Welcome to ISAserver.org
Failover options
Failover options - 12.Dec.2005 5:42:43 PM
quantum555
Posts: 16
Joined: 2.Dec.2005
Status: offline
Our organization has recently decided to use Celestix's MSA3000 appliances for our primary firewall. We are replacing two Cisco PIX 515s. These 515s operate in failover mode and we would like to preserve this feature with the ISA appliances. Is there a common setup that would provide redundancy in case one of the appliances failed? Thanks. Jeff
RE: Failover options - 12.Dec.2005 6:27:38 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff, I know that the Network Engines ISA hardware firewalls have the same kind of failover feature as the PIX boxes, but I don't think the Celestix boxes do. You can use RainWall from Rainfinity to get NLB support for your array. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Failover options - 12.Dec.2005 9:28:20 PM
quantum555
Posts: 16
Joined: 2.Dec.2005
Status: offline
I contacted Celestix about this and their answer was that yes, you can do NLB with two appliances. You should set up a virtual IP address on one and use round-robin DNS to balance between the two appliances. I'm not sure how to set up round-robin on DNS... anyone have any experience with this situation? Thanks, Jeff
RE: Failover options - 13.Dec.2005 3:10:59 AM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff, OK, think about it:
1. If NLB is enabled, why use round robin DNS?
2. NLB is not supported on ISA SE, only on ISA EE.
RR DNS is only used to support Firewall clients. You won't get bidirectional affinity if you don't use ISA EE NLB, and since ISA SE isn't integrated with NLB, if the firewall service dies on one of the NLB array members, the NLB service won't be aware of it and will continue to load balance connections to the dead firewall service ISA firewall. HTH, Tom
RE: Failover options - 9.Jan.2006 6:55:14 PM
quantum555
Posts: 16
Joined: 2.Dec.2005
Status: offline
Thanks for the reply. So the best way to have failover is to use NLB? After looking through the admin guide for the Celestix RAS 3000 (www.celestix.com/resources/ras/RAS3000_AdministratorsGuide.pdf), it gives instructions on how to set up NLB with the two appliances. I don't think that this appliance comes with Enterprise Edition but it can still take advantage of NLB. Do you see any problem with setting it up this way for a primary firewall? Thanks, Jeff
RE: Failover options - 9.Jan.2006 7:03:36 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff, It is possible to do NLB with Standard Edition, but you should check out the warnings regarding this as discussed in the articles on this site. Unless Celestix has done something to enable NLB (like add RainWall), then NLB and ISA are not aware of each other, and bad things can happen due to that. HTH, Tom
RE: Failover options - 9.Jan.2006 10:08:24 PM
quantum555
Posts: 16
Joined: 2.Dec.2005
Status: offline
OK, so whenever a hard drive fails on one of the cluster nodes, the connections are failed over to the functioning node. But when a service fails, no cluster config is made and the node that had the service fail will continue to receive traffic but be unable to route it. Is this a correct assumption? What are the "bad things" that can happen? It seems like the service would then try to restart itself and, if successful, continue to route traffic. If unsuccessful, monitored services would throw up a flag to someone and they could manually fail the node. Thanks, Jeff
RE: Failover options - 11.Jan.2006 4:10:25 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff, That's the thing. NLB is not ISA firewall aware, not even OS aware. So, if the firewall service fails or some other critical service fails, connections are still load balanced over the array as long as the NLB service is still running. This leads to connections being balanced to a machine that can't connect users to the Internet. Also, you will need to do some Registry edits to get BDA to work, and you're limited to BDA for only two Networks. If those issues aren't problems, then you're good to go. Tom
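The gap Tom describes in the last two replies (NLB is not firewall-aware, so a host whose Microsoft Firewall service has died keeps receiving balanced connections) can be narrowed on ISA Standard Edition with a small service-aware watchdog on each array member. The script below is an added example; it is not code from this thread, from Celestix, or from Microsoft. It assumes the ISA firewall service is registered under the service name fwsrv (check with Get-Service on your own host), that nlb.exe is on the PATH (wlbs.exe on older hosts accepts the same drainstop and start subcommands), and that it runs elevated on the array member it protects.

```powershell
# Service-aware NLB watchdog for an ISA Standard Edition array member.
# Added example for this thread; not vendor code. Assumptions (verify locally):
#  - the ISA firewall service is registered as 'fwsrv' (display name "Microsoft Firewall")
#  - nlb.exe is available (Windows Server 2003 and later; wlbs.exe on older hosts)
#  - the script runs elevated on the array member itself
param(
    [string]$ServiceName   = 'fwsrv',      # assumed ISA firewall service name
    [string]$NlbTool       = 'nlb.exe',    # use 'wlbs.exe' on older hosts
    [int]   $IntervalSec   = 10,           # seconds between health checks
    [int]   $GraceFailures = 2,            # consecutive failed checks before leaving the cluster
    [string]$LogPath       = "$env:ProgramData\isa-nlb-watchdog.log"
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Test-FirewallHealthy {
    # The service must exist and be Running; anything else counts as unhealthy.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Invoke-Nlb([string]$Command) {
    # Run the NLB control command on this host and record what it said.
    $output = & $NlbTool $Command 2>&1
    Write-Log ("{0} {1} -> {2}" -f $NlbTool, $Command, ($output -join ' '))
    return $LASTEXITCODE
}

$failures = 0
$drained  = $false
Write-Log "watchdog started; service=$ServiceName interval=${IntervalSec}s"

while ($true) {
    if (Test-FirewallHealthy) {
        $failures = 0
        if ($drained) {
            # The service came back (for example, the Service Control Manager
            # restarted it), so let this host take new connections again.
            Write-Log "$ServiceName is running again; rejoining NLB cluster"
            Invoke-Nlb 'start' | Out-Null
            $drained = $false
        }
    } else {
        $failures++
        Write-Log "$ServiceName not running (consecutive failures: $failures)"
        if (-not $drained -and $failures -ge $GraceFailures) {
            # drainstop lets existing connections finish and refuses new ones,
            # so NLB stops steering clients to a host that cannot forward traffic.
            Write-Log "draining this host out of the NLB cluster"
            Invoke-Nlb 'drainstop' | Out-Null
            $drained = $true
        }
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Run it as a scheduled task or wrapped as a service under an account with local administrator rights on each node. It only covers the blind spot discussed here: NLB's own heartbeat already handles a host that dies outright, and this watchdog adds nothing for the bidirectional affinity and registry caveats Tom mentions, which remain reasons to prefer ISA Enterprise Edition's integrated NLB or a product such as RainWall. Use stop instead of drainstop if you would rather cut existing connections immediately than let them finish on a host whose firewall service is gone.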