ISA 2006 Redundancy Options with 2 ISA 2006 Enterprise Servers With 2 NICs Each?
Saturday, January 19, 2013 1:15 AM
I have several questions, but they are all intertwined with each other.
What are the workable options for redundancy when one server goes offline when you have 2 servers with 2 nics each with the edge firewall configuration?
I see an option under internal network properties that says "If ISA Server is unavailable, use this backup route to connect to the Internet:"
Direct Access
Alternative ISA Server.
So, does this mean that you have some redundancy against loss of Internet access during server reboots even if you do not enable NLB?
Should you have each ISA point to the other as the backup route or should you have the first point to the second and the second server's backup route be "Direct Access"?
Do you combine these backup route settings with NLB at the same time?
If the internal NIC is being used for intra-array communication, can you also use this NIC as the NIC where the virtual IP for NLB is coming from?
For instance if the internal nic is 192.168.1.6 and the external nic 192.168.55.6 can you have the virtual IP set to 192.168.1.120 and also load balance the Internal network?
I read that you cannot load balance the intra-array network, but I don't want to load balance the intra-array network. I want to load balance the Internal network, but I don't have enough nics for everything to be on a different nic.
When you enable NLB, do you use the VIP (192.168.1.120) as the IP address used in configuring browser settings or gateway addresses instead of the internal IP address of the first ISA server?
All Replies

Tuesday, January 22, 2013 7:08 AM (Moderator)
Hi,
Thank you for the post.
"If ISA Server is unavailable, use this backup route to connect to the Internet:" – This option allows machines configured as web proxy clients to use other means to connect to the Internet. Typically, this means that the web proxy client will leverage its SecureNAT or Firewall Client configuration to connect to the Internet. If the machine is not configured as a SecureNAT and/or Firewall client, then no access will be allowed if the web proxy service becomes unavailable.
NLB can be enabled on both the Internal and External networks. Clients connect to the array using a hostname that resolves to the virtual IP address (VIP) assigned to the Internal network. But pay attention to the different behavior of the following client types:
1. SecureNAT clients fully support NLB for outbound connections.
2. Web proxy clients can be configured to use a name that maps to a VIP.
3. Firewall clients must be configured to use a specific DIP; you can balance the load using DNS round robin.
Regards,
Nick Gu - MSFT
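The proxy list a web proxy client actually follows is easier to see in a proxy auto-config (PAC) script than in the dialog. The script below is an added example, not part of this thread and not the script ISA Server generates itself: it is a hand-written PAC file that shows how the VIP, the array members' dedicated IPs and the two backup-route choices ("alternate ISA server" vs "Direct access") line up as entries in the string returned to the browser. Browsers try the entries left to right and move on when a proxy does not answer, which is what gives a web proxy client failover between array members even without NLB. The hostnames isa-vip.corp.example (resolving to the VIP 192.168.1.120), isa1.corp.example and isa2.corp.example (the members' DIPs), the domain .corp.example and port 8080 are assumptions for the example; the PAC helper functions are re-implemented minimally so the script can be exercised outside a browser.

```javascript
// Added example: a hand-written PAC script illustrating web proxy client
// failover between ISA array members. Not ISA Server's own generated script.
//
// Assumed (hypothetical) names:
//   isa-vip.corp.example -> NLB VIP 192.168.1.120
//   isa1.corp.example    -> DIP of array member 1 (192.168.1.6)
//   isa2.corp.example    -> DIP of array member 2
var PROXY_PORT = 8080;
var INTERNAL_DOMAIN = ".corp.example";

// Mirrors the two "backup route" choices in the Internal network properties:
//   "alternate" -> fall over to the array members' dedicated IPs
//   "direct"    -> fall back to a direct connection, which only works if the
//                  client is also a SecureNAT client with a route to the Internet
var BACKUP_ROUTE = "alternate";

// Minimal stand-ins for the helpers a browser's PAC engine normally provides,
// so the script runs under Node for testing. Real PAC engines supply these.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function isIPv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}
// Only called with an IP literal here; a browser's isInNet would also resolve names.
function isInNet(ipaddr, pattern, mask) {
  var ip = ipaddr.split(".").map(Number);
  var p = pattern.split(".").map(Number);
  var m = mask.split(".").map(Number);
  for (var i = 0; i < 4; i++) {
    if ((ip[i] & m[i]) !== (p[i] & m[i])) return false;
  }
  return true;
}

// Builds the ordered proxy list. The VIP name comes first; what follows it is
// the "backup route": either each member's DIP or a direct connection.
function buildProxyList(backupRoute) {
  var primary = "PROXY isa-vip.corp.example:" + PROXY_PORT;
  if (backupRoute === "direct") {
    return primary + "; DIRECT";
  }
  var members = [
    "PROXY isa1.corp.example:" + PROXY_PORT,
    "PROXY isa2.corp.example:" + PROXY_PORT
  ];
  return primary + "; " + members.join("; ");
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  // Single-label and internal-domain names never leave through the web proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Internal subnet reached by IP literal: also direct.
  if (isIPv4Literal(host) && isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return buildProxyList(BACKUP_ROUTE);
}
```

Two caveats follow from the reply above. First, this list only governs traffic from applications that honor the proxy setting (HTTP/HTTPS/FTP); Firewall Client and SecureNAT traffic is unaffected by it. Second, a trailing DIRECT entry is a bypass, not a second firewall: a client that has some route to the Internet other than the array will use it unfiltered once the proxies are unreachable, while a client whose only default gateway is the array simply gets no access, which is the "no access will be allowed" case the reply describes.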

Tuesday, January 22, 2013 7:24 AM
“"If ISA Server is unavailable, use this backup route to connect to the Internet:" – This option allows machines configured as web proxy clients to use other means to connect to the Internet. Typically, this means that the web proxy client will leverage its SecureNAT or Firewall Client configuration to connect to the Internet. If the machine is not configured as a SecureNAT and/or Firewall client, then no access will be allowed if the web proxy service becomes unavailable.”
That doesn't make sense to me. Why do the configuration settings ask you to make the choice of alternate ISA server or "Direct access" then?
What do you mean "Firewall clients must be configured to use a specific DIP?" What is a DIP? I thought the point of the VIP is that it managed load balancing for you so it connects to any available ISA server and automatically forwards to the next ISA server if the first is down?
So, what if a client is both a web proxy client and a firewall client (managed domain computers)?
What if the client is an unmanaged computer (not joined to our domain or not Windows) with no firewall client and users either use securenat or web proxy + securenat combination?
Different IP addresses in gateway vs IP in web browser proxy settings?

Monday, January 28, 2013 6:08 AM (Moderator)
Hi,
Thank you for the update.
“Why do the configuration settings ask you to make the choice of alternate ISA server or "Direct access" then?” – please refer to this blog: http://blogs.isaserver.org/shinder/2007/08/09/creating-alternate-web-proxy-filter-routes-for-web-proxy-clients-on-the-isa-firewall/
“What do you mean "Firewall clients must be configured to use a specific DIP?" What is a DIP?” – I mean the Firewall Clients must be configured to communicate directly with the TMG firewall’s dedicated IP address (DIP). You can use DNS round robin to point the clients to the ISA Server array members’ dedicated IP addresses.
“What if a client is both web proxy client and firewall client (managed domain computers)?” – the web proxy client configuration handles all HTTP/HTTPS/FTP downloads from web proxy client-configured applications. The Firewall Client handles all other Winsock TCP and UDP communications.
Regards,
Nick Gu - MSFT

Sunday, February 03, 2013 2:05 AM
DNS round robin is not fault tolerant. If we use that it looks like it would defeat the entire purpose we are setting up 2 ISA servers. The expected volume of traffic should be easily handled by a single ISA server as long as it keeps running. We have 2 ISA servers only because we need Internet access to continue even if any one of the 2 ISA servers were to fail. DNS round robin would randomly send traffic without regard to the status of the server.
If one ISA server goes down and DNS server sends random users to it, would reloading their browser automatically send them to the other ISA server or would they be stuck with no Internet access until the unavailable ISA server was fixed or removed from round robin?

Thursday, February 07, 2013 2:31 AM (Moderator)
Hi,
Thank you for the post.
Yes, as load balancing is not supported with ISA firewall clients, we have to use DNS round robin instead.
Regards,
Nick Gu - MSFT