Extending Forefront TMG’s ISP Redundancy Features

Posted January 10, 2013

Forefront TMG’s ISP redundancy allows you to connect two separate ISP’s as routes out to the Internet. There are two configurations; fail-over or load balanced.

Failover configuration provides a robust Internet connection in the event your primary ISP connection goes down by routing traffic to a standby ISP connection. The drawback of this active-passive configuration is that the standby connection is only ever used in the event of a problem.

Load balanced configuration uses both ISP connections simultaneously, balancing traffic loads either evenly or unevenly as specified by the administrator. Load balanced configuration also has failover capability so if one link fails, all traffic is routed through the second.

ISP Redundancy Considerations and Limitations

Having redundant Internet providers can get expensive, so cheaper consumer grade ADSL is often used for the standby or backup ISP connection, resulting in different speeds and capabilities between the Internet links.

For this article, I will refer to the expensive premium service as ISP A and the cheaper consumer grade connection as ISP B.

When using Forefront TMG’s load balancing option, you can specify what percentage of the load is sent to ISP A and ISP B:

There is a potential problem with this scenario in that the cheaper consumer grade services from ISP B are not normally performance guaranteed. So even if the performance on the cheap link degrades, the specified percentage of traffic will still be routed through that link despite there being ample bandwidth through ISP A.

For this reason some companies prefer to play it safe and stick with a failover configuration. But as mentioned, this leaves your second ISP link inactive and under utilized until a problem occurs.

Wouldn’t it be great if you could utilize your second backup link with ISP B for certain low priority / high volume traffic such as Windows Server Update Services (WSUS), preserving ISP A’s bandwidth for mission critical data?

The good news is that you can!  

Static ISP Mappings

You can route your low priority traffic through ISP B using static ISP mappings.  To enable this configuration, Forefront TMG must first be configured for ISP redundancy (See http://technet.microsoft.com/en-us/library/dd440984.aspx).

Even though the steps below can be applied in both failover and load balanced mode, I recommend setting ISP Redundancy to failover for simplicity and testing purposes.

1. Create Network Objects for ISP B

Network objects need to be created for the low priority clients or servers using the TMG Management console. To do this:

  1. Select Firewall Policy
  2. Select Toolbox
  3. Expand Network Objects
  4. Select New – Computer Set
  5. Call the collection “ISP B computers”
  6. Add the servers or clients that will only use ISP B

2. Create A Network Rule for ISP B

It is important to know that static NAT rules are prioritised over ISP redundancy. We will take advantage of this fact and define a static NAT rule for the low priority traffic.

  1. Select Networking
  2. Select Network Rules
  3. Select Create new network Rule
  4. Specify a name such as “Backup ISP” or “Cheap Internet”
  5. Add the “ISP B computers” Object created earlier as the source
  6. Select the External Network as the destination
  7. Select Network Address Translation (NAT) as the relationship
  8. Select Use Specified IP address and choose  ISP B’s IP address
  9. Finish the Wizard and apply the changes


Testing the Static ISP Mapping

To test that the “ISP B computers” only leave the company on ISP B’s external IP, login to an ISP B computer and browse to http://whatismyip.org.  You should see ISP B’s external IP as the source address. For all other computers, the site should display ISP A’s external IP.

A key point to remember here is that the “ISP B computers” will always be routed through ISP B regardless of the ISP redundancy settings. Even if you set ISP redundancy to load balanced, all the traffic from “ISP B computers” will go through ISP B.

This also means that if ISP B’s connectivity is broken, the traffic from “ISP B computers” will NOT be routed via ISP A.  This therefore guarantees that your low priority traffic will never use ISP A regardless of what happens.


Unfortunately, Forefront TMG does not log any ISP redundancy data. There are no log fields that will tell you which ISP is being used. You can however gain some visibility be creating a separate Internet Access Rule for the ISP B Computers objects. Any Internet request by these computers will now be logged under that firewall rule.

You can then generate comprehensive reports on this traffic by filtering your reports by this rule using either Fastvue TMG Reporter or Webspy Vantage.

Looking forward to your comments!

Posted in , , , , ,

Etienne Liebetrau

Based in Cape Town, South Africa he is an IT Professional working in various environments building, testing and maintaining systems for a large national retail chain. An IT professional since 1996 Etienne has worked in various environments and is certified by Comptia, Dell and Microsoft. Etienne is the technical blogger and primary technical consultant for FixMyITsystem.com a solutions provider company based in Cape Town with a global client base.

Follow me on twitter


  1. Nice Article , the one what I was looking for long time.

    In this case what if the ISP B goes down? Will it go through ISP A ?

  2. Well done. I am using it and its working perfect :)

  3. Well done. I am using it and its working well. But internet speed is bit low on ISP B.


  4. I am having a weired problem. I have exchange server 2010 and an ISP with 4 static IPs.

    Two days ago I configured ISP redundancy at TMG and everything was working fine. One fine morning when I sent an email to an xyz person, a notification came back to my inbox saying my IP is blacklisted hence the email was rejected. The which it displayed was the IP address of my second ISP which I added recently, that to its not static.

    My question is, how can I configure TMG or Exchange so that it should send/receive emails through my 1st ISP only.

    Your response shall be helpful to me.

    Thank you,


    • You can bind your Exchange server to only use ISP A by defining it as the source and your ISP A as the NAT.

      If you look at the screenshot on the article you will notice the source object for Cheap Internet is “Test Laptop” and the destination NAT address is specified.

      You should be able to configure your Exchange like this explicitly.

Leave a Response

If you have a question or comment, or just need to get in touch, please use the form below.