Missing BDA hook rules – impact and potential root cause

Some of you may already know what NLB is and how it works, as described in the general Network Load Balancing Overview [http://technet.microsoft.com/en-us/library/cc725946.aspx]. An integral part of a TMG NLB solution is bi-directional affinity, which is well described at the following link: Bi-Directional Affinity in ISA Server [http://blogs.technet.com/b/isablog/archive/2008/03/12/bi-directional-affinity-in-isa-server.aspx]. Bi-directional affinity creates multiple…


New in SP2: Kerberos Authentication in Load Balanced Scenarios

In TMG 2010 Service Pack 2, we focused on bug fixing in order to improve the overall experience with TMG 2010. However, alongside pure bug fixing, we also introduced some new features. One of these new features makes it possible to allow Kerberos authentication when connecting to TMG in a “High…


Unable to Fail Over from one TMG node to another when using NLB in a Virtual Environment

Introduction: This post is about a scenario where a TMG administrator was trying to simulate a failover before putting the environment into production. The TMG nodes were installed in a third-party virtual environment. TMG was using integrated NLB with Unicast, and the External TMG adapter was connected to a layer 2 switch. To attempt to simulate failover,…


How to get NLB to work with Forefront TMG when running in Hyper-V.

If you are running your Forefront TMG servers as Windows 2008 Hyper-V guests and you have enabled NLB in Forefront TMG, you may have noticed that the NLB cluster nodes fail to converge. There is a known issue with Unicast NLB and Hyper-V that affects ISA 2006 and Forefront TMG deployments. Note: This blog post…


Network Load Balancing (NLB) configuration settings in Forefront TMG: to clear or not to clear?

Introduction: Network Load Balancing integration is one of the features that existed in the previous version of Forefront Threat Management Gateway (TMG), Internet Security and Acceleration (ISA) Server 2006. The concept of this functionality is described in Network Load Balancing Integration Concepts for Microsoft Internet Security and Acceleration (ISA) Server 2006. The main idea is…


Time Matters - When ISA Server is affected by Windows Time settings

1. Introduction: As the title of this post suggests, this is all about time and keeping systems in sync. Many administrators think that time matters only if Kerberos is somehow involved in the deployment, which is not true. This post will describe two scenarios where ISA Server was having problems performing the expected operation…


ISA Integrated NLB - Multicast with IGMP… ISA “blocks” IGMP packets

Introduction: After configuring ISA Integrated NLB to use multicast with IGMP, you may see blocked IGMP packets between your ISA array members. The ISA nodes don’t need these packets to work properly, and it’s OK when they are blocked by the Firewall Engine. As many customers are using Multicast NLB, we added multicast and multicast…