Welcome to ISAserver.org

Multiple External Interfaces Failover

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> Multiple External Interfaces Failover

Page: [1] 2 next > >>

Message

<< Older Topic Newer Topic >>

Multiple External Interfaces Failover - 22.Apr.2004 10:11:00 AM

kristan_slack

Posts: 3
Joined: 22.Apr.2004
From: Ooty, South India
Status: offline

I manage a small network in a school in the south of India and we have a bunch of unreliable internet options. DSL has just become available, and we currently use ISDN also - both via network interfaces.

I'm looking at using ISA2004 but need to know if I can set up both internet interfaces and have ISA failover from DSL to ISDN when DSL fails?

(I don't need both at once though, although in the future we may end up having two DSL connections and would like to use both - what do we do then?)

So, two questions I guess:

1. With ISA2004 can I setup two external network interfaces with one as the primary and one as the interface to use when the primary fails?

2. In future, is it possible (just using ISA2004 and not rainconnect or any additional software) to make use of two external interfaces connected to DSL lines?

Post #: 1

Featured Links*

RE: Multiple External Interfaces Failover - 22.Apr.2004 3:13:00 PM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Kristan,

I've heard that this can be scripted, but I have never seen such a script.

You might try putting a box in front of the ISA firewall that has the Sygate Office network in front of it http://smb.sygate.com/products/son/son_ov.htm since it looks like it will pool bandwidth. I'll test this solution in the near future.

thanks!
Tom

(in reply to kristan_slack)

Post #: 2

RE: Multiple External Interfaces Failover - 23.Apr.2004 10:35:00 AM

paulbaldwin

Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline

Hi Kristan,

I have done this with Windows 2000 RRAS, but not with ISA installed. The setup relies on Windows 'dead-gateway detection' so if the dsl connection is on a router (gateway ip is router, not the isp) I don't see it working.

code:

               LAN1----DSL-----\
              /                 \(x.x.x.x)
LAN---ISA/RRAS                   ISP---INTERNET
              \                 /
               LAN2---ISDNROUTER
                    (10.0.0.1)
 
RRAS Static Routes:
destination  netmask  gateway  interface metric
  0.0.0.0    0.0.0.0  x.x.x.x    LAN1      2
  0.0.0.0    0.0.0.0  10.0.0.1   LAN2      5

I remember it was important to create both static routes: don't use the 'default gateway' configured in TCP/IP (something about the priority given to the different route sources - static, local, static(non demand dial), etc., that sort of thing). My 'LAN2' was actually a demand-dial interface on the RRAS server.

I am sure equalising the metrics wont result in load-balancing.

If no-one corrects me with issues doing this with ISA, then it might be worth trying.

Paul

(in reply to kristan_slack)

Post #: 3

RE: Multiple External Interfaces Failover - 23.Apr.2004 11:06:00 AM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Paul,

I've used dead gateway protection in non-ISA setups, but no in an ISA environment. One thing to keep in mind is that while it will do autofailover, it won't fail back when the line comes back up.

Thanks!
Tom

(in reply to kristan_slack)

Post #: 4

RE: Multiple External Interfaces Failover - 23.Apr.2004 5:00:00 PM

kristan_slack

Posts: 3
Joined: 22.Apr.2004
From: Ooty, South India
Status: offline

This is all very well but hasn't truly answered my question.

I'll rewrite it for clarity.

Without 3rd party software, and using ISA2004, is it possible to allow the system to switch from the network card connected to our ISDN modem over to the network card connected to our DSL modem when the ISDN modem fails? And from that could it possibly use dial-up as the third failover option?

IS this possible and how is it possible?

If not, is there a low cost solution I can employ? We are a mission school, albeit an international one, but we don't have loads of cash.

(in reply to kristan_slack)

Post #: 5

RE: Multiple External Interfaces Failover - 23.Apr.2004 6:18:00 PM

paulbaldwin

Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline

Hi Kristan,

But the RRAS technique is a fail-over solution without third-party software. Although perhaps not perfect! Maybe I didn't describe it well?

But neither Tom or I have tried it together with ISA (be it 2000 or 2004). It shouldn't make a difference but we're waiting for:

Someone to say it will definitly work.
Someone to come up with something better.
You to try it, find out, and tell us!

If there was an easy built-in method that avoided all that tricky routing business, I think I'd know about it (and Tom certainly would!).

The question 2 issue (load-balancing) is one that appears alot: Tom will be trying one possible solution. All other suggestions I've seen to this question involved third party products.

