Welcome to ISAserver.org
RE: Info on NLB "workaround" for ISA 2004 SE
RE: Info on NLB "workaround" for ISA 2004 SE - 29.Jul.2004 2:23:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by Paul Baldwin: To answer one of Justin's questions that appeared to get lost: Using the UseISAAddressInPublishing=1 trick (Tom: do we need that now it can be selectively enabled in 2004?) you will have trouble with logging (the ISA server IPs always appear) and SMTP servers never see who sent the email (again, it always thinks it's the ISA Server, which will screw up headers, filtering and reverse-DNS options). To use NLB effectively with ISA Server you must use Win2k3's bidirectional affinity (the long-winded method).
But:
It appears bi-directional affinity doesn't work with ISA 2004 (this thread isn't the first time I've heard this). I've not tried, but had it running with ISA 2000 for over a year with no trouble (well... okay on load-balancing, a bit naff on fault-tolerance unless the whole server goes down!). Much trumpeted when Windows 2003 came out, it's funny why MS are so cagey about the details of using it.
Hi Paul,
The reverse DNS thing doesn't bother me, 'cause it's not a very useful way to control spam. I've learned that the IMF looks at the last header, which is sort of dumb, since most organizations are going to use inbound SMTP relays, so the last machine to handle the message isn't going to be the source SMTP server.
You're right about the registry entry -- you don't need it anymore because you can configure that in the rule.
I agree re: the BDA support. It should have been completely supported in SE. It will work, but it doesn't have service awareness. I expect they'll do something about that in the enterprise edition. Cross your fingers.
However, there is a hack to get BDA to work in SE. I'll post it as a FAQ today.
Thanks! Tom
RE: Info on NLB "workaround" for ISA 2004 SE - 29.Jul.2004 2:26:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by Lex Penrose: haha Paul,
happy it saved you some time. We've been testing NLB with ISA 2004 since the very first beta version because it's an essential need for our network (5000 users). We have now so far tested around 3 or 4 different products including Stonesoft, Rainfinity, Microsoft NLB and a last one that was based on Java (can't even remember the name), but only Rainfinity came close to working without problems. We are anxiously waiting for the enterprise version of ISA 2004.
This is a reaction from Microsoft on our NLB questions:
---------------------------------------
[MSFT] In general, by itself NLB on Windows 2003 does not support load balancing in all directions in Routing mode (as opposed to NAT mode). This means that if you use Windows 2003 as a Router (e.g. using RRAS) and without ISA, it is still not possible to use NLB for load-balancing/fault-tolerance of 2 such Windows machines.
ISA 2004 Standard Edition has no specific support for NLB so the same limitation applies. ISA 2004 Enterprise Edition (not shipped yet) will most likely provide additional NLB support that will make this scenario work.
---------------------------------------
Kind regards, Lex P
Hi Lex,
So, the BDATeaming registry entry will work if you only have two networks connected to each ISA firewall?
Thanks! Tom
RE: Info on NLB "workaround" for ISA 2004 SE - 2.Aug.2004 1:07:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lex,
Good enough. Thanks!
Tom
RE: Info on NLB "workaround" for ISA 2004 SE - 12.Aug.2004 11:52:00 AM
jopperdepop
Posts: 7
Joined: 10.Aug.2004
Status: offline
Hi all, what exactly is BDA teaming supposed to do?
I know what I would like it to do: I'd like it to make sure that if an interface on one side of a pair of ISA servers fails and the other ISA takes over, then on the other side of the pair the ISA server with the failed interface does not receive any traffic any more either.
Will anyone please confirm this or tell me what BDA teaming is supposed to do if I'm wrong?
Cheers, Jop
RE: Info on NLB "workaround" for ISA 2004 SE - 14.Aug.2004 10:10:00 PM
paulbaldwin
Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline
The scenario you just outlined is unfortunately one of those things BDA won't do!
BDA means you have one common IP on both sides of the array of firewalls. This is great from the internal network point of view: there is only one default gateway, so replies to incoming requests always go out through the firewall that processed the incoming request.
Good for load-balancing (it's pretty dumb when it gives a firewall at 100% a job when one down the line is at 3%).
The big problem is an entire server has to explode for a fail-over to occur. I found disabling an internal interface didn't stop the external from taking hits: I had to disable both to get a firewall offline.
Still worth having, the limitations may get a makeover one day.