UAG NLB no work

  • Question

  • I have two UAG SP3 (TMG 7.0.9193.575) servers on VMware:

    1. Define Internal, External networks (UAG - Admin - Network Interfaces)

    2. Set array manager (UAG - Admin - Array management)

    3. Add second member to array (UAG - Admin - Array management)

    4. Apply, reload servers

    5. Add Virtual IP (UAG - Admin - Network Load Balancing - External, Multicast)

    6. Apply, reload servers

    7. Set static ARP in my Cisco

    In the servers' ipconfig I see my VIP address, but NLB does not start in the TMG console. TMG alerts register the event: "Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server UAG1. The following providers may define filters that conflict with the Forefront TMG firewall policy: UAG-DA NLB." If I manually start NLB, it works for some time and then stops without an error. If I create a test trunk in UAG, it does not work from external; it works only from localhost. How can I correctly configure NLB on UAG servers? Why does it not work?
    In the TMG console my VIP address is set on the External network; maybe this is incorrect? Maybe I need to create a DMZ network with my Internet IP and set the VIP on this DMZ network? How will UAG work if I change the TMG config?


    • Edited by inevg Thursday, March 14, 2013 7:37 AM
    Thursday, March 14, 2013 7:02 AM

Answers

  • Do not adjust the NLB settings from inside TMG. All of your NLB configurations need to be made from inside UAG. It sounds like you have taken the right steps, though you may want to delete the VIP and re-add it with Unicast. Multicast is now supported for DirectAccess, but from your description (the fact that you aren't setting up an internal VIP), it sounds like you are not using DirectAccess and so I assume you are using a UAG portal, and I believe that only Unicast is supported for UAG portal NLB (somebody please correct me if that is wrong).

    You said something about starting NLB from the TMG console - this is not the correct place to do it. After you set up the array and add in the VIP, then set a trunk to run on the VIP, then you go into the UAG Web Monitor and from the Farm section - this is where you can start and stop the NLB services. You do not have to touch anything inside TMG with regards to NLB.

    • Marked as answer by inevg Friday, March 15, 2013 6:21 AM
    Thursday, March 14, 2013 5:51 PM

All replies

  • Thanks, it really works with Unicast.
    Friday, March 15, 2013 6:20 AM
  • Hi experts,

    I installed the Threat Management Gateway in 2014 and have now decided to install UAG 2010 on that machine. UAG 2010 installed successfully, but after installation, when I activate UAG 2010, the error below occurs.

    -- NLB setting could not be configured.

    --Error occurred while activating the configuration.

    and in the TMG 2010 alerts, the alert below:

      

     -Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server TMG-XYZ. The following providers may define filters that conflict with the Forefront TMG firewall policy: UAG-DA NLB.

    I have not configured any configuration related to NLB in TMG 2010 and UAG 2010. I don't know where this error comes from.

    Need experts help.


    • Edited by NajeebUllah Saturday, December 3, 2016 3:30 PM
    Saturday, December 3, 2016 3:29 PM
  • That is a normal error to see in TMG when you are running UAG, you can safely ignore those. However, you did not take a supported path to installing UAG and so you really should go back and build it up the "right" way. You should never install TMG and then install UAG on top of it. The UAG installer includes TMG, and you should only ever run the UAG installer on a clean server that is not being used for any other purpose.

    When you are using UAG on a box, even though it includes TMG, it is not supported to use TMG to do any "TMG things". UAG uses TMG in order to shuttle traffic and to protect itself, but you are not supposed to configure TMG for anything like proxy, reverse proxy, VPN, or anything else while it is running on a UAG box.

    Friday, January 6, 2017 9:06 PM