kas -> issue with ISA 2006 EE CSS servers and NLB (10.Jun.2008 10:19:22 PM)
Although we are not new to ISA, we are new to ISA 2006 EE. We are installing ISA 2006 EE as a new install, with primary and alternate CSS servers, and one ISA array (so far), with two ISA servers in this first ISA array. We have configured IntraArray communications between the array members to use a non-NLB network segment separate from the internal network segment. IntraArray communications are working successfully.

Prior to our having enabled ISA integrated network load balancing on the Internal adapters of the ISA array, the CSS servers showed both array members as active in the ISA administrator console. ISA logs show the entries listed at the end of this post after the statement ***** before nlb isa log ******* for this successful connection.

After ISA Integrated Network Load Balancing is enabled on the Internal network adapters of the ISA array, only one of the array servers shows active in the ISA administrator tool on the CSS servers. The other shows the error message "unable to retrieve data from 'servername'". ISA logs show the entries listed at the end of this post after the statement **** after nlb isa log **** for this unsuccessful connection.

HOWEVER:
1. ISA configuration changes made on the CSS server are still replicated to both array members.
2. All functions of both members of the ISA array that have been tested to date are still working successfully, including network load balancing.
3. In the ISA administrator tool of the array members themselves, both array members show active.
And perhaps the most interesting symptom of all:
4. The problem of one of the array member servers not showing active in the ISA administrator tool of the CSS server will flip from one array member to the other depending on the order in which ISA firewall services are started on the array members.

Note that based on the error in the ISA logs, an ISA network route rule was added between the internal and intra-array network segments in an attempt to work around this error. This resulted in the application event log error 21215 from the Microsoft Firewall service (short description: route rules cannot be added for networks where one is network-load-balanced and the other is not). This network route rule has since been revoked.

A high-level description of these ISA servers, followed by a detailed description of the network topology/IP addressing, is listed at the end of this post after the statement ***** isa server description *******. The external IP addresses are obfuscated; all other IP addressing info is accurate.

Microsoft support has so far been unable to provide any assistance in resolving this issue. Thank you in advance to anyone who responds to this post with any suggestions/recommendations.

*** before nlb isa log ***

Log columns: Original Client IP, Client Agent, Authenticated Client, Service, Referring Server, Destination Host Name, Transport, HTTP Method, MIME Type, Object Source, Source Proxy, Destination Proxy, Bidirectional, Client Host Name, Filter Information, Network Interface, Raw IP Header, Raw Payload, GMT Log Time, Source Port, Processing Time, Bytes Sent, Bytes Received, Cache Information, Error Information, Authentication Server, Log Time, Client IP, Destination IP, Destination Port, Protocol, Action, Rule, Result Code, HTTP Status Code, Client Username, Source Network, Destination Network, URL, Server Name, Log Record Type (columns whose value is "-" are omitted from the entries below).

Entry 1 (logged on ISA02):
  Original Client IP: 10.100.10.213
  Transport: TCP
  GMT Log Time: 6/10/2008 8:53:39 PM
  Source Port: 1610
  Processing Time / Bytes Sent / Bytes Received: 0 / 0 / 0
  Cache Information / Error Information: 0x0 / 0x0
  Log Time: 6/10/2008 1:53:39 PM
  Client IP: 10.100.10.213
  Destination IP: 172.31.10.2
  Destination Port: 3847
  Protocol: MS Firewall Control
  Action: Initiated Connection
  Rule: [System] Allow remote management from selected computers using MMC
  Result Code: 0x0 ERROR_SUCCESS
  Source Network: Internal
  Destination Network: Local Host
  Server Name: ISA02
  Log Record Type: Firewall

Entry 2 (logged on ISA01):
  Original Client IP: 10.100.10.213
  Transport: TCP
  GMT Log Time: 6/10/2008 8:53:41 PM
  Source Port: 1626
  Processing Time / Bytes Sent / Bytes Received: 0 / 0 / 0
  Cache Information / Error Information: 0x0 / 0x0
  Log Time: 6/10/2008 1:53:41 PM
  Client IP: 10.100.10.213
  Destination IP: 172.31.10.1
  Destination Port: 3847
  Protocol: MS Firewall Control
  Action: Initiated Connection
  Rule: [System] Allow remote management from selected computers using MMC
  Result Code: 0x0 ERROR_SUCCESS
  Source Network: Internal
  Destination Network: Local Host
  Server Name: ISA01
  Log Record Type: Firewall

**** after nlb isa logs ****

(Same log columns as above; columns whose value is "-" are omitted.)

Entry 1 (logged on ISA01):
  Original Client IP: 10.100.10.213
  Transport: TCP
  GMT Log Time: 6/9/2008 7:10:03 PM
  Source Port: 1941
  Processing Time / Bytes Sent / Bytes Received: 0 / 0 / 0
  Cache Information / Error Information: 0x0 / 0x0
  Log Time: 6/9/2008 12:10:03 PM
  Client IP: 10.100.10.213
  Destination IP: 172.31.10.1
  Destination Port: 3847
  Protocol: MS Firewall Control
  Action: Initiated Connection
  Rule: [System] Allow remote management from selected computers using MMC
  Result Code: 0x0 ERROR_SUCCESS
  Source Network: Internal
  Destination Network: Local Host
  Server Name: ISA01
  Log Record Type: Firewall

Entry 2 (logged on ISA01):
  Original Client IP: 10.100.10.213
  Transport: TCP
  GMT Log Time: 6/9/2008 7:09:57 PM
  Source Port: 1936
  Processing Time / Bytes Sent / Bytes Received: 0 / 0 / 0
  Cache Information / Error Information: 0x0 / 0x0
  Log Time: 6/9/2008 12:09:57 PM
  Client IP: 10.100.10.213
  Destination IP: 172.31.10.2
  Destination Port: 3847
  Protocol: MS Firewall Control
  Action: Denied Connection
  Rule: -
  Result Code: 0xc0040012 FWX_E_NETWORK_RULES_DENIED
  Source Network: Internal
  Destination Network: IntraArray
  Server Name: ISA01
  Log Record Type: Firewall

****** isa server description ****

1. All servers are W2k3 R2 Standard SP2 with current security patches plus patch 948496.
2. All servers have ISA 2k6 EE with patch 939455.
3. All servers have Receive Side Scaling disabled on the NICs.
4. All servers are domain members.
5. Two servers are installed as ISA Configuration Storage Servers on the Internal network segment.
6. Two servers are installed as ISA Array member servers.
7. ISA IntraArray communication between the array member servers is configured to use a separate non-NLB network segment rather than the internal network segment, per Microsoft best practice recommendations.
8. Internal DNS entries added for both intra-array adapters and the internal NLB address of the ISA array (as well as, of course, the dynamically-added DNS entries of the internal adapters).
9. DNS entries for the intra-array adapters registered to Active Directory.

A. ISA Array members "ISA01", "ISA02" in array "ISA"

  1. Internal Network segment (defined to ISA by default as Internal Network): 10.100.10.0/24
     ISA01 - 10.100.10.239
     ISA02 - 10.100.10.240
     ISA NLB - 10.100.10.241
     Manual static route to internal network via internal network router; internal DNS servers.

  2. IntraArray Network segment (defined to ISA as Internal Network, with firewall client disabled and web proxy client enabled): 172.31.10.0/30
     ISA01 - 172.31.10.1
     ISA02 - 172.31.10.2
     ISA IntraArray communication configured to use these adapters on this non-NLB network segment instead of the default NLB Internal network segment.

  3. "Authenticated" DMZ Network segment (defined to ISA as Perimeter Network): 172.31.11.0/26
     ISA01 - 172.31.11.60
     ISA02 - 172.31.11.61
     ISA NLB - 172.31.11.62

  4. "Anonymous" DMZ Network segment (defined to ISA as Perimeter Network): 172.31.12.0/26
     ISA01 - 172.31.12.60
     ISA02 - 172.31.12.61
     ISA NLB - 172.31.12.62

  5. External Network segment (defined to ISA by default as External Network): xxx.xxx.xxx.xxx/28
     ISA01 - xxx.xxx.xxx.1
     ISA02 - xxx.xxx.xxx.2
     ISA NLB - xxx.xxx.xxx.3
     Default gateway = internet router.

  6. Non-default Network rules added:
     (a) Route rule: "Authenticated" DMZ -> Internal
     (b) NAT rule: Internal -> "Anonymous" DMZ

  7. Default "Internet Access" Network rule modified:
     (a) "Authenticated" DMZ and "Anonymous" DMZ added as source networks

B. Configuration Storage Servers on internal network segment
   Primary ISA Configuration Storage Server - "ISACSS1" - 10.100.10.213
   Alternate ISA Configuration Storage Server - "ISACSS2" - 10.100.10.212
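The denied entry in the post is the kind of record worth pulling out of a full log export mechanically rather than by eye: the interesting detail is not just the FWX_E_NETWORK_RULES_DENIED result, but that the management connection to 172.31.10.2 was logged by ISA01 and classified as Internal -> IntraArray transit traffic, whereas the successful connections are classified as going to Local Host on the member that owns the address. The following Python is an added example, not code from the original post or from ISA Server. It assumes a tab-separated export whose first line carries the column names exactly as pasted in the post, and the sample rows are constructed from the values the post quotes, not taken from a real export. It parses the export by header name, lists denied MS Firewall Control (TCP 3847) connections with the network pair ISA assigned to them, and tallies which logging server saw which action for each array member address.

```python
"""Triage an ISA Server 2006 firewall-log export for failed remote-management
(MS Firewall Control, TCP 3847) connections from a CSS/management station.

Added example, not code from the original post or from ISA Server. Assumes a
tab-separated export whose first line is the column-name header shown in the
post; the sample rows below are constructed from the values the post quotes.
"""
import csv
import io
from collections import defaultdict

# Column order exactly as pasted in the post's log header.
FIELDS = [
    "Original Client IP", "Client Agent", "Authenticated Client", "Service",
    "Referring Server", "Destination Host Name", "Transport", "HTTP Method",
    "MIME Type", "Object Source", "Source Proxy", "Destination Proxy",
    "Bidirectional", "Client Host Name", "Filter Information",
    "Network Interface", "Raw IP Header", "Raw Payload", "GMT Log Time",
    "Source Port", "Processing Time", "Bytes Sent", "Bytes Received",
    "Cache Information", "Error Information", "Authentication Server",
    "Log Time", "Client IP", "Destination IP", "Destination Port", "Protocol",
    "Action", "Rule", "Result Code", "HTTP Status Code", "Client Username",
    "Source Network", "Destination Network", "URL", "Server Name",
    "Log Record Type",
]

MGMT_RULE = "[System] Allow remote management from selected computers using MMC"


def _row(**values):
    """Build one tab-separated row; columns not given are logged as '-'."""
    return "\t".join(values.get(name, "-") for name in FIELDS)


def _mgmt(server, dest, log_time, action, result, dst_net, rule=MGMT_RULE):
    """Constructed MS Firewall Control record from the CSS (10.100.10.213)."""
    return _row(**{
        "Original Client IP": "10.100.10.213", "Transport": "TCP",
        "Log Time": log_time, "Client IP": "10.100.10.213",
        "Destination IP": dest, "Destination Port": "3847",
        "Protocol": "MS Firewall Control", "Action": action, "Rule": rule,
        "Result Code": result, "Source Network": "Internal",
        "Destination Network": dst_net, "Server Name": server,
        "Log Record Type": "Firewall",
    })


# Constructed sample export: the two entries from before NLB was enabled and
# the two from after, using the values quoted in the post.
SAMPLE_LOG = "\n".join([
    "\t".join(FIELDS),
    _mgmt("ISA02", "172.31.10.2", "6/10/2008 1:53:39 PM",
          "Initiated Connection", "0x0 ERROR_SUCCESS", "Local Host"),
    _mgmt("ISA01", "172.31.10.1", "6/10/2008 1:53:41 PM",
          "Initiated Connection", "0x0 ERROR_SUCCESS", "Local Host"),
    _mgmt("ISA01", "172.31.10.1", "6/9/2008 12:10:03 PM",
          "Initiated Connection", "0x0 ERROR_SUCCESS", "Local Host"),
    _mgmt("ISA01", "172.31.10.2", "6/9/2008 12:09:57 PM",
          "Denied Connection", "0xc0040012 FWX_E_NETWORK_RULES_DENIED",
          "IntraArray", rule="-"),
])


def parse_export(text):
    """Parse the export into dicts keyed by column name. Header-driven, so an
    export with a different column order still parses correctly."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def management_failures(records):
    """Denied MS Firewall Control connections as tuples of
    (logging server, client IP, destination IP, result code, 'src -> dst net')."""
    hits = []
    for r in records:
        if r["Protocol"] == "MS Firewall Control" and r["Action"] == "Denied Connection":
            hits.append((r["Server Name"], r["Client IP"], r["Destination IP"],
                         r["Result Code"],
                         f'{r["Source Network"]} -> {r["Destination Network"]}'))
    return hits


def actions_by_member(records):
    """Map (logging server, destination IP) -> set of actions seen on TCP 3847.
    A member address that is only ever logged as 'Denied Connection', or that is
    logged by a server other than the member owning the address, stands out."""
    seen = defaultdict(set)
    for r in records:
        if r["Destination Port"] == "3847" and r["Transport"] == "TCP":
            seen[(r["Server Name"], r["Destination IP"])].add(r["Action"])
    return dict(seen)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_LOG)
    for hit in management_failures(recs):
        print("DENIED on %s: %s -> %s  %s  (%s)" % hit)
    for key, actions in sorted(actions_by_member(recs).items()):
        print(key, sorted(actions))
```

Run against a real export, the (logging server, destination IP) tally is the quick way to see the "flipping" symptom the post describes: after a service restart, check whether the denied 3847 entries move to the other member's intra-array address and which node is logging them.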