How do you make Forefront TMG 2010 redundant in case disaster strike ?


  • How do you make Forefront TMG 2010 redundant in case disaster strike ?

    Hi,

    At the moment I'm using MS TMG 2010 as my firewall to publish my Exchange Server and IIS website to the internet. However, it is just one VM in the DMZ network with just one network card (vNIC). What sort of redundancy method is suitable for making this firewall VM redundant / automatically fail over?

    This is very important because, in the event of disaster recovery, all important email through various mobile devices will still need to operate, and that is impossible if this TMG 2010 VM is offline.

    Is it by using:
    1. NLB
    2. Clustering
    3. VMware HA / FT (one VM in production, the other VM in DR site?)

    Any suggestions and ideas will be appreciated.

    Thanks.

  • #2
    Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

    You can build a farm of ISA2006 servers - I remember we had it set up like that in a way old job.

    However, exactly how it's done I'm not sure - but with TMG you could almost definitely do it.

    Just not sure how off the top of my head, sorry.

    All the changes had to be made on a 3rd server, which used a database to control the rules and things.
    Last edited by tehcamel; 2nd March 2011, 20:05.


    • #3
      Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

      Albertwt,

      Is VMware Virtualisation really the correct place for this post? You've been here long enough based on your post count to know which forums you should be posting in.

      Reported to admins to move.

      Michael
      Michael Armstrong
      www.m80arm.co.uk
      MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

      ** Remember to give credit where credit is due and leave reputation points where appropriate **


      • #4
        Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

        Originally posted by tehcamel:
        > You can build a farm of ISA2006 servers - I remember we had it set up like that in a way old job.
        >
        > However, exactly how it's done I'm not sure - but with TMG you could almost definitely do it.
        >
        > Just not sure how off the top of my head, sorry.
        >
        > All the changes had to be made on a 3rd server, which used a database to control the rules and things.

        I am thinking to deploy it in VMware as a normal VM (like now) and then implementing the TMG 2010 integrated mode.

        So I just wanted to know if anyone else has deployed this configuration before on top of VMware.



        • #5
          Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

          Done it in Hyper-V and it is supported virtualised, you need TMG Enterprise to create an array though and it'll need to be Dual-NIC edge firewall rather than single-NIC reverse proxy.
          BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
          Cruachan's Blog


          • #6
            Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

            Originally posted by cruachan:
            > Done it in Hyper-V and it is supported virtualised, you need TMG Enterprise to create an array though and it'll need to be Dual-NIC edge firewall rather than single-NIC reverse proxy.

            Hm.. While I was reading an article regarding high availability of TMG 2010, I read that I must do the multicast NLB. In my current situation my TMG 2010 is Standard edition with just one vNIC on top of VMware ESX, and this TMG 2010 publishes my CAS for Exchange ActiveSync, which is vital for my company.

            Based on your suggestion, then, I should look for the Enterprise edition and then set 2x vNIC on each VM per site?



            • #7
              Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

              Actually you'll need at least 3 NICs per TMG server. One each for the internal and external networks and one for the intra-array networks so that the TMG servers can talk to each other. This can be a purely virtual network though.

              TMG arrays are only possible in Enterprise though, which ain't cheap.
              BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
              Cruachan's Blog


              • #8
                Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

                Originally posted by cruachan:
                > Actually you'll need at least 3 NICs per TMG server. One each for the internal and external networks and one for the intra-array networks so that the TMG servers can talk to each other. This can be a purely virtual network though.
                >
                > TMG arrays are only possible in Enterprise though, which ain't cheap.

                Oh... so Standard can't be configured in that way?
                Hm, maybe the only redundancy can be performed from hypervisor level (in this case with VMware HA)?



                • #9
                  Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

                  You can have an array in TMG standard, but it can only contain one member. Which is pointless, but that's the way MS have done it.
                  BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                  Cruachan's Blog


                  • #10
                    Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

                    Originally posted by cruachan:
                    > You can have an array in TMG standard, but it can only contain one member. Which is pointless, but that's the way MS have done it.

                    Hm.. it seems that I must utilize the hypervisor layer HA features to perform the redundancy method.

                    Otherwise I'll have to deploy the following:

                    1. deployment of 1x TMG Enterprise 2010 site as single vNIC - in production site
                    2. deployment of 1x TMG Enterprise 2010 site as single vNIC - in DR site
                    3. deployment of 1x EMS on dedicated server to create and manage the above TMG 2010 in production site.
                    4. Configure the servers above as array of Multicast NLB configuration.



                    • #11
                      Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

                      Sorry, I misunderstood slightly. TMG arrays are primarily for HA in a single site, not for DR.

                      For HA at the main site you're looking at 2 x TMG Enterprise in an array, with an EMS Server for management purposes.

                      For DR, you'll need to provide some more details on your setup, i.e. how instant failover needs to be, version of Exchange and how it's set up, what services are published and what devices are connecting to them.
                      BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                      Cruachan's Blog


                      • #12
                        Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

                        Originally posted by cruachan:
                        > Sorry, I misunderstood slightly. TMG arrays are primarily for HA in a single site, not for DR.
                        >
                        > For HA at the main site you're looking at 2 x TMG Enterprise in an array, with an EMS Server for management purposes.
                        >
                        > For DR, you'll need to provide some more details on your setup, i.e. how instant failover needs to be, version of Exchange and how it's set up, what services are published and what devices are connecting to them.

                        Great, many thanks cruachan for your reply.

                        > how instant failover needs to be
                        It can be manually initiated, e.g. changing the DNS record myself.

                        > version of Exchange and how it's set up
                        Exchange Server 2007 Enterprise SP1 with CCR cluster in the DR site using VLAN over dark fiber.

                        > what services are published and what devices are connecting to them.
                        The service that I want to make sure is running is the Exchange Server email pushed by ActiveSync during the emergency.



                        • #13
                          Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

                          Cool, 1 TMG Standard in each site will do the job in that case. You only really need an array if you need local HA as well. You'll need to set up all of the appropriate publishing rules on TMG for the CAS Server at the DR site, and you'll also need a certificate with the same SANs as the certificate at the main site. Then it's just a case of changing the DNS records in the event of an outage to point to the DR site IP rather than the main site.
                          BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                          Cruachan's Blog
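
Added example, not part of the thread or any poster's code: a Python pre-failover check for the requirement in #13 that the DR listener carries a certificate with the same SANs as the main site. The host names and certificate data are constructed placeholders, and the certificate dicts are assumed to have the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl


def fetch_cert(site_ip, public_host, port=443, timeout=5.0):
    """Connect to one site's listener by IP, sending the public name via SNI.

    The default context validates chain and hostname the way a client would,
    so an ssl.SSLError here already means the site is not ready.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((site_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=public_host) as tls:
            return tls.getpeercert()


def dns_sans(cert):
    """DNS subjectAltName entries of a getpeercert()-style dict, lowercased."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}


def covers(sans, host):
    """True if host matches a SAN exactly or via a one-label wildcard."""
    host = host.lower()
    _, _, parent = host.partition(".")
    return host in sans or (bool(parent) and "*." + parent in sans)


def compare_sites(main_cert, dr_cert, published_hosts):
    """Report names the DR certificate lacks relative to the main site."""
    main, dr = dns_sans(main_cert), dns_sans(dr_cert)
    return {
        "missing_at_dr": sorted(main - dr),
        "uncovered_hosts": sorted(h for h in published_hosts if not covers(dr, h)),
    }


# Constructed sample data (hypothetical names), shaped like getpeercert() output.
MAIN_CERT = {"subjectAltName": (("DNS", "mail.example.com"),
                                ("DNS", "autodiscover.example.com"))}
DR_CERT = {"subjectAltName": (("DNS", "mail.example.com"),)}
PUBLISHED = ["mail.example.com", "autodiscover.example.com"]

if __name__ == "__main__":
    print(compare_sites(MAIN_CERT, DR_CERT, PUBLISHED))
```

Running `fetch_cert` against each site's external IP before an outage, while DNS still points at the main site, shows whether the DR publishing rule would pass client validation once the record is changed.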



                          • #14
                            Re: How do you make Forefront TMG 2010 redundant in case disaster strike ?

                            Can I make a physical machine backup and sync it every day or every week?
