Outbound Traffic Issue with TMG and Multiple WAN / ISP Connections
-
Friday, December 28, 2012 7:58 AM
Hi there,
We have a scenario where 3 (three) multiple external Internet connections are connected directly to our TMG with publicly subnetted address ranges on separate NICs and connected to separate routers.
The configuration is 1 x ADSL2 connection (which is the only connection configured on TMG with a default gateway), and 1 x 4Mbit SHDSL and 1 x 2Mbit SHDSL. We also have one internal NIC and a perimeter NIC.
I am attempting to implement server publishing rules on the 4Mbit and 2Mbit services but all of the outgoing traffic appears to return or be limited by the bandwidth of the default gateway's connection. I've tried creating NAT Network Rules to services to encourage the return traffic back through the NIC it originated on but it seems that everything which exits the network to the Internet through TMG, regardless of any server publishing rules, ends up going out the default gateway. For example, ingress traffic with any publishing rule on the 4Mbit service comes in through the 4Mbit service, but appears to send all of its egress traffic through the ADSL2 connection, rather than returning in a stately fashion to the incoming IP address on the 4Mbit NIC. (This doesn't make a lot of sense to me routing-wise but it's what I'm seeing through NIC traffic and packet captures).
Is this configuration something which is supported on TMG? - Multiple WAN links with specific publishing rules on each NIC, expecting traffic to exit on the same NIC that it enters? Does it require further configuration? Or does TMG just not work like this?
I have tested extensively and am happy to provide further detailed information.
Thanks, Tim.
All Replies
-
Sunday, December 30, 2012 4:37 AM
Hi,
I've done some more research and I guess what I am looking at here is a standard routing problem. It doesn't matter whether NAT relationships to external (or internal) addresses are defined because there is only one default gateway to any incoming unknown addresses on the same router (i.e. TMG). Tried RIP etc., it doesn't work, and multiple default gateways won't implicitly (or otherwise on TMG) send incoming traffic back over the same WAN link they were initiated on (because there is no known path except for the default gateway). Referred to as asymmetric routing, inasmuch as the return source IP address stays the same but routes out through the default gateway's IP address anyway.
Have tried RIP and NAT relationships between internal / TMG addresses, and external / TMG addresses by defining networks and routing relationships; it's the limitation of a single default gateway on a single router which kills the configuration as far as I can tell. TMG doesn't allow you to say 'here's a session which came through on NIC A, and NIC A's default gateway is W.X.Y.Z, so send session traffic back through that NIC's gateway'.
Looks like I need to publish services (ie, specific servers) over routes which only offer a single default gateway - I guess this means ideally splitting the network and three TMGs, one for each WAN gateway with each published service behind a different TMG. Otherwise something like mapping WANs directly to web servers on the perimeter (if we can't afford the TMG licenses) and routing internal back through a single TMG.
I'm hoping there are a tonne of creative solutions to a multiple-WAN scenario, so please, please let me know.
Cheers, Tim.
-
Monday, December 31, 2012 3:31 AM (Moderator)
Hi,
Thank you for the post.
You can use ISP Redundancy in conjunction with ENAT. However ISP-R only allows you to link two external network adapters.
Regards,
Nick Gu - MSFT
- Edited by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator) Monday, December 31, 2012 3:31 AM
-
Tuesday, January 01, 2013 10:02 AM
Thanks Nick,
I've now configured ISP-R with LB/Failover and created an E-NAT rule for two of the publishing types we intend to implement - RDP and Web (SSL). However, this still does not appear to be working as intended.
Running Forefront TMG Standard SP2 (7.0.9193.500) on Windows 2008 R2 SP1 (build 7601). I have the ADSL Link running at 90% of load and the 4Mbit link at 10%. Have configured both NICs, the ADSL with an Interface metric of 1 and the 4Mbit metric at 2. Have created static routes to DNS and mail proxies through the TMG Interface. Then created an E-Nat rule between the RDP server and External, selecting one of the public addresses as the NAT Address Selection in the rule and moving the rule order to 2 (under the localhost rule). Configured the same on the Web server, just a different public IP.
The main symptom is that even though there is now a default gateway on the 4Mbit and an E-Nat rule which returns all traffic to that interface, TMG routes in the following way from the published server:
1 server default gateway (router)
2 TMG internal IP address
3 TMG NAT address selection on 4Mbit
4 TMG ADSL default gateway (router)
...and off to the internet. Obviously I'm expecting hop 4 to be the 4Mbit default gateway rather than the default gateway of the other NIC.
I have also tried including the published server in the 'dedicated servers' tab and adjusting the metrics on the NICs to be the same (both recreating the ISP-R configuration and restarting the TMG each time), with no change to the tracert above. This is particularly interesting as a dedicated server is not supposed to load balance or fail over if its assigned link is unavailable - unless of course this feature is only applicable to external servers.
There are a couple of things to clean up in the TMG configuration here tomorrow morning: there are currently static persistent routes set both in the command line interface (internal routes) and in the TMG interface (will move these all to TMG), and the ADSL and 4Mbit NICs are different models (will change to the same model). If these changes make any difference I will post back an update.
Appreciate your help.
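The routing behaviour Tim describes in his two follow-ups (a reply sourced from the 4Mbit NAT address still leaving via the ADSL default gateway) can be modelled in a few lines. The following is an added illustration, not part of the thread or of TMG: it uses a constructed routing table with documentation address ranges (192.0.2.0/29, 198.51.100.0/29, 203.0.113.0/29 stand in for the real public subnets), applies plain destination-based forwarding to a published-server reply, and contrasts it with source-based policy routing, which is the missing capability the posts describe.

```python
"""Model of the asymmetric-routing problem from the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected
    iface: str
    metric: int


# Constructed topology: three WAN NICs, each behind its own router, plus one internal NIC.
# Metrics mirror the post: ADSL = 1 (preferred), 4Mbit = 2, 2Mbit = 3.
ROUTES = [
    Route(ipaddress.ip_network("192.0.2.0/29"),    None,           "ADSL",     1),
    Route(ipaddress.ip_network("198.51.100.0/29"), None,           "SHDSL-4M", 2),
    Route(ipaddress.ip_network("203.0.113.0/29"),  None,           "SHDSL-2M", 3),
    Route(ipaddress.ip_network("10.0.0.0/24"),     None,           "Internal", 1),
    Route(ipaddress.ip_network("0.0.0.0/0"),       "192.0.2.1",    "ADSL",     1),
    Route(ipaddress.ip_network("0.0.0.0/0"),       "198.51.100.1", "SHDSL-4M", 2),
    Route(ipaddress.ip_network("0.0.0.0/0"),       "203.0.113.1",  "SHDSL-2M", 3),
]


def destination_lookup(dst: str) -> Route:
    """Ordinary forwarding: longest prefix wins, ties broken by lowest metric.
    The reply's source address and the NIC the session arrived on are ignored."""
    d = ipaddress.ip_address(dst)
    return max((r for r in ROUTES if d in r.prefix),
               key=lambda r: (r.prefix.prefixlen, -r.metric))


def policy_lookup(src: str, dst: str) -> Route:
    """Source-based policy routing, for contrast: a reply sourced from a WAN
    address is sent to that WAN's own default gateway."""
    s = ipaddress.ip_address(src)
    for onlink in (r for r in ROUTES if r.gateway is None and s in r.prefix):
        for dflt in ROUTES:
            if dflt.gateway and dflt.iface == onlink.iface:
                return dflt
    return destination_lookup(dst)   # internal sources fall back to normal forwarding


def reply_path(ingress_iface: str, nat_ip: str, remote_ip: str,
               source_aware: bool = False) -> dict:
    """Route the firewall's reply for a published-server session and report
    whether it leaves on the same NIC the request arrived on."""
    route = policy_lookup(nat_ip, remote_ip) if source_aware else destination_lookup(remote_ip)
    return {"egress": route.iface, "gateway": route.gateway,
            "symmetric": route.iface == ingress_iface}
```

With the default lookup, a session that arrived on SHDSL-4M for NAT address 198.51.100.5 is answered via the ADSL gateway (hop 4 in the tracert above); only the source-aware lookup returns it through 198.51.100.1.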