ISP Redundancy features of TMG 2010 (Part 1)

Posted on Saturday, December 11, 2010 by admin
    One notable feature of TMG Firewall 2010 is its ISP load balancing capability. If you have ever used ISA Firewall, you will know that support for multiple ISPs has been a much-needed feature ever since ISA 2004 was released. This capability is integrated in the upcoming TMG Firewall 2010 release.
    In Part 1 of this article we will configure the virtual environment and the network interfaces of the TMG firewall.
    Before looking at the multi-ISP feature of TMG, we will go over some basic points about it:
    Although the feature is described as multi-ISP support, for clarity we can call it dual-ISP support, because it allows only up to two ISPs.
     
    There must be a NAT relationship between the source network and the destination network, so if you are using a route relationship for any TMG Firewall Protected Network, that network cannot take advantage of multiple ISPs.
     
    Each ISP connection must connect to a default gateway on a different network ID from the other ISP; the two default gateways cannot be on the same network ID (i.e. the external addresses on the TMG Firewall cannot have the same network ID).
     
    DHCP cannot be used to obtain the address of the external interface, so if you are using a home-user type of ISP connection, multi-ISP may not be supported.
     
    You can host both ISP connections on one NIC or on two NICs. In this article we explore the two-NIC configuration, in which each ISP connection has its own external interface.
     
    Network failover handling should be either turned on or turned off on both NICs; if it is turned on for one NIC and turned off for the other, failover will be disabled for the NIC that is turned on.

    Using Multi-ISP support
    Multi-ISP support allows us to use the ISPs in one of two ways:
    Failover only. In this mode, one ISP is always used until it is no longer available. When that happens, connections are forwarded to the secondary ISP. This is a good choice when you have one high-speed link and one low-speed link; in addition, we incur usage costs on the backup link only when it is needed.
    Failover and load balancing. In this mode, both links are used. We have the option to set the share of the load for each link, so the two links do not have to be used equally. If one link fails, all connections move to the link that is still online.
    Multi-ISP support for virtual environments
    Next we will take a number of steps to build a virtual environment that supports Multi-ISP. In this article we use VMware Workstation, but you can also use Windows Virtual PC, ESX Server or Microsoft Hyper-V. There is little difference between these products because they all work on the same principle.
    First we start with the basic virtual network layout. We will use four virtual networks, or virtual switches, each representing a different physical or virtual Ethernet segment.
     
    Bridged: This is the network in use on the corporate network. Virtual NICs connected to this network are given valid IP addresses on the live network and use it to connect to the Internet.
     
    VMNet3: This is a virtual switch that represents the Ethernet segment connecting the TMG firewall to the first ISP.
     
    VMNet4: This is a virtual switch that represents the Ethernet segment connecting the TMG firewall to the second ISP.
     
    VMNet2: This is a virtual switch that represents the Ethernet segment connected to the TMG Firewall's default Internal network.

    Figure 1 shows the VMNets and the devices connected to them:
     
    RRAS1: This is a Windows Server 2003 virtual machine with the RRAS service configured as a NAT server. Its external interface is connected to the Bridged network and its internal interface is connected to VMNet3, which links it to the NIC on the TMG firewall that uses the RRAS1 ISP through Windows 2003 RRAS NAT.
     
    RRAS2: This is a Windows Server 2003 virtual machine with the RRAS service configured as a NAT server. Its external interface is connected to the Bridged network and its internal interface is connected to VMNet4, which links it to the NIC on the TMG firewall that uses the RRAS2 ISP through Windows RRAS NAT.
     
    TMG Firewall: The TMG Firewall has three NICs: one connected to VMNet3 (this NIC connects to the RRAS1 ISP), one connected to VMNet4 (this NIC connects to the RRAS2 ISP), and the remaining NIC connected to VMNet2 (the TMG Firewall's default Internal network).
     
    DC: A Windows Server 2003 domain controller for the msfirewall.org domain. The TMG Firewall belongs to this domain, and the DC is connected to VMNet2.

    Some notes on this configuration:
    1. The RRAS1 and RRAS2 machines stand in for the ISP default gateways used throughout this setup. The internal IP address of RRAS1 therefore represents the default gateway of the first ISP, and the internal IP address of RRAS2 represents the default gateway of the second ISP. Our test system differs from a production one in that the Internet connections are made through the Bridged network, so the external interfaces on RRAS1 and RRAS2 use the same default gateway.
    2. We are using a dedicated NIC on the TMG firewall for each ISP. This is not required; in the next section we will configure the ISP connection without a dedicated NIC.
    3. The same network segments can be created with other virtualization tools (such as Windows Virtual PC, ESX and Hyper-V), which provide similar support for network segments.




    Now that we have created the virtual network architecture, we will look at the IP addressing scheme. The IP addresses used in this example are shown in Figure 2. Note that the TMG NIC for the RRAS1 ISP uses the internal interface of RRAS1 as its default gateway. The RRAS1 network segment has network ID 10.0.1.0/24, while the network segment attached to RRAS2 has network ID 10.0.2.0/24.
    The TMG Firewall's default Internal Network has network ID 10.0.0.0/24, and the DC on that network uses the TMG Firewall as its default gateway.

    In this article we explore the ISP load balancing feature, so we will look at how the TMG Firewall implements load balancing. Basically, the TMG Firewall takes the source (client) address and the destination (server) address and creates a hash value, which is then mapped to a value between 1 and 100. Hash values are distributed evenly across this range. After calculating the value, the TMG Firewall checks the share of traffic assigned to each ISP.
    For example, suppose that ISP1 is assigned 75% of the load and ISP2 is assigned 25%. If the hash value is 30, the connection goes to ISP1, because the hash value is lower than the value assigned to the preferred connection. If the hash value is 80, the connection is forwarded to ISP2, because this value is higher than the value assigned to the preferred connection.
    In short:
    Check the load assigned to the preferred connection (as a percentage).
      
    If the hash value is lower than that value, the preferred connection is used.
      
    If the hash value is higher, the secondary connection is used.

    Figure 3 below illustrates an example. The RRAS1 ISP is assigned 75% of the traffic and the RRAS2 ISP is assigned 25%. We can see the interface configuration in Figure 3. When PC1 connects to Web-1, the hash value is calculated as 60. Because this value is lower than the percentage assigned to the preferred connection, the connection is made through the preferred connection (in this case the RRAS1 ISP). When PC1 connects to Web-2, the hash value is calculated as 80. This value is higher than the percentage assigned to the preferred connection, so this connection is routed through the secondary (non-preferred) connection.
    Of course, if we set both ISP connections to 50%, half of the hash values will be lower than 50 and half will be higher than 50, so connections will be divided equally between the ISPs.
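
The selection rule described above, as an added Python sketch (not TMG code and not from the original article). SHA-256 is an assumed stand-in for the hash, which the article does not name; the function names, the tie rule at the boundary and the sample addresses are assumptions for illustration.

```python
import hashlib
import ipaddress

def bucket(src: str, dst: str) -> int:
    """Map a (client, server) address pair to a value in 1..100.

    SHA-256 is a stand-in: the article does not say which hash TMG uses.
    """
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % 100 + 1

def route_for_bucket(value: int, preferred_pct: int) -> str:
    # Assumption: a value equal to the percentage counts as "preferred",
    # so that the range 1..100 splits exactly preferred_pct : remainder.
    return "ISP1" if value <= preferred_pct else "ISP2"

def select_isp(src, dst, preferred_pct=75, links_up=("ISP1", "ISP2")):
    """Pick the link for one connection; fail over if the chosen link is down."""
    if not links_up:
        raise RuntimeError("no ISP link is online")
    choice = route_for_bucket(bucket(src, dst), preferred_pct)
    return choice if choice in links_up else links_up[0]

def preferred_share(pairs, preferred_pct, links_up=("ISP1", "ISP2")):
    """Fraction of the given pairs that end up on ISP1."""
    picks = [select_isp(s, d, preferred_pct, links_up) for s, d in pairs]
    return picks.count("ISP1") / len(picks)

# Constructed sample traffic: 40 clients on the 10.0.0.0/24 internal network,
# each talking to 100 servers in the 203.0.113.0/24 documentation range.
PAIRS = [(f"10.0.0.{c}", f"203.0.113.{d}")
         for c in range(10, 50) for d in range(1, 101)]

if __name__ == "__main__":
    print("hash 30 ->", route_for_bucket(30, 75))   # the article's example values
    print("hash 80 ->", route_for_bucket(80, 75))
    print("75/25 share on ISP1:", preferred_share(PAIRS, 75))
    print("50/50 share on ISP1:", preferred_share(PAIRS, 50))
    print("ISP1 down:", preferred_share(PAIRS, 75, links_up=("ISP2",)))
```

Because the value depends only on the address pair, a given client and server always land on the same link while both links are up. Failover-only mode can be modelled here as `preferred_pct=100`.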

    Configure network interfaces on the TMG Firewall
    In Figure 4 we can see the network interfaces configured on the TMG firewall used in this example. The LAN interface is connected to VMNet2, the WAN interface is connected to VMNet3 and WAN2 is connected to VMNet4.

    The WAN NIC was the interface initially configured on the TMG firewall, so it was given a default gateway before TMG firewall setup was started. In Figure 5, we can see that it has been assigned a valid IP address for the RRAS1 ISP and that its default gateway is the internal IP address of the RRAS1 virtual machine (which acts as the ISP's default gateway in this setup).
    In addition, we need to open the Advanced TCP/IP settings and disable the Automatic Metric feature. Microsoft recommends doing so for the ISP Redundancy feature to operate stably. We then need to set a metric manually. The only requirement is that the preferred interface is given a lower metric than the non-preferred interface. In Figure 5, the preferred interface is set to use a manual metric.

    IP address information for the non-preferred ISP (the RRAS2 ISP): this interface is set to use metric 2.
    Windows does not allow two default gateways to be assigned on the same machine. However, the ISP Redundancy feature of the TMG Firewall allows us to break this rule, so we only need to click Yes when the warning shown in Figure 7 appears.
    Before going further we need to check which interface is used. We have configured the TMG firewall and created an open rule. When we run the tracert command, the preferred interface is the one that is used.
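
The prerequisites listed earlier and the metric rule above can be checked together before ISP Redundancy is enabled. This is an added Python sketch, not part of the original article or of TMG; it assumes the two-NIC layout used here, and the class, field names and host addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ExternalNic:
    name: str
    address: str            # interface address in CIDR form
    gateway: str            # default gateway of this ISP
    dhcp: bool
    automatic_metric: bool
    metric: int
    preferred: bool

def check_isp_redundancy(nics):
    """Return a list of problems; an empty list means the checks passed."""
    if len(nics) != 2:
        return [f"expected 2 ISP connections, found {len(nics)}"]
    problems = []
    for nic in nics:
        if nic.dhcp:
            problems.append(f"{nic.name}: external address comes from DHCP")
        if nic.automatic_metric:
            problems.append(f"{nic.name}: Automatic Metric is still enabled")
    net_a, net_b = (ipaddress.ip_interface(n.address).network for n in nics)
    # The two default gateways must sit on different network IDs.
    if net_a.overlaps(net_b) or ipaddress.ip_address(nics[1].gateway) in net_a:
        problems.append("both default gateways are on the same network ID")
    preferred = [n for n in nics if n.preferred]
    if len(preferred) != 1:
        problems.append("exactly one connection must be marked preferred")
    else:
        other = next(n for n in nics if not n.preferred)
        if preferred[0].metric >= other.metric:
            problems.append("preferred interface needs the lower metric")
    return problems

# Constructed host addresses inside the article's 10.0.1.0/24 and 10.0.2.0/24.
GOOD = [ExternalNic("WAN", "10.0.1.2/24", "10.0.1.1", False, False, 1, True),
        ExternalNic("WAN2", "10.0.2.2/24", "10.0.2.1", False, False, 2, False)]
BAD = [GOOD[0],
       ExternalNic("WAN2", "10.0.1.3/24", "10.0.1.1", True, True, 1, False)]

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check_isp_redundancy(cfg) or "OK")
```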
    Here is the order in which the interfaces were configured:
     
    Create the initial virtual machine with two NICs, internal and external.
     
    Assign IP addresses to the external interface and the internal interface.
     
    Install the TMG firewall software.
     
    Confirm that the installation was successful.
     
    Shut down the TMG virtual machine and add a third virtual NIC for the second ISP link.
     
    Configure the third virtual NIC after restarting the virtual machine.
     
    Restart the computer after configuring the IP address on the third interface.
     
    This is not the method Microsoft recommends, but it has been tested and works well.

    Conclusion
    In this first part of the series on the ISP Redundancy feature of the TMG Firewall, we outlined the virtual network structure and gave some information about how the ISP is selected. We then configured the interfaces and noted a few points about configuring the network interface that connects to each ISP. In the next part, we will configure the ISP load balancing feature and check whether it actually works by testing from a workstation and examining the TMG firewall log file and a Netmon trace.
