quote:

ORIGINAL: mascalia

Thanks, Jason. It would be nice to not have to create so many L2 VLANs for all our NLB clusters (not just ISA - app server web farms, too!).

quote:


To coordinate their actions, all NLB hosts communicate with each other by periodically exchanging heartbeat messages on a common subnet, which is also used to receive incoming client requests. This subnet must be physically protected from intrusion. Otherwise, unauthorized heartbeat messages could be delivered to NLB hosts and disrupt cluster operations. Note that NLB heartbeat messages use a uniquely assigned Ethertype (0x886F) which is not normally routed across subnets. However, the cluster administrator must ensure that unauthorized computers and devices which could emit invalid NLB heartbeat packets are not placed directly on the NLB subnet. The effects of these disruptions are described below in the subsection "Rogue Servers".

quote:


Rogue NLB servers on an NLB subnet could emit heartbeat packets that disrupt cluster operations. Disruptions can include impeding NLBs convergence process such that cluster hosts cannot be added and recovery for a failed host cannot be completed. In addition, disruptions can block some or all of NLBs service to clients. NLB subnets must be physically protected from intrusion by unauthorized computers and devices.

• I have a L2 VLAN set up for the ISA interfaces used to build the NLB array, so Unicast port flooding is not an issue.
  
• The L2 VLAN is hosted on a L3 switch with routing enabled, so the NLB heartbeat traffic moving across the NLB NICs isn't routed or otherwise available for tampering (unless someone jacks a rogue server into the VLAN ).
  
• I have a private VLAN set up for intra-array communications, and have added HOSTS file entries on all array members so that they can "find" each other over this network (I've also moved the Intra-array VLAN NIC up to the top in the adapter binding order as well - the only "tip" I found useful from the various unofficial "How to force NLB heartbeats out a different NIC" articles).

quote:

ORIGINAL: mascalia

Thanks, Jason.  I think you're right.  I found a couple of other supporting articles, too.  While there seems to be a lot of interest out in GoogleSpace about using alternate NIC's to pass the heartbeat traffic, the general consensus (such as it is) is that NLB heartbeat traffic passes between the NLB NICs themselves.

Which, in an offhand way, makes sense.  If you have three servers in an array, assume they each have two NIC's in different Networks.  One Network is external, customer-facing and the other is a back-end connection to the corpnet with DC's, DNS, etc....

Further assume that there is a NLB array across the external NICs on the three servers.

Reading the documentation out there, the "heartbeat" is sent to all servers in the array once every second.  If an acceptable reply is not received, convergance begins to remove the unresponsive array member.

From a "NLB for Dummies" perspective, wouldn't it make sense that that traffic would HAVE to go out over the NLB NICs?  Those are the NICS used to create the array.  What good would it do to have your NLB heartbeat going out over NICs that aren't in the array?  The idea the heartbeat is to see if a specific NLB host (and NIC) is responsive.  I my simplistic mind, that would be most effective going from NIC to NIC across the NLB array.

Now, I also found a bunch of sites claiming to have custom configs that will supposedly force the NLB heartbeat to go out over a different NIC.  But, even if it works, is it wise?  What about the case (common in ISA arrays) where you may have three or more NIC's in a box, and maybe have NLB built across two of them?  If the NLB heartbeat goes out the NLB "back-end" of the servers, what happens if only one of the NLB configs goes belly up on a server, but the other one is working fine? 

My guess is that NLB would be killed for the entire server, essentially taking it out of every NLB array - even if it's not necessary.  If the NLB heartbeat for a specific array goes out over the NLB NICs for that array, however, then failure of NLB on one array wouldn't necessarily cause the server in question to withdraw from all NLB arrays (assuming that ISA server is smart enough to act that way ).

Just my thoughts after a good night's sleep.  Overall, I guess you could force heartbeats out over another interface (and for MSCS, you actually want to do this).  But for WLBS/NLB, do you want to?  From what little I've been able to find, my current answer is NO.

What do you think? 

Mike

quote:

ORIGINAL: mascalia

So, with all that said, back to my original thought:  Why use Multicast NLB?

• I have a L2 VLAN set up for the ISA interfaces used to build the NLB array, so Unicast port flooding is not an issue.
  
• The L2 VLAN is hosted on a L3 switch with routing enabled, so the NLB heartbeat traffic moving across the NLB NICs isn't routed or otherwise available for tampering (unless someone jacks a rogue server into the VLAN ).
  
• I have a private VLAN set up for intra-array communications, and have added HOSTS file entries on all array members so that they can "find" each other over this network (I've also moved the Intra-array VLAN NIC up to the top in the adapter binding order as well - the only "tip" I found useful from the various unofficial "How to force NLB heartbeats out a different NIC" articles).

With all that said, I don't see any reason to implement Multicast or IGMP Multicast on my current ISA array.  Now, if any of those things change (which they will for arrays in other sites), then I'll have to re-evaluate.

The only consolation I'm making is to go ahead and update the CSS as outlined in the Microsoft KB so that it can support other arrays that might have to use Multicast.

My only other question is whether or not I still need to make the Registry hack to enable NLB communications over Unicast (as outlined in this KB:  http://support.microsoft.com/kb/898867).  Is this "fix" needed and/or compatible with ISA NLB?

Thoughts, anyone?

Thanks,
Mike

quote:


Securing Intra-Array Communication


To secure intra-array communication, follow these guidelines:

• Upon installation, a pair of private and public keys are created for each array member. These keys are used to transfer confidential data between array members. If you believe that the keys have been compromised, create a new key pair by uninstalling and then installing ISA Server.
  
• We recommend that you use a dedicated network adapter in a network used only for intra-array communication.

• With Windows Server 2003 Service Pack 1, dedicated network adapters are not required for host-to-host communication.
  
• 
  (...)
• 
  By default, the intra-array IP address is set to the IP address assigned to the array members' network adapter on the internal network.

quote:

Answer 1: In the context of ISA, messages which pass between array members include:
* ADAM replication and ISA synchronization with ADAM.
* ISA level heartbeat (over http) to determine availability of array members. This is done in order to correctly handle and forward CARP requests.
* CARP traffic, where one member forward http request to another member which may cache it.

My Answer: ADAM replication and ISA synchronisation only occur when the CSS role is co-located on the actual array members themselves. This co-location of the CSS role is something I personally try to avoid.

• I'm assuming that the ISA-level heartbeat over HTTP are the port 8080 connections I see in the ISA log?
  
• If the ISA heartbeat is tied to CARP, and you aren't using CARP, then will there be any ISA heartbeats at all?  I'm guessing not, since NLB heartbeats will handle NLB convergence (when necessary).  Maybe that's why I'm not seeing any ISA intra-array comm on my Netmon capture?
  
• Question:  if I have a second NIC on my dedicated CSS, would it be better to plug it into the private VLAN used for Intra-array comm?  I know this would only benefit "local" arrays that can support such physical connections, but would it be better than having ADAM connections go out through the internal network interface?