(in reply to kristan_slack)

Post #: 6

RE: Multiple External Interfaces Failover - 26.Apr.2004 11:39:00 AM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hey guys,

Its certianly possible. If you're a C++ programmer, you could write a program like RainConnect, Rainfinity did [Smile]

But, there is no simple script based method to provide autofailover and autofailback that I'm aware of. If someone finds one, then they'll be the ISA Server hero of the month [Wink]

Thanks!
Tom

(in reply to kristan_slack)

Post #: 7

RE: Multiple External Interfaces Failover - 26.Apr.2004 12:08:00 PM

Custler

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline

I am ready to send you or post here (but it 125 lines) vb script which I am using now.
But it�s necessary to comment:
1. this script was written according to specific of our main internet provider:
Tracing route to www.com [63.215.91.200]
over a maximum of 30 hops:

1 192.168.111.1 � Isa server with external address 81.211.35.62
2 81.211.35.57
3 10.0.3.17 - this box has 81.211.35.65 also
4 10.0.2.13
5 10.0.2.5
6 x.x.x.x � External addr of main provider - doesn�t matter for me

2. First our external address � 81.211.35.62 - Kovda
Second External address � 81.95.36.11 � Ultra

3. This script � rough draft. Please don�t flay me.

(in reply to kristan_slack)

Post #: 8

RE: Multiple External Interfaces Failover - 26.Apr.2004 12:10:00 PM

Custler

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline

code:

  
KovdaBoxEXT = "81.211.35.65" ' &#1095;&#1090;&#1086; &#1087;&#1080;&#1085;&#1075;&#1091;&#1077;&#1084;
KovdaBoxINT = "10.0.2.5"
KovdaIP = "81.211.35.62"
KovdaGateWay = "81.211.35.57"    ' 
UltraIP = "81.95.36.11"
UltraGateWay = UltraIP
UltraName = "Ultra.NET"
KovdaName = "WAN"
strCuptionRoute = "0.0.0.0"
Dim KovdaMAC 
Dim UltraMAC 
arrKovdaGateways = Array(KovdaGateWay)
arrKovdaMetrics2 = Array(2)
arrKovdaMetrics48 = Array(48)
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
RouteFlag=0
On Error Resume Next
strComputer = "."     ' This computer
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Choose KOVDA adapter by Name
Set objKovdaAdapter = objWMIService._
 ExecQuery("Select * from Win32_NetworkAdapter where NetConnectionID = '" _
   & KovdaName & "'") ',,48)
' Choose ULTRA adapter by Name
Set objUltraAdapter = objWMIService._
 ExecQuery("Select * from Win32_NetworkAdapter where NetConnectionID = '" _
   & UltraName & "'") ',,48)

