
Welcome to ISAserver.org


New Multiple Server Array Setup

New Multiple Server Array Setup - 27.Jan.2009 1:12:45 PM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
I am prepping for a migration from a 3 server array (1 CSS Server, 2 FW Array members) to a 5 server array (again 1 CSS and 4 FW Array members). This is going to be handling our 100Mbit internet connection that we are getting in the next few months. The setup requires it to be a 3-Leg perimeter design. These will do publishing of our internal resources (approximately 20 websites/applications) as well as serve our user community proxy services for internet connectivity and provide VPN services to a select subset of users. I want to make sure I do this install right and I have a few questions.

1. Intra-Array communications - what is the best setup for this? Currently I have a separate NIC in each server that is for dedicated Intra-Array communications. This is done by connecting each Intra-array NIC into a switch that has three ports in a separate VLAN; the NICs are addressed with a 192.168.0.1-192.168.0.3 scheme. There is a network created in ISA Management that specifies this network is intra array communications. Is this the best way to handle the intra-array communications or is there a better way?

2. Publishing to the External Network - We publish around 20 different sites and applications. Is NLB on the external interfaces the best way to achieve this when you have multiple listeners that listen on different ports for different services? (This is how we currently have it set up.)

Thanks for the advice.

Ryan
Post #: 1
RE: New Multiple Server Array Setup - 27.Jan.2009 5:37:25 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Ryan,

It sounds like you have it pretty much sorted!

One comment though...why only 1 CSS?

Your intra-array setup sounds fine. A lot of people try to avoid using the dedicated NIC approach for the intra-array as with Win2k3 SP1 you no longer strictly need it, but it is still the best security and performance option. Just make sure the network has the FW client disabled and the Web proxy enabled. Then configure each array member to use the correct intra-array IP address.

NLB is a good solution if done properly and should be fine. You could look at hardware load balancers, but they are generally quite expensive, and I've personally used NLB for a 30k user setup and been very happy with the results. Lots of people downplay NLB, but if you accept the way it works and make sure the network environment is set up accordingly, it does provide a good scalability solution.

You might find the following info useful:

http://blog.msfirewall.org.uk/2008/10/resource-guide-for-using-microsoft-nlb.html

Good luck with the upgrade!

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rmharp)
Post #: 2
RE: New Multiple Server Array Setup - 9.Feb.2009 2:42:02 PM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
quote:

ORIGINAL: Jason Jones

Hi Ryan,

It sounds like you have it pretty much sorted!

One comment though...why only 1 CSS?

Your intra-array setup sounds fine. A lot of people try to avoid using the dedicated NIC approach for the intra-array as with Win2k3 SP1 you no longer strictly need it, but it is still the best security and performance option. Just make sure the network has the FW client disabled and the Web proxy enabled. Then configure each array member to use the correct intra-array IP address.

NLB is a good solution if done properly and should be fine. You could look at hardware load balancers, but they are generally quite expensive, and I've personally used NLB for a 30k user setup and been very happy with the results. Lots of people downplay NLB, but if you accept the way it works and make sure the network environment is set up accordingly, it does provide a good scalability solution.

You might find the following info useful:

http://blog.msfirewall.org.uk/2008/10/resource-guide-for-using-microsoft-nlb.html

Good luck with the upgrade!

Cheers

JJ


I was just going to use one of the array members for the backup CSS but now I have a full complement of servers for the new install. I will have 4 array members and 2 CSS's all on matching hardware. I have a question about the dedicated NIC for intra-array communications. What is the thought about connecting the CSS's up to the Intra-Array VLAN along with a connection to our company network?

(in reply to Jason Jones)
Post #: 3
RE: New Multiple Server Array Setup - 9.Feb.2009 6:44:14 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Why would you connect the CSS to the Intra-Array VLAN?

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rmharp)
Post #: 4
RE: New Multiple Server Array Setup - 19.Feb.2009 1:52:50 PM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
I thought I read that it would improve communications between the CSS and the Array members?

(in reply to Jason Jones)
Post #: 5
RE: New Multiple Server Array Setup - 27.Feb.2009 11:54:38 AM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
Question...

If I plan on implementing Multicast NLB can I still use the intra-array setup I mentioned above?

Thanks,

Ryan

(in reply to Jason Jones)
Post #: 6
RE: New Multiple Server Array Setup - 27.Feb.2009 8:07:51 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yep...and still recommended for security/performance...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rmharp)
Post #: 7
RE: New Multiple Server Array Setup - 2.Mar.2009 8:50:17 AM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
After implementing Multicast w/IGMP for NLB, do I still need to configure my router with the multicast MAC/virtual IP if my router is not a Cisco device and does support multicast groups?

If so where do I find the multicast MAC address for the NLB cluster? I'm sure I have seen this somewhere but I cannot think of where to look for the life of me. Monday mornings kinda tough!

Thanks,

Ryan

(in reply to Jason Jones)
Post #: 8
RE: New Multiple Server Array Setup - 3.Mar.2009 2:12:51 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: rmharp

After implementing Multicast w/IGMP for NLB, do I still need to configure my router with the multicast MAC/virtual IP if my router is not a Cisco device and does support multicast groups?

If so where do I find the multicast MAC address for the NLB cluster? I'm sure I have seen this somewhere but I cannot think of where to look for the life of me. Monday mornings kinda tough!

Thanks,

Ryan


I'm not totally sure, as I have mainly used unicast or multicast without IGMP. Not because I wanted to, but because that is all that my customers have been able to provide.

I don't think that the cluster MAC address is exposed in the ISA GUI and you need to look in the NLB properties reachable in the network card bindings GUI.   

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rmharp)
Post #: 9
RE: New Multiple Server Array Setup - 23.Mar.2009 8:43:14 AM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
Jason,

I have a question about logging. In my setup described above, I have it set to MSDE logging. I guess I have grown accustomed to the historical log analysis inside of the ISA management console. Not knowing much about SQL and not really wanting to utilize another server for a SQL database for the logs, is there a third party tool or something that will allow me to analyze the file based logs if I go that route?

Thanks,

Ryan

(in reply to Jason Jones)
Post #: 10
RE: New Multiple Server Array Setup - 23.Mar.2009 9:06:25 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yes, quite a few, as it uses the W3C standard.

I have used this third party one: http://www.fwanalyzer.com/

In terms of free ones, you have lots of choice...

If you are looking for specific info, Log Parser is handy:

http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Some good info here on using Log Parser: http://www.securityfocus.com/infocus/1712

Cheers

JJ




_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rmharp)
Post #: 11
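
Added example, not part of the original thread or any poster's code: a minimal Python reader for file-based logs in W3C extended format, which takes its column names from the `#Fields:` directive and counts denied requests per client. The sample log, the field names (`c-ip`, `action`) and the tab/whitespace delimiter detection are constructed assumptions; use the names your own log declares.

```python
import io
from collections import Counter

# Constructed sample (tab-delimited). Field names and values are illustrative
# assumptions; a real log declares its own columns in "#Fields:".
SAMPLE_LOG = (
    "#Software: Example Firewall\n"
    "#Date: 2009-03-23 08:00:00\n"
    "#Fields: date\ttime\tc-ip\tr-host\tsc-status\taction\n"
    "2009-03-23\t08:00:01\t10.0.0.15\twww.example.com\t200\tAllowed\n"
    "2009-03-23\t08:00:03\t10.0.0.22\tbad.example.net\t403\tDenied\n"
    "2009-03-23\t08:00:04\t10.0.0.22\tbad.example.net\t403\tDenied\n"
    "2009-03-23\t08:00:07\t10.0.0.15\tfiles.example.org\t403\tDenied\n"
    "2009-03-23\t08:00:09\t10.0.0.30\n"  # truncated row, must be skipped
    "#Fields: date\ttime\tc-ip\tr-host\tsc-status\taction\n"  # header repeated
    "2009-03-23\t09:00:00\t10.0.0.30\tbad.example.net\t403\tDenied\n"
)

def parse_w3c(stream):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields, delim = None, None
    for raw in stream:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                spec = line[len("#Fields:"):].strip()
                # Tab-delimited if a tab is present, otherwise any whitespace.
                delim = "\t" if "\t" in spec else None
                fields = spec.split(delim)
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            continue  # rows before any #Fields line cannot be interpreted
        values = line.split(delim)
        if len(values) == len(fields):  # drop truncated or malformed rows
            yield dict(zip(fields, values))

def denied_by_client(records, ip_field="c-ip", action_field="action"):
    """Return [(client_ip, denied_count), ...], highest count first."""
    counts = Counter()
    for rec in records:
        if rec.get(action_field, "").lower() == "denied":
            counts[rec.get(ip_field, "-")] += 1
    return counts.most_common()

def summarize_sample():
    return denied_by_client(parse_w3c(io.StringIO(SAMPLE_LOG)))

if __name__ == "__main__":
    for ip, n in summarize_sample():
        print(f"{ip}\t{n}")
```
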
RE: New Multiple Server Array Setup - 30.Mar.2009 10:19:56 AM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
Thanks!

(in reply to Jason Jones)
Post #: 12
