Welcome to ISAserver.org


Info on NLB "workaround" for ISA 2004 SE

Info on NLB "workaround" for ISA 2004 SE - 21.Jul.2004 10:11:00 AM   
Guest
Hi all,

We are looking to configure an ISA 2004 cluster on Win2K3 using NLB. Are the details of the "work-around" for NLB on ISA 2004 SE discussed in other threads available anywhere?

Does anyone have any further information regarding NLB support on ISA 2004 Enterprise or info on the release date?
"[Smile]"
Many thanks
Justin
  Post #: 1
RE: Info on NLB "workaround" for ISA 2004 SE - 21.Jul.2004 11:22:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Justin,

Configure NLB on both interfaces, and configure ISA with UseISAAddressInPublishing=1 - causes return traffic to traverse the NLBd interfaces correctly.

Alternative method - this was documented in a newsgroup post by Sean House, who works in Windows Networking here - this is quite lengthy:

The NLB registry settings are located at:

HKLM\System\CurrentControlSet\Services\WLBS\Parameters\Interface\{GUID}

Where {GUID} is the GUID of the NIC to which NLB is bound. If you have bound NLB to multiple interfaces (which you should), then you will see multiple GUIDs under "Interface". Use the "ClusterIPAddress" registry value under each GUID to distinguish them. Under both clusters that you wish to team, add a registry KEY (not value) called BDATeaming. Under that key, on both clusters, add the following registry VALUES (not keys):

TeamID (REG_SZ)
Master (REG_DWORD)
ReverseHash (REG_DWORD)

The team ID should be a GUID in curly braces; use "uuidgen.exe" or some such program to generate a GUID for you. Set the Team ID under both clusters to be the SAME - this is what teams them together. Now, choose one CLUSTER (either internal or external) to be the "master" cluster. Typically, you would want this to be the internal, but it doesn't matter. On that cluster, set the Master key to 1, and on the other cluster, set the Master key to 0. On the external cluster, set ReverseHash to 0 and on the internal cluster, set ReverseHash to 1. Below is a sample:

External cluster:
- BDATeaming
- TeamID = {70b26c0a-1c1c-4242-ba7e-6ff0229509c4}
- Master = 0
- ReverseHash = 0

Internal cluster:
- BDATeaming
- TeamID = {70b26c0a-1c1c-4242-ba7e-6ff0229509c4}
- Master = 1
- ReverseHash = 1

Now, go to a command prompt and type "wlbs reload". Hopefully, you don't get an error ;D. Now you can type "wlbs bdateam {70b26c0a-1c1c-4242-ba7e-6ff0229509c4}" and it should show you the configuration of the team. You may see some "errors" in this output if you have other nodes in the cluster that you have not yet added the keys to.

And, until all hosts are properly set up, your cluster will not converge - check "wlbs query" output.

Now, go to the other hosts in your cluster(s) and add the same registry keys in a consistent manner (i.e., all external clusters should have the same settings and all internal clusters should have the same settings). Again, use "wlbs bdateam" to check the configuration. When you're done with all nodes, "wlbs query" should show that the hosts are happy and converged.

HTH,
Tom

(in reply to Guest)
Post #: 2
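As an added example (not code from the thread, from Sean House or from Microsoft), the following PowerShell applies the BDATeaming values listed above on one node and then audits them against the sample: same TeamID on both clusters, exactly one Master=1, ReverseHash matching Master. NICs are matched by their ClusterIPAddress value; the two cluster IPs are placeholders, the TeamID is generated once and must be reused on every node of both clusters, and `wlbs reload`, `wlbs bdateam` and `wlbs query` are still run by hand afterwards as the post describes.

```powershell
# Added example, not from the thread: apply and audit the BDATeaming registry
# values on one NLB node. Assumes the WLBS registry layout from the post above.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface'

function Get-NlbInterface {
    # One object per NLB-bound NIC: its GUID, cluster IP and BDATeaming values (if any)
    foreach ($nic in Get-ChildItem -Path $base -ErrorAction Stop) {
        $ip   = (Get-ItemProperty -Path $nic.PSPath).ClusterIPAddress
        $team = "$($nic.PSPath)\BDATeaming"
        $t = $null
        if (Test-Path $team) {
            $p = Get-ItemProperty -Path $team
            $t = [pscustomobject]@{ TeamID = $p.TeamID; Master = $p.Master; ReverseHash = $p.ReverseHash }
        }
        [pscustomobject]@{ Guid = $nic.PSChildName; ClusterIP = $ip; Team = $t }
    }
}

function Set-BdaTeam {
    # Writes the three values from the post under the NIC whose ClusterIPAddress matches
    param([string]$ClusterIP, [string]$TeamID, [int]$Master, [int]$ReverseHash)
    $nic = Get-NlbInterface | Where-Object { $_.ClusterIP -eq $ClusterIP }
    if (-not $nic) { throw "no NLB-bound interface has ClusterIPAddress $ClusterIP" }
    $team = "$base\$($nic.Guid)\BDATeaming"
    if (-not (Test-Path $team)) { New-Item -Path $team | Out-Null }   # a KEY, not a value
    New-ItemProperty -Path $team -Name TeamID      -Value $TeamID      -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $team -Name Master      -Value $Master      -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $team -Name ReverseHash -Value $ReverseHash -PropertyType DWord  -Force | Out-Null
}

function Test-BdaTeam {
    # Returns a list of problems; an empty list means this node matches the sample in the post
    $teamed = @(Get-NlbInterface | Where-Object { $_.Team })
    $problems = @()
    if ($teamed.Count -ne 2) { $problems += "BDATeaming expected on exactly 2 clusters, found $($teamed.Count)" }
    $ids = @($teamed | ForEach-Object { $_.Team.TeamID } | Sort-Object -Unique)
    if ($ids.Count -gt 1) { $problems += "TeamID differs between clusters: $($ids -join ', ')" }
    foreach ($id in $ids) {
        if ($id -notmatch '^\{[0-9a-fA-F-]{36}\}$') { $problems += "TeamID '$id' is not a GUID in curly braces" }
    }
    $masters = @($teamed | Where-Object { $_.Team.Master -eq 1 })
    if ($masters.Count -ne 1) { $problems += "expected exactly 1 cluster with Master=1, found $($masters.Count)" }
    foreach ($n in $teamed) {
        # Sample in the post: master (internal) has ReverseHash=1, non-master (external) has ReverseHash=0
        if ($n.Team.ReverseHash -ne $n.Team.Master) {
            $problems += "$($n.ClusterIP): ReverseHash=$($n.Team.ReverseHash) does not match Master=$($n.Team.Master)"
        }
    }
    return $problems
}

# Placeholder cluster IPs; generate one TeamID here and reuse it on every node of both clusters
$teamId = [guid]::NewGuid().ToString('B')
Set-BdaTeam -ClusterIP '203.0.113.10' -TeamID $teamId -Master 0 -ReverseHash 0   # external cluster
Set-BdaTeam -ClusterIP '192.0.2.10'   -TeamID $teamId -Master 1 -ReverseHash 1   # internal cluster
$issues = Test-BdaTeam
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host "BDATeaming consistent; now run: wlbs reload; wlbs bdateam $teamId; wlbs query" }
```

Run Test-BdaTeam alone on each remaining node after copying the same two Set-BdaTeam calls (with the same $teamId) to it; the cluster will not converge until every node passes.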
RE: Info on NLB "workaround" for ISA 2004 SE - 22.Jul.2004 10:18:00 AM   
Guest
Thanks Tom - that's great information!

With regards to the first solution you mention:

1. Is there any disadvantage to this method as opposed to Sean's lengthy one?
2. When you say "both interfaces" do you mean the external and Internal interfaces?
3. If we are using web publishing rules only, can we configure NLB just on the external interfaces, and use the option to send the internal interface IP to the published server ("requests appear to come from the ISA server computer"), so that it is always routed back to the same ISA's internal interface? Or does NLB on ISA 2004 always require NLB on the external and "internal" side?

Many thanks again Tom

Cheers
Justin

(in reply to Guest)
  Post #: 3
RE: Info on NLB "workaround" for ISA 2004 SE - 22.Jul.2004 11:23:00 AM   
Guest
One other thing - does anyone know if there are any issues with either of these NLB workarounds for ISA 2004 when ISA is running in single-interface mode (i.e. just for web publishing)?

Many thanks,
Justin

(in reply to Guest)
  Post #: 4
RE: Info on NLB "workaround" for ISA 2004 SE - 22.Jul.2004 4:53:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Justin,

Do NOT hobble the ISA firewall using a single NIC!

It's like taking three tires off a Ferrari because you think it goes too fast!

What firewall are you using now? Do you believe it provides superior stateful filtering and stateful application layer inspection to that found in the ISA firewall? The chances are *very high* that it does not.

Is there a strong technical reason for crippling the ISA firewall in this scenario?

Thanks!
Tom

(in reply to Guest)
Post #: 5
RE: Info on NLB "workaround" for ISA 2004 SE - 23.Jul.2004 1:35:00 PM   
Guest
Hi Tom,

We are looking at ISA 2004 as a reverse proxy solution to provide more secure access to OWA/OMA/ActiveSync and other web sites - not for server publishing.

ISA will be placed in a DMZ in workgroup mode and use a combination of RADIUS and forms auth. I am trying to gather information on the best config options - obviously single NIC is not recommended! We are using ISA in addition to the existing firewall for the specific reasons you state, but using it as the only gateway to the Internet behind the hardware firewalls we have is out of my control - hence the use of ISA in a DMZ off the hardware firewalls.

Appreciate that you are extremely busy, but if you could give me some info on the questions I posted previously that would be great:

1. Is there any disadvantage to using the "quick" NLB method you provide (UseISAAddressInPublishing=1) as opposed to Sean's lengthy one?

2. When you say "both interfaces" do you mean the external and Internal interfaces?

3. If we are using web publishing rules only in a dual-homed ISA, can we configure NLB just on the external interfaces, and use the option to send the internal interface IP to the published server ("requests appear to come from the ISA server computer"), so that it is always routed back to the same ISA's internal interface? Or does NLB on ISA 2004 always require NLB on the external and "internal" side?

Many thanks again for your great feedback - when is your book becoming available?

Cheers
Justin

(in reply to Guest)
  Post #: 6
RE: Info on NLB "workaround" for ISA 2004 SE - 23.Jul.2004 3:56:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi ,

This is a communication between us and Microsoft Israel (the ISA programmers) about NLB:

----------------------------
I have a question about NLB and using the ISA as a policy based router / switch.

We have found it's impossible to configure ISA 2004 to use NLB. We use ISA 2004 as our central policy based router. All VLANs in our network are connected by the ISA server and the ISA server decides which ID is allowed to access which resources. This was not possible with ISA 2000 but with ISA 2004 it works like a charm and we're very very happy with the product's performance.

However, we have 4700 users, and a gigabit up and downstream to SURFnet and some exchange servers / webservers, so we are afraid the ISA won't be able to route all this traffic around quickly enough.

This is why we wanted to NLB 3 servers in parallel. This is not possible!

We have tried all kinds of solutions: NLB / Rainfinity / Stonesoft etc.

Rainfinity works very well, but has some nasty bugs that we found out about so we're not keen on running Rainfinity. (Plus Rainfinity is very expensive.)
We would like to run NLB on our ISA router (multi-direction). Mind you, we are able to make webclusters using NLB because traffic goes only one-way. That is the main problem, NLB and 4-way traffic.
Could you help us?

---- REPLY FROM MSFT ----
[private] In general, by itself NLB on Windows 2003 does not support load balancing in all directions in Routing mode (as opposed to NAT mode). This means that if you use Windows 2003 as a Router (e.g. using RRAS) and without ISA, it is still not possible to use NLB for load-balancing/fault-tolerance of 2 such Windows machines.

ISA 2004 Standard Edition has no specific support for NLB so the same limitation applies. ISA 2004 Enterprise Edition (not shipped yet) will most likely provide additional NLB support that will make this scenario work.

--------

Kind regards,
Lex P

PS: our own opinion is: don't NLB a Standard 2004 server. We tested this for months using all kinds of products (including native NLB with the registry options and also the alternative method).
It just gives too many problems to get a stable network.

(in reply to Guest)
Post #: 7
RE: Info on NLB "workaround" for ISA 2004 SE - 23.Jul.2004 3:59:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Justin,

I apologize for coming off so harshly. I sometimes lose patience with bonehead firewall experts who swallowed the "hardware firewall" Kool-Aid pill! Check out http://www.isaserver.org/articles/2004tales.html for details.

Since the setup is out of your control, we need to make the best of a bad situation! Of course, using an ISA firewall in full firewall setup would be more secure, and secure your entire network much better. However, we can still use the unihomed ISA firewall to provide secure remote access to OWA, OMA and ActiveSync.

Option #1 isn't required with the ISA firewall because Web Publishing Rules automatically use the ISA firewall's address as the source; although you do have the option of preserving the source IP address.

Unfortunately, I have not tested the unihomed Web proxy with the NLB hack. I have had the opportunity to test the NLB hack with Web Publishing using the ISA firewall in full firewall setup and it works a treat. So, it *may* work in single NIC firewall mode.

If you try it out, let us know what happens!

Thanks!
Tom

[ July 23, 2004, 04:04 PM: Message edited by: tshinder ]

(in reply to Guest)
Post #: 8
RE: Info on NLB "workaround" for ISA 2004 SE - 23.Jul.2004 4:03:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Lex Penrose:
Hi ,

This is a communication between us and Microsoft Israel (the ISA programmers) about NLB:

----------------------------
I have a question about NLB and using the ISA as a policy based router / switch.

We have found it's impossible to configure ISA 2004 to use NLB. We use ISA 2004 as our central policy based router. All VLANs in our network are connected by the ISA server and the ISA server decides which ID is allowed to access which resources. This was not possible with ISA 2000 but with ISA 2004 it works like a charm and we're very very happy with the product's performance.

However, we have 4700 users, and a gigabit up and downstream to SURFnet and some exchange servers / webservers, so we are afraid the ISA won't be able to route all this traffic around quickly enough.

This is why we wanted to NLB 3 servers in parallel. This is not possible!

We have tried all kinds of solutions: NLB / Rainfinity / Stonesoft etc.

Rainfinity works very well, but has some nasty bugs that we found out about so we're not keen on running Rainfinity. (Plus Rainfinity is very expensive.)
We would like to run NLB on our ISA router (multi-direction). Mind you, we are able to make webclusters using NLB because traffic goes only one-way. That is the main problem, NLB and 4-way traffic.
Could you help us?

---- REPLY FROM MSFT ----
[private] In general, by itself NLB on Windows 2003 does not support load balancing in all directions in Routing mode (as opposed to NAT mode). This means that if you use Windows 2003 as a Router (e.g. using RRAS) and without ISA, it is still not possible to use NLB for load-balancing/fault-tolerance of 2 such Windows machines.

ISA 2004 Standard Edition has no specific support for NLB so the same limitation applies. ISA 2004 Enterprise Edition (not shipped yet) will most likely provide additional NLB support that will make this scenario work.

--------

Kind regards,
Lex P

PS: our own opinion is: don't NLB a Standard 2004 server. We tested this for months using all kinds of products (including native NLB with the registry options and also the alternative method).
It just gives too many problems to get a stable network.

Hi Lex,

Great info! [Big Grin]

What were the specific problems you had with the native WLBS using the Registry hack?

What were the problems you had with RainWall? Were you testing a beta version?

Did you only have problems when using a route relationship between networks? Or did you see the same problems when using a NAT relationship between networks?

Thanks a bunch!

Tom

(in reply to Guest)
Post #: 9
RE: Info on NLB "workaround" for ISA 2004 SE - 25.Jul.2004 5:02:00 PM   
Guest
Hi Lex/Tom

Thanks very much for the info.

I am still unclear on the following ...

Scenario:
-----------

ISA is running in dual-homed "external/internal" mode

Am only using ISA to publish OWA to a server on the "internal" network, and have left the option for "requests appear to come from the ISA server computer" as default - therefore I do not need to set the UseISAAddressInPublishing=1 setting.

I am not interested in load-balancing outbound (internal -> external) responses, or requests from internal clients.

Only interested in ensuring inbound requests to the ISA web listener have fault tolerance and are load balanced while maintaining session affinity.

Questions:
-----------

Based on this scenario, do I:

1. Still need to configure NLB on the Internal interface of each ISA server? (am assuming not, and am also assuming that MS does not support this, even if I did want to configure it).

2. Still need to use Sean's hack at all?

This is probably how I should have phrased the question in the first place [Smile]

Thanks again
Justin

p.s. talking to Rainfinity last week, a new code release has been completed and made available in the last week or so. I was led to believe that this was the supported version for ISA 2004 (?)

(in reply to Guest)
  Post #: 10
RE: Info on NLB "workaround" for ISA 2004 SE - 25.Jul.2004 5:26:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Justin,

You don't need to configure the UseIPAddress entry in the Registry because the default for Web Publishing Rules is to preserve the IP address of the ISA firewall's internal interface as the source when forwarding the connection request to the OWA site.

So, if you just want to NLB the external interface, and don't want to use bidirectional affinity, then things should work fine. If one of the ISA firewalls goes down, the other will take over and the OWA site won't care because it just responds to the ISA firewall that forwards the requests to it.

HTH,
Tom

(in reply to Guest)
Post #: 11
RE: Info on NLB "workaround" for ISA 2004 SE - 26.Jul.2004 10:37:00 AM   
Guest
Thanks Tom - I assumed that was the case, I just wanted to check [Smile]

(in reply to Guest)
  Post #: 12
RE: Info on NLB "workaround" for ISA 2004 SE - 26.Jul.2004 2:42:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Justin,

Great! Let us know how things work out for you.

Thanks!
Tom

(in reply to Guest)
Post #: 13
RE: Info on NLB "workaround" for ISA 2004 SE - 28.Jul.2004 11:24:00 AM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi ,

Well, I was asked to get things working anyway so I'm back on testing NLB and Rainwall etc.
I will keep you posted if the RTM release works differently from the Beta release (I know they changed some things regarding NAT / ROUTE), so actually it might work this time.

If I succeed I will post a how-to on NLB'ing 2 ISA's.

Kind regards,
Lex P

(in reply to Guest)
Post #: 14
RE: Info on NLB "workaround" for ISA 2004 SE - 29.Jul.2004 2:33:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lex,

That will be great! I hope you can get around these issues you've identified.

Thanks!
Tom

(in reply to Guest)
Post #: 15
RE: Info on NLB "workaround" for ISA 2004 SE - 29.Jul.2004 10:22:00 AM   
paulbaldwin

 

Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline
To answer one of Justin's questions that appeared to get lost: Using the UseISAAddressInPublishing=1 trick (Tom: do we need that now it can be selectively enabled in 2004?) you will have trouble with logging (the ISA server IPs always appear) and SMTP servers never see who sent the email (again, it always thinks it's the ISA Server, which will screw up headers, filtering and reverse-DNS options). To use NLB effectively with ISA Server you must use Win2k3's bidirectional affinity (the long-winded method).

But:

It appears bi-directional affinity doesn't work with ISA 2004 (this thread isn't the first time I've heard this). I've not tried, but had it running with ISA 2000 for over a year with no trouble (well... okay on load-balancing, a bit naff on fault-tolerance unless the whole server goes down!). Much trumpeted when Windows 2003 came out, it's funny why MS are so cagey about the details of using it.

(in reply to Guest)
Post #: 16
RE: Info on NLB "workaround" for ISA 2004 SE - 29.Jul.2004 10:36:00 AM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
To try and clear things up here's why NLB doesn't work on ISA :

It works when you have only 2 networks , BUT :
We have 4 networks , and you can have only 1 master and 1 non-master , not 1 master and 3 non-masters.
I will try to explain with 2 networks you have this :
Network1 master <-> Network2 non-master
works...

with 3 networks you SHOULD have something like this :

network1 Master <-> Network2 non-master
Network2 Master <-> Network3 non-master
Network3 Master <-> Network1 non-Master

And 1 nic can't have multiple BDATeams

Kind regards,
Lex P

(in reply to Guest)
Post #: 17
RE: Info on NLB "workaround" for ISA 2004 SE - 29.Jul.2004 10:40:00 AM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
btw :

I just installed Rainwall SP5 and it has worked without a single error so far.
We are testing 2 ISA 2004 RTMs NLB over gig up/down. Lotsa traffic and Rainwall seems to keep up.

Kind regards,
Lex P.

(in reply to Guest)
Post #: 18
RE: Info on NLB "workaround" for ISA 2004 SE - 29.Jul.2004 11:00:00 AM   
paulbaldwin

 

Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline
Thanks Lex,

Four networks! That saves me running up the lab to find it does work with two and then barking off that I know better (when, as usual, I don't [Wink] ).

I can see that multiple networks is not going to be uncommon with ISA 2004. You've probably saved me some future head-scratching.

Cheers

(in reply to Guest)
Post #: 19
RE: Info on NLB "workaround" for ISA 2004 SE - 29.Jul.2004 11:33:00 AM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
haha paul ,

happy it saved you some time. We've been testing NLB with ISA 2004 since the very first beta version because it's an essential need for our network (5000 users). We have now so far tested around 3 or 4 different products including Stonesoft, Rainfinity, Microsoft NLB and a last one that was based on Java (can't even remember the name), but only Rainfinity came close to working without problems.
We are anxiously waiting for enterprise version of ISA 2004.

This is a reaction from Microsoft on our NLB questions :
---------------------------------------
[MSFT]
In general, by itself NLB on Windows 2003 does not support load balancing in all directions in Routing mode (as opposed to NAT mode). This means that if you use Windows 2003 as a Router (e.g. using RRAS) and without ISA, it is still not possible to use NLB for load-balancing/fault-tolerance of 2 such Windows machines.

ISA 2004 Standard Edition has no specific support for NLB so the same limitation applies. ISA 2004 Enterprise Edition (not shipped yet) will most likely provide additional NLB support that will make this scenario work.

---------------------------------------

Kind regards,
Lex P

(in reply to Guest)
Post #: 20