Wscript.Echo "==================================================================="
For Each objItem in objKovdaAdapter
 Wscript.Echo "Kovda MACAddress: " & objItem.MACAddress
 KovdaMAC = objItem.MACAddress
Next
For Each objItem in objUltraAdapter
 Wscript.Echo "Ultra MACAddress: " & objItem.MACAddress
 UltraMAC = objItem.MACAddress
 UltraInterfaceIndex = Hex(objItem.InterfaceIndex)
 Wscript.Echo "Ultra InterfaceIndex: " & UltraInterfaceIndex
Next
Wscript.Echo "==================================================================="
' Choose KOVDA adapter CONFIGURATION by MACAddress
Set CONFobjKovdaAdapter = objWMIService._
 ExecQuery("Select * from Win32_NetworkAdapterConfiguration where MACAddress = '" _
   & KovdaMAC & "'") ',,48)
' Choose ULTRA adapter CONFIGURATION by MACAddress
Set CONFobjUltraAdapter = objWMIService._
 ExecQuery("Select * from Win32_NetworkAdapterConfiguration where MACAddress = '" _
   & UltraMAC & "'") ',,48)
For Each objItem in CONFobjKovdaAdapter
 Wscript.Echo "Kovda Description: " & objItem.Description
 KovdaMAC = objItem.MACAddress
Next
For Each objItem in CONFobjUltraAdapter
 Wscript.Echo "Ultra Description: " & objItem.Description
 UltraMAC = objItem.MACAddress
Next
Wscript.Echo "==================================================================="
Do
'################## 0 = 0 Then '
 ' Ping - Kovda alive? - 10.0.2.5
 Set objPingINT = GetObject("winmgmts:{impersonationLevel=impersonate}")._
   ExecQuery("select * from Win32_PingStatus where address = '" _
            & KovdaBoxINT & "'")
    For Each KovdaStatusInternal in objPingINT
        If IsNull(KovdaStatusInternal.StatusCode) or KovdaStatusInternal.StatusCode<>0 Then  ' Kovda &#1080;&#1079;&#1076;&#1086;&#1093; - 10.0.2.5
   WScript.Echo "KovdaStatusInternal " & KovdaBoxINT & " PING Status Code: " & KovdaStatusInternal.StatusCode
   If RouteFlag = 1 Then
    WScript.Echo " " & Now() & "  ####### We goes through ULTRA ##########"
    For Each objItem in CONFobjKovdaAdapter
    ReturnCode = objItem.SetGateways(arrKovdaGateways, arrKovdaMetrics48)
    ReturnCode = objItem.SetIPConnectionMetric(arrKovdaMetrics48(0))
    Next
    ' route CHANGE 0.0.0.0 MASK 0.0.0.0  172.16.2.52 METRIC 48 IF 0x60006")
    Set oExec = WshShell.Exec("route CHANGE 0.0.0.0 MASK 0.0.0.0 " & _
       UltraGateWay & " METRIC " & arrKovdaMetrics2(0) & " IF 0x" & UltraInterfaceIndex)
    Do While oExec.Status = 0
    WScript.Sleep 100
    Loop
    RouteFlag=2
   End If
   Set objPingEXT = GetObject("winmgmts:{impersonationLevel=impersonate}")._
   ExecQuery("select StatusCode from Win32_PingStatus where address = '"_
            & KovdaBoxEXT & "'")
   For Each KovdaStatusExternal in objPingEXT
   WScript.Echo "KovdaStatusExternal " & KovdaBoxEXT & " PING Status Code: " & KovdaStatusExternal.StatusCode
            If (Not IsNull(KovdaStatusExternal.StatusCode) and KovdaStatusExternal.StatusCode=0 and RouteFlag=2)  or RouteFlag=0 Then ' Kovda 65 &#1091;&#1089;&#1087;&#1077;&#1096;&#1085;&#1086; &#1087;&#1080;&#1085;&#1075;&#1091;&#1077;&#1090;&#1089;&#1103;
    ' route CHANGE 0.0.0.0 MASK 0.0.0.0  81.211.35.57 METRIC 2 IF 2")
    For Each objItem in CONFobjKovdaAdapter
    ReturnCode = objItem.SetGateways(arrKovdaGateways, arrKovdaMetrics2)
    WScript.Echo " " & Now() & "  We goes to KOVDA! -- "
    ReturnCode = objItem.SetIPConnectionMetric(arrKovdaMetrics2(0))
    Next
    ' route CHANGE 0.0.0.0 MASK 0.0.0.0  172.16.2.52 METRIC 48 IF 0x60006")
    Set oExec = WshShell.Exec("route CHANGE 0.0.0.0 MASK 0.0.0.0 " & _
       UltraGateWay & " METRIC " & arrKovdaMetrics48(0) & " IF 0x" & UltraInterfaceIndex)
    Do While oExec.Status = 0
    WScript.Sleep 100
    Loop
    RouteFlag = 1
   End If
   Next
   '++++++++++++ Print Route +++++ 
   Set objKovdaRoute = objWMIService._
    ExecQuery("Select * from Win32_IP4RouteTable where Caption = '" _
      & strCuptionRoute _
      & "' and NextHop = '" & KovdaGateWay & "'") ',,48)
   ' Default Route string to UltraNET
   Set objUltraRoute = objWMIService._
    ExecQuery("Select * from Win32_IP4RouteTable where Caption = '" _
      & strCuptionRoute _
      & "' and NextHop = '" & UltraGateWay & "'") ',,48)
   For Each objItem in objKovdaRoute
   WScript.Echo "KovdaRoute.Metric: " & objItem.Metric1
   Next
   For Each objItem in objUltraRoute
   WScript.Echo "UltraRoute.Metric: " & objItem.Metric1
   Next
   '++++++++++++++++++++++++++++++++
   Wscript.Echo "==================================================================="
        End If
    Next
    WScript.Sleep 60000
loop

(in reply to kristan_slack)

Post #: 9

RE: Multiple External Interfaces Failover - 26.Apr.2004 12:33:00 PM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Custler,

Thanks! Does this script fail-back too?

Tom

(in reply to kristan_slack)

Post #: 10

RE: Multiple External Interfaces Failover - 26.Apr.2004 1:43:00 PM

Custler

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline

Yes, the draft algorithm of it is follow:
1. Set routing table(RT) to route to main provider (Kovda).
2. Ping 10.0.2.5 � if success � do nothing and sleep for 60 secs.
3. In case RT route to Kovda and ping in (2) fails � switch to backup provider (Ultra)
4. If RT route to Ultra do ping 81.211.35.65 (nearest from us real IP inside Kovda trace)
If it success � return to main provider.
This algorithm was choose because 99% of network fails occur inside the provider network due to a few hops in trace (shown above) are 802.11.
Of course, it�s possible to include in the script a few protections from false switching and many more�
But it works two weeks already and I haven�t time to work on it.

(in reply to kristan_slack)

Post #: 11

RE: Multiple External Interfaces Failover - 26.Apr.2004 1:55:00 PM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Custler,

Very good! We'll try it out and see how it goes.

