Product Documentation

Configuring Multiple Instances of Secure Mobile Gateway in a Threat Management Gateway Array

Sep 27, 2015
To configure multiple instances of Secure Mobile Gateway in a Microsoft Forefront Threat Management Gateway (TMG) array, you install TMG, and Secure Mobile Gateway, on each server of the array and configure the instances to share a common Secure Mobile Gateway configuration.

Configuration Replication

To configure multiple instances, you either replicate the config folder across the members of the array or point every member at a common, shared config folder. The ISAPI filter watches the contents of the config folder and reconfigures itself dynamically, whether the configuration files are changed by replication or by an update that the Gateway Configuration Service (GCS) writes into a shared folder. In both models the config folder is the source of truth for gateway policy on every member, so whoever can write to it controls the array.

In either model, one of the servers running Secure Mobile Gateway is designated as the Managing Host for Device Manager. This server communicates with the server running Device Manager to retrieve policy updates and commits them to the config folder. The Managing Host property is set in the SMG Controller Configuration utility on the Config Provider tab. When the resulting configuration is replicated or shared, only the GCS on the Managing Host communicates with the server running Device Manager; the GCS on the other members only reads what arrives in the config folder.

To deploy configuration replication, you must configure a third-party replication product to replicate the config folder from the Managing Host server to all other servers.

Configuration Sharing

Shared configuration is a model for automatically sharing Secure Mobile Gateway state across all members of a TMG array (or IIS cluster). To set up shared configuration, create a file system share that is accessible from every member of the array and grant it the permissions listed below: read access for the TMG Firewall Service or IIS worker process (typically NT AUTHORITY\NetworkService), read/write access for the GCS user, and read/write access for any user who will run the SMG Controller Configuration utility. Then configure each array member to use the share: run the SMG Controller Configuration utility on each member, open the Configuration Store (Shared Configuration) tab, and change the configuration folder to the UNC path of the share. Secure Mobile Gateway automatically detects changes both in the configuration and in the configuration location, so no service restart is required.

Because every member applies whatever appears in the folder, write access to the share amounts to control of gateway policy across the whole array. Keep it limited to the GCS account and the administrators who run the configuration utility, and give the filter and Log Redirector identities read access only.

The share must have the following permissions:

  • Read/write access for any user who runs the SMG Controller Configuration utility
  • Read/write access for the account of the XenMobile Gateway Configuration service (default account is LocalService)
  • Read access for the account of the XenMobile Gateway Log Redirector service (default account is LocalService)
  • Read access for the Secure Mobile Gateway ISAPI filter. On TMG this is the TMG Firewall Service (account defaults to NETWORK SERVICE); on IIS it is the worker process w3wp.exe (account defaults to the IIS application pool identity)

When the share is hosted on another computer, these identities are resolved as the array member's network identity, not by their local names: NETWORK SERVICE and the IIS application pool identity authenticate to a remote share as the member's computer account (DOMAIN\HOSTNAME$), while LOCAL SERVICE authenticates anonymously and cannot be granted access at all. Grant the read permissions to each member's computer account, and run the Gateway Configuration and Log Redirector services as a domain service account that is granted the access listed above before switching them to a remote configuration folder.
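The following PowerShell script is an added example, not part of the Secure Mobile Gateway documentation or product. It creates the shared config folder on a file server and applies the permission set above in a least-privilege form. The domain CORP, the array members TMG01 and TMG02, the service account CORP\svc-smg-gcs (the account the Gateway Configuration and Log Redirector services are assumed to run as) and the operator group CORP\SMG-Admins are assumptions for illustration; the share path and name are likewise invented. It uses only icacls and net share, which exist on Windows Server 2008 R2 and later, and must be run in an elevated session on the host of the share.

```powershell
# Added example: create and permission the shared Secure Mobile Gateway config folder.
# Assumed names (replace with your own): domain CORP, array members TMG01/TMG02,
# service account CORP\svc-smg-gcs, operator group CORP\SMG-Admins.

$Path      = 'D:\SMGConfig'
$ShareName = 'SMGConfig$'                 # hidden share, so it is not listed when browsing
$Domain    = 'CORP'
$Members   = @('TMG01', 'TMG02')          # every member of the TMG array
$GcsUser   = "$Domain\svc-smg-gcs"        # GCS (and Log Redirector) service account; a domain
                                          # account, because LocalService cannot reach a remote share
$Admins    = "$Domain\SMG-Admins"         # operators who run SMG Controller Configuration

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS: drop inherited ACEs so no inherited grant (for example BUILTIN\Users) leaks in,
# then start from Administrators and SYSTEM only.
icacls $Path /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Modify (read/write) for the GCS account, which commits policy from Device Manager,
# and for the administrators who edit the configuration with the utility.
icacls $Path /grant "$($GcsUser):(OI)(CI)M" "$($Admins):(OI)(CI)M" | Out-Null

# Read-only for each array member's computer account: the identity the TMG Firewall Service
# (NETWORK SERVICE) or the IIS application pool presents when it opens a remote share.
foreach ($m in $Members) {
    icacls $Path /grant "${Domain}\${m}`$:(OI)(CI)RX" | Out-Null
}

# Share permissions mirror the NTFS grants; effective access is the more restrictive of the two.
# The default "Everyone: Read" share ACE is never created because explicit grants are given.
$grants = @("/GRANT:$GcsUser,CHANGE", "/GRANT:$Admins,CHANGE")
foreach ($m in $Members) { $grants += "/GRANT:${Domain}\${m}`$,READ" }
net share ("{0}={1}" -f $ShareName, $Path) @grants | Out-Null

# Print the resulting ACLs so they can be checked against the required permissions list.
icacls $Path
net share $ShareName
```

If the Log Redirector runs under a different account from the GCS, grant that account `(OI)(CI)RX` and share `READ` instead of reusing `$GcsUser`; the point of the separate grants is that only the GCS account and the operator group can change policy.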

An alternative to shared configuration is to automatically replicate the Secure Mobile Gateway config folder from the Managing Host to the other members of the array. Replication is the responsibility of the administrator and is not provided by the product. Secure Mobile Gateway automatically detects and responds to any change to the .xml files in the config folder, so the replication mechanism must never leave a partially written .xml file where the filter can read it.
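The script below is an added example of the replication model described in the Configuration Replication section and in the paragraph above; it is not the product's own mechanism, which the documentation leaves to a third-party replication product of the administrator's choosing. It runs on the Managing Host and pushes the .xml files of the config folder to the other members. The local path C:\SMGConfig, the member names TMG02 and TMG03 and the per-member shares SMGConfig$ (writable by the account running the script) are assumptions for illustration. It needs Windows PowerShell 4.0 or later for Get-FileHash. Because the filter reacts to .xml changes, each file is first written under a .tmp name and then swapped into place with an atomic replace, so the filter never parses a half-copied policy file.

```powershell
# Added example: push the Managing Host's config folder to the other array members.
# Assumed: source folder C:\SMGConfig on the Managing Host; a share SMGConfig$ on each other
# member that maps to its config folder and is writable by the account running this script.

$Source  = 'C:\SMGConfig'
$Targets = @('\\TMG02\SMGConfig$', '\\TMG03\SMGConfig$')

function Sync-SmgConfigFolder {
    param([string]$From, [string]$To)

    foreach ($file in Get-ChildItem -Path $From -Filter *.xml -File) {
        $dest = Join-Path $To $file.Name

        # Skip unchanged files so the filter on the target is not asked to reconfigure needlessly.
        if ((Test-Path $dest) -and
            ((Get-FileHash $dest).Hash -eq (Get-FileHash $file.FullName).Hash)) {
            continue
        }

        # Copy under a non-.xml name first: the filter only watches .xml files, so the
        # in-progress copy is invisible to it.
        $tmp = "$dest.tmp"
        Copy-Item -Path $file.FullName -Destination $tmp -Force

        if (Test-Path $dest) {
            # File.Replace swaps the files atomically on the target volume; there is no instant
            # at which the .xml is missing or partially written.
            [System.IO.File]::Replace($tmp, $dest, $null)
        } else {
            # First-time copy: a rename within the same directory is also atomic.
            Move-Item -Path $tmp -Destination $dest
        }
        Write-Output "replicated $($file.Name) to $To"
    }

    # Remove .xml files that the Managing Host no longer has, so stale policy does not linger.
    foreach ($stale in Get-ChildItem -Path $To -Filter *.xml -File) {
        if (-not (Test-Path (Join-Path $From $stale.Name))) {
            Remove-Item -Path $stale.FullName
            Write-Output "removed $($stale.Name) from $To"
        }
    }
}

foreach ($t in $Targets) { Sync-SmgConfigFolder -From $Source -To $t }
```

Run it from a scheduled task on the Managing Host, under an account that has read/write access to the target shares and nothing more; the other members' GCS instances must not be configured as Managing Host, otherwise they would overwrite the replicated files with their own Device Manager downloads.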