
A Closer Look at TMG 2010 Enterprise Edition Standalone Arrays

A Closer Look at Standalone Arrays with Forefront Threat Management Gateway (TMG) 2010 Enterprise Edition.
Richard Hicks

Introduction

A few months ago we looked at the various array options for Microsoft Forefront Threat Management Gateway (TMG) 2010 Enterprise Edition. In this month’s article we will dig a little deeper into one Enterprise array option – the standalone array. We will take a look at how it differs from an Enterprise Management Server (EMS) managed array, and what to do if the array manager is unavailable.

Standalone Array

As I outlined in my previous article, a standalone array is a group of TMG Enterprise Edition firewalls configured as a single logical firewall. In a standalone array, one of the array members is designated as the array manager, and each member of the array synchronizes its configuration with this system. In a standalone array there is no concept of an enterprise. There is no option to configure enterprise-level policies or networks, and only a single array with up to 50 members is supported (limited to 8 with Network Load Balancing (NLB) enabled). The standalone array is managed in the same way as a single TMG Standard Edition firewall, with the added benefits of redundancy and high availability provided by NLB, along with centralized configuration and policy management for all array members.

Looking at a TMG Enterprise standalone array in the management console, it appears to be identical to a TMG Standard Edition firewall. As you can see, there are no enterprise-level policies or networks.


Figure 1

In fact, the only indication that this is a TMG Enterprise standalone array is shown when you highlight the System node in the navigation tree and select the Servers tab. Here you will see this standalone array has three members.


Figure 2


Figure 3

Array Manager

Each member of a standalone array synchronizes its configuration with the array manager. The array manager is created by joining one TMG Enterprise Edition firewall to another. There is no special configuration required to prepare a TMG firewall to be an array manager. In a standalone array there can be only one array manager. This differs from EMS-managed arrays, where multiple EMS can be deployed for redundancy. If the array manager is temporarily unavailable, the remaining array members will continue to function using the configuration they received during their last successful synchronization. While the array manager is unavailable, you will not be able to make changes to the array policy or configuration, or generate reports. Once the array manager is back online you can continue to manage the array normally.

Changing Array Managers

If the system designated as the array manager becomes permanently unavailable for any reason, it will be necessary to designate another array member as the new array manager. To accomplish this, open the management console on the array member you wish to designate as the new array manager and highlight the root node in the console tree.


Figure 4

In the tasks pane, select Set as Array Manager.


Figure 5

A warning message appears indicating that setting the array manager while another server is already configured as the array manager may result in a misconfiguration. Choose OK to continue.


Figure 6

Note:
The process of setting a new array manager when the original array manager is offline can take several minutes.

Once complete, you will see this system identified as the array manager.


Figure 7

Next you will need to configure the remaining array members to point to the new array manager. On each array member, open the management console and in the tasks pane, select Change Array Manager.


Figure 8

Note:
Opening the management console on the remaining array members may take an extended length of time and appear frozen because the original array manager is offline and cannot be contacted. Be patient. Eventually the management console will open and allow you to specify a new array manager.

Enter the IP address, or preferably the fully qualified domain name (FQDN), of the system you wish to designate as the new array manager.


Figure 9

By default, the original array manager is also the report server for the array. For reporting to function properly after changing the array manager, highlight Logs & Reports in the console tree, then select the Reporting tab.


Figure 10

In the tasks pane select Configure Reporting Settings.


Figure 11

Select the Report Server tab, and then choose another array member to serve as the report server for the array.


Figure 12

Once you have completed these steps, you can safely delete the old array manager by right-clicking on the system and selecting Delete.


Figure 13

Conclusion

The standalone array feature of Microsoft Forefront Threat Management Gateway (TMG) 2010 is an excellent deployment option for organizations that require high availability for their TMG firewalls, but do not want the additional overhead of configuring a full EMS managed array. The failure of the array manager does not prevent the remaining array members from processing traffic, and with little effort another array member can easily be configured as an array manager without interruption in service.

About Richard Hicks

Richard Hicks is a Sales Engineer specializing in edge security solutions for security appliance vendor Celestix Networks. He has been working with Forefront Threat Management Gateway (TMG) 2010 and its predecessors for more than 12 years. He has designed and deployed network security solutions using TMG and ISA for SMBs, military and defense organizations, and Fortune 500 companies around the world. Richard is a Microsoft Most Valuable Professional (MVP) for Forefront Security, and his certifications include Microsoft Certified Professional, Microsoft Certified Systems Engineer, Microsoft Certified Technology Specialist, Microsoft Certified Information Technology Professional - Enterprise Administrator, and Websense Certified Engineer - Web Security.
