• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

ISA 2004 EE HTTP/S Broadcasting

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> ISA 2004 EE HTTP/S Broadcasting Page: [1]
Login
Message << Older Topic   Newer Topic >>
ISA 2004 EE HTTP/S Broadcasting - 18.Jul.2008 1:43:31 PM   
grantrh

 

Posts: 12
Joined: 1.Feb.2005
Status: offline
Hi Everyone,

Having a really strange issue that I've had no luck in tracking down.  I have 2 ISA 2004 EE servers in a NLB configuration.  When I sit at my computer behind the 2 ISA firewalls and use wireshark to listen to the network traffic, I can see every HTTP and HTTPS request being sent to and from the ISA server's Internal nic.  It almost like there is a hub inbetween broadcasting all traffic, but they are connected to network switches and my computer is 3 switches away from the ISA servers yet I can see all the HTTP/S traffic from all computers destined for either of the 2 ISA servers.  Its creating a semi-flood on my internal network.  I do not see any other traffic except traffic destined to and from the ISA.

The clients are Webproxy and Firewall client if that helps shed any insight into this strange networking problem.  I'm not 100% sure it is an ISA problem but I can not pick up any other traffic except web traffic so again I'm confused as to what the problem may be.

Any help would be much appreciated.  Thank you!
Post #: 1
RE: ISA 2004 EE HTTP/S Broadcasting - 18.Jul.2008 7:01:28 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
That's how unicast NLB works...all hosts in the NLB cluster need to receive the packets and the NLB service then decides which server handles the request. Unicast NLB does something called sourceMAC masking to hide the real MAC of the ISA interfaces so that the switches do not learn just one particular NIC - by doing this, you force the switch to have to broadcast and this ensures that both NLB enabled interfaces will receive the traffic - the NLB algorithm then kicks in to do the clever bit. Switch flooding is a common issue with unicast NLB (the default mode with ISA) and this is probably what you are seeing...

You have a few options:
  • Put the ISA interface into a hub and then into your switch (very rubbish!)
  • Create a dedicated VLAN for the ISA NLB enabled interfaces (works well and my usual solution)
  • Change from unicast NLB to multicast NLB (although this will introduce different problems like needing manual ARP entries on layer 3 devices) and you need ISA hotfixes/SP1 as this was only a recently added option for ISA

http://technet2.microsoft.com/WindowsServer/en/Library/884c727d-6083-4265-ac1d-b5e66b68281a1033.mspx

Cheers

JJ

< Message edited by Jason Jones -- 18.Jul.2008 7:05:36 PM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to grantrh)
Post #: 2
RE: ISA 2004 EE HTTP/S Broadcasting - 21.Jul.2008 8:46:18 AM   
grantrh

 

Posts: 12
Joined: 1.Feb.2005
Status: offline
Hi JJ,

Thanks for the explanation and the link, I think you are right on with what I am seeing.  I noticed you mention SP1 as a needed fix to use multicast mode NLB, are you referring to ISA 2006?  Does 2004 support multicast NLB.  I would prefer to use IGMP Multicast and put turn on IGMP Multicast learning on the switch.  I understand this is a Win 2003 NLB feature, I'm just curious if anyone has done it with ISA 2004 installed.  I don't see why there would be a problem, but you never know.

(in reply to Jason Jones)
Post #: 3

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> ISA 2004 EE HTTP/S Broadcasting Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts