RE: Multiple External Interfaces Failover

RE: Multiple External Interfaces Failover - 17.Jun.2004 5:14:00 PM   
rberger007

 

Posts: 41
Joined: 16.Mar.2004
Status: offline
Couldn't you just use a product like Hawking FR24 which has dual WAN interfaces and connect it to the ISA box? (http://www.hawkingtech.com/prodSpec.php?ProdID=101) The FR24 has a failover mode which will reset to the primary WAN when it returns to service.

That way the clients don't have to change their settings, nor does the ISA box. (I think.)

code:
WAN1---\
        \
         -FR24--ISA2004--LAN
        /
       /
WAN2---

-Rob

[ June 17, 2004, 05:15 PM: Message edited by: rberger007 ]

(in reply to kristan_slack)
Post #: 21
RE: Multiple External Interfaces Failover - 23.Jun.2004 12:49:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

I think that would work fine for simple failover for outgoing connections. I don't think that device does bandwidth aggregation, bandwidth prioritization or load balancing for inbound and outbound connections like RainConnect, but for hot standby failover, it looks like it would do the trick.

Thanks!
Tom

(in reply to kristan_slack)
Post #: 22
RE: Multiple External Interfaces Failover - 6.Mar.2005 7:54:00 AM   
Custler

 

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline
Please check this topic again.

Maybe there are people here who can continue developing the above script.

This will solve part of the failover connection questions.

(in reply to kristan_slack)
Post #: 23
RE: Multiple External Interfaces Failover - 14.May.2005 8:10:00 AM   
Guest
Hi Guys,

I was using a Windows 2003 server with DHCP and DNS and RRAS to provide internet access to users. I have a backup ISP. Is there a way to add another NIC for the backup ISP and configure failover?

Thanks -- Naveen

(in reply to kristan_slack)
  Post #: 24
RE: Multiple External Interfaces Failover - 11.Dec.2006 12:43:04 PM   
CyberGuy

 

Posts: 13
Joined: 24.Oct.2005
Status: offline
I wrote a similar script over a year ago to do the same thing except I added basic load balancing by switching the default gateway approximately every second. It didn’t work 100% because about 5% of the packets were dropped; probably when the default gateway was being changed. I have talked to several Microsoft executives about adding load balancing to Windows, but they told me that they didn’t plan on implementing it because there was not enough of a customer demand and they wanted to allow 3rd parties to implement it. My argument was that load balancing is something that many people want, it’s easy to implement, and only one product, RainConnect, did this. From what I understand, RainConnect will be discontinued.
 
I have accumulated a large repository of source code for NDIS intermediate drivers including MIO, the Multiple Interface Optimizer, which is a load balancing and failover NDIS intermediate driver with user interface for Windows XP. While MIO works, it needs to be extended. All of the intermediate driver source code I have is written in C++, which I don’t know. I primarily program in Visual Basic. If there are several C++ programmers really interested in taking what I have and creating an open source project, possibly on SourceForge, then I would rather make this open source and get it working instead of spending a lot of my own time to make a for-profit product.

Basic round robin load balancing is pretty simple. It’s basically NAT, but changing the outgoing packet source MAC address to the other NIC’s MAC address, changing the source IP address to the other NIC’s IP address, and changing the destination MAC address to the MAC address of the other NIC’s default gateway. Incoming packets to the other NIC are matched to the NAT table and the MAC and IP addresses are changed and forwarded to the primary NIC.

Interfacing to ISA Server gets more complicated. Since all proxy and Firewall Client traffic is always NATed, the NDIS intermediate driver can’t tell what traffic belongs to which rule. I believe that the ability to load balance based on ISA rules is what people are eventually looking for. While there are several examples in the ISA Server SDK, it’s in C++.

(in reply to kristan_slack)
Post #: 25
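
The round-robin rewrite described in the post above, modelled as an added example (this is not MIO source and not code from the thread). The NIC names, addresses and MACs are constructed, and two choices are assumptions the post does not state: links rotate per connection rather than per packet, so a flow keeps one source IP, and inbound packets with no NAT table entry are dropped.

```python
from dataclasses import dataclass, replace
from itertools import cycle

@dataclass(frozen=True)
class Nic:
    name: str
    mac: str
    ip: str
    gw_mac: str  # MAC address of this NIC's default gateway

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class RoundRobinNat:
    def __init__(self, primary, others):
        self.primary = primary
        self.nics = {n.name: n for n in (primary, *others)}
        self._pick = cycle(self.nics.values())
        self.table = {}  # (local port, remote ip, remote port) -> NIC name

    def outbound(self, pkt):
        key = (pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            # Assumption: rotate once per new connection, not per packet.
            self.table[key] = next(self._pick).name
        nic = self.nics[self.table[key]]
        if nic == self.primary:
            return nic.name, pkt  # primary link needs no rewrite
        return nic.name, replace(pkt, src_mac=nic.mac, src_ip=nic.ip,
                                 dst_mac=nic.gw_mac)

    def inbound(self, nic_name, pkt):
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if self.table.get(key) != nic_name:
            return None  # assumption: no matching NAT entry, so drop
        if nic_name == self.primary.name:
            return pkt
        return replace(pkt, dst_mac=self.primary.mac, dst_ip=self.primary.ip)

# Constructed sample values (documentation address ranges, made-up MACs).
ISP1 = Nic("isp1", "02:00:00:00:00:01", "192.0.2.2", "02:00:00:00:00:fe")
ISP2 = Nic("isp2", "02:00:00:00:00:02", "198.51.100.2", "02:00:00:00:00:ff")

def demo():
    nat = RoundRobinNat(ISP1, [ISP2])
    ports = (40001, 40002, 40003)  # three new connections from the host
    pkts = [Packet(ISP1.mac, ISP1.gw_mac, ISP1.ip, p, "203.0.113.10", 443) for p in ports]
    return nat, [nat.outbound(p) for p in pkts]
```

The table lookup on the inbound side is what keeps a reply that arrives on the wrong link, or from a host that was never contacted, from being forwarded to the primary NIC.
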
RE: Multiple External Interfaces Failover - 12.Dec.2006 11:18:27 AM   
rkamuni

 

Posts: 1
Joined: 12.Dec.2006
Status: offline
Hai GUYS,

I cannot access the LAN by computer name in My Network Places.
Which policy should I change?

If anyone knows, please tell me.

(in reply to Guest)
Post #: 26
RE: Multiple External Interfaces Failover - 7.Aug.2007 6:52:31 PM   
robbosch

 

Posts: 43
Joined: 21.Sep.2004
From: Denver, CO
Status: offline
I took a stab at modifying this script to only make changes with the default route in the routing table rather than changing the NIC configuration. I'm not sure this is any more effective but I found it worked well for what I was trying to do. Thanks for the initial script for the baseline! I also created some variables at the top to manage loop time, IP addresses, and to determine if you want switchback to primary or not.

The script assumes you have two NIC cards connected to different ISPs. I use this on a backup box rather than just the primary since I don't like the DNS timeouts with the round robin approach. I'm looking at using a different way to update DNS which will resolve this problem. Anyway, for anyone who finds it useful.

'
' This script assumes you are using a multi-homed box with two NIC's for two different ISP's.  The
' script will check the availability of the PING_IP on the current ISP and then switch between them
' when one fails every XX seconds (managed by WaitVal).  If SwitchBack is 1 then it will switch back
' to ISP1 when it is available.  The script does NOT change NIC configuration values, only the
' routing table for the default route.
'
strDebug = 2 ' Set variables for output - 0 is no output, 1 is output for initialization, 2 is full output
SwitchBack = 0 ' If switchback=1 then switch back to ISP1 when available
RouteFlag=1 ' Set RouteFlag = 1, 1 is ISP1, 2 is ISP2
WaitVal = 5000 ' Number of milliseconds to wait between gateway checks
SwitchWait = 720 ' Number of loops before rechecking ISP1 if SwitchBack is one.  The check may disconnect all internet traffic
'
' Set up the two different ISP IP addresses and names
ISP1_IP = "xx.xx.xx.xx"
ISP1_GateWay = "xx.xx.xx.xx"
ISP2_IP = "xx.xx.xx.x"
ISP2_GateWay = "xx.xx.xx.xx"
PING_IP = "xx.xx.xx.xx"
'
' These adapter names must match the NIC exactly
ISP1_AdapterName = "Primary ISP"
ISP2_AdapterName = "Secondary ISP"
'
' Create necessary objects
Dim WshShell
Dim ISP1MAC
Dim ISP2MAC
Set WshShell = CreateObject("WScript.Shell")
'On Error Resume Next
strComputer = "." ' This computer
'
' Choose ISP1 adapter by Name
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objISP1Adapter = objWMIService._
ExecQuery("Select * from Win32_NetworkAdapter where NetConnectionID = '" _
& ISP1_AdapterName & "'") ',,48)
'
' Choose ISP2 adapter by Name
Set objISP2Adapter = objWMIService._
ExecQuery("Select * from Win32_NetworkAdapter where NetConnectionID = '" _
& ISP2_AdapterName & "'") ',,48)
'
' Store the MAC addresses of each interface
if strDebug <> 0 then Wscript.Echo "==================================================================="
For Each objItem in objISP1Adapter
if strDebug <> 0 then Wscript.Echo "Primary ISP MACAddress: " & objItem.MACAddress
ISP1MAC = objItem.MACAddress
ISP1InterfaceIndex = Hex(objItem.InterfaceIndex)
if strDebug <> 0 then Wscript.Echo "Primary ISP InterfaceIndex: " & ISP1InterfaceIndex
Next
For Each objItem in objISP2Adapter
if strDebug <> 0 then Wscript.Echo "Secondary ISP MACAddress: " & objItem.MACAddress
ISP2MAC = objItem.MACAddress
ISP2InterfaceIndex = Hex(objItem.InterfaceIndex)
if strDebug <> 0 then Wscript.Echo "Secondary ISP InterfaceIndex: " & ISP2InterfaceIndex
Next
if strDebug <> 0 then Wscript.Echo "==================================================================="
'
' Choose ISP1 adapter CONFIGURATION by MACAddress
Set CONFobjISP1Adapter = objWMIService._
ExecQuery("Select * from Win32_NetworkAdapterConfiguration where MACAddress = '" _
& ISP1MAC & "'") ',,48)
' Choose ISP2 adapter CONFIGURATION by MACAddress
Set CONFobjISP2Adapter = objWMIService._
ExecQuery("Select * from Win32_NetworkAdapterConfiguration where MACAddress = '" _
& ISP2MAC & "'") ',,48)
For Each objItem in CONFobjISP1Adapter
if strDebug <> 0 then Wscript.Echo "Primary ISP Description: " & objItem.Description
ISP1MAC = objItem.MACAddress
Next
For Each objItem in CONFobjISP2Adapter
if strDebug <> 0 then Wscript.Echo "Secondary ISP Description: " & objItem.Description
ISP2MAC = objItem.MACAddress
Next
if strDebug <> 0 then Wscript.Echo "==================================================================="
SwitchCount = 0
Do
'
' The loop checks the public IP PING_IP to see if it is reachable.  If so, then it is assumed the
' ISP is up.  If not, it is assumed the ISP is down.  Later a periodic check is done which
' will see if ISP1 is up and switch to it if it is up.
'
Set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}")._
 ExecQuery("select * from Win32_PingStatus where address = '" _
 & PING_IP & "'")
For Each ISPStatus in objPing
 If IsNull(ISPStatus.StatusCode) or ISPStatus.StatusCode<>0 Then
  if RouteFlag = 1 Then
   if strDebug = 2 Then WScript.Echo "Primary ISP Status PING Status Code: " & ISPStatus.StatusCode
   if strDebug = 2 Then WScript.Echo " " & Now() & " ####### Switching to Secondary ISP ##########"
   ' Change the routing table to use ISP2 gateway for default route
   WshShell.Run "route DELETE 0.0.0.0", 0, True ' 0 = hidden window, True = wait for route.exe to finish
   WshShell.Run "route ADD 0.0.0.0 MASK 0.0.0.0 " & ISP2_Gateway, 0, True
   RouteFlag = 2
   SwitchCount = 0
  ElseIf RouteFlag = 2 Then
   if strDebug = 2 Then WScript.Echo "Secondary ISP Status PING Status Code: " & ISPStatus.StatusCode
   if strDebug = 2 Then WScript.Echo " " & Now() & " ####### Switching to Primary ISP ##########"
   WshShell.Run "route DELETE 0.0.0.0", 0, True ' 0 = hidden window, True = wait for route.exe to finish
   WshShell.Run "route ADD 0.0.0.0 MASK 0.0.0.0 " & ISP1_Gateway, 0, True
   RouteFlag = 1
  End If
 End If
Next
' If switchback is set then increment the counter and see if we should test again
If SwitchBack = 1 And RouteFlag = 2 Then
 SwitchCount = SwitchCount + 1
 If SwitchCount = SwitchWait Then
  if strDebug = 2 Then WScript.Echo "Checking Primary ISP: " & ISPStatus.StatusCode
  if strDebug = 2 Then WScript.Echo " " & Now() & " ####### Switching to Primary ISP ##########"
  WshShell.Run "route DELETE 0.0.0.0", 0, True ' 0 = hidden window, True = wait for route.exe to finish
  WshShell.Run "route ADD 0.0.0.0 MASK 0.0.0.0 " & ISP1_Gateway, 0, True
  RouteFlag = 1
  Set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}")._
   ExecQuery("select * from Win32_PingStatus where address = '" _
   & PING_IP & "'")
  For Each ISPStatus in objPing
   If IsNull(ISPStatus.StatusCode) or ISPStatus.StatusCode<>0 Then
    if strDebug = 2 Then WScript.Echo "Primary ISP Status PING Status Code: " & ISPStatus.StatusCode
    if strDebug = 2 Then WScript.Echo " " & Now() & " ####### Switching back to Secondary ISP ##########"
    ' Change the routing table to use ISP2 gateway for default route
    WshShell.Run "route DELETE 0.0.0.0", 0, True ' 0 = hidden window, True = wait for route.exe to finish
    WshShell.Run "route ADD 0.0.0.0 MASK 0.0.0.0 " & ISP2_Gateway, 0, True
    RouteFlag = 2
    SwitchCount = 0
   Else
    if strDebug = 2 Then WScript.Echo "Primary ISP up, leaving active"
   End If
  Next
 End If
End If
WScript.Sleep WaitVal
Loop

(in reply to rkamuni)
Post #: 27
RE: Multiple External Interfaces Failover - 8.Aug.2007 2:51:41 PM   
robbosch

 

Posts: 43
Joined: 21.Sep.2004
From: Denver, CO
Status: offline
I found an error in the script in testing the switchback feature.  Replace line 110 with

if strDebug = 2 Then WScript.Echo "Checking Primary ISP Status"

which removes the ispstatus.statuscode reference.  This reference is undefined at that point because the ping has not occurred. 

Rob

(in reply to robbosch)
Post #: 28
RE: Multiple External Interfaces Failover - 25.Aug.2007 5:44:53 PM   
djinks

 

Posts: 1
Joined: 25.Aug.2007
Status: offline
I ran across this article that explains how to enable load balancing in Windows.

http://www.geekswhoknows.com/articles/load-balance-two-internet-connections.htm

How does the script's performance differ from enabling the feature in Windows?

(in reply to rberger007)
Post #: 29
RE: Multiple External Interfaces Failover - 25.Aug.2007 9:02:53 PM   
robbosch

 

Posts: 43
Joined: 21.Sep.2004
From: Denver, CO
Status: offline
Based on TechNet, the randomadapter registry entry only impacts NetBIOS queries over TCP/IP. I don't see how these settings could impact the routing of traffic across two different gateways, which is required to do load balancing on the public side. Windows typically only supports a single default route, which restricts you to a single internet connection unless you put something in front of the firewall supporting BGP or multihoming load balancing such as a Cisco router. Setting up two default routes on a Windows machine by defining them manually will result in lost traffic...even if the default routes are set to the same metric.

The scripts change the default routes from one to the other and in no way do load balancing. They are developed strictly for failover, not for load balancing. Since the removal of RainConnect from the marketplace I'm not sure how you can do load balancing with ISA 2004/2006. That is what the bulk of this particular thread discusses.

(in reply to djinks)
Post #: 30
RE: Multiple External Interfaces Failover - 12.Feb.2008 11:29:25 PM   
khan_raiderz

 

Posts: 4
Joined: 19.Apr.2007
Status: offline
Hi,

I have a scenario like this: I have two machines running ISA Server Enterprise 2006, with NLB configured for the internal network. I have 3 networks:

- Internal
- External
- Perimeter

but I also have 2 ISPs which provide different bandwidth.

The 1st ISA has 5 network cards, named by connection:

- To External ISP 1
- To External ISP 2
- To Internal Load Balancing
- To Heartbeat (ISA array communication)
- To DMZ / perimeter

The 2nd ISA has 5 network cards too and is basically the same as the 1st ISA.

I want to ask, can ISA Server be configured for this scenario,
meaning to do failover and also have network load balancing at the same time?

ISP1      Perimeter network
    \   \        |
      \   \      |
       \    ISA 1 -----------------\
        \ /      | Heartbeat                  >----- Internal Network Load balanced
        /  ISA 2 -----------------/
      /  /
    /   /
ISP 2




thx



(in reply to robbosch)
Post #: 31
RE: Multiple External Interfaces Failover - A different... - 13.Feb.2008 12:57:01 AM   
adamwerner

 

Posts: 1
Joined: 29.Jul.2007
Status: offline
I realize this is not exactly what Kristan was asking for but: Is it at all feasible to consider a low-cost Dual-Wan or Multi-Wan "hardware" stateful packet inspection device to perform the desired failover? I see it as a simpler and possibly faster alternative to a software solution.

Depending on the model you choose, you can also use these devices for bandwidth aggregation, but please keep expectations realistic... Some believe that they will double their upload speed or have some other "Wow" type of expectation. I have tested almost every multi-wan device on the US market I could find for my own network as well as for recommendations to my clients and I have had some very good results with many of them, including the better known ones and the lesser known ones [and less costly] such as Xincom, Hot Brick and Level One/CP. At under $300USD or even less for a Dual or even Quad wan device with built in non-managed switch, some of these devices are great bargains. Most of these devices support "Drop In/Transparent (Bridge)" mode so you do not need to do much in the way of replacing or reconfiguring your existing network infrastructure. Perhaps best of all, since you are connecting your broadband devices to the load balancer device and the load balancer device to your ISA server External interface, your multiple load-balanced wan connections are pretty much transparent to ISA. ISA 'sees' the multiple wan/broadband connections as a single external network behind the External NIC card in your ISA Server.

This was just a thought I wanted to throw out there. I have been working with ISA 2000/2004 and 2006 for several years now and I absolutely love the product. I have convinced more than a few hard-core pro "hardware only" firewall folks to implement ISA 2004/2006 as more than just a web proxy...

P.S.: My apologies if my email was not as clear as it could have been... I have been on overload re-engineering a large enterprise network with a huge Internal global network that is far from well documented or even secure. It's my own fault though; senior management finally listened to my pleas and proposals to implement a network perimeterized zoned DMZ model for most of their core mission-critical servers and since the overall network was somewhat of a mess before I began the project, I get to help clean it all up as well as support the ISA initiative. As they say, be careful what you wish for. Sorry, I'm off topic now. ...And I think, off to bed as well.

Best regards,
-Adam Werner
 

(in reply to kristan_slack)
Post #: 32
