Agile Insider Blog

Multiple Internet Connections and Load Balancing – High Availability with Forefront Threat Management Gateway (TMG)

Update: As of September 2011, Microsoft has discontinued Forefront. For more information on how to protect your Microsoft environment, check out our Managed Service and Cloud Consulting services.

Keeping High Availability with Forefront TMG’s ISP Redundancy Feature


Today, more and more businesses rely on their Internet Service Providers link (or ISP) to handle their outside Internet world communications. Sending emails, browsing the web and any other web related actions are essential business infrastructure services that are only available as long the ISP line is up and running.
Keeping a stable, available and reliable outside Internet connection is one of the critical tasks on every administrator’s check list.
Forefront TMG provides a new capability called ISP redundancy which basically, enables utilizing not one, but two ISP links for external connectivity, either for traffic load balancing or as a failover backup.

This post is an introduction to the ISP Redundancy feature. It covers the basic setup steps, configuration, monitoring and some caveats and tips and tricks. It assumes you have access to two different ISPs lines and a TMG server hardware that has at least two available NICs.
This article is based on the Forefront TMG Beta2 release; later editions may vary in their User Interface and feature availability.

Important: ISP Redundancy is currently not supported in production environments. It can be used in non-production deployments.

Configuring ISP Redundancy

Once you’ve passed the initial Forefront TMG setup steps, either by manual configuration or by using the Getting Started Wizard, from Forefront TMG’s Management console tree open up the Networking pane and use the ISP Redundancy tab and click Enable ISP Redundancy to turn this feature on. Clicking Enable ISP Redundancy will open up the configuration wizard.
The first configuration step is choosing between two modes of operations:

Image 1 – Choosing ISP redundancy method.

Load Balancing – Network connections are distributed between the two active ISP lines. Load factor between the two links can be configured by sliding the percentage rule from one end to the other (See image 2). Distribution levels are determined by the actual number of connections.

Failover – Network connections are routed through the primary ISP Link. The secondary links stays inactive up until the master link connection is broken or disconnected. If the master connection fails the secondary link becomes active by routing the outbound traffic through the second ISP Link. The
secondary link will stay active up until the primary link comes back again.

Image 2 – Setting Load Balance Factor for the Load Balance Method

The next steps are similar for both methods. They basically ask for a link name and the specific default gateways and subnet masks of the two ISP links. Within these settings, explicit route destinations can be configured for each ISP link as well. Explicit route definitions, which are only available in load balancing mode, can be useful for defining the DNS servers of both ISPs to be routed explicitly through their respective ISP link. E.g. If we have ISP1 and ISP2 and they have different DNS servers , we’ll configure ISP1 Link to explicitly route the DNS ip address from this specific link (by using the Explicit Route Destinations buttons). This will make sure Forefront TMG is not querying DNS2 for a name resolution by using ISP1’s link. More explicit link traffic control can be set by using another one of Forefront TMG’s new Network rules capabilities, see Tips and Tricks section down below for more information.
* Please note that ISP redundancy will function properly if and only if only one of the external NICs has its default gateway defined in the NIC properties.

Image 3 – Configuring the 1st link as the master link.

Once we’ve configured the mode of operation and the two ISP links, we can go on and finalize the settings by confirming our ISP redundancy settings presented in the last wizard step.

We may also be required to apply the changes we’ve just configured and wait for the changes to fully apply. At this point it would be a good idea to check the Web access connectivity by using a client and our Forefront TMG as the gateway or proxy.

Forefront TMG (ISA Server) Product Team Blog : Keeping High Availability with Forefront TMG’s ISP Redundancy Feature

Please check us out for your Managed Service or Cloud Consulting needs.


Leave a comment

Learn More Today

Have questions or want to learn more about the services and solutions Agile IT has to offer?

Schedule a call with us today!

Schedule a Call

Request a Quote