TMG, and 2 ISPs, one of which requires its own proxy settings

  • Question

  • Hi everyone.

    Using TMG Enterprise on x64 Server 2008. We currently have only one ISP connected to TMG as 'external' for all users' internet access.

    I want to use a second connection, which is provided by our county (very fast, and highly filtered) for some users. This connection requires a proxy server. My question is, can TMG be used in this scenario? My internal clients use TMG as the proxy. I want some users to use one connection and the other users to use another.

    Can I tell TMG that this connection requires a proxy? I hope this makes sense.

    Thanks

    Tuesday, May 11, 2010 12:04 PM

All replies

  • Dave,

    The only way TMG will use multiple ISPs is for load balancing or redundancy. In the load balancing scenario it would split the traffic between the two (also has failover). In the redundancy scenario it would use one and then switch to the other if the first one fails.

    Unfortunately there is no way to set TMG up to force certain users to use one particular ISP.

    HTH.

    Tuesday, May 11, 2010 8:00 PM
    Answerer
  • You can direct traffic via different ISPs (using NAT rules) based upon source IP address, but not users/groups.

    http://blogs.technet.com/isablog/archive/2009/02/16/keeping-high-availability-with-forefront-tmg-s-isp-redundancy-feature.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, May 11, 2010 9:07 PM
  • This is the sort of thing that Web Chaining was made to address.  But for some reason I can't fathom, they didn't build it to route based on the access rule.

    Collective has this on the ideas whiteboard as a good filter to make.  But it's non-trivial since we'd have to essentially duplicate the web chaining back end and use ours instead of the built-in one.

    • Marked as answer by daveHassen Friday, May 14, 2010 10:22 AM
    Thursday, May 13, 2010 4:47 PM
  • Thanks for the replies, guys. Shame that, and it does seem a little strange because you'd think it would be so easy for them to implement.

    We did see that we can use web chaining to use the ISP's proxy settings etc., but if we can't choose who can use what, there's no point for us.

    I'll post back if we find a way round it.

    Thanks

    Friday, May 14, 2010 10:22 AM
  • The answer to my initial question 'can you put in proxy details for an ISP' is yes, through web chaining.

    The answer to the other bit - different ISPs for different users is simple enough - have two TMG servers and specify which gateway to use in group policy :)

    • Marked as answer by daveHassen Tuesday, May 18, 2010 9:53 AM
    Tuesday, May 18, 2010 9:53 AM