2012 DA NLB and NAT Clarification

  • Question

  • Hello

    I am just looking for clarification on a DA 2012 question. The scenario is:

    2x 2012 DA servers in an NLB array.

    Placed behind a firewall using NAT.

    DA1 External interface = 192.168.0.55

    DA2 - External Interface = 192.168.0.56

    External IPs 4.4.4.4 and 4.4.4.5

    Now what do I configure for the VIP? I know I would use 192.168.0.53, but then what does 4.4.4.5 get NATed to? Do I just add a second VIP address on the cluster, say 192.168.0.54, and NAT 4.4.4.5 to this?

    Thanks

    Monday, March 11, 2013 4:37 PM

All replies

  • Hi,

    If your DA setup is behind NAT, your setup will only use IP-HTTPS and therefore you only need/use one external IPv4 address.

    The requirement for two consecutive IPv4 addresses is for Teredo when it tries to determine what type of NAT your client is behind.
    I.e., in your setup you have no need to NAT 4.4.4.5, since you can only use IP-HTTPS in your setup and that will point to your first IPv4 address.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Monday, March 11, 2013 7:57 PM
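The addressing rule from the reply above, written out as a small Python planner so the two cases in the question can be compared side by side. This is an added example, not code from the thread or from DirectAccess itself; it assumes the rules as stated (behind NAT only IP-HTTPS is used, so the first public IPv4 is NATed to the NLB VIP and any further public address is simply unused; Teredo needs two consecutive public IPv4 addresses on the DA external interface) plus the fact that 6to4 also requires a public IPv4 address. The function name and the 192.168.0.53 VIP are taken from the question; nothing here queries a real DA server.

```python
import ipaddress


def plan_da_external_addressing(public_ips, behind_nat, nlb_vip=None):
    """Return {"transitions": [...], "nat_mappings": [(public, vip), ...]}.

    public_ips  - external IPv4 addresses available on the Internet side
    behind_nat  - True when the DA NLB array sits behind a NAT firewall
    nlb_vip     - the NLB VIP on the DA external interfaces (NAT case only)

    Rules encoded here (from the thread, plus the 6to4 public-IP requirement):
      * behind NAT -> IP-HTTPS only; one public IPv4 is NATed to the VIP,
        a second public address has nothing to be NATed to
      * no NAT, all addresses public -> 6to4 available
      * no NAT, two consecutive public addresses -> Teredo available too
    """
    addrs = [ipaddress.IPv4Address(ip) for ip in public_ips]
    if not addrs:
        raise ValueError("at least one external IPv4 address is required")

    if behind_nat:
        if nlb_vip is None:
            raise ValueError("behind NAT the NLB VIP must be given")
        # Only TCP 443 (IP-HTTPS) needs to reach the array: NAT the first
        # public address to the VIP and leave the rest unmapped.
        return {
            "transitions": ["IP-HTTPS"],
            "nat_mappings": [(str(addrs[0]), str(ipaddress.IPv4Address(nlb_vip)))],
        }

    transitions = ["IP-HTTPS"]  # always possible, works through any path
    if all(a.is_global for a in addrs):
        transitions.append("6to4")  # needs a public IPv4 on the DA interface
        consecutive = len(addrs) >= 2 and int(addrs[1]) == int(addrs[0]) + 1
        if consecutive:
            transitions.append("Teredo")  # two consecutive public IPv4s
    return {"transitions": transitions, "nat_mappings": []}


if __name__ == "__main__":
    # The question's scenario: public 4.4.4.4/4.4.4.5 in front of a NAT,
    # VIP 192.168.0.53 on the NLB array (values constructed from the thread).
    print(plan_da_external_addressing(["4.4.4.4", "4.4.4.5"], True, "192.168.0.53"))
    # Same two addresses placed directly on the DA external interfaces instead.
    print(plan_da_external_addressing(["4.4.4.4", "4.4.4.5"], False))
```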
  • Just my own input on this since it seems like I am talking to people about it all the time lately. Clarkeyi, I recognize your name on here so I think you have been using DA for a while (since UAG?) and if that is correct, you probably have public IPs available to give to your DA servers so that you don't have to sit behind a NAT. In my eyes, the reason Microsoft added "behind a NAT capability" was for smaller customers who don't have access to public IPs. As you know, sitting behind a NAT limits you to only using IP-HTTPS. While at surface level this doesn't matter because everyone can just connect over IP-HTTPS, it has a couple of disadvantages.

    I have seen numerous cases where something happened at the server level (routing, certificate expiry, etc) that broke just one of the 3 transition technologies. For example, when the certificate for IP-HTTPS expires, in an environment where you have used public IPs and have Teredo available, you may not even notice that IP-HTTPS is down right away because the majority of your connections will be able to use 6to4 and Teredo. You would have a minimal percentage of users down. In a NAT install, you are hard down - everyone. So having all 3 transition technologies is a big benefit in my eyes.

    Also, IP-HTTPS is less efficient than Teredo. This means the connections are slower, and that the server has to work harder to service all of those connections. I know what you are thinking - "Microsoft changed IP-HTTPS so that it's now NULL encryption and so the double-encryption is now gone, resulting in IP-HTTPS being almost on-par with Teredo" - this is true, only for Windows 8 client machines. I haven't talked to a single company yet that is all-in for Win8. So your Windows 7 clients (and your server) will still be at a disadvantage if you stick with IP-HTTPS only.

    Wednesday, March 13, 2013 2:21 PM