Forefront Threat Management Gateway (TMG) 2010 Web Proxy Client Redundancy Deep Dive (Part 1) – DNS Configuration

If you would like to read the other parts in this article series please go to:


Forefront TMG 2010 Enterprise edition allows an administrator to configure clustered arrays of TMG firewalls to provide redundancy, high availability, and scalability. In a forward (outbound) web proxy scenario there are several options to configure redundancy for the web proxy array, and choices to make when configuring web proxy and firewall clients. Each option has its advantages and disadvantages. In part one of this three-part series I’ll discuss DNS configuration for TMG enterprise arrays. In future articles I’ll explore the intricacies of client configuration and demonstrate how to configure Kerberos authentication in load balanced scenarios.

Load Balancing Options

The options to configure Forefront TMG 2010 for redundancy and high availability are:

  • DNS Round Robin (RR) – This is the simplest and least expensive load balancing configuration, but has some drawbacks.
  • Network Load Balancing (NLB) – This is a bit more complex than DNS RR, but it addresses some issues that DNS RR has and is still inexpensive.
  • External Load Balancer – This is the most complex and expensive solution, but it is by far the best solution for large enterprises with the highest demands for availability, throughput, and performance.

Each configuration has its advantages and disadvantages. Let’s explore these in more detail.

DNS Round Robin (RR)

DNS RR is a simple and effective way to provide basic redundancy for a web proxy array. However, it is important to understand that DNS RR is not true load balancing. The DNS server simply rotates the order of the addresses in each response, so requests are spread evenly by count across the array, without regard to the nature of the request (e.g. a basic web page versus streaming media) or to how busy each member already is; a client also caches the answer for the record's TTL and keeps using the member it was given. In scenarios where DNS RR is enabled, it is therefore possible to see an equal number of requests distributed across the nodes of the array, while at the same time seeing different levels of utilization on each individual node.

To configure DNS RR, create multiple A host records in DNS, all using the proxy array name, one per array member. Each host record resolves to the internal IP address of one member of the array.

Figure 1

In addition, to support Web Proxy Auto Discovery (WPAD), create a CNAME record that points to the proxy array name configured previously.

Figure 2

Creating a CNAME record as shown here is a generally accepted best practice, because the array's A records then remain the single place where member addresses are maintained. However, it is also possible to create multiple A host records named WPAD that resolve to the internal IP address of each individual member of the array. Also, don’t forget to configure your DNS server to answer for WPAD: since Windows Server 2008 the Windows DNS server places wpad on its global query block list and refuses to resolve the name by default, so wpad must be removed from that list before clients can discover the proxy.

When a client makes a DNS query for the proxy array name, the DNS server will respond with multiple IP addresses as shown here:

Figure 3

The method by which a client selects an IP address from the DNS response is outside the scope of this article.

DNS RR suffers from the limitation that requests can be sent to an array member that is offline. If the client selects an IP address from the DNS response for an array member that is unavailable or not responding, the client waits for that connection attempt to time out before it falls back, so the user experiences a delay when loading web pages. If the remaining members of the array are online and responsive, the client will eventually connect to another node. An intelligent DNS or Global Server Load Balancing (GSLB) solution that health-checks the array members and withdraws the address of a failed node can mitigate this issue.
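The check below is an added example and is not part of the original article. It resolves the proxy array name exactly as a client would, then attempts a TCP connection to every address DNS returned, with a bounded timeout, and reports which members actually accept connections on the web proxy listener. The array name, the DNS server address and port 8080 (TMG's default web proxy port) are assumptions for illustration; it runs on any Windows host with the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original article. Tests every address DNS
# hands out for a proxy array name against the web proxy port, so that an
# offline member (the DNS RR failure mode) shows up as a 'timeout' row.
# Array name, DNS server and port are assumptions for illustration.
#
# Usage:  Test-ProxyArrayMembers -ArrayName proxy.corp.example.com -DnsServer 10.0.0.5

function Test-ProxyArrayMembers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ArrayName,
        [string] $DnsServer,           # optional: query a specific DNS server
        [int]    $Port      = 8080,    # TMG default web proxy listener port
        [int]    $TimeoutMs = 3000     # bound on a single connection attempt
    )

    $resolveArgs = @{ Name = $ArrayName; Type = 'A'; DnsOnly = $true }
    if ($DnsServer) { $resolveArgs.Server = $DnsServer }

    # Keep the order the server returned: a fresh client normally tries the
    # first address first, so that entry is the one it would hit.
    $answers = Resolve-DnsName @resolveArgs | Where-Object Type -eq 'A'
    if (-not $answers) { throw "No A records returned for $ArrayName" }

    foreach ($rec in $answers) {
        $client = New-Object System.Net.Sockets.TcpClient
        $sw     = [System.Diagnostics.Stopwatch]::StartNew()
        $status = 'down'
        try {
            # BeginConnect plus a bounded wait: an offline host silently drops
            # the SYN, which would otherwise block for the OS connect timeout.
            # That wait is exactly the delay a DNS RR client experiences.
            $async = $client.BeginConnect($rec.IPAddress, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws on RST: host up, listener down
                $status = 'up'
            } else {
                $status = 'timeout'          # host unreachable or silently dropping
            }
        } catch {
            $status = 'refused'
        } finally {
            $sw.Stop()
            $client.Close()
        }

        [pscustomobject]@{
            Address   = $rec.IPAddress
            Ttl       = $rec.TTL      # how long a client caches this answer
            Port      = $Port
            Status    = $status
            ElapsedMs = $sw.ElapsedMilliseconds
        }
    }
}
```

A `timeout` row with an `ElapsedMs` close to the timeout value is what a client sees when DNS RR hands it an offline member; the `Ttl` column is how long a client that cached that answer keeps returning to the same member before it asks DNS again.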

Network Load Balancing (NLB)

Enabling NLB on the web proxy array has the potential to provide higher availability than using DNS RR alone. NLB hosts exchange heartbeats, and when a host stops responding the remaining hosts converge and stop accepting the traffic that was mapped to it. Depending on the client configuration (more on that in part two of this three-part series), clients configured to point to the Virtual IP Address (VIP) are therefore less likely to have their requests sent to an array member that is offline, as is possible when using DNS RR.

Configuring DNS with NLB requires creating DNS records differently than described earlier. Here we’ll create a single DNS A resource record for the proxy array name that resolves to the NLB VIP, instead of multiple A resource records resolving to each node’s internal interface IP address.

Figure 4

The WPAD DNS record is created in the same manner as described earlier. You can create a CNAME record called WPAD that points to the A host record for the proxy array name, or you can create an A host record that resolves to the NLB VIP.
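The following script is an added example and is not part of the original article. It publishes the records described in both the DNS RR section and the NLB section: pass several addresses to get one A record per array member (DNS RR), or a single address to get one A record for the NLB or external load balancer VIP. It also creates the WPAD CNAME, removes wpad from the Windows DNS global query block list, makes sure round robin is on and netmask ordering is off, and verifies the result by querying the server. It assumes a Windows DNS server managed with the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT); the zone name, array name and addresses are assumptions for illustration.

```powershell
# Added example, not from the original article. Publishes the DNS records
# for a TMG web proxy array using the DnsServer module. Zone, array name
# and addresses below are assumptions for illustration.
#
# DNS round robin (one A record per array member):
#   Set-ProxyArrayDns -ZoneName corp.example.com -ArrayName proxy `
#                     -Addresses 10.0.1.11, 10.0.1.12, 10.0.1.13
# NLB or external load balancer (single A record for the VIP):
#   Set-ProxyArrayDns -ZoneName corp.example.com -ArrayName proxy -Addresses 10.0.1.10

function Set-ProxyArrayDns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,
        [Parameter(Mandatory)] [string]   $ArrayName,
        [Parameter(Mandatory)] [string[]] $Addresses,
        [string] $DnsServer  = 'localhost',
        [int]    $TtlSeconds = 300        # short TTL so clients re-query sooner
    )

    $ttl       = [TimeSpan]::FromSeconds($TtlSeconds)
    $arrayFqdn = "$ArrayName.$ZoneName"

    # One A record per address, all under the same name. Several addresses
    # give DNS RR; a single address is the NLB or load balancer VIP.
    foreach ($ip in $Addresses) {
        Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $ArrayName -IPv4Address $ip -TimeToLive $ttl
    }

    # WPAD as a CNAME to the array name, so the array's A records stay the
    # single place where member addresses are maintained.
    Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name 'wpad' -HostNameAlias $arrayFqdn -TimeToLive $ttl

    # Windows DNS will not answer for 'wpad' while it is on the global query
    # block list (the default since Windows Server 2008). Drop only wpad.
    $block = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
    $keep  = @($block.List | Where-Object { $_ -ne 'wpad' })
    if ($keep.Count -ne @($block.List).Count) {
        if ($keep.Count -eq 0) {
            Set-DnsServerGlobalQueryBlockList -ComputerName $DnsServer -Enable $false
        } else {
            Set-DnsServerGlobalQueryBlockList -ComputerName $DnsServer -List $keep
        }
    }

    # Round robin must be on. Netmask ordering must be off when array members
    # sit in different subnets, otherwise the server reorders each response by
    # the client's subnet and the rotation is lost.
    $settings = Get-DnsServerSetting -ComputerName $DnsServer -All
    $settings.RoundRobin       = $true
    $settings.LocalNetPriority = $false
    Set-DnsServerSetting -ComputerName $DnsServer -InputObject $settings

    # Verify: the array name must return every address, and wpad must chain
    # through the CNAME to the same set.
    $arrayAnswers = @(Resolve-DnsName -Name $arrayFqdn -Type A -Server $DnsServer -DnsOnly |
        Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    $wpadAnswers  = @(Resolve-DnsName -Name "wpad.$ZoneName" -Type A -Server $DnsServer -DnsOnly |
        Where-Object Type -eq 'A' | ForEach-Object IPAddress)

    if (Compare-Object -ReferenceObject $Addresses -DifferenceObject $arrayAnswers) {
        throw "$arrayFqdn did not resolve to the expected address set: $($arrayAnswers -join ', ')"
    }
    if (Compare-Object -ReferenceObject $arrayAnswers -DifferenceObject $wpadAnswers) {
        throw "wpad.$ZoneName does not resolve to the same addresses as $arrayFqdn"
    }

    [pscustomobject]@{ ArrayName = $arrayFqdn; Addresses = $arrayAnswers }
}
```

Run it once per array from a host with the DnsServer module. Running `Resolve-DnsName` for the array name a few times afterwards should show the first address changing between queries in the DNS RR case; if it does not, netmask ordering or a caching resolver between the client and the server is the usual cause.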

The drawback to using NLB is that it produces a lot of network chatter: it uses layer two broadcasts for its heartbeat communication, and in unicast mode every host shares the cluster MAC address, so the switch floods cluster traffic to every port. This can be mitigated by placing the NLB-enabled TMG firewalls on an isolated VLAN, or by configuring NLB in multicast operational mode. NLB is also limited to eight nodes per TMG array and has a throughput limit of roughly 500 Mbps.

External Load Balancer

External load balancers offer several distinct advantages over using DNS RR and NLB. Most external load balancers can perform basic health checks against TMG firewalls to determine if array members are online and responsive. If an array member is unavailable, client requests will not be routed to that node. Many external load balancers have advanced health check capabilities, including the ability to measure request response times and query load balanced nodes for additional detailed information in order to more accurately determine utilization. This provides more efficient load distribution across the TMG array.

Using external load balancers increases the complexity and adds to the expense of the solution. External load balancers can themselves introduce a single point of failure, so be sure to plan for redundancy of the load balancers as well. Remember also that Forefront TMG 2010 is a stateful packet inspection firewall: every packet of a connection, and ideally every connection from a given client, must arrive at the same array member. External load balancers must therefore be configured for source IP address affinity (persistence). If the load balancer fails to do this properly, legitimate traffic will be interrupted, resulting in failed connections.

The process of configuring DNS with an externally load balanced TMG proxy array is exactly the same as that of DNS with NLB described previously. The only difference is that the VIP is assigned to the hardware load balancer and not to the TMG array. DNS records will resolve to this VIP and traffic will be routed to TMG array members by the external load balancer.

Summary

There are several options to choose from when developing a load balancing strategy. DNS round robin (DNS RR), integrated Network Load Balancing (NLB), and an external load balancer can each provide redundancy and high availability for the TMG enterprise array, and each has its own distinct advantages and disadvantages. DNS RR is a simple and cost effective solution that works fairly well, but without additional intelligence there is the potential to send client requests to a node that is offline. Leveraging integrated NLB can mitigate some of the issues associated with DNS RR; however, NLB produces additional network traffic with its heartbeat communication and it also has a native limitation on throughput. Using an external load balancer addresses many of these concerns but adds complexity and expense to the solution. For each load balanced scenario the client configuration is slightly different, which is a topic we’ll explore in part two of this three-part series on web proxy client redundancy.
