Failover options (Full Version)






quantum555 -> Failover options (12.Dec.2005 5:42:43 PM)

Our organization has recently decided to use Celestix's MSA3000 appliances for our primary firewall.  We are replacing two Cisco Pix 515's.  These 515's operate in failover mode and we would like to preserve this feature with the ISA appliances.  Is there a common setup that would provide redundancy in case one of the appliances failed?  Thanks.

Jeff




tshinder -> RE: Failover options (12.Dec.2005 6:27:38 PM)

Hi Jeff,

I know that the Network Engines ISA hardware firewalls have the same kind of failover feature as the PIX boxes, but I don't think the Celestix boxes do. You can use RainWall from Rainfinity to get NLB support for your array.

HTH,
Tom




quantum555 -> RE: Failover options (12.Dec.2005 9:28:20 PM)

I contacted Celestix about this and their answer was that yes, you can do NLB with two appliances.  You should set up a virtual IP address on one and use round-robin DNS to balance between the two appliances.  I'm not sure how to set up round-robin on DNS...anyone have any experience with this situation?

Thanks,
Jeff




tshinder -> RE: Failover options (13.Dec.2005 3:10:59 AM)

Hi Jeff,

OK, think about it:

1. If NLB is enabled, why use round robin DNS?

2. NLB is not supported on ISA SE, only on ISA EE

RR DNS is only used to support Firewall clients. You won't get bidirectional affinity if you don't use ISA EE NLB, and since ISA SE isn't integrated with NLB, if the firewall service dies on one of the NLB array members, the NLB service won't be aware of it and will continue to load balance connections to the dead firewall service ISA firewall.

HTH,
Tom




quantum555 -> RE: Failover options (9.Jan.2006 6:55:14 PM)

Thanks for the reply.  So the best way to have failover is to use NLB?  After looking through the admin guide for the Celestix RAS 3000 (www.celestix.com/resources/ras/RAS3000_AdministratorsGuide.pdf), it gives instructions on how to set up NLB with the two appliances.  I don't think that this appliance comes with Enterprise Edition but can still take advantage of NLB.  Do you see any problem with setting it up this way for a primary firewall?

Thanks,
Jeff




tshinder -> RE: Failover options (9.Jan.2006 7:03:36 PM)

Hi Jeff,

It is possible to do NLB with Standard Edition, but you should check out the warnings regarding this as discussed in the articles on this site. Unless Celestix has done something to enable NLB (like add RainWall), then NLB and ISA are not aware of each other, and bad things can happen due to that.

HTH,
Tom




quantum555 -> RE: Failover options (9.Jan.2006 10:08:24 PM)

Ok, so whenever a hard drive fails on one of the cluster nodes, the connections are failed over to the functioning node.  But, when a service fails, no cluster config is made and the node that had the service fail will continue to receive traffic but be unable to route it.  Is this a correct assumption?

What are the "bad things" that can happen?

It seems like the service would then try to restart itself and if successful, continue to route traffic.  If unsuccessful, monitored services would throw up a flag to someone and they could manually fail the node.

Thanks,
Jeff




tshinder -> RE: Failover options (11.Jan.2006 4:10:25 PM)

Hi Jeff,

That's the thing. NLB is not ISA firewall aware, not even OS aware. So, if the firewall service fails or some other critical service fails, connections are still load balanced over the array as long as the NLB service is still running. This leads to connections being balanced to a machine that can't connect users to the Internet.

Also, you will need to do some Registry edits to get BDA to work, and you're limited to BDA for only two Networks.

If those issues aren't problems, then you're good to go.

Tom
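The gap Tom describes above (NLB keeps balancing connections to a node whose firewall service has died, because NLB only knows whether its own service is up) is the kind of thing a small watchdog on each array member can close. The script below is an added example written for this thread, not Celestix's or Microsoft's own code: it polls the Microsoft Firewall service and, when that service is not running while the node is still converged in the cluster, drains the node out of NLB with wlbs.exe (the NLB control tool on Windows Server 2003; `drainstop` finishes existing connections and then stops the node, `start` rejoins it). Assumptions: the firewall service name is `fwsrv`, wlbs.exe is on the PATH, the script runs elevated on each node, and the state words it looks for in `wlbs query` output ("converged", "draining", "stopped") match your version's wording; verify the last point on your own host before relying on it. It also goes one step beyond the thread by rejoining the cluster once the service is running again.

```powershell
# Added example: make NLB "firewall-service aware" on an ISA 2004 SE array member.
# Assumptions (not from the thread): service name fwsrv, wlbs.exe on PATH,
# 'wlbs query' output containing the words converged / draining / stopped.

$ServiceName = 'fwsrv'                          # Microsoft Firewall service (assumed name)
$PollSeconds = 15
$LogFile     = 'C:\nlb-watchdog.log'           # hypothetical log path

function Get-NlbState {
    # Reduce 'wlbs query' output for this host to one of four states.
    $out = (& wlbs query 2>&1) | Out-String
    if ($out -match 'draining')  { return 'draining' }
    if ($out -match 'stopped')   { return 'stopped' }
    if ($out -match 'converged') { return 'converged' }
    return 'unknown'
}

function Test-FirewallService {
    # True only when the service exists and reports Running.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

while ($true) {
    $fwUp = Test-FirewallService
    $nlb  = Get-NlbState

    if (-not $fwUp -and $nlb -eq 'converged') {
        # Firewall service is down but NLB would still hand this node new
        # connections: drain existing ones, then leave the cluster.
        Write-Log "$ServiceName not running; draining this node out of NLB"
        & wlbs drainstop | Out-Null
    }
    elseif ($fwUp -and $nlb -eq 'stopped') {
        # Service came back (e.g. it restarted itself): rejoin the cluster.
        Write-Log "$ServiceName running again; rejoining NLB"
        & wlbs start | Out-Null
    }
    elseif ($nlb -eq 'unknown') {
        Write-Log "could not parse 'wlbs query' output; no action taken"
    }

    Start-Sleep -Seconds $PollSeconds
}
```

Run it as a scheduled task or service wrapper on every array member, and keep the poll interval short enough that the window between the service dying and the drain starting is acceptable for your users. Note that this covers only the case the thread discusses (firewall service down, NLB up); it does nothing about the bidirectional-affinity limitations Tom raises for Standard Edition.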



