Planning for Internet service provider high availability
Published: November 15, 2009
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic is designed to help the Forefront TMG administrator ensure uninterrupted connection to the Internet, in organizations where:
Forefront TMG is deployed at the network edge, thus serving as the organization’s gateway to the Internet.
Connection to the Internet is provided by two Internet Service Providers (ISPs).
Uninterrupted Internet connectivity is enabled by the Forefront TMG ISP redundancy feature, as described in Enabling Internet Service Provider (ISP) redundancy.
Note: ISP redundancy does not apply to traffic originating from Forefront TMG itself, except for traffic that is handled by the Web proxy filter.
The following sections describe the traffic distribution methods you can choose between, and the requirements that must be met before ISP redundancy is enabled.
Traffic distribution methods
You can configure Forefront TMG to distribute outbound traffic between two ISP connections by one of the following methods:
Load balancing with failover capabilities—High availability between the two connections, including the following capabilities:
Load balancing—Distribute traffic among the connections according to the ratio you define. For example, you can allocate 80% of traffic to one connection and the remaining 20% to the second connection.
Failover—If one connection becomes unavailable, traffic is handled by the other connection. Internet connection is uninterrupted and end users are unaffected.
Failover only—One connection is defined as the primary connection for all traffic, while the other connection serves only as the backup connection. If the primary connection becomes unavailable, traffic is routed to the backup connection and Internet service is uninterrupted.
Use this option when you want to use the secondary connection only when the primary connection is unavailable.
Requirements for enabling ISP redundancy
Following are the requirements for enabling ISP redundancy in Forefront TMG:
All internal and perimeter networks connected to Forefront TMG must have a Network Address Translation (NAT) relationship with the default external network.
Each ISP connection must be configured with a unique IP subnet and a unique default gateway.
Note: Windows Server 2008 does not support multiple default gateways in DHCP-assigned links. If your ISPs support only DHCP-assigned addressing, you must manually add both default gateways to the routing table on Forefront TMG.
Forefront TMG must be connected to both ISPs directly, with no intermediary computers, for example, a proxy server, between them. In a Forefront TMG array, each array member must be directly connected to both ISPs.
If you choose to associate one or both ISP connections with a network adapter, the connections must be associated with the default external network adapter; you must not associate an ISP connection with an adapter belonging to any other external network.
ISP DNS server entries cannot reside in the same subnet as the network adapter with which they are associated. It is recommended that, before running the ISP Redundancy Wizard, you remove any DNS entries that exist in the same subnet as the network adapter with which you intend to associate them. After completing the wizard, add the entries you removed back to the adapter's IP settings and to the ISP servers lists. For information, see Enabling Internet Service Provider (ISP) redundancy.
It is recommended that the network offload processing configuration be identical on both adapters that are connected to the ISPs. If the settings are not identical, network offload processing is disabled on both adapters.
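The following script is an added example and is not part of Forefront TMG or of this documentation. It audits the two ISP-facing adapters on a Forefront TMG computer against the requirements above: a unique subnet and default gateway per ISP link, no ISP DNS server inside the adapter's own subnet, and a default route in the routing table for each gateway (the case the note about DHCP-assigned links warns about). It uses WMI only, so it runs under PowerShell 2.0 on Windows Server 2008; run it elevated on each array member. The connection names ISP1 and ISP2 are an assumption; substitute the names of your own external adapters.

```powershell
# Added example, not Forefront TMG product code. Audits the ISP-facing adapters
# against the ISP redundancy requirements. Assumed adapter names; change to yours.
$IspAdapters = @('ISP1', 'ISP2')

function Get-NetworkId {
    # IPv4 network address of an address/mask pair, as a dotted string.
    param([string]$Address, [string]$Mask)
    $a = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    $m = ([System.Net.IPAddress]::Parse($Mask)).GetAddressBytes()
    $net = 0..3 | ForEach-Object { $a[$_] -band $m[$_] }
    return ($net -join '.')
}

$findings = @()
$isp = @{}
foreach ($name in $IspAdapters) {
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$name'"
    if (-not $nic) { $findings += "Adapter '$name' not found"; continue }
    # IP settings live on the associated Win32_NetworkAdapterConfiguration instance.
    $cfg = $nic.GetRelated('Win32_NetworkAdapterConfiguration') | Select-Object -First 1
    # IPAddress and IPSubnet are parallel arrays; take the first IPv4 entry.
    $i = 0
    while ($i -lt @($cfg.IPAddress).Count -and $cfg.IPAddress[$i] -match ':') { $i++ }
    if ($i -ge @($cfg.IPAddress).Count) { $findings += "Adapter '$name' has no IPv4 address"; continue }
    $isp[$name] = @{
        Index   = $cfg.InterfaceIndex
        Mask    = $cfg.IPSubnet[$i]
        Network = Get-NetworkId $cfg.IPAddress[$i] $cfg.IPSubnet[$i]
        Gateway = @($cfg.DefaultIPGateway)[0]
        Dns     = @($cfg.DNSServerSearchOrder)
    }
}

# Requirement: each ISP connection has a unique IP subnet and a unique default gateway.
$names = @($IspAdapters | Where-Object { $isp.ContainsKey($_) })
if ($names.Count -eq 2) {
    $a = $isp[$names[0]]; $b = $isp[$names[1]]
    if ($a.Network -eq $b.Network) {
        $findings += "Both ISP adapters are in subnet $($a.Network); each ISP link needs a unique subnet"
    }
    if ($a.Gateway -and ($a.Gateway -eq $b.Gateway)) {
        $findings += "Both ISP adapters use default gateway $($a.Gateway); each ISP link needs its own gateway"
    }
}

# Requirement: ISP DNS servers must not reside in the adapter's own subnet.
foreach ($name in $names) {
    $x = $isp[$name]
    if (-not $x.Gateway) { $findings += "Adapter '$name' has no default gateway configured" }
    foreach ($dns in $x.Dns) {
        if ($dns -and $dns -notmatch ':' -and (Get-NetworkId $dns $x.Mask) -eq $x.Network) {
            $findings += "DNS server $dns on '$name' is inside the adapter's subnet $($x.Network); remove it before running the ISP Redundancy Wizard and re-add it afterwards"
        }
    }
}

# Requirement: both default gateways must be present in the routing table. On Windows
# Server 2008 a DHCP-assigned link does not get a second default gateway automatically,
# so suggest a persistent route for any gateway that is missing.
$defaults = @(Get-WmiObject Win32_IP4RouteTable -Filter "Destination = '0.0.0.0'")
foreach ($name in $names) {
    $x = $isp[$name]
    if ($x.Gateway -and -not ($defaults | Where-Object { $_.NextHop -eq $x.Gateway })) {
        $findings += "No default route via $($x.Gateway) for '$name'. Add one with: route -p add 0.0.0.0 mask 0.0.0.0 $($x.Gateway) if $($x.Index)"
    }
}

if ($findings.Count -eq 0) { 'All ISP redundancy pre-checks passed.' } else { $findings }
```

The script only reports; it makes no changes. The `route -p add` command it prints adds a persistent default route bound to the adapter's interface index, which is the manual step the DHCP note above calls for. Offload settings are not compared here because they are driver-specific and not exposed uniformly through WMI; check them in each adapter's advanced properties.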