1
Issues in ISA Server Fault Tolerance and Load Balancing
  • Thomas W. Shinder, M.D.
  • TACTEAM
  • Dallas
  • www.isaserver.org/shinder
2
About Your Presenter
  • Microsoft ISA Server 2000 MVP
  • Author: “Configuring ISA Server 2000” and “ISA Server and Beyond”
  • Moderator, newsletter editor and leading content provider at ISAServer.org
  • Editor Brainbuzz Network Admin Weekly news
  • Lots of other stuff
3
Today’s Agenda: High Availability
  • CARP
  • Windows 2000 NLB
  • Windows 2003 NLB
  • Hardware Load Balancers
  • RainWall
  • RainConnect
4
What is High Availability?
  • Server Load Balancing
  • Server Fail Over (fault tolerance)
  • Link Load Balancing
  • Link Fail Over
  • Can have Fail Over without Load Balancing
  • Can have Load Balancing with Fail Over
5
Firewall Load Balancing and Fail Over
6
Cache Array Routing Protocol
  • Inbound and outbound
    • Little use for inbound
  • Provides load balancing for cache
  • Client and server side routing
    • Client side requires autoconfig script
  • Weak fail over capabilities
    • Depends on entries in autoconfig script
    • Autoconfig script has TTL of 50 minutes
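Client-side CARP routing lives in the autoconfig (PAC) script the slide refers to, so the failover behaviour is easiest to see in one. The following is an added example, not code from the presentation or the script ISA Server generates: a CARP-style `FindProxyForURL` with a constructed member list, constructed sample destinations and a stand-in hash (FNV-1a mixed with a multiply; ISA's own hash differs in detail). It shows the deterministic ranking that makes each site cache on one member, that removing a member re-maps only that member's share of sites, and why a client holding a cached copy of the script keeps sending those sites to the dead member until the script expires.

```javascript
// Added example, not from the presentation: a CARP-style proxy autoconfig
// (PAC) script. Member names, ports, sample hosts and the hash are
// constructed stand-ins for what ISA Server generates.

// Array membership as it was when the client fetched the script. The client
// keeps this copy until the script's TTL expires, so a member that dies
// after that point is still listed here.
var ARRAY_MEMBERS = [
  { name: "isa1.example.internal", port: 8080 },
  { name: "isa2.example.internal", port: 8080 },
  { name: "isa3.example.internal", port: 8080 }
];

// 32-bit FNV-1a over a string; a stand-in for CARP's own string hash.
function hash32(s) {
  var h = 0x811c9dc5;
  for (var i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// CARP's core idea: combine the hash of the destination host with the hash
// of each member name and rank members by the combined value. Every client
// holding the same member list computes the same ranking, so each site is
// cached on one member, and dropping a member re-maps only that member's
// share of sites (the ranking of the remaining members does not change).
function rankMembers(host, members) {
  var urlHash = hash32(host.toLowerCase());
  return members
    .map(function (m) {
      // Multiply by an odd constant to mix the XOR of the two hashes.
      var combined = Math.imul(urlHash ^ hash32(m.name.toLowerCase()), 0x9e3779b1) >>> 0;
      return { member: m, score: combined };
    })
    .sort(function (a, b) { return b.score - a.score; })
    .map(function (x) { return x.member; });
}

// Primary (first-choice) member for a host under a given member list.
function primaryFor(host, members) {
  return rankMembers(host, members)[0].name;
}

// PAC entry point: the ranked members become the browser's failover chain.
// The browser tries the first proxy and only moves to the next one after a
// connection failure; that is the entire client-side failover mechanism.
function FindProxyForURL(url, host) {
  return rankMembers(host, ARRAY_MEMBERS)
    .map(function (m) { return "PROXY " + m.name + ":" + m.port; })
    .join("; ");
}

// Which hosts get a different primary member between two membership
// snapshots? With CARP the answer is exactly the hosts mapped to a removed
// member; clients still holding the old snapshot keep sending those hosts
// to it first.
function primaryChanges(hosts, oldMembers, newMembers) {
  return hosts.filter(function (h) {
    return primaryFor(h, oldMembers) !== primaryFor(h, newMembers);
  });
}

// Constructed sample destinations.
var SAMPLE_HOSTS = [
  "www.microsoft.com", "www.isaserver.org", "download.example.net",
  "mail.example.org", "news.example.com", "cdn.example.net",
  "intranet.example.internal", "www.example.edu", "ftp.example.org",
  "shop.example.com", "api.example.net", "docs.example.org"
];

// Stale-script walk-through: isa2 dies, ISA regenerates the script without
// it, but a client on the old copy still lists isa2 first for these hosts.
var AFTER_FAILURE = ARRAY_MEMBERS.filter(function (m) {
  return m.name !== "isa2.example.internal";
});
var stillSentToDeadMember = primaryChanges(SAMPLE_HOSTS, ARRAY_MEMBERS, AFTER_FAILURE);

console.log(FindProxyForURL("http://www.microsoft.com/", "www.microsoft.com"));
console.log("hosts a stale client still sends to isa2 first:", stillSentToDeadMember);
```

Run it with `node`: the first line is the failover chain a browser would receive for one destination, the second is the set of destinations a client with a stale script keeps directing at the failed member. The slide's 50-minute script TTL is the upper bound on how long that lasts, and within that window each affected request first has to time out against the dead proxy before the browser moves down the chain.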
7
CARP: Server and Client Side Routing
8
Windows 2000 NLB
  • Can be bound to a single interface
  • Provides fail over and load balancing
  • Each cluster member is configured individually
  • Suffers from asymmetric routing (no bi-directional affinity)
  • Web Publishing Rule friendly
  • Server Publishing Rule tolerant
  • ISA/VPN Server support marginal
  • Multicast and Unicast modes encourage switch flooding
  • Requires Windows 2000 Advanced Server ($$$)
9
NLB Asymmetric Routing
10
Windows 2003 NLB
  • Can be bound to internal and external interfaces
  • Supports fail over and load balancing
  • Support symmetric routing (bi-directional affinity)
  • Web and Server Publishing Friendly
  • Vastly improved ISA/VPN Server support
  • NLB Manager simplifies configuration
  • Must use ISA Server tool – symmetric routing depends on ISA Server being installed
  • Intra-array traffic increases geometrically with each additional node
  • Doesn’t detect dead ISA Server or Windows 2000 Services
  • Doesn’t detect bad “connection” (internal and external)
  • Unicast and Multicast modes still encourage switch flooding
    • Multicast mode now includes IGMP Support
    • Almost all versions of Windows 2003
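The asymmetric routing problem of Windows 2000 NLB, and the bi-directional affinity that fixes it in Windows 2003, come down to which address each interface's cluster hashes. The following is an added example, not part of the presentation or of NLB: it models a two-interface ISA cluster in which every node sees every packet and accepts only the load buckets it owns. The 60-bucket ownership model is how NLB divides load; the bucket hash, node names and addresses are constructed stand-ins, since NLB's own hash is not published.

```javascript
// Added example, not from the presentation: which NLB node handles each
// direction of a flow through a two-interface ISA cluster. The bucket hash
// and addresses are constructed stand-ins; the ownership model is NLB's.

var BUCKETS = 60;                      // NLB distributes 60 load buckets among nodes
var NODES = ["isa1", "isa2", "isa3"];  // constructed cluster members

// Dotted-quad to integer without bitwise ops, so 203.x.x.x stays positive.
function ipToInt(ip) {
  var p = ip.split(".").map(Number);
  return p[0] * 16777216 + p[1] * 65536 + p[2] * 256 + p[3];
}

// Every node receives every packet (hence the switch flooding on the
// slides) and runs this same function; only the owner keeps the packet.
function ownerOf(address, nodes) {
  var bucket = ipToInt(address) % BUCKETS;
  return nodes[bucket % nodes.length];
}

// One outbound connection from an internal client to an Internet server,
// plus the server's reply. Because ISA NATs the connection, the reply is
// addressed to the cluster's external IP; the only address that is the
// same in both directions is the server's.
function routeFlow(clientIp, serverIp, nodes, bidirectionalAffinity) {
  var outboundOwner, replyOwner;
  if (bidirectionalAffinity) {
    outboundOwner = ownerOf(serverIp, nodes); // internal NIC hashes the destination
    replyOwner = ownerOf(serverIp, nodes);    // external NIC hashes the source
  } else {
    outboundOwner = ownerOf(clientIp, nodes); // internal NIC hashes the source (client)
    replyOwner = ownerOf(serverIp, nodes);    // external NIC hashes the source (server)
  }
  return {
    outbound: outboundOwner,
    reply: replyOwner,
    // A stateful firewall drops a reply for a connection it never saw.
    replyDelivered: outboundOwner === replyOwner
  };
}

// Count how many flows lose their reply under a given affinity mode.
function summarize(flows, nodes, bidirectionalAffinity) {
  var dropped = flows.filter(function (f) {
    return !routeFlow(f.client, f.server, nodes, bidirectionalAffinity).replyDelivered;
  });
  return { total: flows.length, dropped: dropped.length };
}

// Constructed sample flows (private and documentation-range addresses).
var SAMPLE_FLOWS = [
  { client: "10.0.0.5",     server: "203.0.113.10" },
  { client: "10.0.0.7",     server: "203.0.113.10" },
  { client: "192.168.1.20", server: "203.0.113.10" },
  { client: "10.0.0.5",     server: "198.51.100.8" }
];

console.log("source-hash on both sides:", summarize(SAMPLE_FLOWS, NODES, false));
console.log("bi-directional affinity:  ", summarize(SAMPLE_FLOWS, NODES, true));
```

With the constructed addresses, two of the four flows land on different nodes in each direction when both interfaces hash the packet's source, so their replies hit a node with no matching connection; with bi-directional affinity none do. The model also shows why the slide ties symmetric routing to ISA Server being installed: the external-side hash only works because ISA's NAT keeps the server address constant across both directions.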

11
Windows 2003 NLB not Service Aware
12
Hardware High Availability
  • RADWARE FireProof
  • F5 Networks BigIP
  • Alteon and Cisco content switches
  • Support symmetric routing
    • Requires multiple internal and external devices
    • “Firewall Sandwich”
  • Cost intensive ($75,000+)
  • Complex unconventional configuration
  • Additional layer of misconfiguration
13
Hardware HA Fun
14
RainWall
  • Supports multiple interfaces
  • Encourages symmetric routing
  • Array created with easy and intuitive Wizard
    • Simple to add and remove cluster members via MMC
  • Web and Server Publishing Friendly
  • ISA/VPN Server friendly and ISA/VPN Gateway friendly
  • Intra-array traffic increases linearly with additional nodes
  • Switch flooding is never an issue
    • No special support for upstream Cisco devices
    • Full bandwidth available on each switch port (wire speed)
    • All traffic is true unicast – MAC address not changed
  • Does not require Advanced Server or ISA Server
  • RAIN technology automatically synchronizes connection and array state (array configuration)
  • Detects Web Proxy and Firewall Service failures
    • Also supports detecting any other Windows 2000 Service failure
  • Detects bad “connections” (via PING monitoring)
  • Fail over in less than 5 seconds (NLB takes about 15 sec)
15
RainWall Removes Sick Servers
16
RainWall decreases intra-array traffic overhead
17
RainConnect
  • Fault tolerance and Load Balancing for the Internet Link
  • Transparent fail over for inbound and outbound access
  • Not dependent on BGP!
  • Load balancing based on link speeds
    • Applications can be bound to a link
  • Web and Server Publishing across multiple ISPs
    • Allows you to be ISP independent
  • DNS “Agent” dynamically responds to queries
  • RainConnect performs a “double NAT” in concert with ISA Server to support IP addresses from multiple network IDs (from each ISP)
  • Potential for massive cost savings
  • Evolving support for complex protocols
  • Must bind VPN Server/Gateway to single ISP
18
Aggregate and Load Balance bandwidth among ISP Links
19
RainConnect transparently fails over to active ISP
20
Summary
  • CARP provides very limited HA support
  • Windows 2000 NLB works, but with significant limitations
  • Windows 2003 NLB works better, but shares many of the Windows 2000 NLB limitations
  • Hardware solutions best for those who have too much money and time on their hands
  • RainWall solves the problems encountered with the Windows 2000/2003 NLB services
  • RainConnect is the only tightly integrated ISA Server solution that provides Internet link fault tolerance and load balancing
21
For More Information
  • Microsoft Web Site www.microsoft.com/isaserver
  • ISAServer.org www.isaserver.org
  • “ISA Server and Beyond” by Shinder, Shinder and Grasdal
  • See me demo RainWall and RainConnect LIVE at TechMentor in New Orleans

    http://www.techmentorevents.com/neworleans/sessions2.asp?section_id=145
    http://tinyurl.com/6244