Wednesday, 19 May 2010

Workgroup Deployment with Forefront TMG Enterprise Edition – Part 3: Enabling Network Load Balancing (NLB)

With the standalone array created, as discussed in Part 2, we can now provide high availability by using the NLB feature of Forefront TMG Enterprise Edition. In addition, NLB will also provide load balancing and allows for array members to operate in an Active/Active workload. More information on Forefront TMG Integrated NLB can be found here.

At a high-level, configuration of integrated NLB includes the following steps:

  • Prepare the environment for NLB
  • Enable Integrated NLB
  • Configure Forefront TMG Firewall Policy for NLB Manager (Optional) 
Please Note: Although this series is based upon the use of a workgroup deployment, the preparation and configuration of integrated NLB is exactly the same for a domain joined TMG scenario.

Prepare the Environment for NLB

Before enabling integrated NLB in TMG, you need to consider the the potential implications of NLB to the existing networking environment and choose the most appropriate NLB operating mode. An overview of NLB considerations for ISA Server 2006 Enterprise Edition is provided in one of my previous blog posts here which contains a lot of information that is still relevant for Windows Server 2008 and Forefront TMG.

If you are running Forefront TMG on a virtualisation platform, like Hyper-V or VMware ESX, there are also additional considerations as discussed next:

If you are using Hyper-V RTM as your virtualisation platform, you will need to enable Static MAC address entries on each virtual machine as discussed here. This will need to be completed for each virtual NIC that will be NLB enabled.

If you are using Hyper-V R2 as your virtualisation platform, you will need to configure a new feature in Hyper-V called Enable Spoofing of MAC addresses on each virtual machine. This will need to be completed for each virtual NIC that will be NLB enabled. This option was first added in Hyper-V R2 as discussed here and an example is provided below for completeness:

First for TMG03:





Next for TMG04:





If you are using VMware ESX as your virtualisation platform, you will need to apply the relevant VMware guidance as discussed here.

Assuming you have the environment ready for NLB, we can now finally enable integrated NLB for Forefront TMG!

Enable Integrated NLB

With all preparations complete, we can now enable integrated NLB for Forefront TMG Enterprise Edition.

For TMG03 only:





Important!: A recent TMG update was released to addresses an NLB issue as discussed here and summarised as “In an array-based TMG 2010 deployment with Integrated NLB enabled, traffic may not reach its destination”. It is therefore strongly recommended to install this update on all NLB enabled Forefront TMG servers. The update can also be downloaded from here.

Configure TMG Firewall Policy for NLB Manager (Optional)

Many people who have used NLB before will be used to using the Network Load Balancing Manager tool. However, when running this on TMG clusters you may notice that the tool is unable to connect to remote cluster nodes/hosts. This is caused by TMG blocking NLB Manager communications between cluster hosts. The default system policies included with TMG allow RPC communication between hosts, but the NLB Manager tool also uses DCOM calls as discussed here which are blocked by the Default Deny rule included with TMG.

When running TMG, it is not actually necessary to use NLB Manager as similar functionality is already provided within the TMG Management Console; hence why I have marked this step as optional.

However, for those who do want to use NLB Manager this can be achieved by adding a custom access rule which permits the necessary DCOM communications between NLB cluster nodes (array members). An example is provided below.

For TMG03 Only:





So there we have it, you should now have a fault tolerant, two-node standalone array which can be deployed to an environment without Active Directory. As discussed throughout the articles in this series, many of the elements discussed (NLB in particular) are also relevant to a domain joined TMG deployments, and can be used as standalone configuration guides for this purpose.

Finally, for those that have followed the entire series, maybe now you can see why I still choose to implement a dedicated Intra-Array Network as this makes the entire configuration easier to manage, more logical, performance optimised and ultimately more secure; hopefully you agree ;)

Hope this helps…


  1. Since you asked for feedback...I do not like the new walkthroughs. While I see the obvious benefits for the person creating the posts, I feel it's cumbersome on this end. The main two reasons are:
    1. The screenshots are pretty blurry.
    2. The automated text descriptions aren't helpful. A quick one-liner typed by you for each screenshot would be MUCH easier to read.

  2. Hmmm..ok thanks. I think I have found a better way to host the screenshots. Please let me know if this is better?

  3. I do like that much better! The screenshots are easier to see and the interface is much nicer overall. Are there supposed to be captions of some kind with the screenshots? I don't see any on my end, if that is by design the only potential problem I could see is that sometimes in the transition between screenshots it's not entirely clear what you clicked on to get to the next screen or the next wizard that pops up. Likely it's something that we the viewers could figure out by trial and error when using these screenshots as a template, but it's not necessarily "step-by-step directions" ready.

  4. Cool - trouble is, 80 screenshots in a single blog step is just insane! There is no easy way to add captions with Windows Live.

    I am currently investigating a better way to take screenshots for step-by-step scenarios...suggestings welcome ;)

  5. Thank you very much for these posts. They have really helped me out.

  6. Cool, thanks for the nice feedback!

  7. Sorry, I think my thoughts came out through the keyboard differently than in my head :) I wasn't asking for more screenshots, just stating that I think captions would compliment the screenshots that do exist. If I happen across any utilities that can accomplish both I'll pass them along.

    And also please don't take me the wrong way, I LOVE the content of your blog and will continue to read every post no matter the engine you use to lay it out! :)

  8. Hi Jason,

    i'm trying to get my standalone array to function. Could you maybe shed your light on these 2 questions i still have after reading your blog?:

  9. Hi ruudboek,

    Replied to your posts!



  10. thank you jason . it's very useful. it's better to add anohter link with step to " how to create workgroup certificate and root certificate" then it's perfect.

  11. i tried this solution but went invain please tell whether i need to restart my servers or is there any other work around???
    RPC server not available while connecting to host

  12. Dear Jason,

    I am also facing same issue.