server and the same certificate into the TMG server. Publish web services using Firewall Policy > Publish Exchange or Websites.
Please can you provide a step-by-step guideline for standalone array member creation and TMG NLB configuration on these arrays?
All the TMG related blogs are here. Help yourself: http://microsoftguru.com.au/category/forefront-tmg-2010/
Hi,
When I select the internal network or perimeter, the virtual IP is not defined and the “Configure NLB Settings…” button is gray. What to do?!?
Thanks
You must configure an enterprise array before you can see those buttons. You must have two TMG servers joined to that array. I hope this will be a good hint for you.
Thanks for the reply.
I already have an array, but the button is still gray.
Ok, it was my problem 🙂 Spoofing was not enabled.
But now I have another problem. After I create NLB, the RDP session to a specific TMG server doesn't work anymore 😦
Any idea?