Configuring Fault Tolerance and Load Balancing for ISA Firewall/VPN Servers

 

You can configure Windows Server 2003 based ISA firewall/VPN servers for high availability by taking advantage of the Windows Server 2003 Network Load Balancing (NLB) service. The NLB service provides two major features that aid in increasing the availability of VPN connections for your VPN clients:

 

  • Fail over when one of the ISA firewall/VPN servers

 

Fail over allows other members of an ISA firewall/VPN server array to service connection requests from VPN clients when one of the servers becomes unavailable. All VPN servers in the array “listen” for VPN connections on the same IP address. When a VPN session is disconnected after a VPN array members goes offline, the connection is reestablished to another array member using the same IP address. The VPN user does not need to reconfigure the VPN client software to automatically reestablish the connection.

 

  • Load balancing for VPN connections

 

VPN sessions can be processor intensive. Data encryption and decryption can take a significant percentage of the processor cycles available to the ISA firewall/VPN server per unit time. The NLB service can automatically split connections across all array members so that no single member of the array receives a disproportion number of connection requests. NLB attempts to even spread the connection requests across all members of the NLB ISA firewall/VPN server array.

 

*      Note: A detailed description of the NLB protocol and how it works is beyond the scope of this ISA Server 2000 VPN Deployment Kit document. For more information on how NLB works and how to customize the NLB configuration for non-VPN purposes, please refer to the Windows Server 2003 Help file.

 

 

This ISA Server 2000 VPN Deployment Kit document covers the following:

 

·        A description of the example VPN network used in this ISA Server 2000 VPN Deployment Kit document

·        Configuring an NLB array

·        Installing ISA Server 2000 on the Windows Server 2003 NLB array members

·        Running the ISA Server 2000 VPN Wizard on the NLB array members

·        Configuring the ISA Server 2000 packet filters to support connections to the array address

 

The Example VPN Array Network

 

Figure 1 shows the details of our example VPN Array Network. Please keep a copy of this network diagram in front of you as you go through this example. (We don’t expect you to memorize the entire network setup prior to the example.)

 

 

Figure XX (fig1)

 

 

The ISA firewall/VPN servers have only Windows Server 2003 and ISA Server 2000 installed on them. No extraneous Windows services and no third party applications are installed on the VPN servers in the NLB array. All machines are members of the same Windows Server 2003 Active Directory domain.

 

The domain controller on the internal network has the following services installed:

 

*     WINS

WINS is not a required networking service. However, if you wish to allow the VPN clients to browse for servers on the internal network, a WINS server will simplify the process.

 

*     DNS

A DNS server is required on a Active Directory network. VPN clients will be assigned a DNS server address via DHCP.

 

*     DHCP

The DHCP server assigns addresses to internal network hosts and to VPN clients. You can configure the DHCP server to assign custom DHCP options (such as WINS and DNS server addresses and primary domain name) by using a DHCP Relay Agent on the ISA firewall/VPN server. Please see ISA Server 2000 VPN Deployment Kit document XXX for more details on how to configure a DHCP server and a DHCP Relay Agent.

 

*     RADIUS

The RADIUS server can be used to centralize RRAS policy across all the VPN array members. The RADIUS server simplifies the task of creating RRAS policy so that you can create a single policy on the RADIUS server and have that policy apply to all the VPN array members. RADIUS also allows you to use Active Directory domain user accounts without requiring the VPN array members to be part of the same Active Directory domain. Please see ISA Server 2000 VPN Deployment Kit article XXX for more details on how to install and configure RADIUS to support VPN connections.

 

*     Active Directory

Active Directory is required on Windows Server 2003 domain controllers.

 

Configuring the NLB Array

 

Windows Server 2003 Standard, Enterprise and Datacenter editions support the Windows Server 2003 Network Load Balancing service. One of the major improvements to the NLB service included with Windows Server 2003 is the new Network Load Balancing Service Manager. The NLB Manager allows you to create, configure and manage NLB arrays using an intuitive graphical interface.

 

Create the array after you have installed the Windows Server 2003 software onto the machines that will be members of the ISA firewall/VPN server array, but before you enable the Routing and Remote Access service with the ISA Server 2000 VPN wizard.

 

We will perform all array management tasks from LOCALISAVPN1. Perform the following steps to create the Windows Server 2003 NLB arrays:

 

  1. Click Start, point to Administrative Tools, and click on Network Load Balancing Manager (figure XX),

 

Figure xx  (fig101)

 

 

  1. The Network Load Balancing Manager console opens (figure XX). There are no NLB arrays configured by default. You will need to create an NLB array that allows all of the ISA firewall/VPN servers to listen on a single IP address on the external interface.

