Welcome to ISAserver.org

Discussion on article about enabling Bidirectional Affinity on the ISA Firewall

Discussion on article about enabling Bidirectional Affi... - 18.Jan.2005 3:44:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on the Standard Edition of the ISA firewall at http://www.isaserver.org/articles/2004bidirnlb.html

Thanks!
Tom

[ January 18, 2005, 03:58 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion on article about enabling Bidirectional ... - 18.Jan.2005 5:08:00 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Tom,

Nice concise article...thanks to Lex as well for his input.

I would love to enable this more, but most of my customers shy away once you tell them that it is not MS supported, especially the bigger corporates.

I know it is a lot more money, but I still don't think you can beat RainWall for ISA in order to get ISA load balancing and failover. Anyone who is serious about availability should really be looking at RainWall or even ISA Enterprise. The solution you have provided is great for those who are happy to accept the limitations...

Cheers

JJ

(in reply to tshinder)
Post #: 2
RE: Discussion on article about enabling Bidirectional ... - 18.Jan.2005 5:36:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

I completely agree! RainWall really rocks and I'm also very impressed with what I've seen of the ISA EE integrated NLB. So, we've got some very good alternatives.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion on article about enabling Bidirectional ... - 18.Jan.2005 5:45:00 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
Originally posted by tshinder:
Hi Jason,

I completely agree! RainWall really rocks and I'm also very impressed with what I've seen of the ISA EE integrated NLB. So, we've got some very good alternatives.

Thanks!
Tom

We must both be on the beta then [Wink]

Yeah, EE looks very cool...say no more though [Cool]

JJ

[ January 18, 2005, 05:45 PM: Message edited by: Jason Jones ]

(in reply to tshinder)
Post #: 4
RE: Discussion on article about enabling Bidirectional ... - 28.Jan.2005 1:34:00 AM   
Raul E Jimenez

 

Posts: 78
Joined: 21.Oct.2002
From: USA
Status: offline
Hi,

I tried CARP and NLB for outbound access but it did not work for me.

I read several articles from Microsoft where they say that NLB is not supported on ISA.

I understand that for inbound VPN, NLB is capable of giving the redundancy needed, but for outbound access it is necessary too when you plan for corporate networks.

I got a testing version of RainWall but our Corporate will use ISA 2000 until the EE of ISA 2004 finally becomes available.

Can you point me to where to go for information about this subject? I know how CARP works, but it has a fault tolerance limitation, and DNS round robin has a point of failure too.

I have your books, including ISA 2004, and there is no information on these topics together, and last week on the ISA webcasts I mentioned this several times and all pointed to Dr. Shinder for an answer.

Thank you.

(in reply to tshinder)
Post #: 5
RE: Discussion on article about enabling Bidirectional ... - 7.Feb.2005 12:17:00 AM   
Rumple

 

Posts: 30
Joined: 5.Dec.2004
Status: offline
Does anyone have any rough idea of when ISA 2004 EE is coming out?

(in reply to tshinder)
Post #: 6
RE: Discussion on article about enabling Bidirectional ... - 7.Feb.2005 3:29:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

Shouldn't be very long at all now!

Tom

(in reply to tshinder)
Post #: 7
RE: Discussion on article about enabling Bidirectional ... - 22.Mar.2005 11:40:00 PM   
Guest
Hi Tom,

Great article - works a treat for companies with limited budget. We are still testing and bi-directional affinity seems to stand up to most things we are throwing at it.

With regards to ISA Standard configuration, we have allowed all traffic between the 2 ISA servers [Local to unclustered IP addresses of internal and external load balanced server and vice versa]. Just wondering if we could nail down multicast to a few ports / protocols etc. We are still doing tests to see if we can exclude opening up to external unclustered load balanced server and only allow traffic from Local to unclustered internal IP of unclustered load balanced server.

Any help fast tracking this process would be greatly appreciated.

Thanks

(in reply to tshinder)
  Post #: 8
RE: Discussion on article about enabling Bidirectional ... - 13.Jun.2005 11:40:00 AM   
pierburgneuss

 

Posts: 1
Joined: 13.Jun.2005
From: Birkenhead
Status: offline
I am looking at implementing BDA on two ISA 2004 Std Etn servers running Windows 2003 std. Having read this article I have one question. When you set up the BDA teaming on the first server, do you use the exact same registry key value for the GUID TeamID setting on the second server, or does the teaming on the second server have a different GUID TeamID?

Cheers

(in reply to tshinder)
Post #: 9
RE: Discussion on article about enabling Bidirectional ... - 4.Jul.2005 3:30:00 AM   
Guest
Hi all,

This is maybe off the topic, sorry about that. I just would like to ask whether the Windows Server 2003 NLB will work on this setup: Server A (ISA 2000) and Server B (ISA 2004)? The only redundancy that I want is only on the OS part, not on the ISA, meaning that if the ISA application on one of the servers is down (the redundancy will not work but it's OK for me) but if the server or the OS itself is down, the redundancy or load balancing will work.

I will be using the cache mode only on ISA 2000 (1 NIC) and the ISA 2004 (2 NICs) will act as a VPN server.

Thank you.

Regards,
Zul

(in reply to tshinder)
  Post #: 10
RE: Discussion on article about enabling Bidirectional ... - 4.Jul.2005 5:27:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by <Zul J>:
Hi all,

This is maybe off the topic, sorry about that. I just would like to ask whether the Windows Server 2003 NLB will work on this setup: Server A (ISA 2000) and Server B (ISA 2004)? The only redundancy that I want is only on the OS part, not on the ISA, meaning that if the ISA application on one of the servers is down (the redundancy will not work but it's OK for me) but if the server or the OS itself is down, the redundancy or load balancing will work.

I will be using the cache mode only on ISA 2000 (1 NIC) and the ISA 2004 (2 NICs) will act as a VPN server.

Thank you.

Regards,
Zul

Hi Zul,
I can't say 100%, but I'm pretty confident that this will not work.

HTH,
Tom

(in reply to tshinder)
Post #: 11
RE: Discussion on article about enabling Bidirectional ... - 4.Jul.2005 7:06:00 AM   
Guest
Hi Tom,

When you said that "this will not work", which one are you referring to ?

1) The NLB can't load balance the ISA Standard Edition ? or
2) The NLB can't load balance the OS ?

Rgrds,
Zul

(in reply to tshinder)
  Post #: 12
RE: Discussion on article about enabling Bidirectional ... - 15.Jul.2005 4:42:00 PM   
adenhaan

 

Posts: 36
Joined: 15.Jul.2005
Status: offline
Has anyone been successful doing this with ISA 2004 SP1?

I am suspecting Microsoft somehow made NLB impossible to implement with ISA 2004 SP1 Standard Edition.

Here is what I got: 2 fresh machines with 2003 SE SP1 and ISA 2004 SP1. Once I try to add the second machine as a host to the NLB cluster, I get the message "Could not locate NLB on the specified computer" (in fact you get this response if you just load NLB Manager on ANY machine, and use Cluster | Connect to existing Cluster with the IP of one of the ISA servers, where you would normally get the response "machine is not part of a cluster").

Careful inspection of the security event log on the target ISA server shows the following message twice:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 7/15/2005
Time: 10:06:01 PM
User: NT AUTHORITY\SYSTEM
Computer: ISA2
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: Administrator
Domain: Domainname
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00002EE
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

That C00002EE status code essentially means that the return code of the failure is not any of the known / documented reasons.

Any comments / workarounds appreciated !

Thanks !

[ July 15, 2005, 04:45 PM: Message edited by: adenhaan ]

(in reply to tshinder)
Post #: 13
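
Added example (not part of adenhaan's post or of the article under discussion): a short Python triage script for Security-log text pasted in the format shown above. It splits the text into records, then groups repeated failure audits for network logons (Logon Type 3) and notes whether a source address was recorded. The function names are hypothetical and the sample record is constructed from the fields shown in the post, abridged.

```python
from collections import Counter

# Constructed input: the record from the post, abridged, repeated twice
# because the post says the message appears twice in the Security log.
RECORD = r"""Event Type: Failure Audit
Event Source: Security
Event ID: 537
Date: 7/15/2005
Time: 10:06:01 PM
User: NT AUTHORITY\SYSTEM
Computer: ISA2
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: Administrator
Logon Type: 3
Authentication Package: Kerberos
Status code: 0xC00002EE
Source Network Address: -
"""
SAMPLE = RECORD * 2


def parse_events(text):
    """Split pasted event text into one dict of field -> value per record."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so times survive
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue
        if key == "Event Type":  # this field opens every record
            events.append({})
        if events and value:  # skip header lines such as "Description:"
            events[-1][key] = value
    return events


def repeated_network_failures(events, threshold=2):
    """Group failure audits; return network logons (type 3) seen >= threshold times."""
    counts = Counter(
        (e.get("Computer"), e.get("Event ID"), e.get("User Name"),
         e.get("Authentication Package"), e.get("Status code"),
         e.get("Source Network Address", "-") != "-")  # True if a source was logged
        for e in events
        if e.get("Event Type") == "Failure Audit" and e.get("Logon Type") == "3"
    )
    return {group: n for group, n in counts.items() if n >= threshold}
```

The last element of each group key is False when the record carries no source address, which is the case for the record in the post, so the log alone does not identify the host that made the attempt.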
RE: Discussion on article about enabling Bidirectional ... - 19.Jul.2005 2:06:00 PM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
I am using ISA 2004 standard SP1 with Windows 2003 standard SP1. I plan to do Windows NLB, but I only have one server available so far. I set up network load balancing on this box and everything works. Then, I decided to team two Broadcom Gb interfaces first and then do the MS NLB. The configuration works fine but my ISA starts to drop all the packets. If I take out teaming and just do the NLB, then it works fine. Any ideas??

btw, I am using ISA as the filter server only, behind my FW in DMZ. I only use ISA for OWA and RPC over HTTPS for my Exchange server. Thanks.

(in reply to tshinder)
Post #: 14
RE: Discussion on article about enabling Bidirectional ... - 9.Feb.2006 3:49:44 PM   
scotte76

 

Posts: 16
Joined: 13.Jan.2006
Status: offline
Hi,

I am trying to amend the registry manually on 3 isa servers.

When I look in the registry key I see 4 GUID keys.

My servers have 2 network cards each which are teamed.

Do I create a BDATeaming key under each GUID key ?

If so, which GUID is the master, as I am unable to differentiate between them. I notice that 3 of the GUIDs are showing up as TEAM, which I assume are the 2 NICs + TEAM, then there is another one which I assume is the NLB.

How do I set the values

- BDATeaming
- TeamID =
- Master = 0
- ReverseHash = 0


As I am not using an Internal and external configuration, all traffic is going through one interface for caching only ??

Any help appreciated.

Rgds

Scott
 

< Message edited by scotte76 -- 9.Feb.2006 5:33:07 PM >

(in reply to tshinder)
Post #: 15
RE: Discussion on article about enabling Bidirectional ... - 9.Feb.2006 5:36:07 PM   
scotte76

 

Posts: 16
Joined: 13.Jan.2006
Status: offline
I have configured the reg edits and notice that my second server has only 1 GUID in the interface key as opposed to 4 GUIDs which are visible on the other 2 servers.

My second server is the only one that seems to be providing web access to clients.

If I shut the second server down the clients do not fail over to the other 2 ??

I have followed the article and reloaded the wlbs successfully, showing that there are 3 hosts.

They are all set to =1 for the Master & ReverseHash.

Any ideas please ?

Rgds

Scott

(in reply to tshinder)
Post #: 16
RE: Discussion on article about enabling Bidirectional ... - 13.Feb.2007 8:41:54 AM   
billysboots

 

Posts: 8
Joined: 20.Dec.2004
Status: offline
Hi

I have just come across this as I try to add some resilience to my existing installation, I have configured my 2 ISA 2004 SE SP2 servers as described and they both appear to work ok, if I wlbs stop one server then the other picks up the traffic with problem.

However when I stop the firewall service it does not remove itself from the cluster, I understood that the BDATeam would effect this removal.

Am I wrong or do I have some configuration wrong?

Thanks for any help received.

(in reply to scotte76)
Post #: 17
