All, Has anyone been able to set up a site-to-site (S2S) along with network load balancing integration on TMG 2010 EE? The S2S works fine on its own when NLB integration is disabled, and NLB itself works fine. However, as soon as I enable NLB integration the S2S continually stays in a disabled state in RRAS. Manually enabling it simply results in it being disabled within 15 seconds. If I set up NLB manually (not through TMG) the S2S stays enabled. It's only when done through TMG. This problem occurs even if I only have 1 server in the array. Any ideas? Thanks, S
Thanks Tom. Anxious to hear your results. If it helps, our setup for each site includes 2 TMG virtual servers running on Windows Server 2008 R2 x64. The virtuals are running on Hyper-V boxes that are also 2008 R2 x64.
Multicast. However, we can reproduce the problem without actually setting up any NLB interfaces. If we simply enable NLB Integration, the S2S gets and stays disabled. Also, we have tried setting up NLB first, then doing the S2S, and vice versa. Whatever order of operations we use, we seem to run into the same problem.
Just an update on more testing we have tried. Enabling MAC spoofing in the Hyper-V guest settings makes no difference to the S2S. We can, however, get NLB to work (without redundancy for the S2S) by enabling/configuring NLB, then disabling integration but leaving the settings in place.
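The posts above describe the S2S demand-dial interface flipping back to disabled within about 15 seconds of NLB integration being enabled. The script below is an added example (not from anyone in this thread, and not TMG's or Microsoft's code) for timestamping that flip on a TMG/RRAS array member: it polls the interface state and logs every transition next to the local NLB node view, so the reproduction steps above (enable integration, change NLB settings, manually re-enable the interface) can be lined up against when the interface drops. Assumptions: the demand-dial interface name is the hypothetical "S2S-Remote", that interface appears in the output of `netsh interface show interface` (label that line by whatever name your RRAS console shows), and the NLB PowerShell module is present when NLB is installed; none of these come from the thread.

```powershell
# Added example: poll an RRAS demand-dial interface and log state transitions.
# Assumption: the demand-dial interface is listed by "netsh interface show interface";
# the interface name below is hypothetical and must be changed to match RRAS.
param(
    [string]$InterfaceName   = "S2S-Remote",   # hypothetical name, edit to match RRAS
    [int]$IntervalSeconds    = 5,
    [int]$DurationSeconds    = 300,
    [string]$LogPath         = "$env:TEMP\s2s-nlb-watch.log"
)

function Get-InterfaceState {
    param([string]$Name)
    # netsh prints: "Admin State    State    Type    Interface Name" followed by rows.
    # The header and dashed separator never match a four-column row whose last
    # column equals $Name, so no line skipping is needed.
    foreach ($line in (netsh interface show interface)) {
        if ($line -match '^\s*(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$' -and $Matches[4] -eq $Name) {
            return [pscustomobject]@{
                AdminState = $Matches[1]
                State      = $Matches[2]
                Type       = $Matches[3]
            }
        }
    }
    return $null   # interface not present in netsh output
}

function Get-NlbSummary {
    # Local NLB node view, only when the NLB feature (and its module) is installed.
    if (Get-Module -ListAvailable -Name NetworkLoadBalancingClusters) {
        Import-Module NetworkLoadBalancingClusters -ErrorAction SilentlyContinue
        try {
            return (Get-NlbClusterNode | ForEach-Object { "$($_.Name)=$($_.State)" }) -join ','
        } catch {
            return "nlb-query-failed"
        }
    }
    return "nlb-module-absent"
}

$deadline = (Get-Date).AddSeconds($DurationSeconds)
$last     = $null
while ((Get-Date) -lt $deadline) {
    $cur   = Get-InterfaceState -Name $InterfaceName
    $state = if ($cur) { "$($cur.AdminState)/$($cur.State)" } else { "not-listed" }
    if ($state -ne $last) {
        # Only transitions are logged, so a stable interface produces one line
        # and the "disabled within 15 seconds" behaviour shows as a second line.
        $entry = "{0}  {1}  {2}  NLB: {3}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'),
                                           $InterfaceName, $state, (Get-NlbSummary)
        $entry
        Add-Content -Path $LogPath -Value $entry
        $last = $state
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it from an elevated PowerShell on one array member before toggling NLB integration in the TMG console; the log then gives the exact interval between the integration change (or a manual re-enable in RRAS) and the interface returning to disabled, which is the kind of timing evidence a support case on this behaviour would ask for.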
Unfortunately we've had to start looking into other firewall solutions since we have this problem and also issues with TMG/ISA blocking the RPC traffic through a S2S to/from Exchange 2010 boxes.
I'm also wondering if anyone has figured this out. I've found that VPN features with NLB seem broken in TMG. I can't get demand-dial connections to work and get the exact same issue with S2S connections (network interface always disabled in TMG RRAS).
I've found that disabling the NLB on the internal side allows my demand-dial VPN connections to work, but I haven't tested the S2S. It appears, based on logging, that the way TMG handles inbound VPN across the array is by trying the connection across all members. Then the one with the IP assigned to the inbound connection can fulfil it.
That doesn't appear to be true NLB. And NLB appears to break a lot of VPN functionality.
Disabling the NLB on the internal side (not external) seemed to resolve my issues.
FYI... and I'm sure there will be some clarification by someone more knowledgeable.
After nearly 2 months I just got info from MS: it seems to be some kind of timing issue. They are currently working on a private fix; the final fix should be available in some weeks...
Update for all - it appears to be some sort of WMI subscription issue. A hotfix is due out in a couple of weeks. I'll be notified when it's available (we have a support case logged) and will update here.