I know this topic has been discussed before, but...
I can't get it to work.
NLB in ISA 2006.
I have Two Windows 2003 Servers Named ISA54 & ISA55. Each Server has ISA installed with the CSS being on both of them.
ISA54.int.net
NIC 1 (External) 10.5.26.54 (Gateway 10.5.26.1)
NIC 2 (Internal) 10.5.7.54 (No Gateway)
NIC 3 (Intra-Array) 192.168.7.54 (No Gateway)

ISA55.int.net
NIC 1 (External) 10.5.26.55 (Gateway 10.5.26.1)
NIC 2 (Internal) 10.5.7.55 (No Gateway)
NIC 3 (Intra-Array) 192.168.7.55 (No Gateway)
The Intra-Array NICs are connected via a Cross-over cable. Each Server is joined to an AD domain. DNS Entry resolves to the Intra-Array Networks Only.
I install ISA 2006 on ISA54 and create an Array called ISA.
I modify the FW Rule "Replicate Configuration Storage Server" to allow 192.168.7.55.
I install ISA 2006 on ISA55 and join the Array called ISA.
Setup as an Edge Firewall:
1st I create a new Network called Intra-Array and add the 192.168.7.x network.
2nd I change the intra-array communication to the 192.168.7.x network on each server.
3rd I set the alternate configuration storage server to ISA55.int.net.
I go to > Networks > Related Tasks > Enable Network Load Balancing Integration. Select Next, do not choose any of the networks, click Next, then Finish. I highlight Internal Network > Properties, go to NLB, checkmark Enable NLB and set the Primary VIP to 10.5.7.56, same subnet as the dedicated adapters. Click OK. I then apply the changes.
BAM, System dies. Get an Error Message saying that it can no longer communicate with the CSS on ISA54.int.net or ISA55.int.net.
I do an IPconfig on each server and I see that NLB was applied to each of the 10.5.7.x network Cards, with 10.5.7.56 being the Virtual IP.
Once NLB is enabled, I can no longer resolve the DNS entries for intra-array address. I assumed the reason why I could no longer talk to the CSS was because I could not resolve the FQDN of the CSS servers. So I added the Intra-Array Address to the Local Host file and I am able to resolve the Address, but I still get the error unable to communicate with CSS.
Shouldn't the CSS communicate on the 192.168.7.x network? That's what I set it to? Why, if I enable NLB on the 10.5.7.x network does it kill Communication to the CSS?
I have tried many different little changes here and there, but the above is the gist of it. I even created a Firewall rule to Allow all Protocols from "anywhere" to "anywhere" and nothing. I've been working on this for 2 weeks, and right now I'm sucking up my pride and want my hand held. :)
It looks like when I enable NLB, I lose access to the AD, and therefore I am unable to connect to the CSS because it can not Authenticate my credentials. How do I setup NLB and Maintain communication with AD?
I have been having the same exact issues with our ISA servers. Identical issues and errors. I've contacted Microsoft ISA team and have been working on it for the past couple of days for almost 14 hours in total and have yet to identify the cause. I will post a reply to this issue once things get resolved.
As I mentioned in my previous reply, I have been facing the same exact issues dealing with ISA NLB. Over the past 4 days with Microsoft Engineering team spending over 3 hours of being on the phone, running every possible tool from Microsoft and sniffing the network, log the entries and etc... etc... etc..., we got to where the issue was.
Problem: Nortel Passport Switch.
Nortel Passport Switch Layer2/3 do not support Unicast. Packets could only get to the switch and then they would drop. This is because the switch does not support registering the MAC address of the VIP.
So, to guide other ISA administrators who have just a patch of hair left, please hang on to your hair and don't pull it all out, and that includes myself. Before you do that, make sure you have confirmed with your vendor that your switches do support Unicast and if not, look for other alternatives such as having to replace or patch or .....
If that doesn't fix it, are you aware of the changes you need to make when you enable NLB on servers that also host the CSS role?
This covers it:
Multiple Network Adapters and NLB

In a complex network topology with NLB enabled, multiple ISA Server array members may be connected through more than one network adapter, and the Configuration Storage server may be installed on one of the array members. In this case, a request to connect from an array member to the Configuration Storage server may fail. In this scenario, to ensure that the connection requests do not fail, perform the following steps:
1. Create a new Domain Name System (DNS) entry pointing to the IP address on the intra-array network of the Configuration Storage server.
2. Register the intra-array name in the Kerberos database using the Setspn.exe tool.
3. Change the array properties to use the new DNS entry.
For example, in the scenario where the Configuration Storage server is installed on a computer named fw1.contoso.com, register fw1a.contoso.com, where fw1a.contoso.com is pointing to the intra-array IP address of the Configuration Storage server. To register the new name in the Kerberos database, run these commands:
setspn -a ldap/fw1a.contoso.com FW1
setspn -a ldap/fw1a.contoso.com:2171 FW1
Modify the Configuration Storage server array property, to fw1a.contoso.com.
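A readiness check for the three steps quoted above, written as an added PowerShell example (not from the thread or the Microsoft documentation). It assumes the documentation's names (CSS computer FW1, alias fw1a.contoso.com), the intra-array address 192.168.7.54 from the original post, and the CSS port 2171 from the setspn commands; run it on a domain-joined array member as a user who can read AD.

```powershell
# Added example: verifies that an intra-array alias for an ISA 2006
# Configuration Storage server resolves correctly and that the Kerberos
# SPNs an array member will request for it exist on the CSS computer account.
# Assumed values: FW1 / fw1a.contoso.com (from the quoted doc), 192.168.7.54
# (from the original post), CSS LDAP port 2171 (from the setspn commands).
param(
    [string]$CssComputer    = 'FW1',
    [string]$IntraArrayName = 'fw1a.contoso.com',
    [string]$IntraArrayIp   = '192.168.7.54'
)

# Step 1: the alias must resolve to the intra-array address and nothing else,
# otherwise a member may pick an address on an NLB-bound adapter instead.
$resolved = @([System.Net.Dns]::GetHostAddresses($IntraArrayName) |
              ForEach-Object { $_.IPAddressToString })
if ($resolved.Count -eq 1 -and $resolved[0] -eq $IntraArrayIp) {
    Write-Host "DNS OK: $IntraArrayName -> $IntraArrayIp"
} else {
    Write-Warning ("DNS: $IntraArrayName resolves to [" + ($resolved -join ', ') +
                   "], expected only $IntraArrayIp")
}

# Step 2: Kerberos matches the SPN the client builds from the name it connects
# to, so both the port-less and the :2171 form must be on the CSS account.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$CssComputer`$))"
$searcher.PropertiesToLoad.Add('servicePrincipalName') | Out-Null
$account = $searcher.FindOne()
if ($account -eq $null) { throw "Computer account $CssComputer not found in AD" }
$spns = @($account.Properties['serviceprincipalname'])

$required = @("ldap/$IntraArrayName", "ldap/$($IntraArrayName):2171")
foreach ($spn in $required) {
    if ($spns -contains $spn) {
        Write-Host "SPN OK: $spn"
    } else {
        # Same command the documentation gives, with the missing name filled in.
        Write-Warning "SPN missing: $spn   (fix: setspn -a $spn $CssComputer)"
    }
}
```

Step 3 (pointing the array at the alias) is a console change and is not checked here; if either SPN is reported missing, members will fail Kerberos authentication to the CSS even though the name resolves, which matches the "unable to communicate with CSS" error in the original post.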
The switch does support Multicast. However, it's not a feasible approach at this time. If we alter one switch in the organization, then it means we have to do them all, approximately 400 of them. I'm not sure if it's worth changing the infrastructure network configuration for the sake of two ISA servers.
For those who have the same issues with Unicast and switches, I would recommend looking at the product from EMC called: RainWall or RainConnect. That would probably do the job or look at different models of the passport or cisco switches that support unicast. Also ensure there is the latest firmware on the switches before you implement the NLB.
That appears to be the problem. After twisting the arm of my network folks, it appears that the Nortel 8600 also is an unsupported Nortel product that does not allow unicast NLB traffic. I moved over to Nortel NSF and that product appears to support this.
As soon as I moved over, I was able to correctly communicate with the CSS.
I don't know. I have to ask the Infrastructure support guys. Were you able to run NLB aside from connecting to CSS? Did you do any testing to see if your workstation or client workstations can go out with the VIP?