I have two Threat Management Gateway Enterprise servers set up in a standalone array for authenticated web proxying. I can verify NLB is working, but when I restart tmgA, which is the array manager, tmgB does not maintain the authenticated web proxy as I understand it should. As I understand it, it should maintain the web proxy using the last cached copy of the configuration it synced with the array manager. Both servers are set up using the single network adapter topology. I'm sure I'm forgetting some helpful configuration information here. Any help to get the failover working is much appreciated. Thanks!
-
Can you clarify your question? What symptoms are you seeing? Under what conditions? "does not maintain the authenticated web proxy" needs explanation. – TristanK May 18 '11 at 11:40
-
Per TechNet, I expect there to be high availability. That is, when tmgA goes down, tmgB should become the new proxy, through which only authenticated users on the domain can get internet access. Are DNS issues involved in pulling this off? Should the computers have the TMG client piece installed to pull off high availability? TechNet documentation makes me believe it should just work once the standalone array is set up. Thanks! – Britt Freeman May 18 '11 at 18:27
-
When one node disappears, the other(s) should take over. If this isn't happening, you'll need to provide information such as the error message or symptom, client configuration, server configuration, how you're testing, and so on. No, TMG Client isn't needed. When they're both "alive" either proxy should be usable through their dedicated IP. If not, troubleshoot that first. – TristanK May 19 '11 at 07:14
-
I'm using the integrated NLB within TMG, therefore the two TMG machines have different IPs, which I'm thinking is my issue. May try some DNS magic. No error messages. Symptom is no one in the TMG web access policy can get to the web once the array manager goes down (restart for updates, for instance). Client configuration is proxy set up in LAN settings on the client's browser. Thanks! – Britt Freeman May 19 '11 at 12:31
1 Answer
You can get better availability from TMG in one or more of the following ways:
Web Proxy Autodetection
Network Load Balancing
DNS RR
WPAD
The TMG boxes in an Array maintain an updated wpad.dat, even if autodiscovery is turned off. This file contains a list of all the nodes in the array, local name or IP exclusions, and so on, according to the settings on the relevant Network properties dialog, on the Web Browser tab (and related tabs). The algorithm used is the client-side implementation of CARP, and this includes a failover mechanism if the proxy used doesn't respond.
To use this, you need to configure clients to use (and your network to support) WPAD autodetection, or if that's hard, point them at the autoconfig URL explicitly: http://proxy:8080/wpad.dat. An NLB IP is fine; a dedicated IP or name is fine.
The default file format includes IP addresses of each node, and each node may be a backup for each other node, so if the connection to .1 fails, .2 may be tried for the same URL. You get "loose" availability in this way, just by using the script, without NLB being involved, depending on client behaviour.
Network Load Balancing
Every node in an array has a dedicated IP address (and the dedicated, i.e. unique, IP should be the one specified for intra-array communication, and the first IP listed in NIC properties->IPV4), but every node also shares any virtual IP addresses with all other nodes.
Pointing a client at NLBIP:8080 means that when one node fails, the client will connect to the other node, after NLB reconverges.
NLB provides box-dead failover only, and using Integrated NLB means that when TMG stops the firewall service on a node, it also helpfully turns off NLB at the same time, so that the node stops trying to accept incoming traffic.
DNS Round Robin
The worst solution for availability, but won't hurt unless the name overlaps with something important.
How This Affects The Question
Your clients should be configured either for:
- Explicit proxy, targeting the Virtual (shared) IP of the proxy, port 8080 (assuming you haven't changed the default), bypass for local (and an exclusion list)
or
- Autodetect (with WPAD pointing at http://VIP/wpad.dat)
or
- Automatic config script, http://vip:8080/wpad.dat
Then, when one node is turned off, the others should still be client-accessible, and should still work.
If that's not your problem, you need to troubleshoot it.
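As an added illustration of the wpad.dat / autoconfig-script approach the answer describes (this is a hand-written PAC script, not the file TMG generates, and not code from the original answer), the block below shows the two pieces that give "loose" availability without NLB: an ordered proxy list that the browser falls through when the first node does not answer, and the bypass rules for plain host names, the internal domain and private address ranges. The node addresses 10.0.0.11 and 10.0.0.12, the domain corp.example and the `*.local` exclusion are assumed placeholders; the small shims at the top stand in for the helper functions a browser's PAC engine normally provides, so the script can be exercised under Node for testing.

```javascript
// Hand-written PAC / wpad.dat example (not TMG's generated file).
// Assumed placeholders: array nodes 10.0.0.11 and 10.0.0.12 on port 8080,
// internal DNS domain corp.example, and a *.local exclusion.

// --- Shims: a browser supplies these PAC helpers itself. They exist here only
// so FindProxyForURL can be run outside a browser (e.g. under Node) ---------
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substr(host.length - domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Translate a shell-style glob (* and ?) into an anchored regular expression.
  var re = new RegExp("^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$");
  return re.test(str);
}
function isInNet(host, net, mask) {
  // Shim limitation: no DNS resolution here, only dotted-quad literals match.
  if (!/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.test(host)) return false;
  function toInt(s) {
    return s.split(".").reduce(function (acc, o) {
      return (acc << 8) + parseInt(o, 10);
    }, 0) >>> 0;
  }
  return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// --- The PAC logic itself --------------------------------------------------
// Ordered list of array members. The browser tries each PROXY entry in turn
// when the previous one does not respond, which is the client-side failover
// the answer refers to; no NLB or DNS trick is needed for this part.
var ARRAY_PROXIES = "PROXY 10.0.0.11:8080; PROXY 10.0.0.12:8080";

function FindProxyForURL(url, host) {
  // "Bypass proxy for local addresses": plain names go direct.
  if (isPlainHostName(host)) return "DIRECT";

  // Exclusion list: internal domain and *.local names go direct.
  if (dnsDomainIs(host, ".corp.example") || shExpMatch(host, "*.local")) {
    return "DIRECT";
  }

  // Private address ranges (RFC 1918) are reached without the proxy.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // Everything else goes through the array, first node preferred.
  return ARRAY_PROXIES;
}
```

Two points worth checking before relying on a script like this. First, as the answer's comment says, confirm that each node is usable on its own dedicated IP while both are up; if one node cannot proxy on its own, the fallback entry is pointing at something that will never answer. Second, browsers only move to the next `PROXY` entry when the first one fails to respond, and most remember a dead proxy for a while before retrying it, so the failover is at the level of "a connection attempt failed", not a health check; this is the "depending on client behaviour" caveat in the answer.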
-
MS default DNS caching TTL means that our DNS RR is just a temporary workaround while we implement the non-TMG-integrated NLB. Thanks for the point in the right direction – Britt Freeman May 23 '11 at 20:21