Load Balancing and Forefront TMG Firewall Clients

July 9, 2010

Recently I encountered an issue where TMG firewall clients were experiencing intermittent connectivity issues. Clients were sometimes able to connect to a remote RDP server, and other times they were not. Web proxy clients were working perfectly. After looking carefully at the network and TMG firewall configuration, everything appeared to be in order. In this particular instance, two TMG firewalls were configured in a multi-homed, standalone array with Network Load Balancing (NLB) enabled on both the Internal and External networks. Clients connected to the array using a hostname that resolved to the virtual IP address (VIP) assigned to the Internal network.

Although this configuration works just fine for web proxy clients, it poses a particular problem for the TMG Firewall Client because the Firewall Client uses a control channel to facilitate authentication and communication with the TMG firewall. For proper operation, Firewall Clients must be configured to communicate directly with the TMG firewall’s dedicated IP address (DIP). For this reason, the use of NLB and third-party hardware load balancers is not supported for load balancing TMG Firewall Clients. The only form of load balancing that is supported for TMG Firewall Clients is DNS round-robin.

To learn more about the TMG Firewall Client and how it functions, please refer to Jim Harrison’s excellent series of articles about this topic on TechNet.

Introduction to the ISA Server Firewall Client and Forefront TMG Client
Introduction to Remote Winsock (RWS) Protocol Analysis
Observing Firewall Client Single-connection HTTP Traffic
Observing Firewall Client Single-connection DNS Traffic
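As an added check (not part of the original post or of the TMG product), the PowerShell function below resolves the name your Firewall Clients are configured with and reports whether it points at the NLB VIP (unsupported) or round-robins across the array members' DIPs (supported). The host name, VIP and DIP values are constructed sample values.

```powershell
# Added example: verify that the hostname configured in the Forefront TMG
# Firewall Client resolves to the array members' dedicated IP addresses (DIPs)
# and not to the NLB virtual IP (VIP). Sample names and addresses are
# constructed; replace them with your own.

function Test-TmgFirewallClientName {
    param(
        [Parameter(Mandatory)] [string]   $ClientHostName,  # name set in the Firewall Client
        [Parameter(Mandatory)] [string[]] $ArrayDips,       # DIP of each array member
        [Parameter(Mandatory)] [string]   $InternalVip      # NLB VIP on the Internal network
    )

    # Plain DNS lookup; GetHostAddresses returns every A record, so a
    # round-robin name yields all member DIPs in one call.
    $resolved = [System.Net.Dns]::GetHostAddresses($ClientHostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }

    $hitsVip     = $resolved -contains $InternalVip
    $unknown     = $resolved  | Where-Object { ($ArrayDips -notcontains $_) -and ($_ -ne $InternalVip) }
    $missingDips = $ArrayDips | Where-Object { $resolved -notcontains $_ }

    $verdict = if ($hitsVip) {
        'Unsupported: name resolves to the NLB VIP; the Firewall Client control channel breaks if the connection moves to another member'
    } elseif ($unknown) {
        "Check: name resolves to addresses that are not array DIPs: $($unknown -join ', ')"
    } elseif ($missingDips) {
        "Partial: DNS round robin is missing member DIP(s): $($missingDips -join ', ')"
    } else {
        'Supported: name round-robins across all array member DIPs only'
    }

    [pscustomobject]@{
        HostName = $ClientHostName
        Resolved = ($resolved -join ', ')
        Verdict  = $verdict
    }
}

# Constructed sample values for a two-member array (not from the post).
Test-TmgFirewallClientName -ClientHostName 'tmgarray.corp.example' `
    -ArrayDips @('192.168.1.11', '192.168.1.12') -InternalVip '192.168.1.10' |
    Format-List
```

Run it from a client on the Internal network so the lookup goes through the same DNS servers the Firewall Clients use.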

Categories: Forefront TMG 2010
  1. anghelalex
    July 28, 2010 at 5:49 am

    We are using the same config with ISA 2006 Enterprise configuration but we didn’t encounter any problem till now. We also have Microsoft Firewall Client for ISA Server, Version 4.0 installed on all workstations. We are planning to migrate to TMG Server on NLB at application level (on TMG, using virtual IP).
    Will the problem also persist in this case?
    Regards,
    anghelalex

  2. July 30, 2010 at 1:21 pm

    Absolutely. Nothing changes in this regard with TMG. Firewall clients, if they are connecting to ISA or TMG, must communicate with the dedicated IP address of the array members in order to function correctly.

  3. RuudBoek
    September 15, 2010 at 7:18 am

    If the firewall clients will communicate with the dedicated IP of the array member, will they not lose the HA then, since they won’t be using the NLB virtual IP?

  4. September 15, 2010 at 1:56 pm

    That’s correct. The only supported method of load balancing for ISA/TMG Firewall clients is DNS round robin.

  5. RuudBoek
    September 15, 2010 at 11:50 pm

    Is that by design or will that be solved in a future service pack or hotfix update?

  6. September 16, 2010 at 4:14 pm

    Yes, it is a design limitation that can’t be addressed with a hotfix or service pack. It would likely involve a significant redesign of the Firewall Client control channel mechanism, and potentially the firewall core itself.

  7. April 22, 2011 at 12:47 pm

    What are the symptom(s) that you see when you attempt to hit a load balanced CSS or EMS array (via Microsoft NLB) with the Firewall Client hitting the VIP?

  8. April 22, 2011 at 4:28 pm

    Most often it is simply erratic client behavior and intermittent connectivity issues. It can work without issues if everything goes perfectly, but since the Firewall Client control channel is established with a single array member, if the connection moves to another array member for any reason the connection will break.

  9. May 11, 2011 at 9:22 am

    Does this also apply to an ISA Server 2004 Enterprise Edition array? The reason I ask is because we have a 4-node ISA Server 2004 Enterprise array deployed and we are NOT using DNS round robin for any of our internal clients.

    Which begs the question, what has changed in behavior from ISA 2004 moving forward to the later versions, ISA 2006 and TMG 2010?

  10. May 11, 2011 at 3:19 pm

    It certainly does. Again, the issue is that the Firewall Client establishes a control channel to a specific array member. If the data channel subsequently initiates to another member for any reason, the connection will break. If your environment is reasonably stable, it is possible that you won’t encounter issues. It is still an unsupported configuration, however.

  11. May 23, 2011 at 6:47 am

    I’m starting to notice a lot of problems when end-users are hitting websites that use AJAX heavily such as Yahoo Mail. Sometimes it will work and other times it will not work. In other words, it is intermittent, which is the worst kind of error to troubleshoot.

    During a live monitoring event via ISA Server I saw that the user was bouncing between proxy array members. Would it make a difference if the user was a web proxy client as opposed to a firewall client? In other words, we know that bouncing between array members will break a firewall client’s communication but how about a web proxy client?

  12. May 23, 2011 at 11:21 am

    Shouldn’t be a problem for Web Proxy clients since they don’t make use of a discrete control channel like the Firewall Client does.

  13. Sherry
    February 22, 2012 at 5:23 pm

    Thanks Richard and all the commentators for valuable information.

    I have two TMG boxes (enterprise FF) in a Single Array – we use firewall client and it resolves to ONE member at a time –

    How can I set up DNS Round Robin within this scenario?
    Would DNS Round Robin cause connectivity issues (as you say about the firewall client control channel thing)?

    Will be grateful if you could provide a step by step to create DNS round robin for my two TMG boxes in a Single Array and Firewall Client in action on the client side.

    TMGSNR = 192.168.1.1
    TMGJNR = 192.168.1.2

    Thanks ever so much !

  14. February 23, 2012 at 3:52 pm

    Hi Sherry,

    DNS round robin is indeed supported for load balancing Forefront TMG 2010 firewall clients. Information on how to configure DNS round robin can be found here:

    http://technet.microsoft.com/en-us/library/cc787484(v=WS.10).aspx

    Thanks!

  15. Sherry
    February 27, 2012 at 7:32 pm

    Thanks Richard, Much appreciated !!

    Would DNS Round Robin cause connectivity issues (as you say about the firewall client control channel thing)? Also just to re-confirm that if we use NLB and install FW Client – it won’t be load balanced as it would have to create an independent channel to a SINGLE TMG ARRAY MEMBER?

    I have another question 🙂

    Q : I have a Remote Email Server (Hosted elsewhere), I have around 75 users who use Outlook 2010 / 2007 to connect to this email server via POP / IMAP and use this email server as their outgoing SMTP too. Question is : Do I need to have FWClient installed in order for them to be able to send and receive emails via Outlook? Or can they just be web proxy clients and still use Outlook to connect to SMTP, POP, IMAP? I really want to get rid of the FWClient due to the administrative overhead as I am the only one here these days 🙂

    Will be most grateful for your response and guidance
    Sherry

  16. March 2, 2012 at 2:40 pm

    Hi Sherry,

    DNS round robin would not cause connectivity issues because the Forefront TMG 2010 firewall client will select one IP address from the list of IP addresses returned and establish a connection directly to that array member individually.

    Regarding your second question, the operative word here in “web proxy client” is “web”. 😉 By design, this includes only web-based protocols – HTTP, HTTPS, and FTP over HTTP. Any other protocol (including mail protocols as you described) would have to be SecureNAT or Firewall Client. If you don’t want the overhead of managing the Firewall Client, SecureNAT certainly works, but you lose the ability to authenticate any traffic through the firewall. In addition, you will have to configure your clients to use the TMG firewall’s internal network interface as their default gateway, or configure your routing infrastructure to use the TMG firewall as its gateway of last resort. FYI, SecureNAT requires that TMG be configured with two network interfaces – one internal, and one external. Single network adapter deployments of Forefront TMG 2010 do not support SecureNAT traffic.

    Thanks!

  17. Ignacio Rdz.
    February 27, 2014 at 11:17 am

    Hi everybody, my scenario is as follows: two Forefront TMG 2010 on Windows Server 2008 (virtualized environment).
    Both are in an NLB array, everything seems to work fine but I have recently noted that when I try to access CIFS names, and their shared resources, I can’t; from my TMG servers I just can’t even ping the IP destinations of the CIFS names.
    So, I can’t access those shared resources; when I disable the NLB array, everything works fine, I can access the same shared resources, pinging the sites and all is OK.

    Do you know what is happening?

    best regards

  18. Ignacio Rdz.
    February 28, 2014 at 7:17 am

    I forgot to mention I’m using unicast mode on my NLB array.

  19. March 3, 2014 at 9:56 am

    NLB-related connectivity issues are typically related directly to layer-two problems. Since you are running in a virtual environment, there are some additional steps that have to be taken to allow NLB to work. In Hyper-V you have to enable MAC address spoofing. I’m sure there is an equivalent in Hyper-V. I expect that after you correct that configuration issue everything should work normally.

  20. Ignacio Rdz.
    March 4, 2014 at 7:53 am

    Hi Richard, I am not pretty sure if I have enabled the MAC address spoofing option on my VMware NICs, I’m gonna review it. On the other hand, I reviewed the output of nlb display on my two TMG array members and I can see the NLB MAC address, this is the output:
    ClusterIPAddress = HERE ES THE VIP ADDRESS
    ClusterNetworkMask = 255.255.252.0
    DedicatedIPAddresses/ = IP ADDRESS OF THE NIC TMG01/255.255.252.0
    DedicatedNetworkMasks
    McastIPAddress = 0.0.0.0
    ClusterNetworkAddress = 02-bf-0a-02-01-64

    So I think this is working, but I will check this thing regarding MAC address spoofing.

    I will let you know the results as soon as I can.

    Regards

  21. Ignacio Rdz.
    March 4, 2014 at 3:31 pm

    Hi again,

    I have the MAC address spoofing settings correct, I mean, on my VMware environment, I have the MAC-ADDRESS-CHANGES option configured as: ACCEPT, so this is not the issue because the problem appears only with CIFS names.

    I was checking my persistent and active routes on my TMG server CMD, I noticed that I can’t reach CIFS names (these CIFS names are NAS with Linux, CNAMEs) if I only have persistent routes pointing to subnets, for example:

    I can’t reach 10.1.1.10 (CNAME) if I have just a persistent route like this: 10.1.0.0 MASK 255.255.0.0 10.1.0.1 (gateway)

    But if I add this more specific one: route add -p 10.1.1.10 MASK 255.255.255.255 10.1.0.1

    Surprise! I can now reach the CNAME that is pointed to 10.1.1.10, pinging it by name or by IP.

    At this moment I am thinking of implementing NLB between my TMGs even with this issue; I will have to configure specific persistent routes to those CIFS names while I investigate what is happening and why. If I do disable the NLB feature, everything seems to work fine, and the CIFS problem disappears.

    If you have an idea, let me know please.

  22. Khaled Salem
    February 7, 2015 at 6:01 am

    Hello sir,
    Hope my post finds you well,
    I have a question here regarding the TMG.
    I have a TMG array (2 TMG servers with NLB).
    My question here is regarding publishing: I need to publish a service but with 1 IP externally.
    I did a firewall policy but it keeps switching between the two external IPs. Is there any way to do that?
    Thanks.

  23. February 8, 2015 at 9:23 pm

    When you set up your publishing rule, specify the external virtual IP address (VIP) and the traffic will be automatically distributed to your published servers. If you don’t want this to happen, you can specify a specific external IP address to listen on if you wish.

  24. Khaled Salem
    February 9, 2015 at 4:49 am

    Thanks for your reply, I tried to specify the external IP to listen on, but when I do it, it didn’t work at all; when I make it listen to everyone it works =/

  25. February 10, 2015 at 1:47 pm

    Hmmm…I’d look carefully at your network settings then. Could be something on your upstream networking gear perhaps? Or an ISP issue? If you’ve selected an IP address for the listener on the appropriate network interface, it should work as long as the traffic gets there.
