Extending Forefront TMG's ISP Redundancy Features


Etienne Liebetrau


Forefront TMG's ISP redundancy allows you to connect two separate ISPs as routes out to the Internet. There are two configurations: failover or load balanced.

Failover configuration provides a robust Internet connection in the event your primary ISP connection goes down by routing traffic to a standby ISP connection. The drawback of this active-passive configuration is that the standby connection is only ever used in the event of a problem.

Load balanced configuration uses both ISP connections simultaneously, balancing traffic loads either evenly or unevenly as specified by the administrator. Load balanced configuration also has failover capability so if one link fails, all traffic is routed through the second.

ISP Redundancy Considerations and Limitations

Having redundant Internet providers can get expensive, so cheaper consumer grade ADSL is often used for the standby or backup ISP connection, resulting in different speeds and capabilities between the Internet links.

For this article, I will refer to the expensive premium service as ISP A and the cheaper consumer grade connection as ISP B.

When using Forefront TMG's load balancing option, you can specify what percentage of the load is sent to ISP A and ISP B:

There is a potential problem with this scenario in that the cheaper consumer grade services from ISP B are not normally performance guaranteed. So even if the performance on the cheap link degrades, the specified percentage of traffic will still be routed through that link despite there being ample bandwidth through ISP A.

For this reason, some companies prefer to play it safe and stick with a failover configuration. But as mentioned, this leaves your second ISP link inactive and underutilized until a problem occurs.

Wouldn't it be great if you could utilize your second backup link with ISP B for certain low priority / high volume traffic such as Windows Server Update Services (WSUS), preserving ISP A's bandwidth for mission critical data?

The good news is that you can!

Static ISP Mappings

You can route your low priority traffic through ISP B using static ISP mappings.  To enable this configuration, Forefront TMG must first be configured for ISP redundancy (See

Even though the steps below can be applied in both failover and load balanced mode, I recommend setting ISP Redundancy to failover for simplicity and testing purposes.

1. Create Network Objects for ISP B

Network objects need to be created for the low priority clients or servers using the TMG Management console. To do this:

  1. Select Firewall Policy
  2. Select Toolbox
  3. Expand Network Objects
  4. Select New – Computer Set
  5. Call the collection “ISP B computers”
  6. Add the servers or clients that will only use ISP B

2. Create A Network Rule for ISP B

It is important to know that static NAT rules are prioritised over ISP redundancy. We will take advantage of this fact and define a static NAT rule for the low priority traffic.

  1. Select Networking
  2. Select Network Rules
  3. Select Create new network Rule
  4. Specify a name such as “Backup ISP” or “Cheap Internet”
  5. Add the “ISP B computers” Object created earlier as the source
  6. Select the External Network as the destination
  7. Select Network Address Translation (NAT) as the relationship
  8. Select Use Specified IP address and choose ISP B’s IP address
  9. Finish the Wizard and apply the changes


Testing the Static ISP Mapping

To test that the “ISP B computers” only leave the company on ISP B’s external IP, log in to an ISP B computer and browse to a site that displays your external IP address. You should see ISP B's external IP as the source address. For all other computers, the site should display ISP A's external IP.

A key point to remember here is that the "ISP B computers" will always be routed through ISP B regardless of the ISP redundancy settings. Even if you set ISP redundancy to load balanced, all the traffic from "ISP B computers" will go through ISP B.

This also means that if ISP B's connectivity is broken, the traffic from "ISP B computers" will NOT be routed via ISP A.  This therefore guarantees that your low priority traffic will never use ISP A regardless of what happens.


Unfortunately, Forefront TMG does not log any ISP redundancy data. There are no log fields that will tell you which ISP is being used. You can, however, gain some visibility by creating a separate Internet Access Rule for the “ISP B computers” object. Any Internet request by these computers will now be logged under that firewall rule.

You can then generate comprehensive reports on this traffic by filtering your reports by this rule using either Fastvue TMG Reporter or Webspy Vantage.
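The same per-rule view can be pulled straight from an exported W3C log file. The sketch below is an added example, not code from the article or from either reporting product; the rule name, client addresses and field names (`c-ip`, `sc-bytes`, `cs-bytes`, `rule`) are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Assumptions, not from the article: the rule name, the client addresses and
# the tab-separated W3C field names c-ip, sc-bytes, cs-bytes and rule.
ISP_B_RULE = "ISP B Internet Access"
ISP_B_COMPUTERS = {"10.0.0.21", "10.0.0.22"}

# Constructed sample log, not real TMG output.
SAMPLE_LOG = (
    "#Fields: c-ip\tr-host\tsc-bytes\tcs-bytes\trule\n"
    "10.0.0.21\twsus.example.com\t500000\t1200\tISP B Internet Access\n"
    "10.0.0.21\twsus.example.com\t250000\t800\tISP B Internet Access\n"
    "10.0.0.22\twww.example.com\t4000\t600\tDefault Web Access\n"
    "10.0.0.50\twww.example.com\t9000\t700\tDefault Web Access\n"
    "10.0.0.60\twsus.example.com\t1000\t-\tISP B Internet Access\n"
)

def parse_w3c(lines):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def to_int(value):
    return int(value) if value.isdigit() else 0  # "-" means not logged

def summarize(lines, rule=ISP_B_RULE, members=ISP_B_COMPUTERS):
    """Return (bytes per client under the rule, strays, outsiders)."""
    usage = defaultdict(int)
    strays = set()     # set members whose request matched another rule
    outsiders = set()  # clients outside the set matched by the ISP B rule
    for rec in parse_w3c(lines):
        client, matched = rec["c-ip"], rec["rule"]
        if matched == rule:
            usage[client] += to_int(rec["sc-bytes"]) + to_int(rec["cs-bytes"])
            if client not in members:
                outsiders.add(client)
        elif client in members:
            strays.add((client, matched))
    return dict(usage), sorted(strays), sorted(outsiders)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

The rule name only records which access rule matched a request; the NAT network rule still decides the outbound link. Strays are therefore traffic that leaves via ISP B but is missing from the per-rule report, while outsiders are counted in the report without being mapped to ISP B.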

Looking forward to your comments!
