Microsoft Forefront TMG - Webserver load balancing
This article shows how to configure the Web Server Load Balancing feature of Forefront TMG Server to load balance internal web servers.
Introduction
In this article we will show you how to configure the Web Server Load Balancing feature on Forefront TMG Server to load balance between internal web servers. We will also cover some basics of Network Load Balancing (NLB) in Forefront TMG and Windows Server 2008 R2, to give an overview of the load balancing capabilities of Forefront TMG and of Windows Server 2008 R2.
Getting started
Forefront TMG can distribute web traffic across identically configured web servers, a job that is usually done by a hardware load balancer. Web Server Load Balancing can distribute network traffic to different hosts in the internal network without using the older NLB feature of the Windows operating system.
It is possible to use a hardware load balancing device to balance web traffic for internal web servers, but Forefront TMG web farm load balancing (load balancing of web servers by Forefront TMG) also has several other advantages (but also some disadvantages):
Some hardware load balancers use the source IP address of the request to balance requests, but this only works in environments where the servers are not located behind NAT. Forefront TMG does not forward the original client IP address in a standard web server publishing scenario; the IP address of the external client is always masked by the IP address of the TMG Server. If you want to forward the original client IP address of the external client to the published web server, the published web server must use Forefront TMG as its default gateway, which is not suitable in every environment.
Another way to distribute load for web servers is to use Network Load Balancing (NLB), which is included in Windows. NLB distributes network traffic based on port rules. All nodes in the NLB cluster share a virtual IP address (VIP), which Forefront TMG uses to forward traffic. The NLB algorithm then distributes the traffic across all members of the NLB cluster.
NLB basics
In short, NLB is a clustering technique that is not exclusive to Microsoft Windows. NLB is part of the Windows Server 200x operating systems and is used to distribute network traffic across up to 32 hosts in the network. NLB uses a distributed algorithm to balance the inbound load across all nodes in the NLB cluster, so NLB can be used to provide both failover and load balancing.
You can enable Network Load Balancing in the Windows Server 2008 editions. The following figure shows the Network Load Balancing Manager program window in Windows Server 2008 R2.
Figure 1
NLB with Forefront TMG
If you plan to load balance internal web servers with the Forefront TMG Web Server Farm Load Balancing feature, keep in mind that the Forefront TMG Server itself becomes a Single Point of Failure (SPOF) if TMG is not load balanced. Forefront TMG Enterprise uses NLB to load balance the TMG Servers, and NLB can be used in integrated mode in Forefront TMG. It is also possible to use NLB with Forefront TMG Standard, but this is not officially supported by Microsoft and has some limitations.
Load balancing mechanisms
Round-robin
Web server requests from different IP addresses are distributed across the members of the web server farm. The round-robin mechanism ensures that user requests for a web application served by a web farm are distributed evenly among the farm members that are online. When a failure occurs, the unresponsive server is detected and the load is distributed to the remaining available servers.
Session (cookie) based affinity
Session-based (cookie) affinity is often used when publishing Outlook Web Access (OWA) from Exchange Server 200x and Microsoft SharePoint Services/Servers. Do not use session affinity if you want to publish RPC over HTTP(S) services or Outlook Anywhere in Exchange Server 2007 and later. RPC over HTTP(S) is used to give Outlook clients full access to Exchange Server from the Internet; the RPC traffic is tunneled through HTTPS. Outlook cannot use cookie-based affinity.
IP affinity
With IP affinity, web server traffic is distributed to the members of the web farm based on the client IP address. If a server stops responding, its traffic is sent to another member of the web farm.
You should not use IP affinity if the remote clients are located behind a NAT device, because the web server farm then only sees a single IP address (for example that of the TMG Server). In that case, use session affinity if possible.
IP affinity is very useful in an Exchange RPC over HTTP(S) scenario (also called Outlook Anywhere), where session affinity cannot be used, and in Exchange ActiveSync publishing scenarios, where the client does not fully support HTTP 1.1.
To create the publishing rule, open the TMG management console, navigate to Firewall Policy and create a new Web Site Publishing Rule.
Figure 2: Web publishing window
Name the new rule and choose to allow the traffic.
Click Publish a server farm of load balanced Web servers.
Figure 3: Publish a server farm
Because we are publishing an internal web server without HTTPS, we need to select the appropriate option.
Figure 4: Use HTTP only
Enter the internal site name and specify the path if you want to publish only a specific path of the web server.
The next step is to create a new farm: enter the farm name, add the internal web servers to the web server farm and, as shown in the picture below, specify how Forefront TMG should load balance the requests sent to the farm.
Figure 5: Specify the farm members
Forefront TMG creates a connectivity verifier to check the availability of the farm members. If a server is not reachable, an alert is generated. You can customize the alert actions.
Figure 6: Connectivity verifier settings
A new window appears asking whether you want to enable the system policy rule that allows HTTP requests from Forefront TMG to the published web servers. Click Yes if you want to enable it.
Figure 7: System policy rule
The next step is to create a Web Listener, which Forefront TMG uses to listen for incoming traffic. This article focuses on load balancing for the server farm, so we do not go into the details of the listener configuration for publishing a web server over HTTP.
Forefront TMG now warns that the current configuration may be unsafe because authentication requests are sent over HTTP.
Figure 8: Warning about authentication over HTTP
To allow client authentication over HTTP, you must enable it in the Advanced Authentication Options dialog on the Listener properties page, as shown in the figure below.
Figure 9: Allow client authentication over HTTP
After creating the web server publishing rule, open the rule's properties page and click the Web Farm tab to verify that the configuration is correct.
Figure 10: Web Farm properties
Checking the status of the web server farm
If you want to know which members of the server farm are available, note that Forefront TMG automatically creates connectivity verifiers when you create the web server farm. The connectivity verifier detects the status of each member of the web server farm and reports it to the alert configuration on the TMG Server, which then triggers the configured alert actions, such as e-mail messages or entries in the event log.
Servers in a web server farm can be in one of five states:
Active
This is the normal state of a web server in the farm; it indicates that the server is reachable and accepts requests.
Out-of-service
This state indicates that the web server did not respond to the connectivity verifier within the timeout period. No requests are sent to this farm member.
Draining
This state indicates that the web server is currently draining. Existing connections are completed and closed, but no new requests are sent to this server. This is useful if you want to put a web server farm member into maintenance mode.
Removed
This state indicates that the web server has been removed from the farm and does not accept requests.
Unable to verify
Indicates that the status of the server cannot be verified.
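The connectivity verifier behaviour described above, as an added Python model that is not part of the original article or of Forefront TMG: it probes each farm member over HTTP with a timeout and maps the result onto the Active and Out-of-service states, then lists the members that would raise the "not reachable" alert. The two loopback servers, the member names and the timeout are constructed for the example.

```python
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class _OkHandler(BaseHTTPRequestHandler):
    """Healthy farm member: answers every GET with 200 (constructed for the demo)."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # keep the probe output quiet


def start_member():
    """Start a healthy member on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_port():
    """Pick a loopback port nobody listens on, to stand in for a dead member."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(url, timeout=2.0):
    """One verifier check: True only if the member answers 2xx/3xx within the timeout."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (urllib.error.URLError, socket.timeout, OSError):
        return False  # connection refused, timed out, or an HTTP error status


def verify_farm(members, timeout=2.0):
    """members: {name: url}. Returns {name: "Active" | "Out-of-service"}."""
    return {name: ("Active" if probe(url, timeout) else "Out-of-service")
            for name, url in members.items()}


def members_to_alert(states):
    """Members whose state would raise the 'server not reachable' alert."""
    return sorted(name for name, state in states.items() if state != "Active")


def demo():
    """Run the verifier against one healthy and one dead constructed member."""
    srv, good_port = start_member()
    try:
        members = {
            "web1": f"http://127.0.0.1:{good_port}/",      # answers
            "web2": f"http://127.0.0.1:{unused_port()}/",  # nothing listens
        }
        return verify_farm(members, timeout=1.0)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    states = demo()
    for name, state in states.items():
        print(f"{name}: {state}")
    print("alert for:", members_to_alert(states))
```

The probe treats an HTTP error status the same as a refused connection, which matches the page's description of Out-of-service as "did not respond within the timeout" only loosely; a real verifier configuration decides which responses count as healthy.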
Web server maintenance
If you want to put a web server into maintenance mode, go to the Servers tab, select that server and click the Drain button. Forefront TMG then knows that this server is not available for load balancing new requests. With session-based affinity, the server continues to serve its current sessions but does not accept new connections. With IP-based affinity, a drained server no longer receives new requests, but existing connections to that server are maintained.
Figure 11: Servers in Web Farm
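The three balancing mechanisms from the "Load balancing mechanisms" section and the draining behaviour just described, as an added Python model that is not the article's or Forefront TMG's own code. Two simplifications are assumptions of the model: the affinity cookie simply carries the member name (TMG's real cookie is opaque), and IP affinity is modelled as a CRC32 hash of the source address over the online members (TMG does not document its hashing). All addresses and member names are constructed. The NAT scenario shows the caveat from the IP affinity section: when every request carries the TMG Server's own address, IP affinity collapses onto a single member.

```python
import zlib
from itertools import cycle

ACTIVE, DRAINING, OUT_OF_SERVICE, REMOVED = "Active", "Draining", "Out-of-service", "Removed"


class WebFarm:
    """Model of a TMG web farm using one of the three balancing mechanisms."""

    def __init__(self, members, mode):
        if mode not in ("round-robin", "session", "ip"):
            raise ValueError("mode must be round-robin, session or ip")
        self.mode = mode
        self.state = {m: ACTIVE for m in members}
        self._rr = cycle(members)  # round-robin pointer over all members

    def online(self):
        """Only Active members receive new requests."""
        return [m for m, st in self.state.items() if st == ACTIVE]

    def _next_round_robin(self):
        # Walk the ring, skipping members that are draining, out of service or
        # removed; an unresponsive member is thereby failed over automatically.
        for _ in range(len(self.state)):
            m = next(self._rr)
            if self.state[m] == ACTIVE:
                return m
        raise RuntimeError("no farm member available")

    def dispatch(self, client_ip, cookie=None):
        """Pick the member for one request.

        Returns (member, cookie_to_set). cookie is the affinity cookie the client
        sends back (session mode only; assumption: it carries the member name)."""
        if self.mode == "round-robin":
            return self._next_round_robin(), None
        if self.mode == "session":
            # A draining member keeps serving sessions already stuck to it.
            if cookie in self.state and self.state[cookie] in (ACTIVE, DRAINING):
                return cookie, cookie
            m = self._next_round_robin()
            return m, m
        # IP affinity: deterministic hash of the source address over the online
        # members; a drained member therefore gets no new requests at all.
        pool = self.online()
        if not pool:
            raise RuntimeError("no farm member available")
        return pool[zlib.crc32(client_ip.encode()) % len(pool)], None


def round_robin_scenario():
    """Three members; web2 goes out of service after the first three requests."""
    farm = WebFarm(["web1", "web2", "web3"], "round-robin")
    picks = [farm.dispatch(f"203.0.113.{i}")[0] for i in range(3)]
    farm.state["web2"] = OUT_OF_SERVICE  # connectivity verifier timed out
    picks += [farm.dispatch(f"203.0.113.{i}")[0] for i in range(3)]
    return picks


def nat_scenario():
    """TMG masks the client address, so every request carries the TMG IP and
    IP affinity sends all of them to a single member."""
    farm = WebFarm(["web1", "web2", "web3"], "ip")
    tmg_internal_ip = "10.0.0.1"  # constructed address
    return {farm.dispatch(tmg_internal_ip)[0] for _ in range(20)}


def session_drain_scenario():
    """Session affinity: a drained member keeps its session, new clients go elsewhere."""
    farm = WebFarm(["web1", "web2"], "session")
    first, cookie = farm.dispatch("203.0.113.5")    # first visit, cookie issued
    farm.state[first] = DRAINING                    # operator clicks Drain
    kept, _ = farm.dispatch("203.0.113.5", cookie)  # existing session stays put
    new, _ = farm.dispatch("203.0.113.6")           # new client avoids the drained member
    return first, kept, new


def ip_failover_scenario():
    """IP affinity: once the preferred member is out of service the same client
    is re-hashed onto a remaining member."""
    farm = WebFarm(["web1", "web2"], "ip")
    before = farm.dispatch("198.51.100.7")[0]
    farm.state[before] = OUT_OF_SERVICE
    return before, farm.dispatch("198.51.100.7")[0]


if __name__ == "__main__":
    print("round-robin:", round_robin_scenario())
    print("ip affinity behind NAT:", nat_scenario())
    print("session drain:", session_drain_scenario())
    print("ip failover:", ip_failover_scenario())
```

A request in session mode that arrives without a usable cookie falls back to round-robin among the online members, which is the model's stand-in for how a client that never returns cookies (the Outlook Anywhere case from the text) loses any stickiness.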
Alert actions
To configure alert actions for the case that a server in the farm becomes unavailable, go to the Monitoring node, select Alerts properties in the task pane, and specify the action to perform when a server in the farm is not available.
Figure 12: Web Farm alerts and checks
Conclusion
In this article we have tried to give you an overview of how the Microsoft Forefront TMG Web Server Load Balancing feature balances web traffic for internal web servers without using a hardware load balancer or the NLB (Network Load Balancing) feature available in Windows Server 2008 R2. In my opinion, the Forefront TMG Web Server Load Balancing feature is a great feature for web server farms with basic load balancing requirements.