Forefront TMG's ISP Redundancy feature allows you to connect two separate ISPs as routes out to the Internet. There are two configurations: failover or load balanced.
Failover configuration provides a robust Internet connection in the event your primary ISP connection goes down by routing traffic to a standby ISP connection. The drawback of this active-passive configuration is that the standby connection is only ever used in the event of a problem.
Load balanced configuration uses both ISP connections simultaneously, balancing traffic loads either evenly or unevenly as specified by the administrator. Load balanced configuration also has failover capability so if one link fails, all traffic is routed through the second.
Having redundant Internet providers can get expensive, so cheaper consumer-grade ADSL is often used for the standby or backup ISP connection, resulting in different speeds and capabilities between the two Internet links.
For this article, I will refer to the expensive premium service as ISP A and the cheaper consumer grade connection as ISP B.
When using Forefront TMG's load balancing option, you can specify what percentage of the load is sent to ISP A and to ISP B.
There is a potential problem with this scenario in that the cheaper consumer-grade service from ISP B is not normally performance guaranteed. TMG's load balancing distributes connections by the configured percentage, not by measured link throughput, so even if performance on the cheap link degrades, the specified percentage of traffic will still be routed through that link despite there being ample bandwidth through ISP A.
For this reason some companies prefer to play it safe and stick with a failover configuration. But as mentioned, this leaves your second ISP link inactive and underutilized until a problem occurs.
Wouldn't it be great if you could utilize your second backup link with ISP B for certain low-priority, high-volume traffic such as Windows Server Update Services (WSUS), preserving ISP A's bandwidth for mission-critical data?
The good news is that you can!
You can route your low priority traffic through ISP B using static ISP mappings. To enable this configuration, Forefront TMG must first be configured for ISP redundancy (See https://technet.microsoft.com/en-us/library/dd440984.aspx).
Even though the steps below can be applied in both failover and load balanced mode, I recommend setting ISP Redundancy to failover for simplicity and testing purposes.
Network objects need to be created for the low priority clients or servers using the TMG Management console. To do this:
It is important to know that static NAT rules are prioritised over ISP Redundancy: when a network rule explicitly translates a source to a particular external IP address, the traffic leaves on the link that owns that address, whatever the ISP Redundancy settings say. We will take advantage of this fact and define a static NAT rule that translates the low priority traffic to ISP B's external IP address.
To test that the "ISP B computers" only leave the company on ISP B's external IP, log in to an ISP B computer and browse to https://whatismyip.org. You should see ISP B's external IP as the source address. For all other computers, the site should display ISP A's external IP.
A key point to remember here is that the "ISP B computers" will always be routed through ISP B regardless of the ISP redundancy settings. Even if you set ISP redundancy to load balanced, all the traffic from "ISP B computers" will go through ISP B.
This also means that if ISP B's connectivity is broken, the traffic from "ISP B computers" will NOT be routed via ISP A. This therefore guarantees that your low priority traffic will never use ISP A regardless of what happens.
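The precedence described above (static NAT first, ISP Redundancy only for everything else) is easy to get wrong when reasoning about outages, so here is a small model of it. This is an added example written for this article, not TMG code and not the article's own script; the external addresses, the "ISP B computers" subnets and the hash-based load split are assumptions chosen for illustration.

```python
"""Model of how Forefront TMG picks an outbound link when a static NAT
network rule is combined with ISP Redundancy.

Added illustration, not TMG code: it encodes the precedence the article
describes so the consequences can be checked for a batch of clients.
Addresses, object contents and the per-connection split are assumptions.
"""
import ipaddress
import zlib

# Constructed external addresses of the two links (assumed values).
ISP_A = "203.0.113.10"   # premium link, primary in failover mode
ISP_B = "198.51.100.10"  # consumer-grade link

# "ISP B computers" network object: sources that the static NAT rule maps
# to ISP B's external address.  Constructed for this example.
STATIC_NAT = [
    (ipaddress.ip_network("10.0.5.0/24"), ISP_B),   # WSUS server subnet
    (ipaddress.ip_network("10.0.6.20/32"), ISP_B),  # one more low-priority host
]


def select_link(src_ip, mode, link_up, weights=None, conn_id=0):
    """Return the external IP a connection from src_ip leaves on, or None
    if it cannot leave at all.

    mode     : "failover" or "loadbalanced"
    link_up  : {ISP_A: bool, ISP_B: bool}
    weights  : {ISP_A: percent, ISP_B: percent}, load-balanced mode only
    conn_id  : per-connection value that the split is hashed on (assumed)
    """
    src = ipaddress.ip_address(src_ip)

    # 1. Static NAT wins over ISP Redundancy.  A host matched here is pinned
    #    to that link and is NOT failed over to the other one when it is down.
    for net, ext_ip in STATIC_NAT:
        if src in net:
            return ext_ip if link_up[ext_ip] else None

    # 2. Everything else is governed by the ISP Redundancy mode.
    if mode == "failover":
        for ext_ip in (ISP_A, ISP_B):            # ISP A is primary
            if link_up[ext_ip]:
                return ext_ip
        return None

    if mode == "loadbalanced":
        up = [ip for ip in (ISP_A, ISP_B) if link_up[ip]]
        if not up:
            return None
        if len(up) == 1:                          # load balanced also fails over
            return up[0]
        # Deterministic split by configured percentage; a simplified model
        # of TMG's per-connection distribution (assumption).
        bucket = zlib.crc32(f"{src_ip}:{conn_id}".encode()) % 100
        return ISP_A if bucket < weights[ISP_A] else ISP_B

    raise ValueError(f"unknown mode {mode!r}")


def egress_report(clients, mode, link_up, weights=None):
    """Map each client address to its egress address under the given state."""
    return {c: select_link(c, mode, link_up, weights) for c in clients}


if __name__ == "__main__":
    clients = ["10.0.5.7", "10.0.6.20", "10.0.1.15"]
    states = {
        "both up": {ISP_A: True, ISP_B: True},
        "ISP B down": {ISP_A: True, ISP_B: False},
        "ISP A down": {ISP_A: False, ISP_B: True},
    }
    for label, link_up in states.items():
        print(label, egress_report(clients, "failover", link_up))
```

Running it with "ISP B down" shows the point of the paragraph above: the general clients keep working on ISP A, while the "ISP B computers" get no route at all rather than spilling onto the premium link.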
Unfortunately, Forefront TMG does not log any ISP Redundancy data. There are no log fields that will tell you which ISP is being used. You can however gain some visibility by creating a separate Internet access rule for the "ISP B Computers" object. Any Internet request by these computers will then be logged under that firewall rule. Place this rule above any broader allow rule that would also match the same traffic: TMG applies the first matching rule, so a general "all users" allow rule higher in the policy would capture the requests and the dedicated rule would never appear in the logs.
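Because the rule name is the only handle the logs give you, it is worth checking two things in the W3C export: how much traffic each rule carried, and whether any request from an "ISP B computer" was logged under some other rule (which would mean a broader rule matched first and the ISP B rule is not giving you the visibility you expect). The following is an added example, not the article's or Fastvue's code; the log sample is constructed with a reduced `#Fields:` line (the real TMG web proxy log has many more columns), and the subnet and rule names are assumptions.

```python
"""Per-rule traffic tally from Forefront TMG W3C web proxy log lines.

Added example, not the article's or Fastvue's code.  TMG logs no ISP link
field, so the rule name is the only indicator: with a dedicated access
rule for the "ISP B Computers" object, every allowed hit on that rule is
traffic that left on ISP B.  The sample log is constructed with a reduced
field list; the subnet and rule names are assumptions.
"""
import ipaddress
from collections import defaultdict

ISP_B_NETS = [ipaddress.ip_network("10.0.5.0/24")]   # "ISP B Computers" (assumed)
ISP_B_RULE = "Allow ISP B Computers"                  # dedicated access rule (assumed)

# Constructed sample, tab-separated like TMG's W3C export.
SAMPLE_LOG = """#Software: Microsoft(R) Forefront(TM) Threat Management Gateway
#Fields: c-ip\tdate\ttime\tr-host\tsc-bytes\tcs-bytes\trule\taction
10.0.5.7\t2012-03-01\t09:00:01\tdownload.windowsupdate.com\t5242880\t812\tAllow ISP B Computers\tAllowed
10.0.5.7\t2012-03-01\t09:00:09\tdownload.windowsupdate.com\t7340032\t790\tAllow ISP B Computers\tAllowed
10.0.1.15\t2012-03-01\t09:00:12\twww.example.com\t20480\t640\tAllow Internet Access\tAllowed
10.0.5.9\t2012-03-01\t09:01:30\tcrl.microsoft.com\t4096\t500\tAllow Internet Access\tAllowed
10.0.1.20\t2012-03-01\t09:02:00\twww.example.net\t0\t300\tDefault rule\tDenied
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        yield dict(zip(fields, line.split("\t")))


def is_isp_b_host(ip):
    """True if ip belongs to the "ISP B Computers" network object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ISP_B_NETS)


def analyse(text):
    """Return (bytes per rule, list of ISP B requests logged under other rules).

    An allowed request from an ISP B host that was not logged under the ISP B
    rule most likely matched an earlier, broader rule in the firewall policy,
    so the per-rule view would under-count ISP B traffic.
    """
    per_rule = defaultdict(int)
    misrouted = []
    for rec in parse_w3c(text):
        if rec["action"] != "Allowed":
            continue
        per_rule[rec["rule"]] += int(rec["sc-bytes"]) + int(rec["cs-bytes"])
        if is_isp_b_host(rec["c-ip"]) and rec["rule"] != ISP_B_RULE:
            misrouted.append((rec["c-ip"], rec["r-host"], rec["rule"]))
    return dict(per_rule), misrouted


if __name__ == "__main__":
    per_rule, misrouted = analyse(SAMPLE_LOG)
    for rule, total in sorted(per_rule.items(), key=lambda kv: -kv[1]):
        print(f"{total:>12} bytes  {rule}")
    for ip, host, rule in misrouted:
        print(f"WARNING: {ip} -> {host} matched '{rule}', not '{ISP_B_RULE}'")
```

In the constructed sample the host 10.0.5.9 is inside the "ISP B Computers" range but was logged under the general access rule, which is exactly the rule-ordering mistake to look for after adding the dedicated rule.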
Looking forward to your comments!