Re: ISA 2004 Standard Edition Redundancy
From: Marlon Brown (marlon_brown_at_hotmail.com)
Date: 09/30/04
Date: Thu, 30 Sep 2004 11:54:35 -0700
Eric, maybe I missed something here, but isn't the "redundancy" using array
provided only on the ISA 2004 Enterprise Edition (that is not released yet)?
If I am running Win2003 Ent Server + ISA 2004 Standard Edition, can I take
advantage of NLB for the failover then? I thought that I couldn't...
Thanks for the clarification.
"Eric Sun [MSFT]" <v-ericsu@online.microsoft.com> wrote in message
news:QrRFKgphEHA.2936@cpmsftngxa10.phx.gbl...
> In NLB, you can use standard edition ISA server to build standalone
> server as well as using ISA server array. With NLB, when one server
> fails, the others will perform a failover to handle these requests.
>
> To have best availability, I recommend you install the clients using
> firewall client. Thus, it will test the connections for you to maintain a
> list of running servers. Unless all the servers are down, firewall client
> can have the requests sent to the server properly.
>
> Web proxy clients use a specific server or a set of servers to connect. It
> generally uses DNS round robin to load balance all the connections
> between servers (different IP addresses). This is why it will have some
> chance to fail if the server fails. Once it is using the problematic
> server, it will fail to go outside but a refresh will generally resolve
> this problem.
>
> If you use NLB, all the servers are using the same IP addresses so the Web
> client is using a specific IP address to connect. Thus, it will not
> experience the problem as it will not connect to the problematic computer.
> However, please do not NLB more than one NIC on the computer. If
> this happens, you may receive multiple responses for a single request.
>
> From my point of view, considering the ease of deployment, administration
> and functionality, I would recommend you use enterprise array
> and configure all the clients as firewall clients. The clients can be
> configured as Web proxy client if they would like to. This is a standard
> deployment scenario in most enterprise environments.
>
> Why I recommend you avoid using NLB on both internal NIC and external NIC
> is that sometimes the incoming request is handled by Computer
> A but its response can be handled by B. In some cases, this will cause
> inconsistency. Thus, if you would like to provide service to external
> network, you can NLB the external NICs. If you would like to provide
> better service to internal network, you can use NLB on the internal
> NICs.
>
> I suggest you install firewall client to the internal clients as this will
> provide full ISA functionalities to all the clients. Firewall client will
> maintain connections to the server and update the status. So it can help
> you have high availability.
>
> The Bi-directional Affinity functionality does exist in Windows Server
> 2003 but it is not supported in ISA 2000. It doesn't work as
> expected as this ISA server 2000 is not designed for this feature. ISA is
> released with and designed for Windows 2000 :-(.
>
> If you are planning to simply enable NLB on both the internal and external
> interfaces and do web publishing then this scenario is widely used
> and you are good to go. If you are enabling NLB on both the internal and
> external interfaces and would also like to do server publishing, you
> should use ISA 2000 SP1, and set the registry value
> "UseISAAddressInPublishing" to 1 to indicate to ISA to use the ISA server
> address when sending packets to the published server and thus the returning
> traffic will always go through the right ISA server. Otherwise, if the
> response goes through another ISA server, you will encounter problems.
> This flag enables you to use NLB on both external and internal side
> along with server publishing. Refer to the following article:
>
> 311777 How to Enable Translating Client Source Address in Server Publishing
> http://support.microsoft.com/?id=311777
>
> - Personally, I don't recommend using this feature as it will affect some
> ISA functionalities such as reporting.
>
> There is one additional option that might be acceptable. If you are using
> an NLB array for failover purposes and not for pure load balancing
> (i.e.: One machine can handle all the traffic load), then you can set the
> NLB array in a failover state which will put one machine in a standby
> mode and it will kick in when the other machine fails. Configure the
> internal NIC's affinity to Single Node so all the requests will be handled
> by a certain node. Once this node fails, another will take over all the
> requests.
>
> In any case for internal NIC NLB, please apply 822713 to both ISA servers
> to make sure they are using the correct IP to communicate.
>
> 822713 GetHostByName Function Does Not Return IP Addresses in the Correct Order
> http://support.microsoft.com/?id=822713
>
> Also, you can try some third-party ISA high availability applications
> to implement high availability. Refer to the following article:
>
> http://www.microsoft.com/isaserver/partners/highavailability.asp
>
> Best Regards,
>
> Eric Sun,
> MCSE2000 / MSCA / MCDBA
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights
> --------------------
> | From: "Microsoft News Groups" <p_lawrence2001@hotmail.com>
> | Subject: ISA 2004 Standard Edition Redundancy
> | Date: Thu, 19 Aug 2004 09:50:34 +0100
> |
> | Is it possible to have some sort of failover between 2 ISA servers on the
> | same network so that if one server dies the other can take over?