Tuesday, 18 May 2010

Workgroup Deployment with Forefront TMG Enterprise Edition – Part 2: Creating the Standalone Array

Now that we have prepared the environment for workgroup deployment, as discussed in Part 1 of this series, we can now create the standalone array.

This will involve the following steps:

  • Create and configure an intra-array network
  • Update the Remote Management Computers computer set
  • Edit the HOSTS file on each Forefront TMG server
  • Assign server certificate to the Array Manager
  • Join the Forefront TMG server to the standalone array

Create the Intra-Array Network

Where possible, I always use dedicated Intra-Array networks in my Enterprise Edition designs. Many people think this approach is no longer necessary, but in fact, it is still very much recommend by Microsoft as discussed here.

In the event that you do wish to create an intra-array network, you will need a dedicated network interface card (NIC) per array member to facilitate this. Assuming this is the case, as per our example lab environment, we need to configure this new network within the Forefront TMG console.

For TMG03 only:

Update the Remote Management Computers Computer Set

In order to successfully join the array when using an intra-array network, it is necessary to add the intra-array IP address of the joining server to the Remote Management Computers computer set on TMG03.

For TMG03 only:

Edit HOSTS Files

To ensure that the intra-array IP addresses are used for all communications between array members and ensure correct connectivity, it is necessary to edit the HOSTS file on each array member.

First for TMG03:


Next for TMG04:


Assign Server Certificate to Array Manager

In addition to copying the relevant server and root CA certificates to the local machine certificate store on TMG03 as covered in Part 1, we also need to use the Install Server Certificate task from the TMG Management Console to bind the certificate fully.

For TMG03 only:

Join the Standalone Array

So, we should now have everything in place to join TMG04 to the standalone array hosted by TMG03.

For TMG04 only:

For next time…

With the standalone array created, we now have a single point of administration, configuration storage and system monitoring. However, in order to provide a high availability solution, we need to add Network Load Balancing (NLB) in the form of Integrated NLB to the appropriate array networks.

Please Note: If you want to download all walkthroughs provided above in a single file you can use the Download as .zip link from here. However, be aware that this is a 12MB download!

See you next time…


  1. Hi I'm kinda confuse. Did I miss a blog about how to deploy TMG on work group environment? The steps you provided above has TMG console already.

    BTW this is very nice blog.

  2. Hey Ton,

    Part 1 covers the prep, but you are correct I haven't documented the actual TMG install for the servers.

    The install is pretty easy/standard as all the work is done once TMG is installed.



  3. On the set-up Scenario did you use Enterprise Management Server for centralized array management as an option?


  4. No, just a standard installtion on each server. A standalone array doesn't need an EMS server.

  5. for part 1 and 2 not picture not show

  6. Eh? They are not pictures, they are links to MHT download files which provide step-by-step pictures from the Microsoft Problem Steps Recorder utility.

  7. Thanks! I first read "Part 3" with direct access to screenshots :)

  8. Next stage of NLB need your comment.
    ISP network is xx.xx.xx.xx/30, TMG cannot do Virtual IP from other network, different that NIC addresses.
    If I set NIC addresses from xx.xx.xx.xx/29 (after consultation with ISP admin), I can build NLB, but access to ISP do with NIC address, not Virtual IP.
    Can this correct? New ISP addresses very long time? up to 2 month or greater.
    Sorry for my english :)

  9. Yeah, sorry, I decided to return to pictures as MHT didn't work out :(

  10. In general, NLB virutal IP addresses need to be on the same network subnet as the dedicated IP addresses.

    ISA 2006 had the following update, but not sure if this applies to TMG: http://support.microsoft.com/kb/959310



  11. Good update, but applied to ISA 2006 SP1 EE only :(
    netsh interface ipv4 set interface XXXX weakhostsend=enable
    this way can help me?

  12. Sorry, not sure :(

    I always design the VIPs to be on the same subnet as the DIPs...

  13. Thank you, Jason.
    Good design is good, but inherited network must work.
    I'm plannig test "update" and "netsh" into a virtual enviroment.
    Real servers with TMG now work as heaters :)

  14. http://technet.microsoft.com/en-us/library/cc725767(WS.10).aspx
    If ISASTGCTRL not answer on port 2172, read a article.
    JJ, please add this reference in your message.

  15. Not sure I would recommend configuring AD LDS outside of TMG, but added your comment anyhow...

  16. All is bad! :( "Netsh .... weakhostsend=enable" don't help. "Update"(that for ISA2006) - script is work, new VIP is added, but packets out from DIP !!!
    DIP = AA.AA.AA.DIP/24
    VIP = XX.XX.XX.VIP/30 (gateway XX.XX.XX.GW)
    route add mask XX.XX.XX.GW 1

    ping XX.XX.XX.GW - 0% loss
    ping - 100% loss

    In "Logs & Reports" show ClientIP = AA.AA.AA.DIP

  17. When using NLB, the source IP will always be the DIP of the array manager handling the traffic at that time...this is by design and just how NLB works.

  18. Maybe my experience help to other TMG admin :) CentOS can send packages from VIP, but I'm not Linux admin. Change CentOS to TMG fail in this network configuration. I'm now needed to extend XX.XX.XX.XX/30 to XX.XX.XX.XX/29, this is a very long time process, but this is one way.
    Maybe you can send as MVP, letter to Microsoft? :) And in TMG SP1 SU2 (or TMG SP2) VIP can work as full interface? :)

  19. Regarding the creation of the intra-array, is it me or is this step completely missing:


  20. Yes, I thought I had covered that elsewhere...once you have defined the intra-array network, you also need to reconfigure the array members to use an IP address from this range. Sorry :(

  21. ok where do i use that svc_tmgarray account? Nowhere have u used it. Do i log in with that?

  22. Jason, can this exact same procedure also be used to setup a dedicated intra-array network when both tmg 2010 servers are a member of an TMG EMS array?

    Or is there no point in setting up a dedicated intra-array network between the TMG 2010 members when they are part of a TMG EMS array?

  23. Yes, a dedicated intra-array is still valid for an EMS-managed array.

    Even with TMG, Microsoft still recommendeds usign a dedicated intra-array adapter for performance and security needs for intra-array communications.

  24. Hi Jason,
    Thank you for such a useful collection of posts regerding NLB in TMG.

    Now I am trying to create the cluster, but still have one problem which disables its proper work. I configured a dedicated network for intra-array communication and specified the settings both TMG console and hosts files. When I make a refresh button in NLB console on a, let's say, INTERNAL cluster I still get blocking events in TMG log as the connection still goes through INTERNAL network and not through intra-array communication network.

    Did I miss something?

    Thank you!


  25. Hi,

    For TMG server certificate installation please read the thread.



    Prince Verma

  26. Hello, I have gone through the steps on Part 1 and 2. Within the "Configuration Status" of the Array manager, the manager is sync'd and the array member is not. Description: "Forefront TMG Management cannot establish a connection with the Forefront TMG computer." On the Member server the "Configuration Status" states that both members are Synced. Is this correct?