Comments on: Load Balancing and Forefront TMG Firewall Clients

By: Richard Hicks

Richard Hicks — Mon, 23 May 2011 19:21:47 +0000

Shouldn’t be a problem for Web Proxy clients since they don’t make use of a discrete control channel like the Firewall Client does.

By: mikehowells

mikehowells — Mon, 23 May 2011 14:47:08 +0000

I’m starting to notice a lot of problems when end-users are hitting websites that use AJAX heavily such as Yahoo Mail. Sometimes it will work and other times it will not work. In other words, it is intermittent, which is the worst kind of errors to troubleshoot.

During a live monitoring event via ISA Server I saw that the user was bouncing between proxy array members. Would it make a difference if the user was a web proxy client as opposed to a firewall client? In other words, we know that bouncing between array members will break a firewall client’s communication but how about a web proxy client?

By: Richard Hicks

Richard Hicks — Wed, 11 May 2011 23:19:58 +0000

It certainly does. Again, the issue is that the Firewall Client establishes a control channel to a specific array member. If the data channel subsequently initiates to another member for any reason, the connection will break. If your environment is reasonably stable, it is possible that you won’t encounter issues. It is still an unsupported configuration, however.

By: mikehowells

mikehowells — Wed, 11 May 2011 17:22:09 +0000

Does this also apply to an ISA Server 2004 Enterprise Edition array? The reason I ask is because we have a 4-node ISA Server 2004 Enterprise array deployed and we are NOT using DNS round robin for any of our internal clients.

Which begs the question, what has changed in behavior from ISA 2004 moving forward to later version of ISA 2006 and TMG 2010?

By: Richard Hicks

Richard Hicks — Sat, 23 Apr 2011 00:28:38 +0000

Most often it is simply erratic client behavior and intermittent connectivity issues. It can work without issues if everything goes perfectly, but since the Firewall Client control channel is established with a single array member, if the connection moves to another array member for any reason the connection will break.

By: mikehowells

mikehowells — Fri, 22 Apr 2011 20:47:49 +0000

What are the symptom(s) that you see when you attempt to hit a load balanced CSS or EMS array (via Microsoft NLB) with the Firewall Client hitting the VIP?

By: Richard Hicks

Richard Hicks — Fri, 17 Sep 2010 00:14:50 +0000

Yes, it is a design limitation that can’t be addressed with a hotfix or service pack. It would likely involve a significant redesign of the Firewall Client control channel mechanism, and potentially the firewall core itself.

By: RuudBoek

RuudBoek — Thu, 16 Sep 2010 07:50:09 +0000

Is that by design or will that be solved in a future servicepack or hotfix update?

By: Richard Hicks

Richard Hicks — Wed, 15 Sep 2010 21:56:43 +0000

That’s correct. The only supported method of load balancing for ISA/TMG Firewall clients is DNS round robin.

By: RuudBoek

RuudBoek — Wed, 15 Sep 2010 15:18:32 +0000

If the firewall clients will communicate with the dedicated ip of the array member, will they not lose the HA then, since they won’t be using the NLB virtual IP?