 

Figure XX (fig102)

 

 

  1. Click the Cluster menu and click the New command (figure XX).

 

Figure XX (fig103)

 

 

  1. Fill in the following information in the Cluster Parameters dialog box (figure XX):

 

  • IP address

This is the virtual IP address used by all of the members of the NLB array. The NLB Manager will automatically bind this address to the external interface of all the array members

  • Subnet mask

This is the subnet mask for the virtual IP address

  • Full Internet name

This is the Fully Qualified Domain Name used to access the cluster IP address for command line remote administration. Enter a name here if you choose to allow command line remote administration. This name must also be entered into the public DNS

  • Cluster operation mode

The Windows Server 2003 NLB service can operate in either Unicast or Mulicast mode. Choose multicast mode unless you have Cisco routers or switches on the same network segment as the external interface and those routers or switches do not support mapping unicast IP addresses to multicast MAC addresses. Please refer to the Windows Server 2003 Help for more information about NLB, unicast and multicast modes.

  • Allow remote control

Put a checkmark in this checkbox if you wish to allow command line remote control of the NLB array parameters. We do not wish to allow command line remote control on the external interface array. Do not enable this checkbox.

  • Remote password

If remote command line administration were available, you would enter a password in this text box.

  • Confirm password

If remote command line administration were available, you would confirm the password in this text box.

 

Click Next.

 

Figure XX (fig104)

 

 

  1. You can add more virtual IP addresses to the array in the Cluster IP Addresses dialog box (figure XX). Click the Add button to add more VIPs. In this example we will not use additional VIPs. Click Next.

 

Figure XX (fig105)

 

 

  1. A default rule appears in the Port Rules dialog box (figure XX). You can create customized Port Rule that determine how connections are load balanced across all the servers in the array. Click on the default port rule, then click the Edit button.

 

Figure XX (fig106)

 

 

  1. The details of the default port rule appear in the Add/Edit Port Rule dialog box (figure XX). The default port rule includes the following parameters:

 

  • Cluster IP address

This entry determines what IP address this rule applies to. The default port rule applies to all addresses in the NLB array

  • Port range

This entry determines what inbound ports the rule applies to. The default port rule applies to all inbound ports

  • Protocols

You can have the rule apply to TCP, UDP or Both. The default port rule applies to both TCP and UDP protocols. Note that the Windows Server 2003 NLB port rules can only be applied to TCP and UDP protocols. You cannot apply port rules to other protocols such as ICMP.

  • Filtering mode

There are three filtering modes:

Multiple host

Specifies whether multiple hosts in the cluster handle network traffic for the associated port rule. The default port rule applies to all hosts in the array and the Affinity setting is set to Single.

Single host

Specifies that network traffic for the associated port rule be handled by a single host in the cluster according to the specified handling priority. This filtering mode provides port specific fault tolerance for the handling of network traffic.

Disable port range

Specifies whether all network traffic for the associated port rule will be blocked.

 

Please refer to Windows Server 2003 Help for details on Filtering modes and affinity. Do not make any changes to the default port rule. Click Cancel to prevent any inadvertent changes from being applied. You use the default port rule to support your VPN client connections.

 

Figure XX (fig107)

 

 

  1. Click Next on the Port Rules page (figure XX)

 

Figure XX (fig108)

 

 

  1. Type in the name of the machine you are running the NLB Manager application on in the Host text box on the Connect page. In this example, we are running the NLB Manager on LOCALISAVPN1. Click the Connect button (figure XX). You will see a list of interfaces on this machine in the Interface available for configuring a new cluster list. Click on the external interface of the ISA firewall/VPN array member. In this example, the external interface is named WAN (this is the name that appears in the Network and Dial-up Connections window; we have renamed the interfaces to make them more descriptive). Click Next.

 

Figure XX (fig109)

 

 

  1. The details of the NLB array member appear on the Host Parameters page.

 

Priority

Specifies a unique ID for each host.

IP address

This is the IP address on the external interface of the NLB array member for traffic not associated with the cluster (for example, Telnet access to a specific host within the cluster). Type the IP address in standard Internet dotted notation (for example, w.x.y.z). This IP address is used to individually address each host in the cluster and hence should be unique for each host.

Subnet mask

This is for the subnet mask for the IP address specified. Type the mask in standard Internet dotted notation (for example, 255.255.255.0).

Default state

Specifies the default host state of the Network Load Balancing cluster when Windows is started. Select Started option if you want the host to immediately join the cluster when Windows is started. Select the Stopped option if you want this host to start without joining the cluster.  Select the Suspended option if you want this host to start without joining the cluster and instead enter a suspended state.

Retain suspended state after computer restarts

Specifies whether the host will remain suspended when Windows is restarted when the host was suspended prior to shutting down.

 

Click Finish.

 

Figure XX (fig110)

 

 

  1. You can see the details of the NLB array configuration in the log entry pane in the bottom of the console window (figure XXX).

 

Figure XX (fig111)

 

 

  1. The next step is to add a second machine to the array. Right click the name of the array in the left pane of the Network Load Balancing Manager console and click the Add Host to Cluster command (figure XX).

 

Figure XX (fig112)

 

 

  1. On the Connect page, type in the name of the computer you want to add to the array in the Host text box. In this example we want to add LOCALISAVPN2 to NLB array (figure XX). Select the external interface of this second array member in the Interface available for configuring the cluster list. Click Next.

