Enabling NLB Bi-Directional Affinity (BDI) on ISA Server 2004 Standard Edition Firewalls

by [Published on 18 Jan. 2005 / Last Updated on 20 May 2013]

Want to enable NLB with bidirectional affinity on your Standard Edition ISA firewalls? There are some potential problems, but if you're game, check out this article for details on how to do it.

Enabling NLB Bi-Directional Affinity (BDI)
on ISA Server 2004 Standard Edition Firewalls

By Thomas W Shinder MD, MVP

Got Questions? Go to:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000213 and ask!

I’ve been receiving a lot of requests lately on how to enable bi-directional affinity on the Standard Edition of the ISA firewall. If you’re one of these folks, you are probably aware of the KB article ISA Server 2004 Standard Edition does not support NLB functionality at http://support.microsoft.com/Default.aspx?kbid=884319 This KB article says that the Standard Edition does not support the built-in NLB, although you can use third party network load balancing products.

Get the New Book!

There are some good reasons why Microsoft recommends that you do not enable NLB on a load balanced array of Standard Edition ISA firewalls:

  • The Windows NLB service is not aware of the ISA firewall services. So, if the ISA Firewall service, or if the RRAS service becomes unavailable, the machine is not removed from the array and connections are still balanced to the unavailable ISA firewall
  • Full support for bidirectional affinity doesn’t seem to be supported. Lex Penrose has reported that while he has been able to get bidirectional affinity to work when there is an internal and external interface on the ISA firewall NLB array, if you add a third NIC and try to make BDI work on the third interface, BDI fails.
  • PSS will not be able to help you if you run into ISA firewall problems, since its not a supported configuration
  • However, if you’re willing to accept these limitations, you can enable NLB with BDI on an array of Standard Edition ISA firewalls. There’s a lot of Registry editing involved, and I can’t give my usual step by step details at this time (I’ll follow up in the future on the step by steps with screen shots), but here are the general instructions for those of you motivated to try this configuration.

    The NLB registry settings are located at:

    HKLM\System\CurrentControlSet\Services\WLBS\Parameters\Interface\{GUID}

    Where {GUID} is the GUID of the NIC to which NLB is bound. If you have bound NLB to multiple interfaces (which you should), then you will see multiple GUIDs under "Interface". Use the ClusterIPAddress registry value under each GUID to distinguish them. Under both clusters that you wish to team, add a registry KEY (not value) called BDATeaming. Under that key, on both clusters, add the following registry VALUES (not keys):

    TeamID (REG_SZ)
    Master (REG_DWORD)
    ReverseHash (REG_DWORD)

    The team ID should be a GUID in curly braces; use uuidgen.exe or some such program to generate a GUID for you. Set the Team ID under both clusters to be the SAME - this is what teams them together. Now, choose one CLUSTER (either internal or external) to be the "master" cluster. Typically, you would want this to be the internal, but it doesn't matter.

    On that cluster, set the Master key to 1, and on the other cluster, set the Master key to 0.

    On the external cluster, set ReverseHash to 0 and on the internal cluster, set ReverseHash to 1. Below is a sample:

    External cluster:
    - BDATeaming
    - TeamID = {70b26c0a-1c1c-4242-ba7e-6ff0229509c4}
    - Master = 0
    - ReverseHash = 0

    Internal cluster:
    - BDATeaming
    - TeamID = {70b26c0a-1c1c-4242-ba7e-6ff0229509c4}
    - Master = 1
    - ReverseHash = 1

    Now, go to a command prompt and type wlbs reload. Hopefully, you don't get an error. Now you can type wlbs bdateam {70b26c0a-1c1c-4242-ba7e-6ff0229509c4} and it should show you the configuration of the team. You may see some "errors" in this output if you have other nodes in the cluster that you have not yet added the keys to.

    And, until all hosts are properly setup, your cluster will not converge.

    Check wlbs query output at the command prompt.

    Now, go to the other hosts in you cluster(s) and add the same registry keys in a consistent manner (i.e., all external clusters should have the same settings and all internal clusters should have the same settings).

    Again, use wlbs bdateam at the command prompt to check the configuration. When you're done with all nodes, wlbs query should show that the hosts are happy and converged.

    That’s it! Let me know how it works out for you.

    Get the New Book!

    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000213 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

    If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our 'Real-Time Article Update' by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy

    Advertisement

    Featured Links