Two ISA2K4SE As Edge Firewall Servers and Dead Gateway Detection

Two ISA2K4SE As Edge Firewall Servers and Dead Gateway ... - 29.Jun.2006 11:48:09 AM   
MSchaefer

 

Posts: 25
Joined: 28.Jun.2006
Status: offline
This question is for Tom and some of the other experts.

I am going to post the network and ISA configuration that I have been using without problems for the last two years.  I have read several posts that seem to say that the type of configuration that I am using will not work without something like Rainwall or Rainconnect.  Well, I can say that I have not seen a need of any add-on products and my configuration is inexpensive, self load balances, and provides failover redundancy.  I have also read that Rainwall and Rainconnect have been dropped recently by EMC, not sure if this is true.  Here is my configuration:

                T-1 Internet
                 /          \
                /            \
    Round Robin              Round Robin
    External DNS             External DNS
       MX-10                    MX-20
         |                        |
     x.x.x.101                x.x.x.102
     ISA2K4SE                 ISA2K4SE
     10.0.0.1                 10.0.0.2
         |                      WPAD
          \                      /
           \                    /
             250 Workstations
                 FTP Sites
                 15 Servers
            (Exchange 2000 Ent
             On Windows 2000)
   (All with dual Gateways 10.0.0.1 & .2)

Why does this work and what do I see for load balancing? First of all, about 90% of the email comes in on the ISA Server with the low MX record.  At any one time 60-70% of the workstations are connected to the WPAD ISA Server through the use of auto-discovery.  By default, auto-discovery instructs the clients to find an alternate Internet connection if the Web Proxy Server does not respond fast enough (defined as unavailable).  As a result, 30-40% decide that the non-WPAD Web Proxy Server is the faster or better choice.  The net result is that the network and clients self load balance the two ISA Server Standard Edition Servers.  The Macs and Linux computers have a slightly different issue, but I only have eight so it's not too hard to configure them.

Redundancy and Failover are again automatic in Windows 2000 and 2003/XP clients.  I have dual gateways built into my Servers and Workstations (through DHCP).  Dead Gateway Detection is built into TCP/IP on Windows 2K and up.  (Available but slightly different in WIN95 and WIN98.)  These computers detect if one of the ISA Servers (Gateways) is unavailable and automatically switch to the one that is available.  On reboot, or if the secondary gateway becomes unavailable, the clients automatically switch back to their primary gateway.  I have started and stopped the Firewall Service and rebooted ISA Servers in the middle of the day (on rare occasions).  The client computers automatically switch to the backup gateway.  In some instances, they may need to restart their web browser.

Why did I go through this detailed description?  Because I have two years of having it work.  Also, because I need to get into the next topic, which is bi-directional affinity.  I need bi-directional affinity to work with Exchange, EDI/AS2 connections, and FTP sites.  I also need bi-directional affinity for my round robin external DNS to work.  Bi-directional connections work simultaneously through multiple gateways on Windows 2000 and 2003 pre-sp1 servers.  How do I know this?  Because I have it working now and had it working for two years.

My FTP sites and EDI/AS2 are on Windows 2000 and 2003, pre-sp1 servers.  I recently upgraded from Exchange 2000 to Exchange 2003.  Unfortunately, I installed sp1 and R2 on my Exchange Server.  I did not understand the changes to TCP/IP dead gateway detection until it was too late.  Now I only have external bi-directional functionality through the "current default" gateway on my Exchange because of the TCP/IP changes in sp1.  Bi-directional connections to the backup gateway fail until it becomes the "current default" gateway.  This kills Round Robin External DNS, which in turn kills having two MX records, OWA, ActiveSync/RPC over HTTP, Redundancy and Failover.  I am head of the Department of Redundancy Department and I hate losing my redundancy.

The only work-around that I have been able to come up with is to change the publishing rules in ISA Server to "Requests appear to come from the ISA Server".  NAT'ing the external requests to the internal NIC card is not really a good alternative.  I am hoping that someone can come up with a better work-around or solution.  That is my question, request, and current need.

This is a rather long narrative and question.  Frankly, I wrote it because I could not find this information in any articles anywhere.  A lot of the information that I have read, including some on this site, has been wrong.  I hope I have done a good job of explaining the results of two Standard Edition ISA Servers as Edge Firewalls, and briefly, dead gateway detection pre and post Windows Server 2003 sp1.  I will be glad to answer any questions or provide more information.

Thanks,

Mark Schaefer
 
 
Post #: 1
RE: Two ISA2K4SE As Edge Firewall Servers and Dead Gate... - 29.Jun.2006 4:22:42 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:

These computers detect if one of the ISA Servers (Gateways) is un-available and automatically switch to the one that is available

Dead Gateway Detection (DGD) is only triggered with TCP traffic so this usually makes it a non-starter for most environments. I worked in MS Networking support for 5 years and got this question (and resulting debate) for 5 years. UDP will follow the gateway changeover, but only TCP is used by Windows to decide to make the switch.

quote:

I did not understand the changes to TCP/IP dead gateway detection until it was too late.

I've left MSFT since R2 was released - what changes in DGD were made?

(in reply to MSchaefer)
Post #: 2
RE: Two ISA2K4SE As Edge Firewall Servers and Dead Gate... - 29.Jun.2006 5:10:00 PM   
MSchaefer

 

Posts: 25
Joined: 28.Jun.2006
Status: offline
Clint,

Thanks much for the response.  I was hoping for some suggestions on my real question though.

Let me discuss a couple of the things about Dead Gateway Detection (DGD).  Your comment about DGD being a non-starter is actually wrong.  It is a registry entry, either enabled or disabled, and by default is enabled on 2000 and 2003.  It functions fast and well.  I have not timed the change over in default gateways, but I have seen it change in less than a second.  I can do an ipconfig /all and see the gateways change from 10.0.0.1 to 10.0.0.2 immediately.  I am very happy with how DGD works.  The changes in sp1 however void my previous network configuration and functionality.

There were no changes to DGD in R2.  The changes were made in sp1.  Installing R2 means I cannot uninstall sp1.  In a nutshell, in sp1, the secondary or backup gateway(s) will not accept any communications.  This was a security feature to prevent things like denial of service attacks.  From what I am experiencing, pre-sp1 servers would only have one "default" gateway, but would accept communications over all gateways simultaneously.  Post-sp1 servers can only communicate with the "current default" gateway.  Communications to the secondary gateway(s) are blocked now.  I don't know if this is a good thing or a bad thing.

Any ideas on how to open bi-directional affinity through my secondary gateway?

Thanks,

Mark Schaefer
 

(in reply to ClintD)
Post #: 3
RE: Two ISA2K4SE As Edge Firewall Servers and Dead Gate... - 29.Jun.2006 7:53:58 PM   
MSchaefer

 

Posts: 25
Joined: 28.Jun.2006
Status: offline
Clint,

Sorry, I was a little tired when I posted the last response.  You can't see the "current default" gateway from ipconfig /all.  You can see it from route print.

I guess a lot of the rest of my discussion was maybe patting myself on the back for implementing a Two ISA Server Edge Firewall structure that uses the default behaviors of ISA Server Standard Edition, Windows Client Servers and Workstations to achieve an inexpensive, Load Balanced, Redundant/Failover network.  A lot of what I read says it cannot be done this way.  My comment to that is not only can it be done; it is the default behavior in Windows 2000 and 2003.  I have read a few articles about trying to NLB two Standard Edition ISA Servers.  I don't understand why anyone would want to do that when you achieve almost the same exact result by just using the default ISA installation and default behavior of your Windows Internal Network clients.

My only concern now is if there is a way around the DGD TCP/IP changes implemented with 2003 sp1 that result in blocking simultaneous bi-directional affinity through multiple gateways.

Thanks,

Mark Schaefer
 

(in reply to MSchaefer)
Post #: 4
RE: Two ISA2K4SE As Edge Firewall Servers and Dead Gate... - 29.Jun.2006 9:00:44 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:

Your comment about DGD being a non-starter is actually wrong.


How - exactly?

OK Mark - I've had plenty of people tell me I'm wrong over the past 5 years, but I've also had the Windows developer who coded Dead Gateway Detection tell me that this is the way it works and that I'm correct.

If DGD worked the way you think it does, then there would be no reason for all of the 3rd party products out there specifically designed to work with this scenario. But hey, what do I know...

Good luck.

< Message edited by ClintD -- 29.Jun.2006 9:04:14 PM >

(in reply to MSchaefer)
Post #: 5
RE: Two ISA2K4SE As Edge Firewall Servers and Dead Gate... - 29.Jun.2006 9:27:34 PM   
MSchaefer

 

Posts: 25
Joined: 28.Jun.2006
Status: offline
Clint,

I did not want to get into an argument with you about whether you were right or wrong.  I was hoping to focus on the real issue.  The real issue is simultaneous bi-directional affinity through multiple gateways after Windows Server 2003 sp1.

Do you have any ideas on this?

Thanks,

Mark Schaefer
 

(in reply to ClintD)
Post #: 6
RE: Two ISA2K4SE As Edge Firewall Servers and Dead Gate... - 30.Jun.2006 6:48:52 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
As for right and wrong, I don't care for those types of conversations. I just post the facts. To repeat, all I said was that ONLY TCP can trigger the routing table over to the additional default gateway - UDP traffic cannot. Clearly this excerpt from the TCP/IP Implementation Details guide for Windows shows that TCP only is involved in this decision. The main key to help in this decision is TcpMaxDataRetransmissions - not UdpMaxDataRetransmissions (that's a contradiction in terms).

From http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/tcpip2k.mspx

quote:


Dead Gateway Detection
Dead gateway detection is used to allow TCP to detect failure of the default gateway and to adjust the IP routing table to use another default gateway. The Microsoft TCP/IP stack uses the triggered reselection method described in RFC 816, with slight modifications based upon customer experiences and feedback.
When a TCP connection routed through the default gateway attempts to send a TCP packet to the destination a number of times (equal to one-half of the registry value TcpMaxDataRetransmissions) without receiving a response, the algorithm changes the Route Cache Entry (RCE) for that remote IP address to use the next default gateway in the list. When 25 percent of the TCP connections have moved to the next default gateway, the algorithm advises IP to change the computer's default gateway to the one that the connections are now using.
For example, assume that there are currently TCP connections to 11 different IP addresses that are being routed through the default gateway. Now assume that the default gateway fails, that there is a second default gateway configured, and that the value for TcpMaxDataRetransmissions is at the default of 5.
When the first TCP connection tries to send data, it does not receive any acknowledgments. After the third retransmission, the RCE for that remote IP address is switched to the next default gateway in the list. At this point, any TCP connections to that one remote IP address have switched over, but the remaining connections still try to use the original default gateway.
When the second TCP connection tries to send data, the same thing happens. Now, two of the 11 RCEs point to the new gateway.
When the third TCP connection tries to send data, after the third retransmission, three of 11 RCEs have been switched to the second default gateway. Because, at this point, over 25 percent of the RCEs have been moved, the default gateway for the whole computer is moved to the new one.
That default gateway remains the primary one for the computer until it experiences problems (causing the dead gateway algorithm to try the next one in the list again) or until the computer is restarted.
When the search reaches the last default gateway, it returns to the beginning of the list.


Now, if you're nitpicking about my characterization as a nonstarter, then you've got me there. I can only comment on the hundred odd customers that I talked to and guided through the use of this feature in Windows. Once I explained to them with supporting articles and documentation from the developer of the TCP/IP stack in Windows that DGD does not work as they expect it to (fail over triggered by any type of traffic), they decided to go with a different solution - this is why I called it a non-starter.

As for your success over the past year, I can only say congratulations. I also congratulated the many different folks that assigned 2 default gateways to their systems, assigned ISP DNS servers as secondary entries to their DCs and configured Push-Pull replication with all WINS Servers in their environment. Certainly, these configurations can work (as yours apparently does), but that doesn't mean that you'll get support from MSFT nor does it mean that it's a good idea from a support standpoint which is something I would think your job title implies heavily.

Finally, I'm curious, how are you implementing bi-directional affinity on ISA 2004 Standard Edition? Surely you're not implementing the registry keys a la "Enabling NLB Bi-Directional Affinity (BDI) on ISA Server 2004 Standard Edition Firewalls" http://www.isaserver.org/articles/2004bidirnlb.html are you? Again, this falls to the last sentence of the previous paragraph - not supported in Standard edition.

< Message edited by ClintD -- 30.Jun.2006 7:36:01 AM >

(in reply to MSchaefer)
Post #: 7
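The triggered-reselection algorithm quoted above from the TCP/IP Implementation Details guide, replayed as an added Python model (not code from this thread, from Microsoft, or from ISA Server). It walks the guide's own 11-connection example using the thread's gateway addresses; the remote IPs are constructed, and it assumes "one-half of TcpMaxDataRetransmissions" rounds up (5 gives a switch after the third retransmission, as the guide says) and, per Clint's point, that UDP sends never advance the counter.

```python
from dataclasses import dataclass, field


@dataclass
class DeadGatewayDetector:
    gateways: list                               # default gateways, configured order
    tcp_max_data_retransmissions: int = 5        # registry default named by the guide
    default_index: int = 0                       # the computer's "current default" gateway
    rce: dict = field(default_factory=dict)      # remote IP -> gateway index (Route Cache Entry)
    retrans: dict = field(default_factory=dict)  # remote IP -> unanswered TCP retransmissions

    @property
    def rce_threshold(self) -> int:
        # "one-half of TcpMaxDataRetransmissions"; the guide's example (5 -> third) rounds up
        return (self.tcp_max_data_retransmissions + 1) // 2

    def current_default(self) -> str:
        return self.gateways[self.default_index]

    def gateway_for(self, remote_ip: str) -> str:
        # a new RCE is created on whatever the current default gateway is
        return self.gateways[self.rce.setdefault(remote_ip, self.default_index)]

    def tcp_send_unanswered(self, remote_ip: str) -> str:
        """One TCP transmission to remote_ip that got no ACK; returns the gateway its RCE now uses."""
        self.gateway_for(remote_ip)
        self.retrans[remote_ip] = self.retrans.get(remote_ip, 0) + 1
        if self.retrans[remote_ip] >= self.rce_threshold:
            # move only this RCE to the next gateway in the list, wrapping past the last one
            self.rce[remote_ip] = (self.rce[remote_ip] + 1) % len(self.gateways)
            self.retrans[remote_ip] = 0
            self._maybe_move_default()
        return self.gateway_for(remote_ip)

    def udp_send_unanswered(self, remote_ip: str) -> str:
        # UDP has no ACKs or retransmissions, so it never advances DGD; it just follows the RCE
        return self.gateway_for(remote_ip)

    def _maybe_move_default(self) -> None:
        # once over 25 percent of RCEs have left the default gateway, IP moves the whole computer
        moved = [i for i in self.rce.values() if i != self.default_index]
        if moved and len(moved) / len(self.rce) > 0.25:
            self.default_index = moved[0]


def guide_walkthrough() -> dict:
    """Replay the guide's example: 11 remote IPs via gateway 1, which then fails (remote IPs constructed)."""
    dgd = DeadGatewayDetector(gateways=["10.0.0.1", "10.0.0.2"])
    remotes = [f"203.0.113.{n}" for n in range(1, 12)]
    for ip in remotes:
        dgd.gateway_for(ip)  # all 11 RCEs start on 10.0.0.1
    trace = {}
    for n, ip in enumerate(remotes[:3], start=1):
        for _ in range(dgd.rce_threshold):  # three unanswered retransmissions
            dgd.tcp_send_unanswered(ip)
        trace[n] = (dgd.gateway_for(ip), dgd.current_default())
    return trace
```

After the first two failing connections only their own RCEs point at 10.0.0.2 (2 of 11 is under 25 percent); the third pushes the computer's default gateway over, exactly as the guide describes.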
RE: Two ISA2K4SE As Edge Firewall Servers and Dead Gate... - 30.Jun.2006 8:47:24 AM   
MSchaefer

 

Posts: 25
Joined: 28.Jun.2006
Status: offline
Clint,

Glad we are continuing this discussion.  No, I am not using an unsupported NLB configuration.  Dead Gateway Detection, bi-directional affinity, etc. are all default behaviors that you need to edit the registry to turn off.  They just work.  And you are right: unless you understand them like I do, most people have trouble setting up their system to work properly.  As far as support goes, I had my ISA 2000 mothballed and ISA 2004 Servers up and running about 4 months before Tom's first ISA 2004 book was out and before most of the Microsoft support people had gone to ISA 2004 class.  I owned Tom's ISA 2000 book and was very glad when the first 2004 was out.  I own most of Tom's books and they sure have been good for fine tuning and beefing up security.

Now for the changes in the Windows Server operating system made through sp1.  I'll draw a picture.  Before sp1 all gateways were open for bi-directional communications.  This is in drawing number one.  Post sp1, only one gateway is open at a time, as in drawing number two.  Dead gateway detection simply moves the default, hence open, gateway down the line if the first one becomes available.  I could move Exchange to a server without sp1, but if there is a way to work within supported configurations, I prefer to do that.

Drawing Number One
Gateway 1      Gateway 2      Gateway 3      ETC
     \             |              |            |
      \            |              |            |
       \           |              |            |
         Windows Server 2000 & 2003 pre sp1


Drawing Number Two
Gateway 1      Gateway 2      Gateway 3      ETC
     \
      \
       \
         Windows Server 2003 post sp1
 
Does that help you to understand how Windows 2003 pre and post sp1 work?  I have everything working pretty much as before; I would just like suggestions on alternate configurations or a way to open up the other gateways.  I'd even be happy to have you take a look at the inside workings.

Thanks,

Mark Schaefer

(in reply to ClintD)
Post #: 8
RE: Two ISA2K4SE As Edge Firewall Servers and Dead Gate... - 30.Jun.2006 2:25:31 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:

No I am not using an unsupported NLB configuration


If you are using bidirectional affinity in Standard Edition, you most certainly are.

(in reply to MSchaefer)
Post #: 9