Thanks!

Tom

(in reply to kristan_slack)

Post #: 12

RE: Multiple External Interfaces Failover - 26.Apr.2004 2:20:00 PM

Custler

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline

One more notice:
run this script in CScript, not in WScript due to output to console.
On W2003 server CScript alredy registered as default.
On XP computer it's necessary to execute "CScript /H:CScript" to register CScript as default.

P.S. A sent you the script as attached file to hotmail.

(in reply to kristan_slack)

Post #: 13

RE: Multiple External Interfaces Failover - 26.Apr.2004 3:09:00 PM

Jim Harrison

Posts: 231
Joined: 5.May2001
From: Redmond, WA
Status: offline

Nicely done, but this script only works on Win2k3; Win2K will choke the script on "NetConenctionID" and "Win32_PingStatus".

I have some alternate methods for those mechanisms if you're interested...

(in reply to kristan_slack)

Post #: 14

RE: Multiple External Interfaces Failover - 26.Apr.2004 3:31:00 PM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jim,

Let us have it!

This is all great info.

Thanks!
Tom

(in reply to kristan_slack)

Post #: 15

RE: Multiple External Interfaces Failover - 26.Apr.2004 3:38:00 PM

Custler

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline

We haven't W2K Servers already...
But As I saw in MSDN for Win32_PingStatus, ExecQuery, etc. Requirements are:
===== citation on =====
Windows NT/2000/XP: Requires Windows NT 4.0 SP4 or later
Namespace: Included in \root\cimv2
MOF: Declared in Ping_desc.mof
===== citation off =====
But I don't test it on W2K, and you may know better.

Anyway, alternate methods are very interesting for me.

(in reply to kristan_slack)

Post #: 16

RE: Multiple External Interfaces Failover - 9.Jun.2004 8:50:00 PM

JohnBullinger

Posts: 53
Joined: 25.Apr.2003
From: Texas
Status: offline

Has anyone tried this script out? Does it work? Will it do a failover to a 2nd ISP on a ISA 2000 Server running on Windows 2003?

How should the 2nd External NIC be configured?

ANy help appreciated.. Been looking for a failover solution for a while

Thanks

John

(in reply to kristan_slack)

Post #: 17

RE: Multiple External Interfaces Failover - 10.Jun.2004 6:59:00 AM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi John,

I haven't tested it, but it should work. It just doesn't provide the functionality I think people are expecting when they have multiple external interfaces. However, if all you expect is a hotfail "spare" then it should work.

Try it in your test lab first.

HTH,
Tom

(in reply to kristan_slack)

Post #: 18

RE: Multiple External Interfaces Failover - 10.Jun.2004 11:13:00 AM

Custler

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline

=> 1) Does this work on a Windows 2003 Machine with ISA Server 2000?

I have not tried the script with ISA2K. And I can't say that it will work,
bat due to the script change only route metric in Windows routing table, I suppose it will work.

=> 2) Is this script made to failover (change the Default
=> Gateway and whatever) to a 2nd ISP if the 1st goes down?

Yes. This script is made for failover. But it uses our specific network config with one of our ISP:

ISA 2004 Computer
| |
DG ISP1 DG ISP2
| |
x1 ...
|
x2
|
x3

Mainly we use ISP1 because we have close relations with him.
ISP2 we use as back up.
In 99% cases connection problem appear between x1 � x2 � x3, because it is radiochannels between these machines. Each DG-x1-x3 has 2 IP at least (local 10.0� and public 81.211�). DG ISP1 stays in our office near ISA computer.
So, idea of the script is:
1. We are pinging Local IP of x3 through DG ISP1.
2. If ping fail we change metric of this route to 48 and change route metric through DG ISP2 to 2. After that traffic goes through DG ISP2
3. Now we pinging public IP of x1 through DG ISP2 until ping is success.
4. Change route metrics vice versa and goes to step 1.

=> 3) Is there anything special that needs to be done on the
=> 2nd External NIC Card? I.e. how did you configure it, with
=> or without a Default gateway?

Yes, you have to configure Default gateways on both external NICs, and
set interface metrics on its to: 1 on main ISP and 50 on backup ISP.
In this case your traffic will goes through main ISP after reboot without running the script.
Also you can change traffic direction manually. For example:

Rem SET ROUTE TO MAIN ISP
route CHANGE 0.0.0.0 MASK 0.0.0.0 81.211.35.57 METRIC 1 IF 2
route CHANGE 0.0.0.0 MASK 0.0.0.0 81.95.36.11 METRIC 50 IF 0x40006
pause

(in reply to kristan_slack)

Post #: 19

RE: Multiple External Interfaces Failover - 10.Jun.2004 3:42:00 PM