Configuring Fault Tolerance and Load Balancing for ISA Firewall/VPN Servers

Configuring Fault Tolerance and Load Balancing for ISA Server firewall/VPN Servers

You can configure Windows Server 2003 based ISA Server firewall/VPN servers for high availability by taking advantage of the Windows Server 2003 Network Load Balancing (NLB) service. The NLB service provides two major features that enhance availability for your VPN clients:

Fail over when one of the ISA Server firewall/VPN servers

Fail over allows other members of an ISA Server firewall/VPN server array to service connection requests from VPN clients when one of the servers becomes unavailable. All VPN servers in the array “listen” for VPN connections on the same IP address. When a VPN session is disconnected after a VPN array member goes offline, the connection is reestablished to another array member using the same IP address. The VPN user does not need to reconfigure the VPN client software; the VPN connection is automatically reestablished.

Load balancing for VPN connections

VPN sessions can be processor intensive. Data encryption and decryption can take a significant percentage of the processor cycles available to the ISA Server firewall/VPN server per unit time. The NLB service can automatically distribute connections across all array members so that no single member of the array receives a disproportionate number of connection requests. NLB attempts to evenly spread the connection requests across all members of the NLB ISA Server firewall/VPN server array.

Note:
A detailed description of the NLB protocol and how it works is beyond the scope of this ISA Server 2000 VPN Deployment Kit document. For more information on how NLB works and how to customize the NLB configuration for non-VPN purposes, please refer to the Windows Server 2003 Help file.

This ISA Server 2000 VPN Deployment Kit document discussing the following subjects:

· A description of the example VPN network used in this ISA Server 2000 VPN Deployment Kit document

· Configuring an NLB array

· Installing ISA Server 2000 on the Windows Server 2003 NLB array members

· Running the ISA Server 2000 VPN Wizard on the NLB array members

· Configuring the ISA Server 2000 packet filters to support connections to the array address

The Example VPN Array Network

Figure 1 shows the details of our example VPN Array Network. Please keep a copy of this network diagram in front of you as you go through this example. (We don’t expect you to memorize the entire network)

Figure 1 (fig1)

Only Windows Server 2003 and ISA Server 2000 are installed on the ISA Server firewall/VPN servers. No extraneous Windows services and no third party applications are installed on the VPN servers in the NLB array. All machines are members of the same Windows Server 2003 Active Directory domain.

The domain controller on the internal network has the following services installed:

· WINS

WINS is not a required networking service. However, if you wish to allow the VPN clients to browse for servers on the internal network, a WINS server will simplify the process.

· DNS

A DNS server is required on an Active Directory network. VPN clients are assigned a DNS server address via DHCP.

· DHCP

The DHCP server assigns addresses to internal network hosts and to VPN clients. You can configure the DHCP server to assign custom DHCP options (such as WINS and DNS server addresses and primary domain name) by using a DHCP Relay Agent on the ISA Server firewall/VPN server. Please see ISA Server 2000 VPN Deployment Kit document Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for more details on how to configure a DHCP server and a DHCP Relay Agent.

· RADIUS

The RADIUS server can be used to centralize RRAS policy across all the VPN array members. The RADIUS server simplifies the task of creating RRAS policy so that you can create a single policy on the RADIUS server and have that policy apply to all the VPN array members. RADIUS also allows you to use Active Directory domain user accounts without requiring the VPN array members to be part of the same Active Directory domain. Please see ISA Server 2000 VPN Deployment Kit article Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for more details on how to install and configure RADIUS to support VPN connections.

· Active Directory

Active Directory is required on Windows Server 2003 domain controllers.

Configuring the NLB Array

Windows Server 2003 Standard, Enterprise and Datacenter editions include the Windows Server 2003 Network Load Balancing service. One of the major improvements to the NLB service included with Windows Server 2003 is the new Network Load Balancing Manager. The NLB Manager allows you to create, configure and manage NLB arrays using an intuitive graphical interface.

Create the array after installing the Windows Server 2003 software onto the machines that will be members of the ISA Server firewall/VPN server array, but before you enable the Routing and Remote Access service using the ISA Server 2000 VPN wizard.

Note:
Please see the ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for a detailed account of how to run the ISA Server 2000 VPN Wizard

We will perform all array management tasks from LOCALISAVPN1. Perform the following steps to create the Windows Server 2003 NLB arrays:

Click Start, point to Administrative Tools, and click on Network Load Balancing Manager (figure 2),

Figure 2 (fig101)

The Network Load Balancing Manager console opens (figure 3). There are no NLB arrays configured by default. You will need to create an NLB array allowing the ISA Server firewall/VPN servers to listen on a single IP address on the external interface.

Figure 3 (fig102)

Click the Cluster menu and click the New command (figure 4).

