Welcome to ISAserver.org

Multiple External Interfaces Failover

Multiple External Interfaces Failover - 22.Apr.2004 10:11:00 AM   
kristan_slack

 

Posts: 3
Joined: 22.Apr.2004
From: Ooty, South India
Status: offline
I manage a small network in a school in the south of India and we have a bunch of unreliable internet options. DSL has just become available, and we currently use ISDN also - both via network interfaces.

I'm looking at using ISA2004 but need to know if I can set up both internet interfaces and have ISA failover from DSL to ISDN when DSL fails?

(I don't need both at once though, although in the future we may end up having two DSL connections and would like to use both - what do we do then?)

So, two questions I guess:

1. With ISA2004 can I set up two external network interfaces with one as the primary and one as the interface to use when the primary fails?

2. In future, is it possible (just using ISA2004 and not rainconnect or any additional software) to make use of two external interfaces connected to DSL lines?
Post #: 1
RE: Multiple External Interfaces Failover - 22.Apr.2004 3:13:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kristan,

I've heard that this can be scripted, but I have never seen such a script.

You might try putting a box in front of the ISA firewall that has the Sygate Office network in front of it http://smb.sygate.com/products/son/son_ov.htm since it looks like it will pool bandwidth. I'll test this solution in the near future.

thanks!
Tom

(in reply to kristan_slack)
Post #: 2
RE: Multiple External Interfaces Failover - 23.Apr.2004 10:35:00 AM   
paulbaldwin

 

Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline
Hi Kristan,

I have done this with Windows 2000 RRAS, but not with ISA installed. The setup relies on Windows 'dead-gateway detection', so if the DSL connection is on a router (gateway IP is the router, not the ISP) I don't see it working.

code:
               LAN1----DSL-----\
              /                 \(x.x.x.x)
LAN---ISA/RRAS                   ISP---INTERNET
              \                 /
               LAN2---ISDNROUTER
                     (10.0.0.1)

RRAS Static Routes:
destination  netmask  gateway   interface  metric
0.0.0.0      0.0.0.0  x.x.x.x   LAN1       2
0.0.0.0      0.0.0.0  10.0.0.1  LAN2       5

I remember it was important to create both static routes: don't use the 'default gateway' configured in TCP/IP (something about the priority given to the different route sources - static, local, static(non demand dial), etc., that sort of thing). My 'LAN2' was actually a demand-dial interface on the RRAS server.

I am sure equalising the metrics won't result in load-balancing.

If no-one corrects me with issues doing this with ISA, then it might be worth trying.

Paul

(in reply to kristan_slack)
Post #: 3
RE: Multiple External Interfaces Failover - 23.Apr.2004 11:06:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

I've used dead gateway protection in non-ISA setups, but not in an ISA environment. One thing to keep in mind is that while it will do autofailover, it won't fail back when the line comes back up.

Thanks!
Tom

(in reply to kristan_slack)
Post #: 4
RE: Multiple External Interfaces Failover - 23.Apr.2004 5:00:00 PM   
kristan_slack

 

Posts: 3
Joined: 22.Apr.2004
From: Ooty, South India
Status: offline
This is all very well but hasn't truly answered my question.

I'll rewrite it for clarity.

Without 3rd party software, and using ISA2004, is it possible to allow the system to switch from the network card connected to our ISDN modem over to the network card connected to our DSL modem when the ISDN modem fails? And from that could it possibly use dial-up as the third failover option?

Is this possible and how is it possible?

If not, is there a low cost solution I can employ? We are a mission school, albeit an international one, but we don't have loads of cash.

(in reply to kristan_slack)
Post #: 5
RE: Multiple External Interfaces Failover - 23.Apr.2004 6:18:00 PM   
paulbaldwin

 

Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline
Hi Kristan,

But the RRAS technique is a fail-over solution without third-party software. Although perhaps not perfect! Maybe I didn't describe it well?

But neither Tom nor I have tried it together with ISA (be it 2000 or 2004). It shouldn't make a difference but we're waiting for:

  1. Someone to say it will definitely work.
  2. Someone to come up with something better.
  3. You to try it, find out, and tell us!

If there was an easy built-in method that avoided all that tricky routing business, I think I'd know about it (and Tom certainly would!).

The question 2 issue (load-balancing) is one that appears a lot: Tom will be trying one possible solution. All other suggestions I've seen to this question involved third party products.

(in reply to kristan_slack)
Post #: 6
RE: Multiple External Interfaces Failover - 26.Apr.2004 11:39:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

It's certainly possible. If you're a C++ programmer, you could write a program like RainConnect, Rainfinity did [Smile]

But, there is no simple script based method to provide autofailover and autofailback that I'm aware of. If someone finds one, then they'll be the ISA Server hero of the month [Wink]

Thanks!
Tom

(in reply to kristan_slack)
Post #: 7
RE: Multiple External Interfaces Failover - 26.Apr.2004 12:08:00 PM   
Custler

 

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline
I am ready to send you, or post here (but it is 125 lines), the VB script which I am using now.
But it's necessary to comment:
1. This script was written according to the specifics of our main internet provider:
Tracing route to www.com [63.215.91.200]
over a maximum of 30 hops:

1 192.168.111.1 Isa server with external address 81.211.35.62
2 81.211.35.57
3 10.0.3.17 - this box has 81.211.35.65 also
4 10.0.2.13
5 10.0.2.5
6 x.x.x.x External addr of main provider - doesn't matter for me

2. First our external address 81.211.35.62 - Kovda
Second External address 81.95.36.11 Ultra

3. This script is a rough draft. Please don't flay me.

(in reply to kristan_slack)
Post #: 8
RE: Multiple External Interfaces Failover - 26.Apr.2004 12:10:00 PM   
Custler

 

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline
code:

KovdaBoxEXT = "81.211.35.65" ' what we ping
KovdaBoxINT = "10.0.2.5"
KovdaIP = "81.211.35.62"
KovdaGateWay = "81.211.35.57" '
UltraIP = "81.95.36.11"
UltraGateWay = UltraIP
UltraName = "Ultra.NET"
KovdaName = "WAN"
strCuptionRoute = "0.0.0.0"
Dim KovdaMAC
Dim UltraMAC
arrKovdaGateways = Array(KovdaGateWay)
arrKovdaMetrics2 = Array(2)
arrKovdaMetrics48 = Array(48)
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
RouteFlag=0 ' 0 = not yet set, 1 = routed via Kovda, 2 = routed via Ultra
On Error Resume Next
strComputer = "." ' This computer
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Choose KOVDA adapter by Name
Set objKovdaAdapter = objWMIService._
    ExecQuery("Select * from Win32_NetworkAdapter where NetConnectionID = '" _
    & KovdaName & "'") ',,48)
' Choose ULTRA adapter by Name
Set objUltraAdapter = objWMIService._
    ExecQuery("Select * from Win32_NetworkAdapter where NetConnectionID = '" _
    & UltraName & "'") ',,48)

Wscript.Echo "==================================================================="
For Each objItem in objKovdaAdapter
    Wscript.Echo "Kovda MACAddress: " & objItem.MACAddress
    KovdaMAC = objItem.MACAddress
Next
For Each objItem in objUltraAdapter
    Wscript.Echo "Ultra MACAddress: " & objItem.MACAddress
    UltraMAC = objItem.MACAddress
    UltraInterfaceIndex = Hex(objItem.InterfaceIndex)
    Wscript.Echo "Ultra InterfaceIndex: " & UltraInterfaceIndex
Next
Wscript.Echo "==================================================================="
' Choose KOVDA adapter CONFIGURATION by MACAddress
Set CONFobjKovdaAdapter = objWMIService._
    ExecQuery("Select * from Win32_NetworkAdapterConfiguration where MACAddress = '" _
    & KovdaMAC & "'") ',,48)
' Choose ULTRA adapter CONFIGURATION by MACAddress
Set CONFobjUltraAdapter = objWMIService._
    ExecQuery("Select * from Win32_NetworkAdapterConfiguration where MACAddress = '" _
    & UltraMAC & "'") ',,48)
For Each objItem in CONFobjKovdaAdapter
    Wscript.Echo "Kovda Description: " & objItem.Description
    KovdaMAC = objItem.MACAddress
Next
For Each objItem in CONFobjUltraAdapter
    Wscript.Echo "Ultra Description: " & objItem.Description
    UltraMAC = objItem.MACAddress
Next
Wscript.Echo "==================================================================="
Do
    '################## 0 = 0 Then '
    ' Ping - Kovda alive? - 10.0.2.5
    Set objPingINT = GetObject("winmgmts:{impersonationLevel=impersonate}")._
        ExecQuery("select * from Win32_PingStatus where address = '" _
        & KovdaBoxINT & "'")
    For Each KovdaStatusInternal in objPingINT
        If IsNull(KovdaStatusInternal.StatusCode) or KovdaStatusInternal.StatusCode<>0 Then ' Kovda is dead - 10.0.2.5
            WScript.Echo "KovdaStatusInternal " & KovdaBoxINT & " PING Status Code: " & KovdaStatusInternal.StatusCode
            ' Fail over: raise the Kovda metric to 48 and drop the Ultra metric to 2
            If RouteFlag = 1 Then
                WScript.Echo " " & Now() & " ####### We goes through ULTRA ##########"
                For Each objItem in CONFobjKovdaAdapter
                    ReturnCode = objItem.SetGateways(arrKovdaGateways, arrKovdaMetrics48)
                    ReturnCode = objItem.SetIPConnectionMetric(arrKovdaMetrics48(0))
                Next
                ' route CHANGE 0.0.0.0 MASK 0.0.0.0 172.16.2.52 METRIC 48 IF 0x60006")
                Set oExec = WshShell.Exec("route CHANGE 0.0.0.0 MASK 0.0.0.0 " & _
                    UltraGateWay & " METRIC " & arrKovdaMetrics2(0) & " IF 0x" & UltraInterfaceIndex)
                Do While oExec.Status = 0
                    WScript.Sleep 100
                Loop
                RouteFlag=2
            End If
            ' Fail back: ping the public address inside the Kovda trace
            Set objPingEXT = GetObject("winmgmts:{impersonationLevel=impersonate}")._
                ExecQuery("select StatusCode from Win32_PingStatus where address = '"_
                & KovdaBoxEXT & "'")
            For Each KovdaStatusExternal in objPingEXT
                WScript.Echo "KovdaStatusExternal " & KovdaBoxEXT & " PING Status Code: " & KovdaStatusExternal.StatusCode
                If (Not IsNull(KovdaStatusExternal.StatusCode) and KovdaStatusExternal.StatusCode=0 and RouteFlag=2) or RouteFlag=0 Then ' Kovda 65 pings successfully
                    ' route CHANGE 0.0.0.0 MASK 0.0.0.0 81.211.35.57 METRIC 2 IF 2")
                    For Each objItem in CONFobjKovdaAdapter
                        ReturnCode = objItem.SetGateways(arrKovdaGateways, arrKovdaMetrics2)
                        WScript.Echo " " & Now() & " We goes to KOVDA! -- "
                        ReturnCode = objItem.SetIPConnectionMetric(arrKovdaMetrics2(0))
                    Next
                    ' route CHANGE 0.0.0.0 MASK 0.0.0.0 172.16.2.52 METRIC 48 IF 0x60006")
                    Set oExec = WshShell.Exec("route CHANGE 0.0.0.0 MASK 0.0.0.0 " & _
                        UltraGateWay & " METRIC " & arrKovdaMetrics48(0) & " IF 0x" & UltraInterfaceIndex)
                    Do While oExec.Status = 0
                        WScript.Sleep 100
                    Loop
                    RouteFlag = 1
                End If
            Next
            '++++++++++++ Print Route +++++
            Set objKovdaRoute = objWMIService._
                ExecQuery("Select * from Win32_IP4RouteTable where Caption = '" _
                & strCuptionRoute _
                & "' and NextHop = '" & KovdaGateWay & "'") ',,48)
            ' Default Route string to UltraNET
            Set objUltraRoute = objWMIService._
                ExecQuery("Select * from Win32_IP4RouteTable where Caption = '" _
                & strCuptionRoute _
                & "' and NextHop = '" & UltraGateWay & "'") ',,48)
            For Each objItem in objKovdaRoute
                WScript.Echo "KovdaRoute.Metric: " & objItem.Metric1
            Next
            For Each objItem in objUltraRoute
                WScript.Echo "UltraRoute.Metric: " & objItem.Metric1
            Next
            '++++++++++++++++++++++++++++++++
            Wscript.Echo "==================================================================="
        End If
    Next
    WScript.Sleep 60000
loop


(in reply to kristan_slack)
Post #: 9
RE: Multiple External Interfaces Failover - 26.Apr.2004 12:33:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Custler,

Thanks! Does this script fail-back too?

Tom

(in reply to kristan_slack)
Post #: 10
RE: Multiple External Interfaces Failover - 26.Apr.2004 1:43:00 PM   
Custler

 

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline
Yes, the draft algorithm of it is as follows:
1. Set the routing table (RT) to route to the main provider (Kovda).
2. Ping 10.0.2.5; if it succeeds, do nothing and sleep for 60 secs.
3. In case the RT routes to Kovda and the ping in (2) fails, switch to the backup provider (Ultra).
4. If the RT routes to Ultra, ping 81.211.35.65 (the nearest real IP to us inside the Kovda trace).
If it succeeds, return to the main provider.
This algorithm was chosen because 99% of network failures occur inside the provider network, since a few hops in the trace (shown above) are 802.11.
Of course, it's possible to include in the script a few protections from false switching and many more.
But it has worked for two weeks already and I haven't time to work on it.

(in reply to kristan_slack)
Post #: 11
RE: Multiple External Interfaces Failover - 26.Apr.2004 1:55:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Custler,

Very good! We'll try it out and see how it goes.

Thanks!

Tom

(in reply to kristan_slack)
Post #: 12
RE: Multiple External Interfaces Failover - 26.Apr.2004 2:20:00 PM   
Custler

 

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline
One more notice:
run this script in CScript, not in WScript, due to the output to console.
On W2003 server CScript is already registered as default.
On an XP computer it's necessary to execute "CScript //H:CScript" to register CScript as default.

P.S. I sent you the script as an attached file to hotmail.

(in reply to kristan_slack)
Post #: 13
RE: Multiple External Interfaces Failover - 26.Apr.2004 3:09:00 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
Nicely done, but this script only works on Win2k3; Win2K will choke the script on "NetConnectionID" and "Win32_PingStatus".

I have some alternate methods for those mechanisms if you're interested...

(in reply to kristan_slack)
Post #: 14
RE: Multiple External Interfaces Failover - 26.Apr.2004 3:31:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jim,

Let us have it!

This is all great info.

Thanks!
Tom

(in reply to kristan_slack)
Post #: 15
RE: Multiple External Interfaces Failover - 26.Apr.2004 3:38:00 PM   
Custler

 

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline
We haven't W2K Servers already...
But as I saw in MSDN for Win32_PingStatus, ExecQuery, etc., the requirements are:
===== citation on =====
Windows NT/2000/XP: Requires Windows NT 4.0 SP4 or later
Namespace: Included in \root\cimv2
MOF: Declared in Ping_desc.mof
===== citation off =====
But I don't test it on W2K, and you may know better.

Anyway, alternate methods are very interesting for me.

(in reply to kristan_slack)
Post #: 16
RE: Multiple External Interfaces Failover - 9.Jun.2004 8:50:00 PM   
JohnBullinger

 

Posts: 53
Joined: 25.Apr.2003
From: Texas
Status: offline
Has anyone tried this script out? Does it work? Will it do a failover to a 2nd ISP on an ISA 2000 Server running on Windows 2003?

How should the 2nd External NIC be configured?

Any help appreciated. Been looking for a failover solution for a while.

Thanks

John

(in reply to kristan_slack)
Post #: 17
RE: Multiple External Interfaces Failover - 10.Jun.2004 6:59:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

I haven't tested it, but it should work. It just doesn't provide the functionality I think people are expecting when they have multiple external interfaces. However, if all you expect is a hotfail "spare" then it should work.

Try it in your test lab first.

HTH,
Tom

(in reply to kristan_slack)
Post #: 18
RE: Multiple External Interfaces Failover - 10.Jun.2004 11:13:00 AM   
Custler

 

Posts: 23
Joined: 24.Feb.2004
From: Moscow, Russia
Status: offline
=> 1) Does this work on a Windows 2003 Machine with ISA Server 2000?

I have not tried the script with ISA2K. And I can't say that it will work,
but since the script changes only the route metric in the Windows routing table, I suppose it will work.

=> 2) Is this script made to failover (change the Default
=> Gateway and whatever) to a 2nd ISP if the 1st goes down?

Yes. This script is made for failover. But it uses our specific network config with one of our ISPs:

   ISA 2004 Computer
     |           |
  DG ISP1     DG ISP2
     |           |
    x1          ...
     |
    x2
     |
    x3

Mainly we use ISP1 because we have close relations with him.
ISP2 we use as backup.
In 99% of cases the connection problem appears between x1, x2 and x3, because there are radio channels between these machines. Each DG-x1-x3 has at least 2 IPs (local 10.0 and public 81.211). DG ISP1 stays in our office near the ISA computer.
So, the idea of the script is:
1. We ping the local IP of x3 through DG ISP1.
2. If the ping fails, we change the metric of this route to 48 and change the route metric through DG ISP2 to 2. After that, traffic goes through DG ISP2.
3. Now we ping the public IP of x1 through DG ISP2 until the ping succeeds.
4. Change the route metrics vice versa and go to step 1.

=> 3) Is there anything special that needs to be done on the
=> 2nd External NIC Card? I.e. how did you configure it, with
=> or without a Default gateway?

Yes, you have to configure default gateways on both external NICs, and
set the interface metrics on them to: 1 on the main ISP and 50 on the backup ISP.
In this case your traffic will go through the main ISP after a reboot without running the script.
Also you can change the traffic direction manually. For example:

Rem SET ROUTE TO MAIN ISP
route CHANGE 0.0.0.0 MASK 0.0.0.0 81.211.35.57 METRIC 1 IF 2
route CHANGE 0.0.0.0 MASK 0.0.0.0 81.95.36.11 METRIC 50 IF 0x40006
pause

(in reply to kristan_slack)
Post #: 19
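
Added example (not part of the thread, and not Custler's script): the failover/failback loop described in posts 11 and 19, modelled in Python with the "protection from false switching" that post 11 mentions as a possible improvement. The thresholds and the names `Failover`, `route_cmds` and `simulate` are assumptions; the addresses, metrics and interface values are those quoted in post 19, and the `route CHANGE` lines are only built as strings, never executed.

```python
# Added example: debounced failover/failback decision logic.
# Addresses, metrics and IF values are quoted from post 19; thresholds are assumed.
from dataclasses import dataclass, field

MAIN_GW, BACKUP_GW = "81.211.35.57", "81.95.36.11"
MAIN_IF, BACKUP_IF = "2", "0x40006"
LOW, HIGH = 1, 50  # preferred / standby route metrics


def route_cmds(active):
    """Return the two 'route CHANGE' lines that make `active` the preferred path."""
    m_main, m_backup = (LOW, HIGH) if active == "main" else (HIGH, LOW)
    return [
        f"route CHANGE 0.0.0.0 MASK 0.0.0.0 {MAIN_GW} METRIC {m_main} IF {MAIN_IF}",
        f"route CHANGE 0.0.0.0 MASK 0.0.0.0 {BACKUP_GW} METRIC {m_backup} IF {BACKUP_IF}",
    ]


@dataclass
class Failover:
    fail_after: int = 3     # assumed: consecutive failed probes before failover
    recover_after: int = 5  # assumed: consecutive good probes before failback
    active: str = "main"
    streak: int = 0
    log: list = field(default_factory=list)

    def step(self, probe_ok):
        """Feed one probe result; return route commands if a switch is due, else []."""
        # On main, failed probes of the far hop count toward failover.
        # On backup, good probes of the main provider's public address
        # count toward failback. Any contrary result resets the streak.
        counts = (not probe_ok) if self.active == "main" else probe_ok
        self.streak = self.streak + 1 if counts else 0
        need = self.fail_after if self.active == "main" else self.recover_after
        if self.streak < need:
            return []
        self.active = "backup" if self.active == "main" else "main"
        self.streak = 0
        self.log.append(self.active)
        return route_cmds(self.active)


def simulate(results, **thresholds):
    """Run a list of probe results through a fresh Failover; return (state, commands)."""
    fo = Failover(**thresholds)
    return fo, [cmd for ok in results for cmd in fo.step(ok)]


if __name__ == "__main__":
    # Constructed probe history: one lost ping, a real outage, a flapping recovery.
    history = [True, False, True, False, False, False,
               True, True, False, True, True, True, True, True]
    state, commands = simulate(history)
    print(state.log, *commands, sep="\n")
```

Setting both thresholds to 1 reproduces switching on a single probe result; larger values trade slower failover for fewer route flaps on a lossy radio hop.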
RE: Multiple External Interfaces Failover - 10.Jun.2004 3:42:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Custler,

Thanks! As always, you provide some great information!

Tom

(in reply to kristan_slack)
Post #: 20
