TMG 2010 ISP Redundancy Fail Over Guide

Scenario: I have 2 WAN Internet Connections, and I want that if primary link fails (or looses its connectivity with the ISP/internet) TMG should automatically switch over to secondary link, and when primary link gets back online, TMG should switch back to Primary Link.

But first let’s discuss some theoretical introduction of TMG new feature called ISP Redundancy

Forefront TMG 2010 is the latest proxy/firewall server from Microsoft. It have many new exciting features which makes it very good , reliable and rich feature application.

One of the greatest (and most demanding) new features of Microsoft Forefront TMG is ISP Redundancy. With the help of this feature it is now possible to load balance the network traffic between two different ISPs . One other configuration mode is the ability to configure Microsoft Forefront TMG for ISP Failover (Which is discussed later in this article). In this case, Forefront TMG will use one ISP link as the primary connection, and if this link gets broken, TMG will automatically failover to the second configured ISP.

ISP redundancy feature utilizes multiple ISP links and provide high-availability with load balancing and failover or just failover capability to the corporate Internet. The common functionality of ISP redundancy are:

•     Designate primary and secondary link for internet connections
•     Balance traffic load based on percentage of total traffic per link
•     Automatic fail over to secondary link if primary link fails

Ok Let’s Start 🙂

Requirements:

1) Two Separate WAN connections connected with TMG , both should be fully configured with there respective IP , gateway and DNS.

2) Static Route defined via ip route command for ISP’s DNS Server (Or any other WAN IP, to let TMG decide if the specific link unable to reach isp dns or any other wan ip defined)

In this example , we have 3 Interfaces card in TMG as following

LAN = Connected with Users Switch
WAN1 = PTCL DSL Link (Primary)
WAN2 = FIBER Optics Backup Link (Secondary)

(As shown in the image below . . .)

Open TMG console,
Goto Networking  >> ISP Redundancy
and click on Configure ISP Redundancy

(As shown in the image below . . .)

In the below example, I am using FAILOVER only mode, (But you can select Load balancing with failover capability, you can also change the mode later)

Now type the ISP1 name and select the Network adapter (After selecting the network adapter , Subnet field will auto fill up )

In next screen, it will show you the ISP1 ip scheming info like gateway , subnet , dns etc

Now type the ISP2 name and select the Network adapter (After selecting the network adapter , Subnet field will auto fill up )

In next screen, it will show you the ISP1 ip scheming info like gateway , subnet , dns etc

Now it will ask you which ISP link will act as PRIMARY ISP Connection, select your desired link

All done, It will show the final config on your screen, just select FINISH.

Now the Important Part. We Must add static route to tell TMG via route that if specific WAN link looses its connectivity , it should switch over to secondary link.

First you have to see what network interface have which code, this code will be used in route command to tell which interface rule would be applied.

open command prompt on TMG, and type
ROUTE PRINT

Now Open Network Connections , and take properties of your First ISP Interface Adapter. and you will see the interface name, like below

Now check in the route PRINT command and find the number of your first isp interface card number which name is “Microsoft Virtual Machine Bus Network Adapter #2” which in this example is 12 (it is showed in starting)

Repeat the above step and find the number of secondary ISP link, which in this example is 29

Now issue following command To add a persistent static route

route -p ADD 221.132.112.8 MASK 255.255.255.255 192.168.30.1 METRIC 1 IF 12
route -p ADD 221.132.112.9 MASK 255.255.255.255 192.168.20.1 METRIC 2 IF 29

the above command will tell TMG to go through Specific link for DNS Server status, so if primary link looses it connectivity with the internet(connectivity with the 221.132.112.8 via ISP1, ) it will switch over to ISP2 , it will periodically check primary link connectivity, as soon it restores, it will switch back to primary link.

ROUTE Command Syntax

route [-p] ADD [destination] MASK [netmask] [gateway] METRIC [metric] IF [interface]

• P—-Makes the route persistent
• METRIC---specifies the priority for this route. the route with the lowest metric has the highest priority.
• IF---Specifies the interface number

TIP:

Howto Bind User/dst website to Go through Specific Link Only in TMG

If you want to bind specific user or group to go through specific link only,use the following logic

# First create user/ip/ip range entry in FIREWALL POLICY > TOOL BOX / NETWORK OBJECTS  >> computer / computer sets or address range

# Then goto  NETWORKING / NETWORK RULES and create new NETWORK RULE with following data

Network Name Rule : WAN2 Users
FROM: Your Specific Computer IP / User / IP Range
TO : External
Network Relationship : Network Address Translator (NAT)
NAT Address Selection : Use the Specified IP and then select your desired WAN link ip
Click FINISH and APPLY.

Note: As shown in the images below

Now hit APPLY button to make changes.

To test, Goto your client, and open http://www.whatismyip.com
It will show you new ip of secondary link. 😀

BEFORE NETWORK RULE:  User request is routing through Default First WAN link (PTCL).

AFTER NETWORK RULE:  User request is now routing through second WAN link (FIBER).

Some Considerations and Info

To determine the availability of a particular ISP connection, TMG performs dead link detection by randomly polling one of the thirteen Internet root DNS servers on TCP port 53 (when TMG is deployed as a back firewall, make certain that TCP port 53 is open to the Internet). If the selected root DNS server responds, TMG considers the connection available. If it does not respond, TMG will poll additional root DNS servers at one minute intervals. If no replies are received after three consecutive attempts, TMG considers the connection unavailable and raises an alert. Once TMG identifies a connection as unavailable, it will wait for five minutes before attempting to poll again. Once it receives a response, TMG will continue polling at one minute intervals. When three consecutive responses have been received, TMG will consider the connection available.

In the default setting, TMG checks the status of the ISP link by trying to establish a TCP connection on port 53 (DNS zone transfer) to a list* of root DNS server on a round robin basis. If a connection can be established, TMG will consider the link active.

* Default destination addresses in TMG RC:
192.58.128.30,193.0.14.129,198.32.64.12,202.12.27.33,198.41.0.4,192.228.79.201,192.33.4.12,128.8.10.90,192.203.230.10,192.5.5.241,192.112.36.4,128.63.2.53,192.36.148.17

TMG will wait at least 3 minutes until a link is considered down

•  A link will be considered down for at least 7 minutes (min failed time with 300 seconds + 2x OK interval with 60 seconds each)
• A link has to be stable for at least 3 minutes once TMG will bring the link up again.

You can modify those default values by using VBS Script (mentioned in the below links)

Script to reduce link detection time:

Forefront TMG 2010 ISP Redundancy : Configuring verification of link status

set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 30
ISPRCfg.TestIntervalLinkAvailable = 30
ISPRCfg.TestIntervalLinkUnavailable = 30
ISPRCfg.FailuresToUnavailable = 1
ISPRCfg.SuccessesToAvailable = 1
ISPRCfg.Save

 

I took help from following websites for this article , I copied some text from following websites for general information. You can find Some Good Reference for more detailed and step by step guides.

http://www.isaserver.org/tutorials/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html
http://www.isaserver.org/tutorials/microsoft-forefront-tmg-isp-redundancy-mode.html
http://microsoftguru.com.au/2011/04/26/ff-tmg-2010-configure-isp-redundancy-step-by-step/

Regard’s

Syed Jahanzaib

24.851000 67.008300