Figure 1
NLB with Forefront TMG
If you plan to load balance internal web servers with the Forefront TMG Web Server Farm Load Balancing feature, note that the Forefront TMG server itself becomes a Single Point of Failure (SPOF) when TMG is not load balanced. Forefront TMG Enterprise uses NLB to load balance the TMG servers, and NLB can be run in integrated mode with Forefront TMG. It is also possible to use NLB with Forefront TMG Standard, but this is not officially supported by Microsoft because of some limitations.
Load balancing mechanism
Round-robin
Web server requests from different IP addresses are distributed across the members of the web server farm. The round-robin mechanism ensures that requests for a web application served by a farm are distributed equally among the farm members that are online. When a failover occurs, unresponsive servers are detected and the load is distributed to the remaining available servers.
Session (Cookie) based affinity
Session (cookie) based affinity is often used when publishing Outlook Web Access (OWA) from Exchange Server 200x or Microsoft SharePoint Services/Server. Do not use session affinity if you want to publish RPC over HTTP(S) services or Outlook Anywhere in Exchange Server 2007 and above. RPC over HTTP(S) gives Outlook clients full access to Exchange Server from the Internet; the RPC traffic is tunneled through HTTPS, and Outlook cannot use cookie-based affinity.
IP affinity
With IP affinity, web server traffic is distributed to the members of the web farm based on the client IP address. If a server stops responding, the traffic is sent to another member of the web farm.
You should not use IP affinity if the remote clients are located behind a NAT device, because the web server farm will then only see the IP address of the TMG server, so all of those clients are treated as a single client. If this is the case, use session affinity if possible.
IP affinity is very useful in an Exchange RPC over HTTP(S) scenario, also called Outlook Anywhere, where session affinity cannot be used, and in Exchange ActiveSync publishing scenarios, where the client does not fully support HTTP 1.1.
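To make the three mechanisms concrete, here is an added Python model of a web farm dispatcher with round-robin, session (cookie) affinity and IP affinity, including failover to online members and the NAT pitfall described above. This is illustrative code, not Forefront TMG's own implementation; the member names, the cookie name FarmAffinity and the hashing used to map IP addresses to members are assumptions.

```python
"""Model of the three Forefront TMG web farm load balancing mechanisms.

Added illustration, not TMG code. Member names, the cookie name and the
IP-to-member hashing are assumptions made for the example.
"""
import hashlib
import secrets
from collections import Counter

COOKIE_NAME = "FarmAffinity"   # hypothetical affinity cookie name, not TMG's


class WebFarm:
    def __init__(self, members):
        self.members = list(members)   # farm members in configured order
        self.online = set(members)     # members the connection verifier sees as responsive
        self._rr = 0                   # round-robin position
        self._sessions = {}            # opaque cookie token -> member

    def available(self):
        return [m for m in self.members if m in self.online]

    def mark_offline(self, member):
        self.online.discard(member)

    def mark_online(self, member):
        self.online.add(member)

    def _next_available(self):
        avail = self.available()
        if not avail:
            raise RuntimeError("no farm member available")
        member = avail[self._rr % len(avail)]
        self._rr += 1
        return member

    def round_robin(self):
        """Each new request goes to the next online member."""
        return self._next_available()

    def ip_affinity(self, client_ip):
        """Requests from one source IP always reach the same online member.

        Clients behind one NAT device share a source IP and therefore all
        land on the same member. Note that when the set of online members
        changes, the mapping is recomputed for every client IP.
        """
        avail = self.available()
        if not avail:
            raise RuntimeError("no farm member available")
        digest = hashlib.sha256(client_ip.encode()).digest()
        return avail[int.from_bytes(digest[:4], "big") % len(avail)]

    def cookie_affinity(self, cookies):
        """Stick a browser session to a member via an opaque cookie.

        `cookies` is the request's cookie dict. Returns (member, cookie_to_set);
        cookie_to_set is None when the request already carries a valid cookie
        for an online member, otherwise a new cookie bound to a fresh member.
        """
        token = cookies.get(COOKIE_NAME)
        member = self._sessions.get(token)
        if member in self.online:
            return member, None
        member = self._next_available()
        token = secrets.token_hex(16)   # opaque token: does not reveal the backend name
        self._sessions[token] = member
        return member, {COOKIE_NAME: token}


def distribution(farm, mode, client_ips):
    """Count how many requests each member receives for a list of client IPs."""
    hits = Counter()
    for ip in client_ips:
        if mode == "round-robin":
            member = farm.round_robin()
        elif mode == "ip":
            member = farm.ip_affinity(ip)
        else:
            raise ValueError("mode must be 'round-robin' or 'ip'")
        hits[member] += 1
    return hits


if __name__ == "__main__":
    farm = WebFarm(["web1", "web2", "web3"])
    # constructed client addresses from documentation ranges
    clients = ["198.51.100.%d" % i for i in range(1, 7)]
    print("round-robin:", dict(distribution(farm, "round-robin", clients)))
    farm.mark_offline("web2")
    print("after web2 failed:", dict(distribution(farm, "round-robin", clients)))
    # six clients behind one NAT device all share 192.0.2.1
    print("IP affinity behind NAT:", dict(distribution(WebFarm(["web1", "web2", "web3"]), "ip", ["192.0.2.1"] * 6)))
```

Running the block shows round-robin spreading six requests evenly, the failed member disappearing from the distribution, and the NAT case collapsing all six requests onto a single member, which is why the text recommends session affinity for clients behind NAT.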
To create a publishing rule, open the TMG management interface and navigate to Firewall policy and create a Web Site Publishing rule.
Name the new rule and choose to allow the traffic.
Select the option to publish a server farm of load balanced web servers.
Because we are publishing an internal web server without HTTPS, select the appropriate (non-secure) option.
Enter the internal site name and specify the path if you want to publish only a specific path of the web server.
The next step is to create a new farm: enter the farm name, add the internal web servers to the web server farm, and, as shown in the picture below, specify how Forefront TMG should load balance the requests it sends to the farm.
Forefront TMG creates a connection verifier to check the availability of the farm members. If a server is not reachable, an alert is generated. You can customize the alert actions.
A new window will appear and ask you if you want to enable the system policy rule to allow HTTP requests from Forefront TMG to the published web servers. Click Yes if you want that.
The next step is to create a listener, which Forefront TMG uses to accept incoming traffic. This article focuses on load balancing for the server farm, so we will not cover the details of publishing a web server over HTTP.
Forefront TMG now warns the user that the current configuration may not be safe when authentication requests are sent over HTTP.
To enable client authentication with HTTP mechanisms, you must allow this in the window with Advanced Authentication options in the Listener properties page, as shown in the figure below.
After creating the Webserver publishing rule, navigate to the rules properties page and click the Web Farm tab to verify the correct configuration.
Check the status of web server system (Web Server Farm)
Forefront TMG automatically creates connection verifiers when you create the web server farm, so you can see which members of the farm are available. The connection verifier detects the status of each member and reports it to the alert configuration on the TMG server, which can then trigger alert actions such as sending a message or writing an entry to the event log.
Servers in a web server farm can have five different states:
Active
This is the normal state of a web server in the farm and indicates that the server is reachable and accepts requests.
Out-of-service
This state indicates that the web server does not respond to the internal connection verifier within the timeout period. No requests are sent to members in this system.
Draining
This state indicates that the web server is currently draining. Existing connections are completed but no new requests are sent to this server. This feature is useful if you want to put a web server farm member into maintenance mode.
Removed
This state indicates that the web server has been removed from the system and does not accept requests.
Unable to verify
Indicates that the server status cannot be verified.
Web server maintenance
If you want to put a web server into maintenance mode, go to the Servers tab, select that server and click the Drain button. Forefront TMG then knows that this server is not available for load-balanced requests. With session-based affinity, the server continues to serve its current sessions but does not accept new connections. With IP-based affinity, a drained server stops receiving new requests, but the existing connections to that server are maintained.
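The five member states and the drain behaviour can be modelled as a small state machine driven by a connection verifier. The following Python is an added illustration, not Forefront TMG code; the probe interface, the timeout value, the alert text and the exact rule for which requests a draining member still accepts under each affinity mode are assumptions made for the example.

```python
"""Model of web farm member states as reported by Forefront TMG connection
verifiers, and of what draining means under session and IP affinity.

Added illustration, not TMG code. The probe interface, timeout, alert text
and drain acceptance rules are assumptions for this example.
"""
from enum import Enum


class State(Enum):
    ACTIVE = "Active"
    OUT_OF_SERVICE = "Out-of-service"
    DRAINING = "Draining"
    REMOVED = "Removed"
    UNABLE_TO_VERIFY = "Unable to verify"


class Member:
    def __init__(self, name):
        self.name = name
        self.state = State.ACTIVE
        self.connections = set()   # ids of currently open connections to this member
        self.sessions = set()      # affinity cookie tokens bound to this member
        self.alerts = []           # alert messages raised on state changes


def _transition(member, new_state):
    """Apply a state change and record an alert when the state actually changes."""
    if new_state != member.state:
        member.alerts.append("%s: %s -> %s" % (member.name, member.state.value, new_state.value))
        member.state = new_state
    return member.state


def verify(member, probe, timeout_s):
    """Connection verifier run.

    `probe` is a callable that returns the response time in seconds, returns
    None when the verifier itself could not determine the status, or raises
    ConnectionError when the member is unreachable (assumed interface).
    Draining and Removed are administrative states and are not changed by
    the verifier.
    """
    if member.state in (State.DRAINING, State.REMOVED):
        return member.state
    try:
        elapsed = probe()
    except ConnectionError:
        return _transition(member, State.OUT_OF_SERVICE)
    if elapsed is None:
        return _transition(member, State.UNABLE_TO_VERIFY)
    if elapsed > timeout_s:       # no reply within the verifier timeout
        return _transition(member, State.OUT_OF_SERVICE)
    return _transition(member, State.ACTIVE)


def drain(member):
    """Maintenance mode: keep serving what is already there, take nothing new."""
    return _transition(member, State.DRAINING)


def remove(member):
    """Member removed from the farm: it accepts no requests at all."""
    member.connections.clear()
    member.sessions.clear()
    return _transition(member, State.REMOVED)


def accepts(member, affinity, session=None, conn=None):
    """Whether a request may be sent to this member.

    `session` is the affinity cookie token the request carries, if any;
    `conn` is the id of an already-open connection the request arrives on.
    """
    if member.state == State.ACTIVE:
        return True
    if member.state != State.DRAINING:
        return False               # Out-of-service, Removed, Unable to verify
    if affinity == "session":
        return session in member.sessions      # current sessions continue, no new ones
    if affinity == "ip":
        return conn in member.connections      # open connections kept, no new requests
    return False                                # round-robin: nothing new to a draining server


if __name__ == "__main__":
    web1 = Member("web1")
    print(verify(web1, lambda: 0.05, timeout_s=1.0).value)
    print(verify(web1, lambda: 2.5, timeout_s=1.0).value)
    print(web1.alerts)
```

The verifier never overrides Draining or Removed, because those are set by the administrator rather than by a health check; that is what lets a drain survive the periodic verifier runs until the server is deliberately put back into service.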
Warning actions
To configure the alert actions taken when a server in the farm becomes unavailable, go to the Monitoring node, select the alert properties in the task pane, and specify the action you want to perform when a farm server is not available.
Conclusion
In this article, we have tried to give you an overview of how Microsoft Forefront TMG can load balance web traffic for internal web servers without using a hardware load balancer or the NLB (Network Load Balancing) feature available in Windows Server 2008 R2. In my opinion, the Forefront TMG Web Server Load Balancing feature is a great feature for some web server scenarios with basic requirements.