Welcome to ISAserver.org

Advice : Dual ISA server ?

Advice : Dual ISA server ? - 14.Aug.2009 11:06:01 AM   
snowmunki

 

Posts: 10
Joined: 14.Aug.2009
Status: offline
Just wondering if anyone has two ISA servers for redundancy reasons. We currently have one and use it just as an Internet Proxy server.

Reading up on it and enterprise seems a lot better with CARP and single management console etc, however checking the price, standard is 400 whereas enterprise is 4000 !!!

Anyone run two standard ISA servers, assume it still works just not as good ?

Advice on where to start, we're going to virtualise the servers, so just the case of installing and copying the rules across ?

Thanks,
Post #: 1
RE: Advice : Dual ISA server ? - 14.Aug.2009 11:35:39 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
The redundancy comes from using an Array.  With the standard edition you have no Array.

Why get all worried about redundant ISAs?  I have run ISA for 8 years and it has never gone down,...ever, aside from some normal reboots & reconfigurations that I have done myself along the way.  If you backup the ISA config and store it you can load-up a new box, install ISA, and import the config in about an hour.  We have employees waste that much time a day on a smoke break.  If I had to reload ours I tell them go take a smoke break, go to the bathroom,..it will be running when you get back.

Another option is to buy a cheap home user Linksys box or similar. If the ISA goes down stick the linksys in there for a little bit until the ISA is fixed.  Have the Linksys pre-configured ahead of time so you can just swap it in, swap it out, it can sit on a shelf the rest of the time. You'd have to build the ISA with different IP#s then switch them after the Linksys is out of the way.

I know my answer isn't the industry expected exotic, esoteric, perfect redundancy, answer that everyone expects, but it fits the real world,...particularly for small/medium business that can't afford all the exotic "toy$".

_____________________________

Phillip Windell

(in reply to snowmunki)
Post #: 2
RE: Advice : Dual ISA server ? - 14.Aug.2009 12:13:01 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
I concur with Philip...hmm that's twice this week..something wrong somewhere!

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to pwindell)
Post #: 3
RE: Advice : Dual ISA server ? - 14.Aug.2009 12:33:01 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You're scaring me Steve.

_____________________________

Phillip Windell

(in reply to SteveMoffat)
Post #: 4
RE: Advice : Dual ISA server ? - 17.Aug.2009 4:49:46 AM   
snowmunki

 

Posts: 10
Joined: 14.Aug.2009
Status: offline
Hi,

We want to upgrade to ISA 2006 anyway and got the budget to get 2. At the moment if ISA goes down means we lose internet activity for over 200 users.

I work for accountants so literally every minute of downtime counts, but I understand where you're coming from.

Thanks,

(in reply to pwindell)
Post #: 5
RE: Advice : Dual ISA server ? - 17.Aug.2009 10:32:27 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
If you have the money for two then I guess go for it. 
I just spent the weekend in a test LAB to get an array to work correctly.  Yeah, I'm a former ISA MVP but have never setup an NLB Array,...just keep that quiet,..don't tell anyone. I will probably mess with it some more over the next few days but I did find some annoyances to pass on.

1. Add a dedicated Nic to each ISA for the two ISA's to communicate directly between each other.  Yes it is supposed to not be required now that it is capable of multi-cast NLB.  But just forget it,..don't fight it,...just add the nics, create the "new" network, and a "new" IP Segment for them,... and use them.

2. Install the CSS on a separate box, and not a DC.  Can you run it on one or both of the ISA's, yes,...can you run it on a DC?, yes,.....well don't anyway!!  You'll run into permissions/rights issues on the DC that you have to solve with local security policies or GPOs, or you'll have to make the Service Account a Domain Admin.  If you try it on the ISA(s) then you will have communication issues to deal with,...yes, that's right being on the same box together means it can have trouble communicating with itself on itself.  So just put it on a different machine that is not a DC and forget it.

3. I would have assumed that communication for all aspects of the array would already be compensated for by System Policies that should be automatically "created" during the NLB array setup.  Yea, well, nice fantasy,...but it didn't for me, so I created an "allow everything" rule between the "LocalHost" and the CSS box.  Then I created a second "allow everything" rule to run between LocalHost and the Inter-Array Network (that extra Nic I mentioned).   There is probably a better more elegant way,..but that is the best I could do so far.

_____________________________

Phillip Windell

(in reply to snowmunki)
Post #: 6
RE: Advice : Dual ISA server ? - 20.Aug.2009 5:10:13 AM   
snowmunki

 

Posts: 10
Joined: 14.Aug.2009
Status: offline
Hi,

Thanks very much for your reply. Assuming you're talking about ISA 2006 standard edition, as we don't really have the money for 2 * Enterprise Ed.

I'll install it on vmware later to have a play with it, but you suggest adding a 2nd nic so that they can communicate directly with each other ?

Thanks again,

(in reply to pwindell)
Post #: 7
RE: Advice : Dual ISA server ? - 20.Aug.2009 10:05:39 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
No, no, no.

Standard Edition = you're screwed

You said they approved the purchase of two ISA,...then they have to buy the Enterprise Edition.  There is no compromise there.  If they are only buying the Standard Edition,...then they bought the wrong product,..it is that simple.

If they "want what they want" that bad,...then they have to pay what it costs.   They cannot say "We want this really bad" and then say "We don't want to pay for it".


_____________________________

Phillip Windell

(in reply to snowmunki)
Post #: 8
RE: Advice : Dual ISA server ? - 20.Aug.2009 10:29:58 AM   
snowmunki

 

Posts: 10
Joined: 14.Aug.2009
Status: offline
Thanks again for your reply, and, well, being so blunt about it

Basically Enterprise edition is 4000 each. Standard is 400 each. My boss wants two ISA servers, but no way will he budge for 8000 !

Anyway, I thought, and correct me if I am wrong...

I can have two ISA servers standard edition, and either setup something using a PAC file or Group policy so that half the company points to one ISA server and the other half the other ISA server. Or use round robin / NLB to achieve this.

However I understand it would be two sets of log files, cache duplicated, making sure that the configs are exactly the same, etc etc. A PITA but hey....

... I've just got the job to set it up,

hope that helps clarify things a bit ?

(in reply to pwindell)
Post #: 9
RE: Advice : Dual ISA server ? - 20.Aug.2009 11:31:41 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

Thanks again for your reply, and well. being so blunt about it

Sorry...I just get so used to people wanting to do the things the "wrong" way and then just arguing with me about it for two days when I give them the right way to do it unless I am very emphatic about it.  It just becomes a habit after a while.

Can't help with PAC files,...never touched one or ever seen one.

GPO,...yes you can push proxy settings out with GPO and use different GPOs (hence different proxy settings) to different users.  But GPO is horrible if you have mobile machines because it cannot compensate for the machines when they move around or try to operate off of the LAN such as hotel rooms and such.   For example a user has their forced proxy settings get in the way of them getting to the Internet when in a hotel room.

There is no round-robin anything that I can think of.

A Windows-only NLB?,...I heard there was some hack-job way to use ISA with it,...but I think it is one of those "unsupported" configs that MS won't want to talk to you about if you ever have to call MS support for your ISAs.  Remember that you may have to call MS Support someday for the ISA and it would be nice if they were willing to talk to you 

Proxy autodetection is pretty much out.  There can only be one WPAD entry per subnet if using the DHCP method,....and only one WPAD config at all ever if using the DNS method. 

So you are looking at manual proxy config to divide up the Clients between the ISAs,..or half use automatic (WPAD) settings and half use manual. 

The GPO method is still considered "manual",...it is just that the GPO is automatically inserting the "manual" config for you (think about that one for a minute ).


_____________________________

Phillip Windell

(in reply to snowmunki)
Post #: 10
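
The PAC-file split raised in post #9, written out as an added example (not code from any poster in this thread): one PAC file sends even-numbered client addresses to one ISA box and odd-numbered ones to the other, lists the other box as fallback, and returns DIRECT off the office LAN, which is the roaming-laptop case from post #10. The host names, port 8080, the 10.1.0.0/16 office range and the `.example.local` suffix are assumptions.

```javascript
// Added example PAC file: split clients across two Standard Edition ISA boxes.
// All names and addresses below are assumed values, not taken from the thread.
var ISA_A = "PROXY isa1.example.local:8080";
var ISA_B = "PROXY isa2.example.local:8080";
var OFFICE_PREFIX = "10.1.";            // constructed office range 10.1.0.0/16
var INTERNAL_SUFFIX = ".example.local"; // constructed internal DNS suffix

// Pure helper: pick the proxy chain for one client IPv4 address.
function proxyChainFor(clientIp) {
  // Off the office LAN (hotel, home): do not force an unreachable proxy.
  if (clientIp.indexOf(OFFICE_PREFIX) !== 0) {
    return "DIRECT";
  }
  var lastOctet = parseInt(clientIp.split(".")[3], 10);
  if (isNaN(lastOctet)) {
    return ISA_A + "; " + ISA_B;        // unparseable address: default order
  }
  // Even last octet prefers ISA A, odd prefers ISA B. The second entry is
  // only tried by the browser when the first proxy does not answer.
  return lastOctet % 2 === 0
    ? ISA_A + "; " + ISA_B
    : ISA_B + "; " + ISA_A;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names and the internal suffix never go through the proxy.
  var isInternal = host.indexOf(".") === -1 ||
    host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
  if (isInternal) {
    return "DIRECT";
  }
  // myIpAddress() is supplied by the browser's PAC runtime; on multi-homed
  // machines it may return an address other than the LAN one.
  return proxyChainFor(myIpAddress());
}
```

Returning DIRECT off-LAN also means that traffic is no longer filtered or logged by either ISA server, and a hotel network that happens to use the same 10.1.x.x range would still be pointed at the proxies.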
