FF TMG 2010: Configure Network Load Balancing Across Enterprise Array Members

NLB (Network Load Balancing) is a useful built-in TMG feature you can use to spread high network traffic across array members. You can configure network load balancing across up to eight FF TMG array members in one array.

The following is an example of an FF TMG 2010 NLB configuration.

image

To configure network load balancing among FF TMG 2010 enterprise array members, open the FF TMG Enterprise Management Server console, click the Networking node and select the network(s) you want to load balance. For this article, I have chosen the Internal network.

 1

Click Enable Network Load Balancing Integration. The NLB Integration Wizard appears; click Next.

2

Select Internal and click Configure NLB Settings.

3

Type the primary virtual IP (VIP), select Unicast and click OK. The VIP must be an unused address in the same subnet as the internal adapters of both TMG servers. In unicast mode Windows NLB gives the NLB-enabled adapter on every node the same cluster MAC address, so the array members cannot reach each other through that adapter; use a separate adapter that is not NLB-enabled for intra-array communication. After you click Finish, confirm that the VIP has a DNS host record (for example with nslookup), because clients will use that name or address as their proxy.

4

5

Click Finish, then click OK.

6

Apply the changes and click OK.

7

To change or add a VIP later, click the Networking node, right-click the Internal network, click Properties and open the NLB tab.

8

Point the FF TMG client configuration at the new VIP: the client proxy address is now the VIP rather than the address of an individual TMG server.

11

NLB configuration is now complete. To test it, open Internet Explorer, set the VIP as the proxy address and browse to bing.com.

13

14

To verify that clients can still browse through the VIP when an NLB node fails, reboot one TMG server while you keep browsing on a client. Browsing may be slower during the reboot, depending on your load. You will see the following error in the TMG EMS, but once all array members are back up the configuration syncs itself.

9

10
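Example added here, not part of the original article: a PowerShell 3.0 or later script to run on a client during the reboot test above. It sends a request through the VIP proxy every couple of seconds, records latency and failures, and prints a summary, so you get numbers for the failover window instead of watching a browser. The VIP 10.0.0.100, the proxy port 8080 and the test URL are assumed placeholders; replace them with your own values.

```powershell
# Added example, not part of the original article: drive requests through the
# NLB VIP proxy while one array member reboots and record what the client sees.
# Requires PowerShell 3.0 or later on the client (Invoke-WebRequest).
# Assumed placeholders: VIP 10.0.0.100, proxy port 8080, test URL.
param(
    [string]$ProxyVip    = '10.0.0.100',           # assumed VIP, replace with yours
    [int]   $ProxyPort   = 8080,                   # TMG default web proxy listener port
    [string]$TestUrl     = 'http://www.bing.com/',
    [int]   $Iterations  = 120,                    # 120 x 2 s = 4 minutes of sampling
    [int]   $IntervalSec = 2
)

$proxy   = "http://${ProxyVip}:${ProxyPort}"
$results = @()

for ($i = 1; $i -le $Iterations; $i++) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $r      = Invoke-WebRequest -Uri $TestUrl -Proxy $proxy -UseBasicParsing -TimeoutSec 10
        $ok     = $true
        $detail = "HTTP $($r.StatusCode)"
    } catch {
        # A proxy error page from TMG or a timeout both land here
        $ok     = $false
        $detail = $_.Exception.Message
    }
    $sw.Stop()

    $sample = [pscustomobject]@{
        Time   = Get-Date -Format 'HH:mm:ss'
        Ok     = $ok
        Ms     = $sw.ElapsedMilliseconds
        Detail = $detail
    }
    $results += $sample
    Write-Host ('{0}  {1,-5}  {2,6} ms  {3}' -f $sample.Time, $ok, $sample.Ms, $detail)
    Start-Sleep -Seconds $IntervalSec
}

# Summary: failures and worst-case latency during the failover window
$failed  = @($results | Where-Object { -not $_.Ok }).Count
$slowest = ($results | Measure-Object -Property Ms -Maximum).Maximum
Write-Host ('Requests: {0}  Failed: {1}  Max latency: {2} ms' -f $Iterations, $failed, $slowest)
$results | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Save it as Test-TmgNlb.ps1, start it, then reboot one array member; the failed rows tell you how long the VIP was unreachable. On either TMG server, Import-Module NetworkLoadBalancingClusters followed by Get-NlbClusterNode shows each node's state, so you can match client-side failures to the time the node left the cluster.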

Important!    You can centrally manage up to 15 EMS servers, each with up to 200 arrays of up to 50 TMG servers per array, that is 150,000 TMG servers in total.

Relevant Articles:

FF TMG 2010: Configure ISP Redundancy— Step by Step

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management (part II)—Step by Step

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step

FF TMG 2010: Configure ISP Redundancy— Step by Step

The ISP redundancy feature uses multiple ISP links and provides high availability for corporate Internet access, either with load balancing and failover or with failover only. Its main functions are:

  • Designate a primary and a secondary link for Internet connections
  • Balance the traffic load based on a percentage of total traffic per link
  • Fail over automatically to the secondary link if the primary link fails

image

Picture: ISP redundancy using FF TMG 2010

You must meet the following requirements before you configure ISP redundancy:

  • Two separate ISP links
  • The static IP addresses provided by the ISPs must be from separate subnets.
  • Each network must have a Network Address Translation (NAT) relationship with the External network.
  • To ensure that DNS requests are routed to the correct ISP, add a persistent static route for each DNS server address configured on the external network adapters, pointing at that ISP's gateway.

Important!

  • Static NAT rules take precedence over the ISP redundancy configuration. Static NAT traffic directed to the primary ISP link is not rerouted to the secondary link if the primary link is down.
  • While configuring ISP redundancy you can direct traffic sent to a range of IP addresses to a specific ISP link: click Explicit Route Destinations, then Add Range. You can add multiple ranges.

To configure the NICs connected to the ISP links

16

Right-click the external NIC connected to the primary ISP, click Properties, select Internet Protocol Version 4 (TCP/IPv4), click Properties and type the static IP address, subnet mask, gateway and DNS servers provided by that ISP.

Repeat the steps for the external NIC connected to the secondary ISP link. Windows will warn that multiple default gateways are configured; this is expected when two adapters each have their own gateway, and TMG's ISP redundancy decides which link outbound traffic uses. Click Yes to save the configuration.

17

To add a persistent static route

Open a command prompt as an administrator and add one persistent host route per ISP DNS server, through the gateway of the link that ISP provided. The two gateways below (192.168.1.254 and 192.168.100.254) and the interface numbers (3 and 4) are the ones used in this lab; the DNS server addresses are placeholders, replace them with the addresses each ISP gave you:

route -p ADD <ISP1-DNS-IP> MASK 255.255.255.255 192.168.1.254 METRIC 1 IF 3

route -p ADD <ISP2-DNS-IP> MASK 255.255.255.255 192.168.100.254 METRIC 2 IF 4

The destination is the DNS server itself with a 255.255.255.255 (host) mask, so only that address is pinned to the link. A destination that is not the network address for its mask (for example 192.168.1.254 with MASK 255.255.255.0) is rejected by route.exe.

Command Syntax

route [-p] ADD [destination] MASK [netmask] [gateway] METRIC [metric] IF [interface]

  • -p: makes the route persistent, so it survives a reboot
  • METRIC: specifies the priority of this route; the route with the lowest metric has the highest priority
  • IF: specifies the interface number; run route print and read it from the Interface List at the top of the output
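Example added here, not part of the original article: instead of working out interface numbers and DNS addresses by hand, this PowerShell script reads each external adapter's gateway, DNS servers and interface index from WMI and adds the /32 host routes with route.exe, since Windows Server 2008 R2 (the platform for TMG 2010) has no New-NetRoute cmdlet. The connection names ISP1 and ISP2 are placeholders; rename your external connections to match or edit the list. Run it elevated on the TMG server, first with -DryRun to see the commands it would issue.

```powershell
# Added example, not part of the original article: add the persistent DNS host
# routes for each ISP link from the adapters' own configuration.
# Assumptions: the external connections are named ISP1 and ISP2 (placeholders);
# run elevated on the TMG server. route.exe is used because Windows Server 2008 R2
# has no New-NetRoute cmdlet.
param([switch]$DryRun)

$externalNics = @('ISP1', 'ISP2')   # placeholder connection names, primary first
$metric = 1                         # primary link gets the lowest metric, as in the manual commands

foreach ($name in $externalNics) {
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$name'"
    if (-not $adapter) { Write-Warning "No network connection named '$name'"; continue }

    # Win32_NetworkAdapter.DeviceID corresponds to Win32_NetworkAdapterConfiguration.Index
    $cfg     = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.DeviceID)"
    $gateway = @($cfg.DefaultIPGateway)[0]        # this ISP's gateway
    $ifIndex = $cfg.InterfaceIndex                # the number route.exe expects after IF
    $dnsList = @($cfg.DNSServerSearchOrder)       # this ISP's DNS servers

    if (-not $gateway -or -not $dnsList[0]) {
        Write-Warning "'$name' has no gateway or no DNS servers configured; skipping"
        continue
    }

    foreach ($dns in $dnsList) {
        # Host route (/32): only the DNS server itself is pinned to this link
        $routeArgs = @('-p', 'ADD', $dns, 'MASK', '255.255.255.255', $gateway, 'METRIC', $metric, 'IF', $ifIndex)
        if ($DryRun) {
            "route $($routeArgs -join ' ')"
            continue
        }
        $out = & route.exe @routeArgs 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "route ADD for ${dns} failed: $out"
        } else {
            "Added $dns via $gateway on IF $ifIndex (metric $metric)"
        }
    }
    $metric++
}

if (-not $DryRun) {
    # Show the resulting persistent host routes
    route -4 print | Select-String -Pattern '255\.255\.255\.255'
}
```

The script deliberately only adds /32 routes for the DNS servers; it does not touch the default routes, which TMG's ISP redundancy manages. If an ISP later changes its DNS servers, the stale persistent routes remain and must be removed with route DELETE.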

To verify the NAT rule

Open the Forefront TMG Management console and click the Networking node.

Click the Network Rules tab and check that the network rules give the Internal network a NAT relationship with the External network.

18

To configure ISP redundancy

Open the Forefront TMG Management console and click the Networking node. In the details pane, click the ISP Redundancy tab, click Configure ISP Redundancy and follow the wizard as shown in the screenshots.

1

2

3

In this window, select the redundancy mode you want: load balancing with failover, or failover only.

4

5

6

7

8

9

10

11

12

Apply the changes and click OK.

To modify a link, select it and click Edit Selected ISP Connection. To monitor ISP redundancy, click Monitor ISP Redundancy.

15

13

14
