How to get NLB to work with Forefront TMG when running in Hyper-V.

If you are running your Forefront TMG servers as Windows 2008 Hyper-V guests and you have enabled NLB in Forefront TMG, you may have noticed that the NLB cluster nodes fail to converge.

There is a known issue with Unicast NLB and Hyper-V that affects ISA 2006 and Forefront TMG deployments.

Note: This blog post only applies when running TMG 2010 or ISA 2006 as a guest on Hyper-V RTM. If you are running Hyper-V R2, checking “Enable spoofing of MAC addresses” in the network adapter's settings achieves the same result as the steps below.

To enable NLB on Hyper-V guests, perform the following steps:

1. For Forefront TMG deployments, you must install the update referenced in MSKB 953828. This update is neither required nor applicable for ISA Server deployments.

2. From one of the Forefront TMG servers, run the following command to find out the Unicast MAC address (write it down): nlb.exe ip2mac <clusterIP>

3. Enable Integrated NLB in the Forefront TMG management console as you normally would.

4. Apply the changes. Wait for the policy to be properly applied before continuing (if you enabled NLB on the Internal network you will get an error that the management console cannot see the servers in the array; at this point you know the policy has been applied).

5. Shut down the Forefront TMG servers in the array. A shutdown is required because the network adapter settings must be changed in the Hyper-V console.

6. Open the Hyper-V console:

a. Right-click the Forefront TMG virtual machine and click Settings.

b. Select the network adapter on which you enabled NLB in Forefront TMG.

c. In the details pane, select Static MAC Address and enter the Unicast MAC address you wrote down earlier (the output of nlb.exe ip2mac).

d. Click OK.

7. Repeat steps 6.a - 6.c for the second Forefront TMG server in the array.

8. Restart both Forefront TMG servers.

Important: If you turn off NLB support, you will need to shut down the servers in the array and revert the network adapter setting changed above back to Dynamic MAC address.

Note: On a few rare occasions we have seen that NLB was not properly configured on one of the servers in the array even after following the steps outlined above. To correct this, open the NLB Manager on that server and manually configure the NLB cluster. The cluster IP address should be the VIP address you configured when you enabled NLB in the Forefront TMG management console.
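The static MAC step and the revert described in the Important note, scripted in PowerShell. This is an added example, not part of the original post or a Microsoft tool; it assumes the Hyper-V PowerShell module (Windows Server 2012 or later, so not Hyper-V RTM itself), and the VM names, switch name and VIP in the usage lines are constructed.

```powershell
# Added example, not from the original post. Assumes the Hyper-V PowerShell
# module (Windows Server 2012 or later); Hyper-V RTM has no such cmdlets, so
# use the Hyper-V Manager steps above there.

function Get-NlbUnicastMac {
    # The NLB unicast MAC is 02-BF followed by the four VIP octets in hex,
    # i.e. the value "nlb.exe ip2mac <clusterIP>" reports (10.0.0.5 -> 02BF0A000005).
    param([Parameter(Mandatory)][string]$ClusterIp)
    $octets = [System.Net.IPAddress]::Parse($ClusterIp).GetAddressBytes()
    if ($octets.Length -ne 4) { throw "Expected an IPv4 cluster address: $ClusterIp" }
    $hex = ($octets | ForEach-Object { $_.ToString('X2') }) -join ''
    return "02BF$hex"
}

function Set-TmgNlbStaticMac {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$SwitchName,   # switch of the NLB-enabled adapter
        [Parameter(Mandatory)][string]$ClusterIp,
        [switch]$Revert                               # back to a dynamic MAC when NLB is turned off
    )
    # The guest must be off before its adapter settings are changed.
    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') { throw "$VMName must be shut down first (state: $($vm.State))." }

    $adapter = Get-VMNetworkAdapter -VMName $VMName | Where-Object { $_.SwitchName -eq $SwitchName }
    if (-not $adapter) { throw "$VMName has no adapter on switch '$SwitchName'." }

    if ($Revert) {
        $adapter | Set-VMNetworkAdapter -DynamicMacAddress
        return
    }

    $mac = Get-NlbUnicastMac -ClusterIp $ClusterIp
    $adapter | Set-VMNetworkAdapter -StaticMacAddress $mac

    # Read the adapter back and confirm the MAC actually took.
    $applied = (Get-VMNetworkAdapter -VMName $VMName |
                Where-Object { $_.SwitchName -eq $SwitchName }).MacAddress
    if ($applied -ne $mac) { throw "$VMName: expected MAC $mac, adapter reports $applied." }
    Write-Host "$VMName adapter on '$SwitchName' pinned to $mac"
}

# Constructed usage: two array members, NLB on the 'Internal' switch, VIP 10.0.0.5.
# 'TMG01', 'TMG02' | ForEach-Object {
#     Set-TmgNlbStaticMac -VMName $_ -SwitchName 'Internal' -ClusterIp '10.0.0.5'
# }
```

Run the same call with -Revert on both guests before turning NLB support off, which is the Dynamic MAC address step the Important note describes.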

Author

Gershon Levitz

Program Manager - Microsoft Forefront Edge

Technical Reviewers

Jim Harrison

Program Manager - Microsoft Forefront Edge

Bala Natarajan

Support Engineer, Microsoft CSS Forefront Edge Team