Consider the following scenario: you are running an array of two or more Forefront TMG 2010 servers and need to establish a VPN Site-to-Site connection. For this you have to define a connection owner, because exactly one array member must serve as the tunnel endpoint for the connection.
Normally you define the connection owner in the wizard when you create the Site-to-Site connection.
You can also change this setting afterwards: the properties of the Site-to-Site connection contain a tab called 'Server' for this purpose.
Generally speaking, this tab is shown when the array consists of multiple servers and NLB is disabled.
This is also explained in the following TechNet article: http://technet.microsoft.com/en-us/library/dd441072.aspx
“If the Forefront TMG server is a member of an array, on the Connection Owner page, click the array member that will serve as the VPN tunnel endpoint in the array. If Network Load Balancing (NLB) is enabled for the array, you do not have to specify a connection owner; it will be assigned automatically.”
However, if you have enabled NLB on one interface only (e.g. the internal one) but not on the external interface, the 'Server' tab is missing when you open the properties of a Site-to-Site connection. This becomes a problem if you need to change the connection owner.
To work around this, you can use the following script, which sets the connection owner directly through the TMG COM object model (FPC.Root). Copy the content below into a text editor and save it as a .vbs file (e.g. connectionsowner.vbs).
Then run the script with the syntax 'cscript connectionsowner.vbs ConnectionName NewConnectionOwnerName'.
The script prints the currently assigned connection owner to the console, sets the new one and prints the value again after saving the change.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script displays the currently assigned server (connection owner)
' for a given VPN Site-to-Site network and sets it to the server name
' passed as the second argument.
'
' Run it from a command prompt with:
'   CScript connectionsowner.vbs NetworkName ServerName
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Option Explicit

' HRESULT returned when the named network does not exist in the collection
Const Error_FileNotFound = &H80070002

Dim networkName   ' Name of the VPN S2S network
Dim serverName    ' Array member that should own the connection
Dim network       ' FPCNetwork object for the S2S network

Call Main(WScript.Arguments)

Sub Main(args)
    If args.Count <> 2 Then
        Usage()
    End If
    networkName = args(0)
    serverName = args(1)
    SetValue()
End Sub

Sub SetValue()
    Dim root          ' FPC.Root object
    Dim tmgArray      ' FPCArray object
    Dim arrayNetworks ' FPCNetworks collection of the array

    Set root = CreateObject("FPC.Root")
    Set tmgArray = root.GetContainingArray
    Set arrayNetworks = tmgArray.NetworkConfiguration.Networks

    ' Look up the network; Item raises an error if the name is unknown
    On Error Resume Next
    Set network = arrayNetworks.Item(networkName)
    If Err.Number = Error_FileNotFound Then
        WScript.Echo "The network specified could not be found."
        WScript.Quit 1
    ElseIf Err.Number <> 0 Then
        CheckError
        WScript.Quit 1
    End If
    On Error GoTo 0

    WScript.Echo "Found the network " & networkName & ", it currently has the server " _
        & network.VpnConfiguration.AssignedServer & " assigned to it"

    ' Set the connection owner; keep Resume Next active so CheckError sees errors
    On Error Resume Next
    network.VpnConfiguration.SetAssignedServer serverName
    CheckError
    WScript.Echo "Now set the connection owner server to " & network.VpnConfiguration.AssignedServer

    ' Save the change (fResetRequiredServices = False, fReloadConfiguration = True)
    network.Save False, True
    CheckError
    On Error GoTo 0
End Sub

Sub CheckError()
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End Sub

Sub Usage()
    WScript.Echo "Usage:" & vbCrLf _
        & "  CScript " & WScript.ScriptName & " NetworkName ServerName" & vbCrLf _
        & vbCrLf _
        & "  NetworkName - Name of a VPN S2S network" & vbCrLf _
        & "  ServerName  - Array member that should become the connection owner" & vbCrLf
    WScript.Quit 1
End Sub
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
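The same change can be made from PowerShell on an array member, which is where most TMG administration is scripted today. The following is an added example and not part of the original post or of the TMG product; it uses the FPC.Root COM object and the VpnConfiguration.AssignedServer / SetAssignedServer members that the VBScript above relies on, and additionally assumes that FPCArray exposes a Servers collection whose members have a Name property (so the new owner can be validated against the array membership before the configuration is touched) and that a -WhatIf switch is wanted for a dry run:

```powershell
# Added example (not from the original post): set the VPN Site-to-Site
# connection owner through the Forefront TMG COM object model.
# Assumptions: FPC.Root, FPCArray.Servers (FPCServer objects with .Name),
# FPCNetwork.VpnConfiguration.AssignedServer and .SetAssignedServer.
param(
    [Parameter(Mandatory = $true)][string]$NetworkName,   # name of the S2S network
    [Parameter(Mandatory = $true)][string]$NewOwner,      # array member to own the tunnel
    [switch]$WhatIf                                       # report only, change nothing
)

$root     = New-Object -ComObject "FPC.Root"
$tmgArray = $root.GetContainingArray()

# Refuse names that are not array members: SetAssignedServer would otherwise
# leave the tunnel without a valid endpoint.
$members = @($tmgArray.Servers | ForEach-Object { $_.Name })
if ($members -notcontains $NewOwner) {
    Write-Error ("'{0}' is not a member of array '{1}'. Members: {2}" -f `
        $NewOwner, $tmgArray.Name, ($members -join ", "))
    exit 1
}

try {
    $network = $tmgArray.NetworkConfiguration.Networks.Item($NetworkName)
} catch {
    Write-Error "Network '$NetworkName' not found: $($_.Exception.Message)"
    exit 1
}

$vpn = $network.VpnConfiguration
Write-Host ("Network '{0}' currently has connection owner '{1}'" -f $NetworkName, $vpn.AssignedServer)

if ($vpn.AssignedServer -eq $NewOwner) {
    Write-Host "Connection owner already set, nothing to do."
    exit 0
}
if ($WhatIf) {
    Write-Host "WhatIf: would set connection owner of '$NetworkName' to '$NewOwner'"
    exit 0
}

$vpn.SetAssignedServer($NewOwner)
# Save(fResetRequiredServices, fReloadConfiguration): same flags as the VBScript uses
$network.Save($false, $true)
Write-Host ("Connection owner of '{0}' is now '{1}'" -f $NetworkName, $network.VpnConfiguration.AssignedServer)
```

Run it as .\Set-S2SOwner.ps1 -NetworkName "Branch Office" -NewOwner TMG02 -WhatIf first to confirm the network and array member are resolved as expected, then without -WhatIf to apply the change. Like the VBScript, it does not make the 'Server' tab reappear; it only changes the stored value.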
Please note that running this script will not bring the missing tab back, but the connection owner will be changed nevertheless. To see the tab again you would have to disable NLB integration in TMG completely.
I hope this blog post is helpful for you and I am looking forward to your comments.
Author: Frank Hennemann Microsoft CSS Forefront Security Edge Team
Reviewer: Thomas Detzner Microsoft Consulting Services
Wow...how is this something that has not been addressed? I can't disable NLB without setting the server, but I can't set the server until NLB is disabled.....wow...just wow.