Upstream ISA/TMG Server Deployment

This option is similar to the Downstream ISA/TMG Server Deployment. It can be used with any of the basic deployment options. It allows the Web Appliance to work with an ISA/TMG server, although in this case, one that is upstream in the network from the Web Appliance (see diagram below).

  • Allows the Web Appliance to work with an ISA/TMG server.
  • Allows you to use multiple Web Appliances in a simple load-balancing deployment.
  • Does not support individual user opt-out.


The operation varies according to the basic deployment scenario that you choose. As an example, this option is shown in the diagram above and described in the points below as a Bridged Deployment.

  • Users' HTTP and HTTPS requests are passed through the Web Appliance.
  • The Web Appliance assesses URLs.
  • The Web Appliance blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through to the ISA/TMG server.
  • The ISA/TMG server retrieves new pages or files from the internet, and passes them back to the Web Appliance.
  • The Web Appliance receives the allowed pages or files, caches them, and passes them on to the users.
  • The users receive only safe and allowed pages and files or a notification page.


Follow the configuration instructions for the basic network deployment scenario that you want to use—Explicit Deployment, Transparent Deployment, or Bridged Deployment—but locate your Web Appliance between the ISA/TMG server and your users.

Even if you have an upstream proxy (a proxy between the Web Appliance and the internet) configured, you still need to configure the Web Appliance with access to your organization's DNS server, which is set on the Configuration > Network > Network Interface page.

A simple way to set up load balancing amongst multiple Web Appliances is to set up a DNS round robin scheme. If you do this, you should disable DNS caching because Windows DNS caching can mask the round robin effect. Also, you must ensure that you have a firewall with network address translation (NAT), but not an ISA/TMG server in firewall mode, between the Web Appliances and the internet. This firewall must be configured to present a single IP for the Web Appliances to external sites. The NAT, or IP masquerading, prevents sites that check and record the IP address of visitors in cookies from encountering multiple IP addresses. To disable Windows DNS caching, see the Microsoft support article

Explaining how to configure an ISA/TMG server is beyond the scope of this documentation. For details on ISA/TMG server configuration, see Microsoft's ISA Server Deployment page or the Microsoft Forefront TMG Deployment page.
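
To confirm from a client that the DNS round robin scheme described above is actually rotating, and is not being masked by a local DNS cache, a check like the following can be run. This is an added example, not part of the product documentation. The host name `proxy.example.test`, the three 192.0.2.x addresses, and the stub resolvers are constructed for illustration, and the cached stub assumes a cache that keeps returning the first answer it saw.

```python
import socket
from collections import Counter
from itertools import cycle

def os_resolver(name):
    """First IPv4 address the OS resolver (including any local DNS cache) returns."""
    return socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]

def first_answer_spread(resolve, name, lookups=30):
    """Count which address each lookup would make the client connect to."""
    return Counter(resolve(name) for _ in range(lookups))

def assess(spread, expected_appliances):
    """Classify the spread against the number of appliances in the DNS pool."""
    if len(spread) < expected_appliances:
        return "masked"   # some appliances never chosen: cache or missing A records
    fair = sum(spread.values()) / expected_appliances
    # All appliances seen; flag one address taking more than twice its fair share.
    return "skewed" if max(spread.values()) > 2 * fair else "rotating"

# Constructed sample data: hypothetical appliance addresses (TEST-NET-1 range).
POOL = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]

def rotating_resolver(pool):
    """Stub for a client with DNS caching disabled: answers rotate per lookup."""
    it = cycle(pool)
    return lambda name: next(it)

def cached_resolver(pool):
    """Stub for a client whose cache pins the first answer (assumed behaviour)."""
    return lambda name: pool[0]

if __name__ == "__main__":
    for label, resolve in (("caching disabled", rotating_resolver(POOL)),
                           ("caching enabled", cached_resolver(POOL))):
        spread = first_answer_spread(resolve, "proxy.example.test")
        print(label, dict(spread), assess(spread, len(POOL)))
    # On a real client, pass os_resolver and your own proxy host name instead.
```

A result of `masked` on a client that should see all appliances suggests that cached answers, or missing DNS records, are keeping it on a subset of the pool.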