Figure 4 (fig103)

Fill in the following information in the Cluster Parameters dialog box (figure 5):

IP address

This is the virtual IP address used by all of the members of the NLB array. The NLB Manager will automatically bind this address to the external interface of all the array members

Subnet mask

This is the subnet mask for the virtual IP address

Full Internet name

This is the Fully Qualified Domain Name (FQDN) used to access the cluster IP address for command line remote administration. Enter a name here if you choose to allow command line remote administration. This name must also be entered into the public DNS

Cluster operation mode

The Windows Server 2003 NLB service can operate in either Unicast or Mulicast mode. Choose multicast mode unless you have Cisco routers or switches on the same network segment as the external interface and those routers or switches do not support mapping unicast IP addresses to multicast MAC addresses. Please refer to the Windows Server 2003 Help for more information about NLB, unicast and multicast modes.

Allow remote control

Put a checkmark in this checkbox if you wish to allow command line remote control of the NLB array parameters. We do not wish to allow command line remote control on the external interface array. Do not enable this checkbox.

Remote password

If remote command line administration were available, you would enter a password in this text box.

Confirm password

If remote command line administration were available, you would confirm the password in this text box.

Click Next.

Figure 5 (fig104)

You can add more virtual IP addresses to the array in the Cluster IP Addresses dialog box (figure 6). Click the Add button to add more VIPs. In this example we will not use additional VIPs. Click Next.

Figure 6 (fig105)

A default rule appears in the Port Rules dialog box (figure 7). You can create customized Port Rule that determines how connections are load balanced across all the servers in the array. Click on the default port rule, then click the Edit button.

Figure 7 (fig106)

The details of the default port rule appear in the Add/Edit Port Rule dialog box (figure 8). The default port rule includes the following parameters:

Cluster IP address

This entry determines the IP address this rule applies to. The default port rule applies to all addresses in the NLB array

Port range

This entry determines what inbound ports the rule applies to. The default port rule applies to all inbound ports

Protocols

You can have the rule apply to TCP, UDP or Both. The default port rule applies to both TCP and UDP protocols. Note the Windows Server 2003 NLB port rules can only be applied to TCP and UDP protocols. You cannot apply port rules to other protocols, such as ICMP.

Filtering mode

There are three filtering modes:

Multiple host

Specifies whether multiple hosts in the cluster handle network traffic for the associated port rule. The default port rule applies to all hosts in the array and the Affinity setting is set to Single.

Single host

Specifies that network traffic for the associated port rule be handled by a single host in the cluster according to the specified handling priority. This filtering mode provides port specific fault tolerance for the handling of network traffic.

Disable port range

Specifies whether all network traffic for the associated port rule will be blocked.

Please refer to Windows Server 2003 Help for details on Filtering modes and affinity. Do not make any changes to the default port rule. Click Cancel to prevent any inadvertent changes from being applied. You use the default port rule to support your VPN client connections.

Figure 8 (fig107)

Click Next on the Port Rules page (figure 9)

Figure 9 (fig108)

Type in the name of the machine you are running the NLB Manager application on in the Host text box on the Connect page. In this example, we are running the NLB Manager on LOCALISAVPN1. Click the Connect button (figure 10). You will see a list of interfaces on this machine in the Interfaces available for configuring a new cluster list. Click on the external interface of the ISA Server firewall/VPN array member. In this example, the external interface is named WAN (this is the name appearing in the Network and Dial-up Connections window; we have renamed the interfaces to make them more descriptive). Click Next.

Figure 10 (fig109)

The details of the NLB array member appear on the Host Parameters page (figure 11).

Priority

Specifies a unique ID for each host.

IP address

This is the IP address on the NLB array member’s external interface for traffic not associated with the cluster (for example, Telnet access to a specific host within the cluster). Type the IP address in standard Internet dotted notation (for example, w.x.y.z). This IP address is used to individually address each host in the cluster and hence should be unique for each host.

Subnet mask

This is for the subnet mask for the IP address specified. Type the mask in standard Internet dotted notation (for example, 255.255.255.0).

Default state

Specifies the default host state of the Network Load Balancing cluster when Windows is started. Select the Started option if you want the host to immediately join the cluster when Windows is started. Select the Stopped option if you want this host to start without joining the cluster. Select the Suspended option if you want this host to start without joining the cluster and instead enter a suspended state.

Retain suspended state after computer restarts

Specifies whether the host will remain suspended when Windows is restarted when the host was suspended prior to shutting down.

Click Finish.

Figure 11 (fig110)

You can see the details of the NLB array configuration in the log entry pane in the bottom of the console window (figure 12).

Figure 12 (fig111)

The next step is to add a second machine to the array. Right click the name of the array in the left pane of the Network Load Balancing Manager console and click the Add Host to Cluster command (figure 13).

Figure 13 (fig112)

On the Connect page, type in the name of the computer you want to add to the array in the Host text box. In this example we want to add LOCALISAVPN2 to NLB array (figure 14). Select the external interface of this second array member in the Interface available for configuring the cluster list. Click Next.

Figure 14 (fig113)

The Host Parameters page (figure 15) has the following settings:

Priority

Specifies a unique ID for each host.

