NLB and IP address clarification needed

  • Question

  • Hi,

    On the 2 Celestix devices, we have the following networks (defined when we got the boxes):

    • DMZ1
    • DMZ2
    • DMZ3
    • DMZ4
    • DMZ5
    • DMZ6
    • LAN
    • WAN

    We also have configured 4 NLBs.

    • LAN has an internal IP address

    The rest are as follows (just looking at one of the UAG devices):

    • WAN: 192.x.x.11
    • DMZ1: 192.x.x.21
    • DMZ2: 192.x.x.31
    • DMZ3: 192.x.x.41

    What we also find is that all the NLB Virtual addresses are associated with DMZ1 as follows:

    • 192.x.x.21 (DIP)
    • 192.x.x.10 (VIP)
    • 192.x.x.20 (VIP)
    • 192.x.x.30 (VIP)
    • 192.x.x.30 (VIP)

    Can someone please comment and confirm that this indeed is correct? Why are all the VIPs associated with one physical NIC? Should they not be associated with the NIC whose DIPs make up the VIP?

    Thanks

    Thursday, May 20, 2010 1:40 PM

Answers

  • While you are at it, can they also clarify the lack of support for NLB on the internal interface when using trunks and not DirectAccess (unless I have missed it).

    Thanks!


    Jason Jones

    This specific limitation is mentioned here: http://technet.microsoft.com/en-us/library/dd903059.aspx#BKMK_Enabling:

    Defining virtual IP addresses (VIPs)

    The following procedure describes how to add VIPs to networks. Note that when you set up NLB to load balance traffic to Forefront UAG trunks, you can configure a VIP on the external network only. Configuring VIPs on the internal network is not supported.

    • Marked as answer by Erez Benari Friday, May 28, 2010 8:38 PM
    Wednesday, May 26, 2010 2:48 PM

All replies

  • You need to add VIP addresses for the other NICs/network IDs.

    It looks like you've only created multiple addresses on one NIC/network ID.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, May 20, 2010 2:29 PM
  • I used the UAG NLB wizard, (off the Admin menu on top).

    When I create the VIP, it only allows me to select 'Internal' or 'External'... there is no option for DMZ1... DMZ2... etc., so naturally I selected 'External'... and somehow all the VIPs are being associated with NIC 192.x.x.21 (DIP)

    Thursday, May 20, 2010 2:34 PM
  • I thought UAG was only supported with EXACTLY two NICs?

    You would need dedicated TMG for DMZ as UAG is not meant to be a packet filtering firewall (as per the support boundaries doc).

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 20, 2010 10:17 PM
  • Why would Celestix appliances then ship with 8 NICs plus 1 more for Management then?

    From what I gather 2 NICs is the essential bottom line, but you can have multiple external NICs.

    Based on the documentation, the moment you enable UAG NLB, then "After configuring a network adapter to use NLB, configuring multiple dedicated IP addresses (DIPs) on the adapter is not supported. If multiple DIPs were previously configured, only one will remain after you configure NLB; the rest will be deleted." Hence the need for multiple external NICs.

    I followed http://technet.microsoft.com/en-us/library/dd903059.aspx to setup the NLB on our array. We are load balancing 4 trunks (1 x HTTP, 3 x HTTPS).

    Just wanted someone to verify the IP DIP and VIP distribution - but since we followed the technet article, we will have to assume it is correct?

    Friday, May 21, 2010 4:43 AM
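An added check, not from the thread, Microsoft or Celestix, that reports what the original poster was trying to verify by hand: which adapter each NLB VIP and DIP actually sits on, and whether an NLB-bound adapter still carries more than one DIP (the limitation quoted above from the TechNet article). It assumes the NetworkLoadBalancingClusters PowerShell module on a Windows Server 2008 R2 array node and is run locally on that node; the function name Get-NlbVipPlacement is mine, and adapter names (WAN, DMZ1, ...) are whatever the OS reports.

```powershell
# Added example, not from the thread or from Microsoft/Celestix: report which
# adapter on this UAG array node carries each NLB VIP and each dedicated IP (DIP).
# Assumes Windows Server 2008 R2 with the NetworkLoadBalancingClusters module,
# run locally on one node.

Import-Module NetworkLoadBalancingClusters

function Get-NlbVipPlacement {
    # All cluster VIPs this host knows about, as plain strings
    $vips = @(Get-NlbClusterVip | ForEach-Object { "$($_.IPAddress)" })

    # Win32_NetworkAdapter gives the friendly connection name (WAN, DMZ1 ...);
    # Win32_NetworkAdapterConfiguration gives the bound addresses. NLB adds every
    # VIP to the TCP/IP configuration of the adapter it is bound to, which is why
    # the VIPs show up under one NIC. Both classes share the Index key.
    $adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }
    $configs  = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }

    foreach ($cfg in $configs) {
        $nic  = $adapters | Where-Object { $_.Index -eq $cfg.Index }
        $name = if ($nic) { $nic.NetConnectionID } else { $cfg.Description }
        $v4   = @($cfg.IPAddress | Where-Object { $_ -notmatch ':' })   # skip IPv6

        New-Object PSObject -Property @{
            Adapter = $name
            VIPs    = @($v4 | Where-Object { $vips -contains $_ })
            DIPs    = @($v4 | Where-Object { $vips -notcontains $_ })
        }
    }
}

$placement = Get-NlbVipPlacement
$placement | Select-Object Adapter,
    @{n='VIPs'; e={ $_.VIPs -join ', ' }},
    @{n='DIPs'; e={ $_.DIPs -join ', ' }} | Format-Table -AutoSize

# Checks matching the limitations quoted from the TechNet NLB article
foreach ($p in $placement) {
    if ($p.VIPs.Count -gt 0 -and $p.DIPs.Count -gt 1) {
        Write-Warning "$($p.Adapter): NLB-bound adapter has $($p.DIPs.Count) DIPs; NLB keeps only one."
    }
}
$bound = @($placement | Where-Object { $_.VIPs.Count -gt 0 })
if ($bound.Count -gt 1) {
    Write-Warning "VIPs are spread over $($bound.Count) adapters; UAG trunk NLB supports a VIP on the external adapter only."
}
```

On the configuration described in the question, the DMZ1 row would list the .21 DIP together with the .10, .20 and .30 VIPs, and every other adapter only its own DIP. Given the replies, that is the expected picture rather than a fault: all trunk VIPs on the one external adapter, one DIP per adapter.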
  • Tom (from MSFT) told me it was two NICs only.

    It would be sensible to prepare the hardware for future needs I guess...


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 21, 2010 7:44 AM
  • That is correct. UAG supports two NICs - internal and external.

    I don't know why Celestix includes so many ports on a UAG box.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, May 24, 2010 6:11 PM
  • You gotta be kidding me?

    So if we NLB the external interfaces on the 2 Celestix devices - we can only use 1 external Public IP address (1 VIP)...as according to Technet, NLB will not allow you to have multiple IP addresses on one physical NIC.

    Our entire solution is based on the 8 NICs Celestix ships with and the Windows NLB. This is not good.

    Here's the Celestix UAG appliances: http://www.celestix.com/index.php?option=com_content&view=article&id=63&Itemid=105&lang=en 

    Monday, May 24, 2010 6:41 PM
  • You gotta be kidding me?

    So if we NLB the external interfaces on the 2 Celestix devices - we can only use 1 external Public IP address (1 VIP)...as according to Technet, NLB will not allow you to have multiple IP addresses on one physical NIC.


    It's absolutely fine to have multiple NLB VIPs, while having just one IP address on the NIC. And your trunks can each use a different NLB VIP.
    Monday, May 24, 2010 8:49 PM
  • Ah OK, and what about the comment around 8 NICs on the Celestix devices - of which we are using 4 already, and planning to use another 2 shortly.

    From a throughput perspective, we thought separate NICs per trunk, with their own IPs...and since we got 2 devices, they have been arrayed and NLB'ed (1 NIC from each device to make up the VIP).

    Monday, May 24, 2010 9:18 PM
  • Nope you can only use two interfaces at this time.

    As Ran said, you can bind multiple NLB VIPs to the external interface to allow for different trunks (one per VIP etc).

    I am also pretty sure that you cannot NLB enable the internal interface unless you plan to use DirectAccess - this seems really silly to me as it prevents the use of NLB enabled internal trunks which could be used for a split-dns environment where you want internal users to access applications via UAG but not be imposed things like 2FA. Tom/Ran - is this true???


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, May 24, 2010 9:29 PM
    So if we NLB the external interfaces on the 2 Celestix devices - we can only use 1 external Public IP address (1 VIP)...as according to Technet, NLB will not allow you to have multiple IP addresses on one physical NIC.

    Once you go NLB, you cannot assign interfaces with more than one DEDICATED IP address, which makes sense as you actually assign multiple VIPs.


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, May 24, 2010 9:32 PM
  • Let me ask my Celestix friend about the NIC density...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, May 24, 2010 9:33 PM
  • ...and the answer is:

    "Our UAG hardware includes additional network interfaces only because we use the same hardware platform for both MSA (TMG) and WSA (UAG). The cost of the network interfaces was insignificant as compared to the management and administrative overhead for having two SKUs and separate hardware for each platform."

    Monday, May 24, 2010 9:41 PM
  • That seems like reasonable explanation.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, May 24, 2010 11:06 PM
    Wow, I must have missed this in the documentation...so now I see why they have a WAN and LAN interface...and the others called DMZ1...DMZ6 are just for show in UAG's case.

    So I will use the card labelled as WAN, which already has the VIP associated with it, and try our scenario again.

    Thank you for your efforts.

    Oh - is there any such statement in the MS documentation? about using only 2 NICs?

    Tuesday, May 25, 2010 4:36 AM
  • So does MS have an official statement about using only 2 NICs for UAG?

    Does Celestix have any official statement about using 2 NICs for UAG - I mean if you look here, they discuss Ethernet Ports as if it was something we could use http://www.celestix.com/index.php?option=com_content&view=article&id=63&Itemid=105&lang=en (IMHO people should be notified of the fact that most of those Ports are useless, as they might take that into account when making purchasing decisions.)

    Tuesday, May 25, 2010 6:53 AM
    I have been looking for this too, and it should be in the Support Boundaries document really. The best I have found (although a little vague, as it doesn't say "no more than two") is this:

    "Forefront UAG must be installed on a computer with two network adapters."

    Source: http://technet.microsoft.com/en-us/library/dd903051.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, May 25, 2010 7:44 AM
  • Thanks for your efforts Jason - perhaps we could implore MS to update their documentation ;-)
    Tuesday, May 25, 2010 7:57 AM
  • Tom/Ran - can you suggest some form of documentation clarification on the two network cards issue to the product group? Maybe an addition to the Support Boundaries doc would be best? 
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, May 25, 2010 8:14 AM
  • Hi Jason & SK

    Yes, note taken and we will take care of it on our side.

    Thank you,

    -Ran

    Tuesday, May 25, 2010 1:15 PM
  • Thanks Ran - maybe you can post back here once complete?
    Tuesday, May 25, 2010 1:29 PM
    Hi Amigo. If I understand correctly, you want to improve performance using dedicated NICs per trunk. Once we have assumed that is not feasible, you could still gain throughput by teaming the adapters. I do not know Celestix boxes, but other vendors offered in IAG's boxes NICs with the software/drivers to team and make port aggregation with switches.

    Hope it helps


    // Raúl - I love this game
    Tuesday, May 25, 2010 1:43 PM
  • Hi Jason & SK

    Yes, note taken and we will take care of it on our side.

    Thank you,

    -Ran


    While you are at it, can they also clarify the lack of support for NLB on the internal interface when using trunks and not DirectAccess (unless I have missed it).

    Thanks!


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, May 25, 2010 3:11 PM
  • Trouble is, NIC teaming and NLB often don't mix well at all :(
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, May 25, 2010 3:12 PM
  • Yeah, go on, rub it in! :)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, May 26, 2010 2:59 PM
  • Hi Jason. I agree that in some cases it could be a source of problems (mainly because NLB and teaming software both re-write the MAC addresses of the interface and if they are not aware of the changes of each other you can find yourself in trouble) but with the appropriate software and drivers it could work fine. I am currently deploying an array of two UAG boxes running on Hyper-V. UAG is running NLB (another special situation in the past) and the physical NICs are teamed to two different switches. And everything is working fine.

    Well, to tell the truth, I was not very optimistic when the customer suggested the architecture, but "the glory is not for the cowards", isn't it?

    :)

    Best Regards


    // Raúl - I love this game
    Wednesday, May 26, 2010 3:04 PM
  • The issue with NLB and teaming would not exist if UAG is running under a virtualised platform as the NIC teaming is hidden from the UAG OS by the hypervisor.

    If you had physical servers which were running NLB and NIC teaming on the same physical adapter, I'm sure it wouldn't have gone so well ;)

    Allegedly it should work if you are using Multicast, but I have never seen ISA/TMG apply the NLB configuration when teaming is enabled as it always results in a "local configuration problem" error.

    I would love someone to provide a working config walkthrough though ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, May 26, 2010 3:35 PM
  • Hi Jason. I fully agree and though this is not a ISA/TMG forum there is a workaround for making NLB work with teaming in Unicast mode that is to set the MAC address of the teamed NIC to the one used by NLB (the same that had to be done not so long ago with Hyper-V, before the "allow spoofed addresses" setting was introduced in R2).

    From Microsoft Knowledge Base http://support.microsoft.com/kb/278431/en-us

    Many hardware manufacturers have updated drivers to correct this problem. Also, when you use multicast instead of unicast for NLB, NLB can function in a network adapter teaming environment because NLB does not overwrite the physical media access control address. From the perspective of Microsoft Product Support Services (PSS), use of teaming on clustered or dedicated interfaces is acceptable. However, if problems that occur seem to be related to teaming, PSS may require that you disable teaming while the problem is investigated. If this disabling of teaming itself resolves the problem, you must seek assistance from the hardware manufacturer.

    Hope it helps


    // Raúl - I love this game
    Wednesday, May 26, 2010 3:53 PM
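An added example for the unicast-mode MAC overwrite discussed in the last few replies (not from the thread, the KB article or Microsoft): it derives the cluster MAC that Windows NLB uses for the cluster IP in each operation mode and compares it with the MAC the bound adapter currently reports, so a teaming driver that has put its own MAC back in place of the NLB one can be spotted before it becomes a "local configuration problem". It assumes the NetworkLoadBalancingClusters module on a Windows Server 2008 R2 array node and is run locally on that node; the OperationMode property name is an assumption taken from the Set-NlbCluster -OperationMode parameter, and the function names are mine.

```powershell
# Added example, not from the thread, KB 278431 or Microsoft: check whether the NLB
# cluster MAC has actually replaced the adapter MAC (unicast) on this node, which is
# the interaction with NIC teaming that Raúl and Jason describe. Assumes the
# NetworkLoadBalancingClusters module on Windows Server 2008 R2, run on a node.

Import-Module NetworkLoadBalancingClusters

function Get-NlbClusterMac {
    # Windows NLB derives the cluster MAC from the primary cluster IP w.x.y.z:
    #   unicast        02-BF-w-x-y-z   (replaces the adapter's own MAC)
    #   multicast      03-BF-w-x-y-z   (adapter keeps its burned-in MAC)
    #   IGMP multicast 01-00-5E-7F-y-z
    param([string]$ClusterIp, [string]$Mode)
    $o = $ClusterIp.Split('.') | ForEach-Object { '{0:X2}' -f [int]$_ }
    switch -Regex ($Mode) {
        '^unicast$' { return ('02-BF-' + ($o -join '-')) }
        'igmp'      { return ('01-00-5E-7F-' + $o[2] + '-' + $o[3]) }
        default     { return ('03-BF-' + ($o -join '-')) }
    }
}

function Test-NlbMacTakeover {
    $cluster   = Get-NlbCluster
    $clusterIp = "$($cluster.IPAddress)"
    $mode      = "$($cluster.OperationMode)"   # assumed property name (see lead-in)
    $expected  = Get-NlbClusterMac -ClusterIp $clusterIp -Mode $mode

    # NLB adds the cluster IP to the TCP/IP configuration of the adapter it is
    # bound to, so that adapter is the one whose address list contains the VIP.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
           Where-Object { $_.IPEnabled -and @($_.IPAddress) -contains $clusterIp } |
           Select-Object -First 1
    if (-not $cfg) { throw "Cluster IP $clusterIp is not bound to any adapter on this node" }
    $nic = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.Index -eq $cfg.Index }

    # WMI reports MACs colon-separated; normalise to the dash form used above
    $actual = $nic.MACAddress -replace ':', '-'

    New-Object PSObject -Property @{
        Adapter      = $nic.NetConnectionID
        Description  = $nic.Description        # teaming drivers usually name themselves here
        Mode         = $mode
        ExpectedMac  = $expected
        AdapterMac   = $actual
        MacTakenOver = ($actual -eq $expected)  # only ever true in unicast mode
    }
}

$r = Test-NlbMacTakeover
$r | Format-List Adapter, Description, Mode, ExpectedMac, AdapterMac, MacTakenOver

if ($r.Mode -match '^unicast$' -and -not $r.MacTakenOver) {
    Write-Warning ("Unicast NLB, but the adapter still reports {0}: a teaming driver may be " +
                   "overriding the MAC. Either set the team MAC to {1}, or switch the cluster " +
                   "to multicast, which leaves the adapter MAC alone (KB 278431).") -f $r.AdapterMac, $r.ExpectedMac
}
```

In multicast mode MacTakenOver is expected to be false, because NLB never rewrites the adapter MAC there; the warning therefore fires only for the unicast-plus-teaming combination that the KB article and the replies above single out.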
  • Yeah, aware of that, but always found issues when using Tier1 hardware like HP, Dell, IBM etc. Maybe I have always been unlucky :(
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, May 26, 2010 8:24 PM