TMG workgroup deployment in DMZ

  • Friday, August 24, 2012 6:49 AM

    Hi Folks,

    I have a customer who is looking to deploy TMG 2010 in a High Availability set-up without overkill. They have two datacenters in the same city (stretched VLAN). Each datacenter has its own separate internet connectivity to the outside world, and all users reside in the primary datacenter. The following is their networking flow:

    Internet>Router>Firewall>Load Balancers>DMZ>Internal, and this setup is replicated in the second datacenter to provide failover. They are looking to deploy TMG only for reverse publishing Exchange Web Services, OWA, ActiveSync, Outlook Anywhere, etc. for an approx. 4000-user base. Now we have done some work to understand the network and ran the numbers through the TMG capacity planning and Exchange bandwidth calculators. I am thinking of proposing the following:

    • 1x EMS server in DMZ in primary datacenter (Workgroup setup)
    • 1 x TMG 2010 server in primary datacenter (Array Member)
    • 1 x TMG 2010 server in the secondary datacenter (Array Member)

    This way both TMG servers will have the same configuration, and the load balancers will be configured to send traffic to the TMG in the primary datacenter. If the TMG in the primary datacenter experiences an outage, the load balancer will forward the traffic to the second TMG in the second datacenter. Does anyone see an issue with that design? At one point I thought to have the EMS server domain-joined on the internal network and both TMG array members (in the DMZ) workgroup-joined, so that if the DMZ zone is unavailable it won't affect the EMS server and vice versa, but I am not sure if this would work having the EMS and array members in separate domain configurations.

    Appreciate any guidance.

All Replies

  • Friday, August 24, 2012 2:53 PM (Answered)

    This is valid; obviously the EMS will only be available when both DCs are up. Do you really need an EMS for such a small user base? How often will you actually be modifying publishing rules? You could save a lot of money by using Standard Edition. You will need to consider how you handle persistence, etc. from the HLB, but most vendors will provide their own whitepaper for this.

    I would move the EMS internally and leave it separate from the domain. It's one less point of attack.

  • Sunday, August 26, 2012 11:27 PM

    Yes Ross, the rule set will not change much as this is a dedicated TMG array for the Exchange publishing. Not having an EMS makes sense too, so if I remove it I am left with the one option of having two standalone TMGs, one in each datacenter.
  • Thursday, August 30, 2012 2:12 AM (Moderator, Proposed)

    Hi,

    Thank you for the post.

    “If the TMG in the primary datacenter experiences an outage the load balancer will forward the traffic to the second TMG in the second datacenter. Does anyone see issue with that design.” – this design is no problem. You may also refer to this thread about DR site: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/848561b0-2475-4098-839c-4fdea8115bef.

    Regards,

    Nick Gu - MSFT
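The design the thread settles on (two standalone TMG Standard Edition servers, HLB sending traffic to the primary and failing over to the secondary) only works if both nodes present a listener certificate valid for the published name and both answer the published OWA path. The following PowerShell script, added here as an example and not code from any of the posters, probes each node the way an HLB health check should: it connects to the node's DMZ address, validates TLS against the public name, requests /owa/ with the public Host header, and then applies the same primary-first decision the thread describes. The published name and the two node addresses are assumptions; replace them with the real values.

```powershell
# Added example for this thread (not code from any poster): probe each standalone TMG
# node's published OWA listener the way the HLB health check would, validating TLS
# against the public name. Names and addresses below are assumptions.
$PublishedName = 'mail.example.com'      # assumed name on the TMG web listener certificate
$Nodes = @{                              # assumed DMZ addresses of the two TMG servers
    'tmg-primary'   = '10.10.1.10'
    'tmg-secondary' = '10.20.1.10'
}

function Test-TmgListener {
    param([string]$Name, [string]$Ip, [string]$HostName, [int]$Port = 443)
    $result = New-Object PSObject -Property @{
        Node = $Name; Ip = $Ip; TlsOk = $false; Status = $null; Healthy = $false; Error = $null
    }
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($Ip, $Port)
        # AuthenticateAsClient checks the chain AND that the certificate matches
        # $HostName, so a node with a wrong or expired listener certificate fails
        # here, which is exactly what clients would hit after a failover.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsOk = $true
        $request = "GET /owa/ HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()
        $reader = New-Object System.IO.StreamReader($ssl)
        $statusLine = $reader.ReadLine()                 # e.g. "HTTP/1.1 302 Found"
        if ($statusLine -match '^HTTP/\d\.\d (\d{3})') { $result.Status = [int]$Matches[1] }
        # A forms-based-auth listener answers 200 (logon form) or 302 (redirect to it).
        $result.Healthy = (@(200, 302) -contains $result.Status)
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    return $result
}

$results = foreach ($entry in $Nodes.GetEnumerator()) {
    Test-TmgListener -Name $entry.Key -Ip $entry.Value -HostName $PublishedName
}
$results | Format-Table Node, Ip, TlsOk, Status, Healthy, Error -AutoSize

# Active/standby decision matching the design in the thread: the primary while it
# is healthy, otherwise the secondary. Configure the HLB with the same priority.
$active = $results | Where-Object { $_.Node -eq 'tmg-primary' -and $_.Healthy }
if (-not $active) { $active = $results | Where-Object { $_.Node -eq 'tmg-secondary' -and $_.Healthy } }
if ($active) { "Traffic should go to $($active.Node) ($($active.Ip))" } else { "Neither TMG node is serving OWA" }
```

Run it from a host that can reach both DMZ addresses on 443 (not from a TMG node itself, which would only see its own listener), and run it again after every change to either node's listener or publishing rules, since without an EMS nothing keeps the two standalone configurations in sync. It is written for PowerShell 2.0, which is what a TMG 2010 server ships with. Two points for the HLB configuration follow from the probe: a forms-based-authentication listener returns 302 for /owa/, so a health monitor that only accepts 200 will mark a working node down; and the script says nothing about persistence, which, as the reply above notes, still has to be set up on the HLB (cookie or source-IP stickiness per the vendor's TMG/Exchange guidance) so that an OWA session is not bounced between the two nodes.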