IP address

This is the IP address on the external interface of the NLB array member for traffic not associated with the cluster (for example, Telnet access to a specific host within the cluster). Type the IP address in standard Internet dotted notation (for example, w.x.y.z). This IP address is used to individually address each host in the cluster and hence should be unique for each host.

Subnet mask

This is for the subnet mask for the IP address specified. Type the mask in standard Internet dotted notation (for example, 255.255.255.0).

Default state

Specifies the default host state of the Network Load Balancing cluster when Windows is started. Select Started option if you want the host to immediately join the cluster when Windows is started. Select the Stopped option if you want this host to start without joining the cluster. Select the Suspended option if you want this host to start without joining the cluster and instead enter a suspended state.

Retain suspended state after computer restarts

Specifies whether the host will remain suspended when Windows is restarted when the host was suspended prior to shutting down.

Click Finish.

Figure 15 (fig114)

You can see the details of the array configuration in the log entry pane at the bottom of the console (figure 16). Double click on the log entry with the description Update 2 succeeded [double click for details…].

Figure 16 (fig115)

The log entry provides verbose details associated with that entry (figure 17). Click OK and close the Network Load Balancing Manager console.

Figure 17 (fig116)

Installing ISA Server 2000 on the Windows Server 2003 NLB Array Members

Install ISA Server 2000 on each member of the ISA Server firewall/VPN array. There are array specific configuration requirements. Please refer to ISA Server 2000 VPN Deployment Kit document Installing and Configuring ISA Server 2000 on Windows Server 2003 for detailed instructions on how to install ISA Server on Windows Server 2003.

Running the ISA Server VPN Wizard on the Windows Server 2003 NLB Array Members

ISA Server 2000 includes a VPN server Wizard that enables the Routing and Remote Access Service and configures ISA Server packet filters that allow access to both PPTP and L2TP/IPSec VPN clients. The ISA Server 2000 VPN server wizard performs most of the required tasks. However, you should customize the settings made by the VPN wizard to meet the requirements of your own network.

Please see ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for detailed instructions on how to run the ISA Server 2000 VPN wizard and how to customize the RRAS settings to meet the specific requirements of your organization.

Configuring the ISA Server 2000 Packet Filters to Support the NLB Array Address

The ISA Server 2000 VPN Wizard automatically configures packet filters allowing PPTP and L2TP/IPSec VPN clients to connect to your ISA Server firewall/VPN server. However, these packet filters allow inbound VPN client access to the primary IP address bound to the external interface of each ISA Server firewall/VPN server array member. The VIP (virtual IP address) used by the Windows Server 2003 NLB service is not the primary IP address and these default VPN packet filters will not allow incoming PPTP and L2TP/IPSec VPN client and VPN gateway connections.

You need to change these packet filters so that they support connections to the NLB VIP address. Perform the following steps on each member of the ISA Server firewall/VPN array:

1. Open the ISA Management console. Expand the Servers and Arrays node, then expand your server name. Expand the Access Policy node and click on the IP Packet Filters node (figure 18). Notice in the right pane of the console that the ISA Server 2000 VPN server Wizard has created four VPN related packet filters. These packet filters are:

· Allow L2TP protocol IKE packets

· Allow L2TP protocol packets

· Allow PPTP protocol packets (client)

· Allow PPTP protocol packets (server)

Double click on the Allow PPTP protocol packets (server) packet filter.

Figure 18 (fig117)

2. Click on the Local Computer tab in the Allow PPTP protocol packets (server) Properties dialog box (figure 19). Select the This ISA server’s external IP address option and type in the IP address of the VIP in the text box. Click Apply and then click OK.

Figure 19 (fig118)

3. Click on the Local Computer tab in the Allow PPTP protocol packets (client) Properties dialog box (figure 20). Select the This ISA server’s external IP address option and type in the IP address of the VIP in the text box. Click Apply and then click OK.

Figure 20 (fig120)

4. Click on the Local Computer tab in the Allow L2TP protocol packets Properties dialog box (figure 21). Select the This ISA server’s external IP address option and type in the IP address of the VIP in the text box. Click Apply and then click OK.

Figure 21 (fig121)

5. Click on the Local Computer tab in the Allow L2TP protocol IKE packets Properties dialog box (figure 22). Select the This ISA server’s external IP address option and type in the IP address of the VIP in the text box. Click Apply and then click OK.

Figure 22 (fig122)

The packet filters will take effect in a few moments. You do not need to restart any ISA Server service or the server itself. It may take longer if the server is very busy. You can make the packet filters take effect immediately if you restart the firewall service.

The ISA Server firewall/VPN server array is now ready to accept incoming PPTP and L2TP/IPSec VPN client connections. Incoming requests will be distributed evenly between all members of the NLB array. If an array member goes offline while a VPN client is connected, the user running the VPN will see the connection fail. When the user reconnects (or when the VPN client software automatically redials), a new VPN connection is established to another member of the array on the same VIP.