
Welcome to ISAserver.org


multi-ISPs in the post rainwall/reconnect world

multi-ISPs in the post rainwall/reconnect world - 26.Jun.2006 11:00:43 AM   
lewinr

 

Posts: 9
Joined: 25.Jun.2006
Status: offline
Hi

We are currently doing a project to improve the uptime of our systems, and as part of this we are implementing an ISA2004 EE array.
We need to support redundant ISPs because our ISPs are not so reliable.

We had originally thought about using Rainwall/Rainconnect, but now it is discontinued and we have been informed that even if we want to buy it as a discontinued product, we cannot get it.

So what are our other options?

Questions:
1.  I have seen a few times people recommend a Cisco 1841.  A few questions about this option:
- I am not crazy about it because it becomes a single point of failure.  Are there any alternatives to this product that at least support redundant power supplies or can work as an "array" in case one box fails?

2.  Does anybody know any other products with the Cisco 1841's ability to support load-balancing on external ISPs, maybe from another manufacturer?

3.  Any chance that we'll see another software solution in the near future?   Even something simple?

Thanks
Ron



Post #: 1
RE: multi-ISPs in the post rainwall/reconnect world - 27.Jun.2006 2:52:56 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ron,

I believe the Network Engines 9200 supports ISP fail over. You might want to give them a call.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to lewinr)
Post #: 2
RE: multi-ISPs in the post rainwall/reconnect world - 20.Jul.2006 11:36:58 AM   
lewinr

 

Posts: 9
Joined: 25.Jun.2006
Status: offline
I've done some research and come up with a few different products, some of them low-end and some of them high-end that can do WAN-link failover.

I would be interested in your opinion on them, since I am not confident that all products have all necessary features to work cooperatively with ISA2004.  On the other hand, I'm not sure that we need some features that many of the boxes have, since we plan to use ISA for practically everything (firewall, etc).  For example, some of these boxes support "affinity", but I understand that ISA2004 supports this... does it mean that we don't need it in the hardware device, or that we need it?  Your advice here is highly appreciated.

Just a quick note on our environment:  we have two ISPs, each of which feeds us with a simple 100mbps ethernet cable.  We have an ISA2004 array, a DMZ with a few published web servers and a couple of VoIP boxes (vonage, etc), and behind the array we have exchange plus a LAN that needs normal web access and some of the LAN clients sometimes need to use VPN clients to connect to remote non-ISA VPN servers such as Checkpoint Firewall-1.  We are using ISA for firewall, etc.  What we want is for the router to detect if a WAN link is down (or significantly degraded) and if so move traffic to the second WAN link.


Here are the products I've found:

DI-LB604  >  4-Port Load Balancing Router  http://www.dlink.com/products/?pid=452&sec=0
Possibly the lowest cost choice at around $100 per unit.  But it seems like a very simple device (according to the manual online at the address above, it does not support affinity) so I'm not sure we could use it with our ISA array.

Barracuda Load Balancers  http://www.barracudanetworks.com/ns/products/balancer_overview.php
They have 3 different models you can see here: http://www.barracudanetworks.com/ns/products/balancer_models.php
This is a new product and they do not have prices online yet, but the rep told me that the list price for the model 240 will be $1,999 for the unit, $499.00 for 1 year updates, $1,243 for 3 yr, $1,996 for 5 yr.

XRoad Networks Edge2Wan
http://www.xroadsnetworks.com/products/Edge2WAN.xos
This product has two interesting features:
  • The Edge2WAN UBM (Unified Bandwidth Management) appliances incorporate intelligent load balancing for traffic that originates from both the LAN and WAN networks (i.e. inbound and outbound). Inbound SMART load balancing and redundancy is provided via our ActiveDNS Server. With this capability the Edge2WAN appliances can automatically re-route requests in the event of a network failure. This method avoids the use of traditional BGP/OSPF routing protocols for network multihoming, and thus eliminates the extra expense and complexity involved with those solutions.

  • Additionally, the Edge2WAN UBM (Unified Bandwidth Management) appliances include Best Path Routing™ which can automatically determine the best path for routing critically defined traffic. Example: A business has their HQ in New York and a branch office in Los Angeles, both with dual-WAN connectivity. Best Path Routing™ continuously checks each possible path and dynamically determines which provides the lowest overall latency and packet loss and routes the critical traffic via the selected path.   (this is important for us because one of our key requirements is to keep VPN links between our offices stable).

The only price I could find for the model 700 was $795 (here: http://shopping.netsuite.com/s.nl/c.307725/sc.1/.f), which is more than DLINK but compares favorably with the Cisco 1841.

EDIMax
http://www.edimax.com/html/english/products/list-PRIrouter.htm
The PRI-682 seems to be the cheapest one that supports inbound connections.  http://www.edimax.com/html/english/products/PRI682.htm  It is available online for $389 here: http://www.zipzoomfly.com/jsp/ProductDetail.jsp?ProductCode=253487

RADWare Linkproof  http://www.radware.com/content/products/lp/default.asp
Based on this http://www.rad-direct.com/Application-load-balance-routers.htm this product will do what we need.  But to be honest, I found the main page for the product confusing and it is not clear to me if this device is really appropriate.   It appears to cost $4000+.

So, what do you guys think?
Hopefully this thread will be useful to others who want multiple WAN links at a low cost and without too much complexity.

Thanks
Ron

< Message edited by lewinr -- 20.Jul.2006 3:12:05 PM >

(in reply to tshinder)
Post #: 3
RE: multi-ISPs in the post rainwall/reconnect world - 20.Jul.2006 12:10:24 PM   
lewinr

 

Posts: 9
Joined: 25.Jun.2006
Status: offline
oops, I forgot one more option:

Xincom XC-DPG602/3  http://www.xincom.com/twr602.html and http://www.xincom.com/twr603.html.  It appears the main difference is the 603 supports IPSEC for VPNs.  I wonder if we would need that if we will use ISA for all our VPN connections.

This appears to be a low-end device that supports inbound failover via integrated DNS: http://www.xincom.com/papers/inbound_loadBalancing.html
The 602 model is available for around $500 and the 603 model appears available for approx $600

(in reply to lewinr)
Post #: 4
RE: multi-ISPs in the post rainwall/reconnect world - 20.Jul.2006 12:55:25 PM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline
Any New Cisco router will perform Load Balancing in the outbound direction.  All you need is two routes to the internet with the same cost (static routes created without specifying a cost would have the same cost).  The router will forward every other packet out each interface.  I believe this works with up to 6 routes...

To get a built in redundant power supply, I think you have to go all the way up to a 3845.... probably a little steep for this application.

Inbound is another animal... IMHO, the best way to do inbound is to use BGP.  BGP would provide immediate redundancy for inbound connections.  From my understanding of other solutions, you would need to rely on DNS changes, which means assuming that people are honoring the TTL of your zones and that the TTL is very low.  Even if you set your TTL to 60 minutes, my experience is that your inbound connection outage could affect some internet users for hours.  With BGP, the remote user more than likely wouldn't even notice the failure.... no local dns cache to flush...  it's still the same remote IP!

BGP requires getting your own block of IPs and your own Autonomous System number and working with your ISPs to set it up.  It's a little more painful to set up, but it's complete redundancy in both directions.

(in reply to lewinr)
Post #: 5
RE: multi-ISPs in the post rainwall/reconnect world - 20.Jul.2006 3:58:31 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ron,

Great research! I think the major differentiator here is whether you need load balancing and failover for inbound connections. A brain-dead Spyphco router can do outbound load balancing, but many of these products have DNS agents that enable failover and fault tolerance for the incoming connections.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to lewinr)
Post #: 6
RE: multi-ISPs in the post rainwall/reconnect world - 20.Jul.2006 4:29:24 PM   
lewinr

 

Posts: 9
Joined: 25.Jun.2006
Status: offline
yes, we need it for inbound too.

As Tony pointed out, there are basically two ways to do it: DNS or BGP.

I think all of the devices except the D-Link support inbound failover based on DNS.

That may be enough for us, as almost all inbound connections are name based... except maybe some VoIP devices that connect to us based on IP addresses.

As Tony also pointed out, DNS based inbound failover can be a bit unpredictable.  But in our case inbound is important but not critical.

Nevertheless BGP may be the way to go for us, since we have easy access to the technical resources necessary to set it up.

(in reply to tshinder)
Post #: 7
RE: multi-ISPs in the post rainwall/reconnect world - 20.Jul.2006 4:32:12 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ron,

BGP is the way to go if you have the resources and the cooperation of the ISPs. Otherwise, any of these devices with the DNS agents are a good second choice.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to lewinr)
Post #: 8
RE: multi-ISPs in the post rainwall/reconnect world - 20.Jul.2006 6:26:39 PM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline
I agree!  You wouldn't believe how many people start out wanting to do BGP until they realize what a pain it can be to work with your ISPs and that it's not something that you want implemented by someone who hasn't done BGP before!

Tony

(in reply to tshinder)
Post #: 9
RE: multi-ISPs in the post rainwall/reconnect world - 21.Jul.2006 7:33:26 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tony,

Exactly! That's why there are so many of the "workaround" solutions to help avoid the pain of working with the ISPs.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tonygauderman)
Post #: 10
RE: multi-ISPs in the post rainwall/reconnect world - 21.Jul.2006 9:17:09 PM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline
I have been the ISP, the integrator, and the client in these types of installations.  I don't understand why competition doesn't make the ISP more cooperative in scenarios like this, but it doesn't seem to faze them that the consumer has choice!  As the integrator, I always tried to shelter the client from the pain of having to deal with the ISPs any more than they had to.  Now, as the client in my current job, I haven't decided that our internet needs are sufficient enough to warrant the pain of dealing with multiple ISPs even though I have the experience myself to do the BGP config!

The other thing with multiple internet connections is that most likely, you are not going to get an ISP to do BGP on a SOHO type connection like DSL or cable.  So, to provide any redundancy in that environment, you are probably stuck with some sort of load balancing device and DNS.

only 40397 posts left to catch Tom

(in reply to tshinder)
Post #: 11
RE: multi-ISPs in the post rainwall/reconnect world - 22.Jul.2006 5:39:43 PM   
lewinr

 

Posts: 9
Joined: 25.Jun.2006
Status: offline
Well, I went for the DNS solution by buying one of the above solutions on eBay:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=290008037103

I decided that for the low price, it is worth it to try the DNS based failover first, and only if that doesn't work well enough for us, to go to BGP.

(in reply to tonygauderman)
Post #: 12
RE: multi-ISPs in the post rainwall/reconnect world - 22.Jul.2006 6:03:53 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ron,

Let us know how it works out for you.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to lewinr)
Post #: 13
RE: multi-ISPs in the post rainwall/reconnect world - 23.Jul.2006 4:32:04 AM   
H4ppyGilmore

 

Posts: 199
Joined: 8.Apr.2006
Status: offline
Ron,

quote:

Just a quick note on our environment:  we have two ISPs, each of which feeds us with a simple 100mbps ethernet cable. 


You said in your initial posting that you have a 100 Mbs ethernet cable from each of your ISPs.  Do those ISPs provide MPLS/VPLS based ethernet-carrier service or sometimes they call this "EFM" or Metro Net?

Thanks
  

(in reply to tshinder)
Post #: 14
RE: multi-ISPs in the post rainwall/reconnect world - 21.Aug.2006 1:23:48 PM   
satyr69

 

Posts: 9
Joined: 9.Jul.2004
From: London
Status: offline
Greetings,

I thought it was worth noting that on the inbound balancing, we were originally looking at a hardware solution, but we did some shopping around for external DNS balancing / failover solutions and found several suppliers including Akamai, UltraDNS and Savvis ITM that all fit the bill.  There are other companies around also I believe but it is important to differentiate plain vanilla DNS hosting providers and ones that provide proper DNS balancing and failover.

The down side is that it is usually some form of monthly cost, but the upside is that the set up is very easy and because it is internet based, it is not dependent on a hardware single point of failure.

With UltraDNS for example, you get a web based console where you can configure any of your domain names to go to 1 or more IP addresses in a balancing or failover solution.  UltraDNS's extended network of 'smart' DNS servers poll your servers / services and make a decision on what answer to give to any particular incoming DNS request based on the policy that you have configured.

One advantage of this approach is that it caters for multiple 'incoming' paths, even if they are not all attached to the same piece of hardware, i.e. links going to two different sites.

If anyone is considering this style of solution and needs any additional information, feel free to email me.


(in reply to H4ppyGilmore)
Post #: 15
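
Added example (not part of any post in this thread, and not any vendor's code): a small model of the DNS-based inbound failover discussed above, where a DNS service polls each ISP link and answers according to policy, together with a simulation of the earlier point about resolvers that hold records longer than the zone TTL. The class, function and parameter names and the documentation-range addresses are assumptions made for illustration.

```python
"""Added example: DNS-based inbound failover across two ISP links (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    address: str   # public IP that reaches the published service over this ISP
    priority: int  # lower value = preferred link under the failover policy


# Constructed sample links using documentation-range addresses (assumption).
LINKS = [Link("isp-a", "192.0.2.10", 1), Link("isp-b", "198.51.100.10", 2)]


class FailoverDNS:
    """Hypothetical authoritative DNS that polls links and answers by policy."""

    def __init__(self, links, ttl, poll_interval, fail_threshold):
        self.links, self.ttl = list(links), ttl
        self.poll_interval, self.fail_threshold = poll_interval, fail_threshold
        self.failures = {link.name: 0 for link in self.links}

    def poll(self, probe):
        """One polling round; probe(link) returns True when the link answers."""
        for link in self.links:
            self.failures[link.name] = 0 if probe(link) else self.failures[link.name] + 1

    def answer(self, policy="failover"):
        """Addresses to return for a query under the configured policy."""
        up = [l for l in self.links if self.failures[l.name] < self.fail_threshold]
        # If every link looks dead, keep answering rather than returning nothing.
        ranked = sorted(up or self.links, key=lambda l: l.priority)
        return [ranked[0].address] if policy == "failover" else [l.address for l in ranked]

    def worst_case_outage(self, resolver_min_ttl=0):
        """Upper bound in seconds: detection delay plus the longest cache lifetime."""
        return self.poll_interval * self.fail_threshold + max(self.ttl, resolver_min_ttl)


def simulate(dns, down_link, down_at, horizon, resolver_min_ttl=0):
    """Seconds a caching resolver keeps handing out the dead link's address.

    resolver_min_ttl models a resolver that holds records longer than the zone TTL.
    """
    dead = next(l.address for l in dns.links if l.name == down_link)
    cached, expires, stale = None, 0, 0
    for t in range(horizon):
        if t % dns.poll_interval == 0:
            dns.poll(lambda l: not (l.name == down_link and t >= down_at))
        if t >= expires:  # cache expired: resolver asks the authoritative server again
            cached = dns.answer()[0]
            expires = t + max(dns.ttl, resolver_min_ttl)
        if t >= down_at and cached == dead:
            stale += 1
    return stale


if __name__ == "__main__":
    for floor in (0, 3600):
        dns = FailoverDNS(LINKS, ttl=60, poll_interval=10, fail_threshold=3)
        secs = simulate(dns, "isp-a", down_at=65, horizon=4000, resolver_min_ttl=floor)
        print(f"resolver TTL floor {floor:>4}s: {secs}s pointed at the failed link")
```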
RE: multi-ISPs in the post rainwall/reconnect world - 21.Aug.2006 4:19:08 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Satyr,

Nice info!
Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to satyr69)
Post #: 16
RE: multi-ISPs in the post rainwall/reconnect world - 26.Aug.2006 7:41:32 PM   
lewinr

 

Posts: 9
Joined: 25.Jun.2006
Status: offline
Yes, that is useful info, thanks.

It answers half the problem, which is the inbound failover.
But it still leaves one question which is how to balance and/or failover outbound traffic (Gateways).
If someone finds a software solution to allow multiple gateways with ISA, then the whole question could be solved without any hardware.

(in reply to tshinder)
Post #: 17
RE: multi-ISPs in the post rainwall/reconnect world - 26.Aug.2006 7:43:32 PM   
lewinr

 

Posts: 9
Joined: 25.Jun.2006
Status: offline
quote:

ORIGINAL: H4ppyGilmore
You said in your initial posting that you have a 100 Mbs ethernet cable from each of your ISPs.  Do those ISPs provide MPLS/VPLS based ethernet-carrier service or sometimes they call this "EFM" or Metro Net?


as far as we know, no.

(in reply to H4ppyGilmore)
Post #: 18
RE: multi-ISPs in the post rainwall/reconnect world - 13.Sep.2006 4:50:30 PM   
s_naik1

 

Posts: 8
Joined: 5.Sep.2006
Status: offline
Any other software based solutions for load balancing multiple ISPs?

(in reply to lewinr)
Post #: 19
RE: multi-ISPs in the post rainwall/reconnect world - 14.Sep.2006 3:54:41 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi S,

None that I know of.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to s_naik1)
Post #: 20
