
TMG, UAG, DirectAccess, Unicast NLB and VMware… phew!


A customer of mine uses ESX 4.1 to host their UAG and DirectAccess solution.


VMware KB article 1006778 (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006778) states that for Unicast NLB to function within VMware, the following must be true:

  • You need two machines running Windows Server 2003 or later
  • Each machine needs at least one network card and at least one fixed IP address
  • Two adapters in each machine are recommended for best performance
  • One adapter is mapped to the real IP address (Microsoft calls this the Dedicated IP) and one to the ‘virtual’ IP address (Microsoft calls this the Cluster IP)
  • One benefit of unicast mode is that it works out of the box with all routers and switches (since each network card only has one MAC address)
  • In unicast mode, since all hosts in the cluster share the same MAC and IP address, they cannot communicate with each other via their NLB network card
  • A second network card is therefore required for communication between the servers

As UAG DirectAccess requires NLB on both the internal and external interfaces, there are by default no non-NLB interfaces at all. This contradicts the requirements set by VMware, so we must define a third (tertiary) NIC dedicated to NLB and TMG array communication.

This has been applied as per the following diagram:


Each UAG server has the tertiary NIC defined, as shown above. These NICs are configured with a private IP range.

This should be enough to make Unicast NLB work. If not, drop me a line, as I have some further steps I put in (which I don’t think are required).
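To sanity-check the result on each UAG/TMG node before bringing the cluster up, here is a PowerShell script that classifies the node's adapters into NLB-bound and non-NLB, confirms that a non-NLB adapter with a fixed IP exists (the intra-array link the VMware KB asks for), and pings the peer node over that link. It is an added example, not part of the original post or any Microsoft or VMware tooling. It relies on the fact that unicast NLB rewrites the bound adapter's MAC to a 02-BF-xx-xx-xx-xx cluster MAC (03-BF for multicast), which is what WMI reports once NLB is bound. The peer address 10.99.0.2 and the private subnet are assumed values; substitute your own.

```powershell
# Check-NlbIntraArrayNic.ps1  (added example, run on each UAG/TMG node)
# Assumes the NLB driver has already rewritten the MAC of the NLB-bound adapters,
# which it does in unicast (02-BF-...) and multicast (03-BF-...) mode.
param(
    # IP of the peer node's intra-array (non-NLB) adapter. 10.99.0.2 is an assumed value.
    [string]$PeerIntraArrayIp = '10.99.0.2'
)

# Only adapters with IP bound; the NLB-bound ones carry both the Dedicated IP and the Cluster IP.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

$report = foreach ($a in $adapters) {
    $mac      = ($a.MACAddress -replace '[:-]', '').ToUpper()
    $nlbBound = $mac.StartsWith('02BF') -or $mac.StartsWith('03BF')
    $ipv4     = @($a.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }) -join ','
    New-Object PSObject -Property @{
        Description = $a.Description
        MAC         = $a.MACAddress
        IPv4        = $ipv4
        StaticIP    = -not $a.DHCPEnabled
        NlbBound    = $nlbBound
        Role        = if ($nlbBound) { 'NLB (DIP+VIP; no node-to-node traffic)' } else { 'Intra-array candidate' }
    }
}

$report | Select-Object Description, MAC, IPv4, StaticIP, NlbBound, Role | Format-Table -AutoSize

# Requirement from the KB: at least one non-NLB adapter with a fixed IP, because unicast
# NLB nodes cannot reach each other over the adapters that share the cluster MAC.
$intraArray = @($report | Where-Object { -not $_.NlbBound -and $_.StaticIP })
if ($intraArray.Count -eq 0) {
    Write-Warning 'No non-NLB adapter with a fixed IP found. Add a third NIC on a private subnet for NLB heartbeat and TMG array traffic.'
    exit 1
}

# A UAG DirectAccess array normally has NLB on both the internal and external interfaces.
$nlbCount = @($report | Where-Object { $_.NlbBound }).Count
if ($nlbCount -lt 2) {
    Write-Warning "Only $nlbCount NLB-bound adapter(s) found; expected internal and external NLB interfaces."
}

# Prove the intra-array path actually works: ping the peer's tertiary-NIC address.
if (Test-Connection -ComputerName $PeerIntraArrayIp -Count 2 -Quiet) {
    "Peer $PeerIntraArrayIp reachable over the intra-array link: OK"
} else {
    Write-Warning "Peer $PeerIntraArrayIp not reachable. Check that both tertiary NICs share a subnet and sit on the same port group/VLAN."
    exit 1
}
```

The script only checks the guest side. KB 1006778 also covers the vSwitch port-group settings for unicast NLB, which have to be verified separately in vSphere.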


UPDATE: After speaking with Microsoft on something entirely different, it has come to light that the above solution, although workable, is NOT SUPPORTED by Microsoft. In short, the only Microsoft-supported configuration is to have both UAG servers on the same VMware host (in which case you don’t require the intra-array link). Note that this currently also applies to multicast scenarios (which supposedly are supported in general; still waiting for a TechNet update).

Comments

Ash
May 6, 2011 at 4:28 am

In our project, we have 2 TMG with NLB, 1 internal Juniper firewall and 1 external Juniper firewall. We’re not sure where to deploy both TMGs: either behind the external firewall and in front of the internal firewall, or behind the internal firewall and in front of the core switch. Which would be better?

Reply
July 15, 2011 at 2:59 pm

IMHO place it behind your public firewall – in the DMZ
