Showing posts with label Network Tips. Show all posts

ISP Redundancy features of TMG 2010 (Part 1)

One notable feature of TMG Firewall 2010 is its ISP load balancing capability. Anyone who has used the ISA Firewall knows that support for multiple ISPs has been a much-needed feature since ISA 2004 was released, and it is finally integrated into TMG Firewall 2010. In Part 1 of this article we will set up the virtual lab and configure the network interfaces of the TMG firewall.
Before getting into the multi-ISP feature of TMG, let us review some basic points about it:
Although the feature is called multi-ISP support, for clarity we can call it dual-ISP support, because it only allows up to two ISPs.

There must be a NAT relationship between the source network and the destination network, so if you use a route relationship for any TMG Firewall Protected Network, that network cannot take advantage of multiple ISPs.

Each ISP connection must connect to a default gateway on a different network ID from the other ISP; the two default gateways cannot exist on the same network ID (that is, the external network addresses on the TMG Firewall cannot share the same network ID).

You cannot use DHCP to obtain the address of the external interface, so if you are using a home-user type of ISP connection, multi-ISP may not be supported.

You can terminate both ISP connections on one NIC or on two NICs. In this article we use the two-NIC configuration, in which each ISP connection is represented by its own external interface.

Failover must be configured the same way on both NICs, either enabled on both or disabled on both; if it is enabled on one NIC and disabled on the other, failover is disabled altogether.
Using the multi-ISP feature
Multi-ISP support allows us to use the ISPs in one of two ways:
Failover only. In this mode one ISP is always used until it fails, at which point connections are forwarded to the other ISP. This is a good choice when you have one high-speed link and one low-speed link, because you only pay for use of the backup link when it is actually needed.
Failover and load balancing. In this mode both links are used. We can set the share of traffic assigned to each link, so the two links need not carry equal load. If one link fails, all connections move to the link that is still online.
Multi-ISP support in virtual environments
Next we will carry out a number of steps so that the virtual environment also supports multi-ISP. In this article we use VMware Workstation, but you can also use Windows Virtual PC, ESX Server or Microsoft Hyper-V. There is not much difference between these products, because they all use the same principle.
First we start with the basic virtual network schema. We use four virtual networks (virtual switches), each representing a different physical or virtual Ethernet segment:
Bridged: This network is the corporate network. A virtual NIC connected to this network gets a valid IP address on the corporate network and uses it to connect to the Internet.

VMNet3: A virtual switch representing the Ethernet segment that connects the TMG firewall to the first ISP.

VMNet4: A virtual switch representing the Ethernet segment that connects the TMG firewall to the second ISP.

VMNet2: A virtual switch representing the Ethernet segment connected to the TMG Firewall's default Internal network.
Figure 1 shows the VMNets and the devices connected to them:
RRAS1: A virtual machine running Windows Server 2003 with the RRAS service configured as a NAT server. Its external interface is connected to the Bridged network and its internal interface to VMNet3, which connects to the NIC on the TMG firewall that uses RRAS1 as its ISP (via Windows Server 2003 RRAS NAT).

RRAS2: A virtual machine running Windows Server 2003 with the RRAS service configured as a NAT server. Its external interface is connected to the Bridged network and its internal interface to VMNet4, which connects to the NIC on the TMG firewall that uses RRAS2 as its ISP (via Windows Server 2003 RRAS NAT).

TMG Firewall: The TMG Firewall has three NICs: one connected to VMNet3 (this NIC connects to the RRAS1 ISP), one connected to VMNet4 (connected to the RRAS2 ISP), and the remaining NIC connected to VMNet2 (the TMG Firewall's default Internal network).

DC: A Windows Server 2003 Domain Controller for the msfirewall.org domain. The TMG Firewall belongs to this domain, and the DC is connected to VMNet2.
Some notes on this configuration:
1. The RRAS1 and RRAS2 machines stand in for the ISP default gateways we would use in a production deployment. Therefore the internal IP address of RRAS1 represents the first ISP's default gateway, and the internal IP address of RRAS2 represents the second ISP's default gateway. Our test system is different in that both Internet connections are made via the Bridged network, so the external interfaces of RRAS1 and RRAS2 use the same default gateway.
2. We use a dedicated NIC on the TMG firewall for each ISP. This is not required, and in a later part we will configure the ISP connections without dedicated NICs.
3. We can create the same network segments with other virtualization tools (such as Windows Virtual PC, ESX and Hyper-V), which provide similar support for network segments.




Now that we have created the virtual network architecture, we check the IP addressing scheme. The IP addresses used in this example are shown in Figure 2. Note that the TMG NIC for the RRAS1 ISP uses RRAS1's internal interface as its default gateway. The network segment attached to RRAS1 has network ID 10.0.1.0/24, while the segment attached to RRAS2 has network ID 10.0.2.0/24.
The TMG Firewall's default Internal network has network ID 10.0.0.0/24, and the DC on the local network uses the TMG Firewall's internal interface as its default gateway.

In this article we explore the ISP load balancing feature, so we need to understand how the TMG Firewall implements load balancing. Basically, the TMG Firewall takes the source (client) address and the destination (server) address and computes a hash; this value is then expressed as a number between 1 and 100, with hash values spread evenly over that range. After calculating this value, the TMG Firewall compares it with the share of traffic assigned to each ISP.
For example, suppose that ISP1 is assigned 75% of the load and ISP2 is assigned 25%. If the hash value is 30, the connection goes to ISP1, because the hash value is lower than the percentage assigned to the preferred connection. If the hash value is 80, the connection is forwarded to ISP2, because the value is higher than the percentage assigned to the preferred connection.
In short, we need to: Check the load share assigned to the preferred connection (as a percentage).

If the hash value is lower than that share, the preferred connection is used.

If the hash value is higher, the secondary connection is used.
Figure 3 illustrates an example. The RRAS1 ISP is assigned 75% of the traffic and the RRAS2 ISP 25%; the interface configuration can be seen in Figure 3. When PC1 connects to Web-1, the hash value is calculated as 60. Because this is lower than the share assigned to the preferred connection, the connection is made through the preferred connection (in this case the RRAS1 ISP). When PC1 connects to Web-2, the hash value is calculated as 80. This is higher than the share assigned to the preferred connection, so this connection is routed through the secondary (non-preferred) connection.
Of course, if we set both ISP connections to 50%, half of the hash values will be below 50 and half above 50, so connections are divided equally between the two ISPs.
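As an added example (not code from the original article or from TMG), the selection rule above simulated in Python: TMG's real hash function is not described here, so hash_flow() is a stand-in, and the ISP names, addresses and flows are constructed for the example.

```python
"""Simulation of the TMG ISP-selection rule explained above.

Added example, not TMG's code. Assumptions: TMG's real hash function is not
documented on the page, so hash_flow() is a stand-in (SHA-256 of the address
pair folded into 1..100); a hash exactly equal to the preferred share is treated
as "not higher", so it goes to the preferred link; a link that is down takes no
traffic. The ISP names, addresses and flows below are constructed.
"""
import hashlib
import ipaddress
from collections import Counter

PREFERRED = "RRAS1 ISP"    # the link given the larger share in the article's example
SECONDARY = "RRAS2 ISP"


def hash_flow(src: str, dst: str) -> int:
    """Map a (client, server) address pair to an integer in 1..100.

    Stand-in for TMG's hash: only the range and even spread matter, plus the
    property that the same pair always maps to the same value (so one client's
    connections to one server always leave through the same ISP)."""
    ipaddress.ip_address(src)   # raise early on a malformed address
    ipaddress.ip_address(dst)
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100 + 1


def choose_isp(hash_value: int, preferred_pct: int,
               preferred_up: bool = True, secondary_up: bool = True) -> str:
    """Apply the rule: hash at or below the preferred share -> preferred ISP,
    above it -> secondary ISP. With preferred_pct=100 this is the
    'failover only' mode: everything stays on the preferred link until it fails."""
    if not 1 <= hash_value <= 100:
        raise ValueError("hash value must be in 1..100")
    if not 0 <= preferred_pct <= 100:
        raise ValueError("share must be a percentage")
    if not preferred_up and not secondary_up:
        raise RuntimeError("both ISP links are down")
    if not preferred_up:
        return SECONDARY          # failover: all traffic moves to the surviving link
    if not secondary_up:
        return PREFERRED
    return PREFERRED if hash_value <= preferred_pct else SECONDARY


def route(src: str, dst: str, preferred_pct: int, **link_state) -> str:
    """ISP chosen for one flow under the given share and link state."""
    return choose_isp(hash_flow(src, dst), preferred_pct, **link_state)


def distribution(flows, preferred_pct: int, **link_state) -> Counter:
    """Count how many flows each ISP carries under the given share."""
    return Counter(route(s, d, preferred_pct, **link_state) for s, d in flows)


# Constructed sample: 250 clients on the 10.0.0.0/24 Internal network from the
# article, each opening connections to four (documentation-range) web servers.
SAMPLE_FLOWS = [(f"10.0.0.{c}", f"203.0.113.{w}")
                for c in range(1, 251) for w in (1, 2, 3, 4)]

if __name__ == "__main__":
    # The article's Figure 3 walk-through: hashes 60 and 80 against a 75/25 split.
    print("hash 60 ->", choose_isp(60, 75))
    print("hash 80 ->", choose_isp(80, 75))
    print("75/25 split over 1000 flows:", distribution(SAMPLE_FLOWS, 75))
    print("50/50 split over 1000 flows:", distribution(SAMPLE_FLOWS, 50))
    print("75/25 with RRAS1 down:", distribution(SAMPLE_FLOWS, 75, preferred_up=False))
```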

Configure network interfaces on the TMG Firewall
Figure 4 shows the network interfaces configured on the TMG firewall used in this example. The LAN interface is connected to VMNet2, the WAN interface is connected to VMNet3 and WAN2 is connected to VMNet4.

The WAN NIC was configured first on the TMG firewall, so it already had a default gateway before the TMG firewall software was installed. In Figure 5 we can see that it has been assigned a valid IP address for the RRAS1 ISP, and its default gateway is the internal IP address of the RRAS1 virtual machine (in a production system this would be the ISP's default gateway). In addition, we need to open the Advanced TCP/IP settings and disable the Automatic Metric feature. Microsoft recommends doing so for stable operation of the ISP Redundancy feature, so we set the metric manually instead. The only requirement is that the preferred interface is configured with a lower metric than the non-preferred interface. In Figure 5, the preferred interface has its metric set manually.

Next we display the IP address information for the non-preferred ISP (the RRAS2 ISP). This interface is configured with metric 2.
Windows does not normally allow two default gateways on the same machine. However, the ISP Redundancy feature of the TMG Firewall lets us break this rule, so we simply click Yes when we see the warning shown in Figure 7.
Before installing, we need to check which interface will be used. We configure the TMG firewall rules and create an access rule. When we run the tracert command, the preferred interface is the one used.
Here is the order of steps to configure the interfaces:
Create the initial virtual machine with two NICs: internal and external.

Assign IP addresses to the external and internal interfaces.

Install the TMG firewall software.

Confirm that the installation was successful.

Shut down the TMG virtual machine and add a third virtual NIC for the second ISP link.

Configure the third virtual NIC after restarting the virtual machine.

Restart the machine after configuring the IP address on the third interface.

This is not the method Microsoft recommends, but it has been tested and works well.
Conclusion
In this first part of the series on the ISP Redundancy feature of the TMG Firewall we have outlined the virtual network structure and explained how an ISP is chosen for a connection. We then configured the interfaces and noted a few points about configuring the network interface connected to each ISP. In the next part we will configure the ISP load balancing feature and check whether it actually works by testing from a workstation and examining the TMG firewall log file and a Netmon trace.

Turn an old computer into an access point

If you have old computers that are no longer in use, do not rush to throw them away; they can still be put to a number of quite useful purposes. In this article we give five suggestions for turning an old computer into a useful device for testing, routing, security and more.


1. Install Ubuntu or another distribution to try Linux
If you have never used an operating system other than Windows, you can now explore the world of open-source operating systems for free by installing Ubuntu. Within an hour you can download and install Ubuntu, or one of thousands of other distributions, on the old computer. You can even try it before installing anything on your hard drive, using the live CD that some distributions provide.
Today Ubuntu has become very popular, especially for those new to Linux. "Ubuntu" is an ancient African word meaning "I am who I am thanks to the people around me", and the project's mission and philosophy is to make the world of computing better.
When you boot into a desktop version of Linux you will find that, although there are many differences, the OS still has the same functionality as Windows. There is still a Start menu (better organized than in Windows) and there are icons on the desktop. Ordinary users can edit documents, browse the web and perform other basic tasks.
The biggest advantage is that you can access hundreds of thousands of free applications. Most distributions include everything you could mention: an office suite, email client, calendar, web browser, photo editing and more.
For additional applications, you can use the package manager to search for and install software listed in the distribution's repository, or download programs directly from the developer's site and build them yourself.
Linux is actually the operating system behind many devices and network computers. The remaining ideas in this article also use Linux-based software.
2. Turn it into a router with RouterOS or ZeroShell
You can have advanced networking features, like those found in Cisco devices, with a little effort. A Linux operating system can turn your old PC into a multi-purpose LAN server. Use it to replace your router by running a firewall and sharing Internet access (with NAT). You can even connect offices together with a VPN server and client, provide public access by configuring a captive portal, or use it for load balancing and automatic failover. The possible features and solutions are endless.
Two projects that give you these advanced features are RouterOS and ZeroShell. ZeroShell is a free tool that can be run from a CD with its profiles stored on a hard drive or USB drive. After a minimal configuration in the console, you can administer it via a web browser on a remote computer. RouterOS has been around for years and is widely appreciated. It can be installed directly onto a disk and configured through multiple interfaces, including a web interface and a GUI application.
3. Create a LAN file server with FreeNAS
If you share files on the network a lot, you can use a Network Attached Storage (NAS) solution instead of basic Windows shares. You may notice that NAS devices (essentially small computers) are not cheap, and on top of that you have to buy the hard drives. However, you can build your own NAS by installing FreeNAS, a NAS server based on FreeBSD, on the old PC.
Using a NAS server means you do not have to worry about keeping a PC on so that others can access a Windows share. FreeNAS gives your network a central storage location that is always accessible. It also provides access control and makes sharing easier: it can store user information and authenticate users. With Windows shares, you would have to mirror each user account on the computer to get the same protection for your shares.
Like other NAS servers, FreeNAS supports a Recycle bin. If you delete a file from a Windows share, it disappears permanently. If you delete a file from a FreeNAS share, it goes into the Recycle bin and you can restore it if necessary.
FreeNAS supports many different sharing protocols: CIFS (SMB/Samba) for Windows, NFS for Linux/Unix, and AFP for Mac OS X. It also supports FTP, RSYNC and iSCSI. There is even an iTunes/DAAP server, so you can share files with your iPod. FreeNAS also includes a BitTorrent feature.
4. Run a web, email, FTP or other server with Linux
Although web hosting prices can be quite affordable, you may still want to host your own website. This can also be useful for development on a local network or for working with special applications. Besides, you can host other services, such as a mail server with POP3 and SMTP, file access with an FTP server, or databases with a MySQL server.
The two leading web servers, the Apache HTTP server for Linux and Microsoft's IIS server (included in the professional versions of Windows), are actually free to use.
When installing Apache, you can install just the web server or a software bundle that includes it. When using Apache, it is best to install a server software bundle. Apache2Triad is a great bundle for Windows. If you use Linux, you can select the LAMP group when installing Ubuntu Server Edition.
5. Turn it into a hotspot with ZoneCD
Do you want to provide wireless Internet access for your customers without investing in an expensive hotspot gateway? If you have an old computer, you can create a Wi-Fi hotspot using ZoneCD from PublicIP.
ZoneCD is a Linux live CD that provides Wi-Fi authentication and allows web content filtering. It boots directly from the disc without making any changes to the hard drive. The minimum requirements are 128MB of RAM, a CD-ROM drive and a floppy disk drive or USB drive to store the configuration, plus two Ethernet cards: one to plug into the Internet and one to plug into a wireless router or AP.

Optimized dual-band Wi-Fi

Wi-Fi routers that support two frequencies and routers that support only one frequency at a time each have advantages and disadvantages. The evolution of technology makes everything better, faster and more reliable: USB 1.0 gave way to USB 2.0, FireWire 400 to FireWire 800, 10Mbps Ethernet to 100Mbps and even 1,000Mbps (Gigabit); wireless (Wi-Fi) routers developed from 802.11b at 11Mbps to 802.11g at 54Mbps and then to 802.11n draft 2.0 at up to 300Mbps, and from single-band Wi-Fi routers (2.4 GHz or 5 GHz) to dual-band routers that support devices using both 2.4 GHz and 5 GHz.
In theory, a dual-band Wi-Fi router supports both the 2.4 GHz and 5 GHz frequencies. Due to price competition and the features wanted by different customers, manufacturers have designed dual-band Wi-Fi routers in two main categories: (1) routers that support both frequencies simultaneously and (2) routers that support only one frequency at a time. Previously, dual-band routers supported 802.11a and 802.11b/g; today's devices also support draft 802.11n (that is, 802.11a, 802.11b/g and draft 802.11n). In this article we only discuss dual-band routers supporting the draft 802.11n standard.
Each type has advantages and disadvantages. For example, with a device that supports both 2.4 GHz and 5 GHz simultaneously, such as the D-Link DIR-855 (ID: A0905_68), all Wi-Fi devices from 802.11a/b/g to 802.11n draft 2.0 can share one network. However, as you know, many devices on one network lead to slow access because bandwidth is shared among many machines used for many different purposes, not to mention household appliances causing interference that affects speed. Of course, with this type of router you can turn off one of the two frequencies on a schedule to reserve bandwidth for essential needs.
Meanwhile, a Wi-Fi router that supports only one frequency at a time, such as the Linksys WRT320N (ID: A0907_75), has its own advantages: it is cheaper than a router that supports both frequencies simultaneously, and because at any one time only Wi-Fi devices compatible with either 2.4 GHz or 5 GHz can access the network, overloading is avoided in most cases.
Using a dual-band Wi-Fi router
A dual-band Wi-Fi router usually has at least two SSIDs (Wi-Fi network names), so you can customize the SSID and encryption mode (WPA2/WPA/WEP) for each band.
With a device that supports both frequencies simultaneously, such as the DIR-855, you have two setup options. If your various client devices (PCMCIA, USB, CardBus, ExpressCard or the network card integrated in a laptop) all support both frequencies, you can set the same network name and encryption settings on both SSIDs so that dual-band Wi-Fi clients can use the full bandwidth of the network. If your network equipment supports many different standards (most often 802.11b), the network speed will slow down. To fix this, set two different SSIDs with different passwords. In particular, at 2.4 GHz you should use a lower encryption mode if the network has many old devices. The benefit of this setup is that you enjoy the advantages of 5 GHz (low interference, high speed for watching video online).


(Figure 1: Wi-Fi Router supports two frequencies simultaneously)


With a dual-band Wi-Fi router that does not support both frequencies simultaneously, you can change the network name and save a configuration for each frequency. If you want to switch to the other frequency, you do not need to set it up from scratch (at least the network name, password and encryption mode are kept).
Both the 2.4 GHz and 5 GHz frequencies used by Wi-Fi routers are licence-free, which means any individual or organization can use them. Therefore, interference between devices is unavoidable.

Figure 2: Wi-Fi router supporting only one frequency at a time
To optimize a Wi-Fi network, you should balance three factors: interference (almost entirely at 2.4 GHz), coverage and speed. These three are closely related: heavy interference means low speed and poor coverage; broad coverage slows things down; and the higher the speed, the more interference matters and the closer the workstation must be to the Wi-Fi device.
Factors affecting dual-band Wi-Fi
1) Interference at 2.4 GHz: the 2.4 GHz band is "contaminated" because it is an ISM (industrial, scientific and medical) band that is free to use, so it is used by many industrial, scientific and medical devices. Many of these devices are not used for communication at all, but generate electrical signals as a side effect of their operation, a phenomenon that causes interference.
Some causes of interference:
Microwave ovens also use 2.4 GHz to heat food. A microwave oven generates a signal of about 1,000W oscillating 2.4 billion times per second, i.e. 2.4 GHz. This causes interference. Although the oven's shielding limits emissions to the outside, a small amount leaks out, disrupting Wi-Fi and reducing signal quality.
Solution: Move the Wi-Fi equipment and the kitchen appliance apart, or use the 5 GHz frequency, which is much less affected by this interference.
Other hardware on the 2.4 GHz frequency. The 2.4 GHz frequency is used for many purposes by many different devices, such as Bluetooth, cordless phones, baby monitors, wireless cameras and video senders, projectors and so on.
Solution: Upgrade the equipment, for example switch to a 5.8 GHz cordless phone or a better baby monitor, or use 5 GHz Wi-Fi.
Only some channels do not overlap each other. The more devices use overlapping channels, the greater the interference between networks. In apartment buildings you can "see" tens of networks using the same frequency, all "colliding" with each other, slowing down and sometimes dropping the network.
Solution: Switch to 5 GHz devices. If you still want to use the 2.4 GHz frequency, you can use the three non-overlapping channels 1, 6 and 11 to set up three Wi-Fi routers close together (each router on its own channel).
2) Coverage at 2.4 GHz: the advantage of 2.4 GHz is that its coverage is wider than that of 5 GHz. The shorter wavelength of the 5 GHz frequency cannot penetrate solid structures such as walls, ceilings, desks and people as well.
Some causes that affect coverage:
The coverage of 5 GHz seems quite small compared to 2.4 GHz. Walk around the room and you may find that you cannot see the 5 GHz network, or that its signal strength is poor.
Solution: Where possible, let the Wi-Fi client automatically choose the lowest-numbered 5 GHz channel (or select it manually). If channel 149 or higher is selected and you have problems with the network, try the other three options (153, 157 and 161), and if you still have problems, go back to automatic mode.
Slow connection speeds. When you check your 802.11n devices, they connect at 5 GHz at 130Mbps or slower.
Solution: Make sure wide (40MHz) channels are enabled on the router. With 802.11n, a Wi-Fi client can connect over a wide channel that is double the width of a normal channel (20MHz). Apple and several other manufacturers do not offer the wide channel option at 2.4 GHz because interference affects the signal too much; the 5 GHz frequency has significantly lower interference, so Apple sets up its dual-band Wi-Fi routers to use wide channels automatically. If you do not see a speed of 270Mbps, check whether this option has been turned on.
Low data transfer speed.
Solution: If the transmitter and receiver are far apart, move them closer together or add a second Wi-Fi device to extend the network. Also check for interference problems by moving the source of interference or the Wi-Fi devices away from each other to improve speed. Another option is to avoid 2.4 GHz devices and switch to the 5 GHz frequency. This frees up 2.4 GHz, ensuring faster speeds for 802.11n devices. The advantage of 5 GHz is that very few devices use this frequency, which limits interference, improves network speed and ensures a more stable connection.

7 tips for network troubleshooting Wireless N

In this guide we show you some tips for troubleshooting your Wireless N network so that it performs as well as possible.
1. Confirm that you are using new adapters
If you only ever get 54Mbps or lower, first check whether you are using a wireless N adapter rather than an older wireless G card.
An old adapter can connect to new N devices, but full speed and efficiency can only be achieved on connections between a wireless N router or access point (AP) and a wireless N adapter. In short, you must upgrade all wireless devices.
2. Verify that hardware is from the same manufacturer
One reason for the Wi-Fi Alliance's certification of wireless products is to ensure that equipment from different manufacturers can work together.
However, some proprietary features only work with equipment from the same vendor. In addition, there are many interoperability issues between wireless N devices.
While the official standard was not yet complete, companies were still releasing Draft products. At this point, you should use the same manufacturer for all network devices to avoid potential problems.
If you have not chosen a brand yet, think about any specific wireless devices you need or want. For example, if you want to stream images, video and music files from your computer to your TV with a wireless media extender, compare the features offered by different brands. Then you can choose the brand that is best for you.
Once you have settled on a company, look for product reviews online. Just type the model number into Google and you will see a long list of product reviews.
Compare two or three reviews to find out which characteristics of the router people like or dislike.
3. Use only WPA2 encryption
The wireless N standard does not support WEP, so connections encrypted with WEP are limited to wireless G speeds (54Mbps), even when using N devices.
In addition, the original WPA also does not deliver good performance on an N network. Therefore, you should use WPA2 encryption (with AES), Personal or Enterprise.
If you are still using an old adapter that only supports WEP, check the manufacturer's website for a driver upgrade, and also make sure that Windows is up to date.
If that does not help, our advice is to buy a new wireless card.
To change the encryption settings, log into the router's configuration utility by typing its IP address into your browser.
The default IP address and password are listed in the accompanying documentation. Then find the wireless settings and change the encryption.
4. Change the default channel bandwidth to achieve high speed
If you find that your speed never exceeds 130Mbps, you must change the default channel bandwidth. To limit interference with older Wi-Fi equipment, wireless N routers and APs ship configured for 20MHz-wide channels.
One way to increase wireless N performance is to move up to 40MHz bandwidth; this is called channel bonding. It doubles the speed of the channel, so you must change this default setting.
To enable channel bonding, open a browser and type the router's IP address to log into its configuration utility. Then find the wireless settings and select the 40MHz channel width.
Do not forget to save your changes before you exit the configuration utility.
5. Disconnect Wireless G clients for best performance
Wireless N is backward compatible with Wireless G devices, and even with the older B standard. However, network traffic behaves differently when an old adapter is connected to the N network.
This has a negative effect on speed and performance. So if you do not want any restrictions on data rate and throughput, make sure that your network only has connections from wireless N clients.
You can restrict clients through the router so that only wireless N connections are allowed.
To apply this limitation, log into the router's configuration utility and change the settings in the wireless section.
If you still want to support wireless B/G clients, consider using an old wireless G router or AP.
You can plug the wireless G router into the N router or AP. Ensure that each router is set to a non-overlapping channel: 1, 6 or 11, or only 1 or 11 if you use channel bonding on the N router.
Then make sure you only allow N connections on the new router, or indicate the wireless type in the network name (SSID), so users know which type of device they are connected to.
6. Use 40MHz-wide channels only with strong signals
As mentioned above, to get connection speeds above 130Mbps on Wireless N devices, you must double the channel bandwidth from 20 to 40MHz.
However, you should reconsider channel bonding if not all users have a good signal, because it can negatively affect clients with a weak signal.
7. Check for interference
As with a wireless G network, you need to consider interference issues, such as neighboring APs set up on a channel that interferes with yours, or interference from radio devices and other electronics.
But wireless N brings another issue. Remember, if you change the default channel bandwidth from 20 to 40MHz (to get higher speeds), it doubles the frequency range of your transmission.
If you use channel bonding, you are limited to using two of the three channels that normally do not overlap. So you should ensure that you are using channel 1 or 11 on all APs.
Also scan the airwaves to see what other networks are in the area and avoid selecting the channels they use.
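As an added example that is not part of the original post, a small Python channel-plan checker for tips 5 and 7: it derives the non-overlapping channels from the 2.4 GHz channel centres and shows which access-point combinations collide once the N router uses a 40MHz bonded channel. It assumes a conservative 22 MHz occupancy per channel (the 802.11b DSSS width behind the 1/6/11 rule) and an 802.11n secondary channel four channel numbers above or below the primary; the AP names and plans are constructed.

```python
"""Channel-plan checker for the 2.4 GHz band, illustrating tips 5 and 7 above.

Added example, not code from the original post. Assumptions: 2.4 GHz channel
centres follow the 802.11 plan (2407 + 5*n MHz, n = 1..13); a normal channel is
modelled as 22 MHz of occupied spectrum (the 802.11b DSSS width, the conservative
figure behind the classic 1/6/11 rule); a 40 MHz bonded channel is modelled as the
primary channel plus the secondary channel four numbers above or below it.
The access-point plans at the bottom are constructed for this example.
"""
from itertools import combinations

CHANNEL_OCCUPANCY_MHZ = 22   # assumption: conservative per-channel occupancy
SECONDARY_OFFSET = 4         # 802.11n 40 MHz secondary channel is +/-4 channel numbers


def centre_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (1..13)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is not a 2.4 GHz channel (1..13)")
    return 2407 + 5 * channel


def occupied_span(channel: int, bonded: bool = False, secondary: str = "above") -> tuple:
    """Return the (low, high) MHz range an AP occupies.

    A 20 MHz-class channel occupies CHANNEL_OCCUPANCY_MHZ around its centre.
    A bonded (40 MHz) channel additionally occupies its secondary channel, so
    the span is the union of the two channels' occupancy."""
    half = CHANNEL_OCCUPANCY_MHZ / 2
    low, high = centre_mhz(channel) - half, centre_mhz(channel) + half
    if bonded:
        if secondary not in ("above", "below"):
            raise ValueError("secondary must be 'above' or 'below'")
        sec = channel + SECONDARY_OFFSET if secondary == "above" else channel - SECONDARY_OFFSET
        c2 = centre_mhz(sec)   # raises if the secondary channel falls outside the band
        low, high = min(low, c2 - half), max(high, c2 + half)
    return low, high


def spans_overlap(a: tuple, b: tuple) -> bool:
    """True if two (low, high) frequency ranges share any spectrum."""
    return a[0] < b[1] and b[0] < a[1]


def channels_overlap(ch_a: int, ch_b: int) -> bool:
    """True if two ordinary 20 MHz-class channels interfere with each other."""
    return spans_overlap(occupied_span(ch_a), occupied_span(ch_b))


def non_overlapping_channels(available=range(1, 12)) -> list:
    """Greedy walk from channel 1 picking each next channel clear of all picks so far.
    Reproduces the 1/6/11 rule the post states for the 11-channel band."""
    picks = []
    for ch in available:
        if all(not channels_overlap(ch, p) for p in picks):
            picks.append(ch)
    return picks


def plan_conflicts(plan) -> list:
    """plan: list of (ap_name, channel, bonded, secondary). Return the AP name pairs
    whose occupied spectrum overlaps, i.e. the ones that will interfere."""
    spans = {name: occupied_span(ch, bonded, sec) for name, ch, bonded, sec in plan}
    return [(a, b) for a, b in combinations(spans, 2) if spans_overlap(spans[a], spans[b])]


# Constructed plans: an N router with channel bonding on channel 1 plus a legacy
# G router (tip 5), placed on channel 6 versus channel 11.
G_ON_6 = [("N-router", 1, True, "above"), ("G-router", 6, False, "above")]
G_ON_11 = [("N-router", 1, True, "above"), ("G-router", 11, False, "above")]

if __name__ == "__main__":
    print("non-overlapping 20 MHz channels:", non_overlapping_channels())
    print("N router bonded on channel 1 occupies", occupied_span(1, bonded=True), "MHz")
    print("conflicts with G router on 6:", plan_conflicts(G_ON_6))
    print("conflicts with G router on 11:", plan_conflicts(G_ON_11))
```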

By : Admin