 

Figure XX (fig113)

 

 

  1. The Host Parameters page has the following settings:

 

Priority

Specifies a unique ID for each host.

IP address

This is the IP address on the external interface of the NLB array member for traffic not associated with the cluster (for example, Telnet access to a specific host within the cluster). Type the IP address in standard Internet dotted notation (for example, w.x.y.z). This IP address is used to individually address each host in the cluster and hence should be unique for each host.

Subnet mask

This is for the subnet mask for the IP address specified. Type the mask in standard Internet dotted notation (for example, 255.255.255.0).

Default state

Specifies the default host state of the Network Load Balancing cluster when Windows is started. Select Started option if you want the host to immediately join the cluster when Windows is started. Select the Stopped option if you want this host to start without joining the cluster.  Select the Suspended option if you want this host to start without joining the cluster and instead enter a suspended state.

Retain suspended state after computer restarts

Specifies whether the host will remain suspended when Windows is restarted when the host was suspended prior to shutting down.

 

Click Finish.

 

Figure XX (fig114)

 

  1. You can see the details of the array configuration in the log entry pane at the bottom of the console (figure XX). Double click on the log entry with the description Update 2 succeeded [double click for details…].

 

Figure XX (fig115)

 

  1. The log entry provides verbose details associated with that entry (figure XX). Click OK and close the Network Load Balancing Manager console.

 

Figure XX (fig116)

 

 

Installing ISA Server 2000 on the Windows Server 2003 NLB Array Members

 

ISA Server 2000 must be installed on each member of the ISA firewall/VPN array. There are array specific configuration requirements. Please refer to ISA Server 2000 VPN Deployment Kit document XXX for detailed instructions on how to install ISA Server on Windows Server 2003.

 

Running the ISA Server VPN Wizard on the Windows Server 2003 NLB Array Members

 

ISA Server 2000 includes a VPN server Wizard that enables the Routing and Remote Access Service and configures ISA Server packet filters that allow access to both PPTP and L2TP/IPSec VPN clients. The ISA Server 2000 VPN server wizard performs most of the required tasks. However, you should customize the settings made by the VPN wizard to meet the requirements of your own network.

 

Please see ISA Server 2000 VPN Deployment Kit document XXX for detailed instructions on how to run the ISA Server 2000 VPN wizard and how to customize the RRAS settings to meet the specific requirements of your organization.

 

Configuring the ISA Server 2000 Packet Filters to Support the NLB Array Address

 

The ISA Server 2000 VPN Wizard automatically configures packet filters that allow PPTP and L2TP/IPSec VPN clients to connected to your ISA firewall/VPN server. However, these packet filters allow inbound VPN client access to the primary IP address bound to the external interfaces on the ISA firewall/VPN server array members. The VIP (virtual IP address) used by the Windows Server 2003 NLB service is not configured as the primary IP address and these default VPN packet filters will fail.

 

You will need to change these packet filters so that they support connections to the NLB VIP IP address. Perform the following steps on each member of the ISA firewall/VPN array:

 

1.      Open the ISA Management console. Expand the Servers and Arrays node, then expand your server name. Expand the Access Policy node and click on the IP Packet Filters node (figure XX). Notice in the right pane of the console that the ISA Server 2000 VPN server Wizard has created four VPN related packet filters. Double click on the Allow PPTP protocol packets (server) packet filter.

 

Figure XX (fig117)

 

2.      Click on the Local Computer tab in the Allow PPTP protocol packets (server) Properties dialog box (figure XX). Select the This ISA server’s external IP address option and type in the IP address of the VIP in the text box. Click Apply and then click OK.

 

Figure XX (fig118)

 

 

3.      Click on the Local Computer tab in the Allow PPTP protocol packets (client) Properties dialog box (figure XX). Select the This ISA server’s external IP address option and type in the IP address of the VIP in the text box. Click Apply and then click OK.

 

(fig120)

 

 

4.      Click on the Local Computer tab in the Allow L2TP protocol packets Properties dialog box (figure XX). Select the This ISA server’s external IP address option and type in the IP address of the VIP in the text box. Click Apply and then click OK.

 

(fig121)

 

5.      Click on the Local Computer tab in the Allow L2TP protocol IKE packets Properties dialog box (figure XX). Select the This ISA server’s external IP address option and type in the IP address of the VIP in the text box. Click Apply and then click OK.

 

Figure XX (fig122)

 

 

The packet filters will take effect in a few moments. You do not need to restart any ISA Server service or the server itself. This may take longer if the server is very busy. You can make the packet filters take place immediately if you restart the firewall service.

 

The ISA firewall/VPN server array is now ready to accept incoming PPTP and L2TP/IPSec VPN client connections. Incoming requests will be split evenly between all members of the NLB array. If an array member goes offline while a VPN client is connected, the user running the VPN will see the connection fail. When the user reconnects (or when the VPN client software automatically redials), a new VPN connection is established to another member of the array on the same VIP.