TMG ISP Redundancy ‘unleashed’

In this article I want to provide a detailed view of the ISP Redundancy configuration settings that are not available from the TMG Management console.

For a good overview of the ISP Redundancy feature and the configuration options in the management console, have a look at Keeping High Availability with Forefront TMG’s ISP Redundancy Feature.

Note: Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

The examples provided in this blog have to be run on a node running the firewall services. They won’t work when executed on an EMS server.

Configuring verification of link status

In the default setting, TMG checks the status of an ISP link by trying to establish a TCP connection on port 53 (DNS zone transfer) to a list* of root DNS servers on a round-robin basis. If a connection can be established, TMG considers the link active.

The IP addresses and the TCP port used for the verification cannot be configured from the management console. If you need to modify these settings, e.g. because you set up your TMG server without direct access to the Internet, you can do so through the TMG COM interface with a simple Visual Basic script like this one:

Note: Please take an export of the TMG configuration prior to running the script. To restore the original behavior, import that exported configuration again.

' ==================================================================
' we need to get the ISP Redundancy configuration object first:
set oRoot = CreateObject("FPC.Root")
set oArray = oRoot.GetContainingArray()
set oExternalNetwork = oArray.NetworkConfiguration.Networks("External")
set oISPRCfg = oExternalNetwork.ISPRedundancyConfig
' ===================================================================
' if you want to remove the complete list of connectivity verification
' addresses:
oISPRCfg.ConnectivityVerificationRemoteIpAddresses.RemoveAll()
' To add a new address (in this case 192.168.1.1) to check the connectivity:
oISPRCfg.ConnectivityVerificationRemoteIpAddresses.Add "192.168.1.1"
' To change the TCP port for connectivity verification (default: 53)
oISPRCfg.ConnectivityVerificationRemotePort = 53
' To save the changes
oISPRCfg.Save

Important: Please be aware that this is a sample script. When executed on TMG, this script modifies the TMG ISPR configuration so that connectivity checks are made only to the IP address 192.168.1.1 on port 53, and it removes the list of predefined IP addresses. Make sure to modify the values used in this script to match your setup before running it on your TMG server.

* Default destination addresses in TMG RC: 192.58.128.30, 193.0.14.129, 198.32.64.12, 202.12.27.33, 198.41.0.4, 192.228.79.201, 192.33.4.12, 128.8.10.90, 192.203.230.10, 192.5.5.241, 192.112.36.4, 128.63.2.53, 192.36.148.17

Modifying dead link detection periods

The primary goal of link detection is to accurately determine the state of the ISP link being examined. An additional goal was to prevent ‘link flapping’, a condition where TMG shifts back and forth between ISP links.

The ISP link test and anti-flapping mechanisms are controlled by five properties of the ISP Redundancy configuration COM object:

  • MinimalResumeTime – (default 300) Minimal time in seconds before we resume using an ISP link (minimum failed time).
  • TestIntervalLinkAvailable – (default 60) Time in seconds between two successive connectivity verification tests when an ISP link is available.
  • TestIntervalLinkUnavailable – (default 60) Time in seconds between two successive connectivity verification tests when an ISP link is not available.
  • SuccessesToAvailable – (default 3) Number of successive successful connectivity verification attempts before an ISP link is considered available.
  • FailuresToUnavailable – (default 3) Number of successive failed connectivity verification attempts before an ISP link is considered unavailable.

[Figure: timeline of the link verification intervals with the default settings]

The timeline shows the intervals with those default settings. While the ISP link is available, TMG performs link verification every 60 seconds (TestIntervalLinkAvailable), and the link stays available as long as a connection to one of the IPs configured for verification succeeds.

If the test connection can’t be established, TMG performs two additional connection attempts, each after another 60-second interval (TestIntervalLinkAvailable). If 3 successive checks fail (FailuresToUnavailable), the link is considered down.

Once the link is down, TMG waits 300 seconds (MinimalResumeTime) before trying to establish a new connection through the failed link to one of the verification IP addresses. If the connection fails again, TMG retries every 60 seconds (TestIntervalLinkUnavailable). There must be 3 successful connection attempts in a row (SuccessesToAvailable), each 60 seconds apart, before the link is considered up again.

  • With TMG default settings, TMG waits at least 3 minutes until a link is considered down.
  • With TMG default settings, a link is considered down for at least 7 minutes (minimum failed time of 300 seconds + 2 OK intervals of 60 seconds each).
  • With TMG default settings, a link has to be stable for at least 3 minutes before TMG brings the link up again.
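The timeline above, replayed as an added Python model (written for this article, not TMG code and not part of the original post) so the three figures in the bullets can be checked against other timer values. It assumes that while a link is marked down every probe, including the successes being counted, is spaced by TestIntervalLinkUnavailable, which the text only implies.

```python
from dataclasses import dataclass


@dataclass
class IsprTimers:
    """The five ISPRedundancyConfig properties above, with the TMG defaults."""
    MinimalResumeTime: int = 300           # seconds
    TestIntervalLinkAvailable: int = 60    # seconds
    TestIntervalLinkUnavailable: int = 60  # seconds
    SuccessesToAvailable: int = 3
    FailuresToUnavailable: int = 3


def simulate(timers, probe_ok, horizon=3600):
    """Replay the link-state logic described above for one ISP link.

    probe_ok(t) gives the outcome of the TCP verification probe at time t
    (seconds after the last good probe); the link starts 'up'.  Returns the
    (time, 'down'|'up') transitions that occur within the horizon.
    """
    transitions, available, streak = [], True, 0
    next_probe = timers.TestIntervalLinkAvailable
    while next_probe <= horizon:
        t, ok = next_probe, probe_ok(next_probe)
        if available:
            streak = 0 if ok else streak + 1      # count failures while up
            if streak >= timers.FailuresToUnavailable:
                available, streak = False, 0
                transitions.append((t, "down"))
                next_probe = t + timers.MinimalResumeTime  # back off before re-probing
            else:
                next_probe = t + timers.TestIntervalLinkAvailable
        else:
            streak = streak + 1 if ok else 0      # count successes while down
            if streak >= timers.SuccessesToAvailable:
                available, streak = True, 0
                transitions.append((t, "up"))
                next_probe = t + timers.TestIntervalLinkAvailable
            else:
                # Assumption: all probes while still marked down use this interval.
                next_probe = t + timers.TestIntervalLinkUnavailable
    return transitions


def time_to_down(timers):
    """Seconds from the last good probe until a dead link is declared down."""
    return simulate(timers, lambda t: False)[0][0]


def minimum_outage(timers):
    """Seconds a link stays marked down if it recovers right after being declared down."""
    down_at = time_to_down(timers)
    events = {state: t for t, state in simulate(timers, lambda t: t > down_at)}
    return events["up"] - events["down"]
```

With the defaults this reproduces the 3-minute and 7-minute figures, and a link that fails only two probes in a row produces no transition at all, which is the anti-flapping behaviour.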

You can modify those default values by changing the assigned values in the following VBS script:

' =====================================================================
' we need to get the ISP Redundancy configuration object first:
set oRoot = CreateObject("FPC.Root")
set oArray = oRoot.GetContainingArray()
set oExternalNetwork = oArray.NetworkConfiguration.Networks("External")
set oISPRCfg = oExternalNetwork.ISPRedundancyConfig
' =====================================================================
' Minimal time before we resume using an ISP link / Min failed time in seconds (default 300)
oISPRCfg.MinimalResumeTime = 300
' Time between two successive connectivity verification tests when an ISP is available in
' seconds (default 60)
oISPRCfg.TestIntervalLinkAvailable = 60
' Time between two successive connectivity verification tests when an ISP is unavailable in
' seconds (default 60)
oISPRCfg.TestIntervalLinkUnavailable = 60
' Number of successive connectivity verification successes before an Internet service provider
' (ISP) link is considered available. (Default - 3)
oISPRCfg.SuccessesToAvailable = 3
' Number of successive connectivity verification failures before an Internet service provider
' (ISP) link is considered unavailable. (Default - 3)
oISPRCfg.FailuresToUnavailable = 3
' To save the changes
oISPRCfg.Save


Author

Philipp Sand

Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Eric Detoc & Jim Harrison & Bala Natarajan

Microsoft CSS Forefront Security Edge Team