TMG ISP Redundancy ‘unleashed’


In this article I want to give a detailed view of the configuration settings of the ISP Redundancy feature that are not exposed in the TMG Management console.

For a good overview of the ISP Redundancy feature and of the options available in the management console, have a look at Keeping High Availability with Forefront TMG's ISP Redundancy Feature.

Note: Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

The examples provided in this blog have to be run on a node running the firewall services. They won’t work when executed on an EMS server.

Configuring verification of link status

In the default setting, TMG checks the status of an ISP link by trying to establish a TCP connection on port 53 (the DNS-over-TCP port, which is also used for zone transfers) to a list* of root DNS servers, on a round-robin basis. If a connection can be established, TMG considers the link active.

The IP addresses and the TCP port used for the verification cannot be configured from the management console. If you need to modify these settings, for example because your TMG server has no direct access to the Internet and therefore cannot reach the root servers, you can do this through the TMG COM interface with a simple Visual Basic script like this one:

Note: Take an export of the TMG configuration before running the script. To get the original behavior back, import that configuration again.

==================================================================

' we need to get the ISP Redundancy configuration object first:
set oRoot = CreateObject("FPC.Root")
set oArray = oRoot.GetContainingArray()
set oExternalNetwork = oArray.NetworkConfiguration.Networks("External")
set oISPRCfg = oExternalNetwork.ISPRedundancyConfig

' ===================================================================
' if you want to remove the complete list of connectivity verification
' addresses:
oISPRCfg.ConnectivityVerificationRemoteIpAddresses.RemoveAll()

' To add a new address (in this case 192.168.1.1) to check the connectivity:
oISPRCfg.ConnectivityVerificationRemoteIpAddresses.Add "192.168.1.1"

' To change the TCP port for connectivity verification (default: 53)
oISPRCfg.ConnectivityVerificationRemotePort = 53

' To save the changes
oISPRCfg.Save

Important: Please be aware that this is a sample script. When executed on TMG it removes the list of predefined IP addresses and modifies the ISPR configuration so that connectivity checks go only to the IP address 192.168.1.1 on port 53. Adjust the values in the script to match your setup before running it on your TMG server. Choose a verification target that is reachable only through the ISP link under test and that sits beyond your own edge: an address on your own network (192.168.1.1 is used above purely as a placeholder) answers whether or not the ISP is up, so TMG would never detect a failed link. Also make sure the target reliably accepts TCP connections on the chosen port; a host or an ISP that filters TCP/53 will make a healthy link look dead.

* Default destination addresses in the TMG release candidate (RC) build, all of them root DNS server addresses at the time: 192.58.128.30, 193.0.14.129, 198.32.64.12, 202.12.27.33, 198.41.0.4, 192.228.79.201, 192.33.4.12, 128.8.10.90, 192.203.230.10, 192.5.5.241, 192.112.36.4, 128.63.2.53, 192.36.148.17. Root server addresses are renumbered from time to time, so verify the list before relying on it in a new deployment.
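Before replacing the built-in list, it is worth confirming from the TMG host that the new targets actually answer, and that they are the kind of address whose answer proves something about the ISP path. The following Python script is an added example, not code from this article and not part of TMG: it repeats the check the article attributes to TMG (a bare TCP connect to the verification port, where a completed handshake counts as "link active"), flags targets inside private, loopback or link-local ranges, and walks the list round-robin in the way the article describes. The round-robin model (one pass succeeds at the first target that answers) is an assumption, the 10.0.0.x addresses used in the offline demo are constructed placeholders, and the address list is the RC default list quoted above.

```python
"""Pre-flight check of TMG ISP Redundancy verification targets.

Added example; not code from the article and not TMG's implementation.  It
reproduces the test the article attributes to TMG, a bare TCP connect to the
verification port where a completed handshake means "link active", so the
addresses you are about to write into ConnectivityVerificationRemoteIpAddresses
can be tried from the TMG host before the built-in list is removed.  It also
flags targets that cannot prove anything about the ISP path.  Assumptions:
the round-robin pass stops at the first answering target, and the 10.0.0.x
hosts in the offline demo are constructed placeholders.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Default list shipped with the TMG RC (as quoted in the article) and default port.
TMG_RC_DEFAULT_TARGETS: List[str] = [
    "192.58.128.30", "193.0.14.129", "198.32.64.12", "202.12.27.33",
    "198.41.0.4", "192.228.79.201", "192.33.4.12", "128.8.10.90",
    "192.203.230.10", "192.5.5.241", "192.112.36.4", "128.63.2.53",
    "192.36.148.17",
]
TMG_DEFAULT_PORT = 53

Probe = Callable[[str, int, float], bool]


def tcp_connect_ok(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout`.
    Nothing is sent on the connection; it is closed straight away."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, timed out
        return False


def unsuitable_targets(targets: List[str]) -> List[str]:
    """Addresses that answer regardless of ISP state, so a successful probe
    says nothing about the link: private (RFC 1918), loopback, link-local.
    The article's sample value 192.168.1.1 falls into this class.
    A typo in an address raises ValueError from ipaddress, which is wanted."""
    bad = []
    for t in targets:
        ip = ipaddress.ip_address(t)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            bad.append(t)
    return bad


def check_targets(targets: List[str], port: int, timeout: float = 3.0,
                  probe: Probe = tcp_connect_ok) -> Dict[str, bool]:
    """Probe every target once; `probe` is injectable for offline use."""
    return {t: probe(t, port, timeout) for t in targets}


def verification_pass(targets: List[str], port: int, start: int = 0,
                      timeout: float = 3.0, probe: Probe = tcp_connect_ok) -> Tuple[bool, int]:
    """One round-robin pass as the article describes: try targets from index
    `start` and stop at the first that answers.  Returns (succeeded, next_start).
    Model assumption: a pass fails only when no target answers."""
    if not targets:
        raise ValueError("empty verification list: the link could never pass")
    n = len(targets)
    for i in range(n):
        idx = (start + i) % n
        if probe(targets[idx], port, timeout):
            return True, (idx + 1) % n
    return False, start


def demo_loopback() -> Tuple[bool, bool]:
    """Offline proof that the probe separates open from closed ports:
    listen on an ephemeral loopback port, probe it, close it, probe again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_connect_ok("127.0.0.1", port, 2.0)
    srv.close()
    after_close = tcp_connect_ok("127.0.0.1", port, 2.0)
    return while_open, after_close   # expected (True, False)


if __name__ == "__main__":
    print("loopback self-test:", demo_loopback())
    print("unsuitable in article sample:", unsuitable_targets(["192.168.1.1"]))
    # Live check of the RC default list from this host (needs outbound TCP/53):
    for addr, ok in check_targets(TMG_RC_DEFAULT_TARGETS, TMG_DEFAULT_PORT).items():
        print(f"{addr:16} {'reachable' if ok else 'NO ANSWER'}")
```

Run it on the TMG node itself (the same vantage point the firewall service has) rather than from a workstation, and run it once per ISP link if you can pin the source interface; a target that shows NO ANSWER here will be treated as a dead link by TMG as well.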

Modifying dead link detection periods

The primary goal of link detection is to determine accurately the state of the ISP link being examined. An additional goal is to prevent 'link flapping', a condition in which TMG shifts back and forth between ISP links.

The link test and the anti-flapping mechanism are controlled by five properties of the ISPRedundancyConfig COM object:

  • MinimalResumeTime (default 300): minimal time in seconds before TMG resumes using an ISP link after it was marked down (minimum failed time).
  • TestIntervalLinkAvailable (default 60): time in seconds between two successive connectivity verification tests while an ISP link is available.
  • TestIntervalLinkUnavailable (default 60): time in seconds between two successive connectivity verification tests while an ISP link is unavailable.
  • SuccessesToAvailable (default 3): number of successive successful connectivity verification tests before an ISP link is considered available.
  • FailuresToUnavailable (default 3): number of successive failed connectivity verification tests before an ISP link is considered unavailable.

[Figure: timeline of the connectivity verification intervals with the default settings]

The timeline shows the intervals with those default settings. While the ISP link is available, TMG performs a verification test every 60 seconds (TestIntervalLinkAvailable); a test succeeds when a connection to one of the IP addresses configured for verification can be established.

If the test connection cannot be established, TMG performs two further attempts, again 60 seconds apart (TestIntervalLinkAvailable). When three successive checks fail (FailuresToUnavailable), the link is considered down.

Once the link is down, TMG waits 300 seconds (MinimalResumeTime) before trying a new connection through the failed link to one of the verification IP addresses. If that connection fails again, TMG retries every 60 seconds (TestIntervalLinkUnavailable). Three successful connection attempts in a row (SuccessesToAvailable), each 60 seconds apart (TestIntervalLinkUnavailable), are required before the link is considered up again.

  • With the default settings, a link is considered down no sooner than 3 minutes after its last successful test (three failed tests, 60 seconds apart).
  • With the default settings, a link stays marked down for at least 7 minutes (300 seconds minimum failed time plus two further 60-second intervals for the second and third successful tests).
  • With the default settings, a link has to pass tests for about 3 minutes before TMG brings it up again.
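To see how the five values interact, here is a small model of the state machine the paragraphs above describe, written in Python as an added example; it is not code from this article and not TMG's implementation. It replays constructed link behaviour (a hard outage, and a path that drops on every other test) through the parameters and reports the seconds at which TMG would mark the link down and up. The model assumes that the first test runs one TestIntervalLinkAvailable after start, that MinimalResumeTime applies once at the moment a link is marked down (and never sooner than TestIntervalLinkUnavailable), and that the successes needed to recover are spaced by TestIntervalLinkUnavailable, as described above. The scenarios are constructed inputs, not measurements.

```python
"""Model of the TMG ISP link-state machine described in the article.

Added example; not code from the article and not TMG's implementation.  It
replays a constructed sequence of probe results through the five documented
properties so the detection and anti-flapping delays can be read off directly.
Model assumptions: the first test runs one TestIntervalLinkAvailable after
start; MinimalResumeTime is applied once, when a link is marked down, and
never shorter than TestIntervalLinkUnavailable; a failed test while down is
simply retried after TestIntervalLinkUnavailable.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

Reachable = Callable[[int], bool]   # true state of the ISP path at second t
Event = Tuple[int, str]             # (second, "down" | "up")


@dataclass
class IspRedundancyTimers:
    """The five FPCISPRedundancyConfig properties, with the article's defaults."""
    MinimalResumeTime: int = 300
    TestIntervalLinkAvailable: int = 60
    TestIntervalLinkUnavailable: int = 60
    SuccessesToAvailable: int = 3
    FailuresToUnavailable: int = 3

    def __post_init__(self) -> None:
        # A zero interval would probe continuously; a zero threshold would
        # flip state without any evidence.  Reject both.
        if min(self.TestIntervalLinkAvailable, self.TestIntervalLinkUnavailable) < 1:
            raise ValueError("test intervals must be at least 1 second")
        if min(self.SuccessesToAvailable, self.FailuresToUnavailable) < 1:
            raise ValueError("thresholds must be at least 1")


def simulate(timers: IspRedundancyTimers, reachable: Reachable, horizon: int) -> List[Event]:
    """Return the (second, state) transitions TMG would record up to `horizon`."""
    available = True
    failures = successes = 0
    t = timers.TestIntervalLinkAvailable
    events: List[Event] = []
    while t <= horizon:
        ok = reachable(t)
        if available:
            failures = 0 if ok else failures + 1
            if failures >= timers.FailuresToUnavailable:
                available, successes = False, 0
                events.append((t, "down"))
                # Anti-flapping: no test until MinimalResumeTime has elapsed
                # (model assumption: never sooner than the unavailable interval).
                t += max(timers.MinimalResumeTime, timers.TestIntervalLinkUnavailable)
            else:
                t += timers.TestIntervalLinkAvailable
        else:
            successes = successes + 1 if ok else 0
            if successes >= timers.SuccessesToAvailable:
                available, failures = True, 0
                events.append((t, "up"))
                t += timers.TestIntervalLinkAvailable
            else:
                t += timers.TestIntervalLinkUnavailable
    return events


def down_periods(events: List[Event]) -> List[Tuple[int, int]]:
    """Pair each 'down' with the following 'up' -> [(down_at, up_at), ...]."""
    periods, down_at = [], None
    for t, state in events:
        if state == "down":
            down_at = t
        elif down_at is not None:
            periods.append((down_at, t))
            down_at = None
    return periods


# Constructed link behaviours (inputs to the model, not measurements):
def outage(start: int, end: int) -> Reachable:
    """Path is unreachable during [start, end)."""
    return lambda t: not (start <= t < end)


def intermittent(period: int, down_for: int) -> Reachable:
    """Path drops for the first `down_for` seconds of every `period`."""
    return lambda t: (t % period) >= down_for


if __name__ == "__main__":
    defaults = IspRedundancyTimers()
    print("defaults, hard outage 100s-500s:", simulate(defaults, outage(100, 500), 1200))
    # -> [(240, 'down'), (660, 'up')]: marked down three intervals after the
    #    last good test (60s), down for 300 + 2*60 = 420 s, the 7 minutes above.
    print("defaults, flapping path:", simulate(defaults, intermittent(120, 60), 3600))
    # -> []: alternating results never reach FailuresToUnavailable.
    twitchy = IspRedundancyTimers(MinimalResumeTime=0, SuccessesToAvailable=1,
                                  FailuresToUnavailable=1)
    print("aggressive, flapping path:",
          len(simulate(twitchy, intermittent(120, 60), 3600)), "state changes in an hour")
```

With the defaults, the hard outage yields [(240, 'down'), (660, 'up')]: the link is marked down 180 seconds after its last good test and stays down for 420 seconds, the 7 minutes computed above. The aggressive setting (one failure, one success, no resume time) turns the same flapping path into a state change every minute, which is exactly what MinimalResumeTime and the two thresholds exist to prevent. Try your own candidate values against a recorded outage pattern before committing them with the script below.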

You can modify those default values by changing the values assigned in the following VBS script:

' =====================================================================
' we need to get the ISP Redundancy configuration object first:
set oRoot = CreateObject("FPC.Root")
set oArray = oRoot.GetContainingArray()
set oExternalNetwork = oArray.NetworkConfiguration.Networks("External")
set oISPRCfg = oExternalNetwork.ISPRedundancyConfig
' =====================================================================

' Minimal time before we resume using an ISP link / Min failed time in seconds (default 300)
oISPRCfg.MinimalResumeTime = 300

' Time between two successive connectivity verification tests when an ISP is available in
' seconds (default 60)
oISPRCfg.TestIntervalLinkAvailable = 60

' Time between two successive connectivity verification tests when an ISP is unavailable in
' seconds (default 60)
oISPRCfg.TestIntervalLinkUnavailable = 60

' Number of successive connectivity verification successes before an Internet service provider
' (ISP) link is considered available. (Default - 3)
oISPRCfg.SuccessesToAvailable = 3

' Number of successive connectivity verification failures before an Internet service provider
' (ISP) link is considered unavailable. (Default - 3)
oISPRCfg.FailuresToUnavailable = 3

' To save the changes
oISPRCfg.Save


Author

Philipp Sand

Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Eric Detoc & Jim Harrison & Bala Natarajan

Microsoft CSS Forefront Security Edge Team

Comments
  • Hi,

    great stuff!! :)

    Regards,

    Paulo Oliveira.

  • If the ISP is only offering up DHCP addressing - could this script be extended to check the currently assigned IP address of the external NICs and update the array configuration accordingly? Right now it appears that TMG ISP redundancy caters only to statically assigned IP addressing, but it could cater to DHCP assignments if a script were to check and update the config at a given interval.

  • Based on your example I answered my own question with the following PowerShell:

    $root = new-object -comobject "FPC.Root"
    $isaArray = $root.GetContainingArray()
    $networks = $isaarray.networkconfiguration.networks
    $External = $networks | ? {$_.Name -eq "External"}
    $IspConfig = $External.IspRedundancyConfig
    $ISPs = $IspConfig.Isps
    $Cable = $ISPs | ? {$_.Name -eq "Cable"}
    $DSL = $ISPs | ? {$_.Name -eq "DSL"}
    $Cable.GatewayIPAddress = (netsh interface ip show address "Cable" | `
        select-string "Default Gateway") -replace '^[^\d]+'
    $Cable.Save()
    $DSL.GatewayIPAddress = (netsh interface ip show address "DSL" | `
        select-string "Default Gateway") -replace '^[^\d]+'
    $DSL.Save()

  • TMG ISP Redundancy - Brilliant, and a long time coming.

    Here's how I implemented it:

    http://robsilver.org/isatmg/isp-redundancy-made-easy/

    Hope this helps,

  • Hi,

    This question clearly falls outside this subject, but I have a request from an important client of mine.

    I've been asked to prioritize Web Access traffic of a group of users, in relation to others, using TMG.

    Is that in anyway possible !?

    Thank you in advance,

    Paulo Alves

  • Can anyone help me with how to use this script? I pasted the following script into Notepad and saved it as tmg.vbs, but it gives me errors on various lines when executed.

    set Root = CreateObject("FPC.Root")
    set Array = Root.GetContainingArray()
    set ExternalNetwork = Array.NetworkConfiguration.Networks("External")
    set ISPRCfg = ExternalNetwork.ISPRedundancyConfig
    ISPRCfg.MinimalResumeTime = 300
    ISPRCfg.TestIntervalLinkAvailable = 60
    ISPRCfg.TestIntervalLinkUnavailable = 60
    ISPRCfg.SuccessesToAvailable = 3
    ISPRCfg.FailuresToUnavailable = 3
    ISPRCfg.Save

    What is the correct way to execute this script?

  • http://www.isaserver.org/articles-tutorials/configuration-general/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html
