Network Load Balancing


Internet connectivity keeps many businesses running. If your company depends on keeping Internet content available to internal or external clients, you'll probably want the redundancy provided by Network Load Balancing (NLB). This technology allows several ISA servers to share a single IP address while each server also keeps its own unique IP address. This group of computers is known as a cluster. One important feature of a cluster is that NLB distributes the workload among all participating servers. It also prevents interruption of service by ensuring that, should one server fail, the others seamlessly continue providing service.

Integrated and Nonintegrated Network Load Balancing

ISA Server 2004 offers two modes of NLB:

  • Integrated NLB: You use the ISA Management console to configure and manage NLB.

    Integrated NLB is not configured by default. For procedures, see the section "Enabling Network Load Balance Integration" later in this chapter.

  • Nonintegrated NLB: You use the Microsoft Windows operating system to configure and manage NLB.

    Note 

    You have greater flexibility in configuring NLB if you use the integrated mode offered through ISA Server 2004 Enterprise Edition.

Prerequisites

Before you can install NLB and configure your ISA servers as a cluster, make sure you've met the following prerequisites:

  • Your ISA servers are running Microsoft Windows 2000 Advanced Server or Datacenter Server, or Windows Server 2003 Standard, Enterprise, or Datacenter Edition. Microsoft Windows 2000 Server doesn't support NLB.

  • You've obtained an IP address for the cluster (also known as the cluster IP address) in addition to an IP address assigned to each member of the cluster (known as dedicated IP addresses).

Installing and Configuring Network Load Balancing

Once you've completed the prerequisites for NLB, you'll need to configure the internal network adapters to support your cluster. By default, the Network Load Balancing Service is available, but not enabled, on Windows 2000 Advanced Server. If for some reason the service isn't available, follow these steps to install the service on Windows 2000 Server (the steps to install on Windows Server 2003 are described later in this chapter):

  1. Open Control Panel and double-click Network And Dial-Up Connections.

  2. Right-click the applicable internal network adapter and then click Properties.

  3. Click Install, click Service, and then click Add.

  4. Select Network Load Balancing and then click OK.

    Note 

    Remember that if the service isn't available, you're probably running Windows 2000 Server, which doesn't support NLB.

To configure NLB, complete the following steps:

  1. Open Control Panel and double-click Network And Dial-Up Connections.

  2. Right-click the applicable internal network adapter and then click Properties.

  3. Select the Network Load Balancing check box and then click Properties.

  4. On the Cluster Parameters tab, you'll need to provide the information about the cluster shown in Table 15-1.

  5. Click the Host Parameters tab. Provide the information about the host shown in Table 15-2.

  6. Click the Port Rules tab. By default, all TCP or UDP traffic directed to the cluster IP address on ports 0 through 65535 is equally load balanced. You can add, edit, or remove port rules by clicking the appropriate buttons.

  7. Click OK twice and then click Close to complete.

Table 15-1: Configuring the Cluster Parameters

| Cluster Parameter | Explanation |
|---|---|
| IP Address | This address is the cluster IP address, which must be set identically for all hosts in the cluster. This address is often referred to as the virtual IP address (VIP). This IP address must be configured in the Internet Protocol (TCP/IP) Properties dialog box. |
| Subnet Mask | This parameter denotes the subnet mask for the cluster IP address. |
| Full Internet Name | This is the full Internet name that identifies the cluster. This parameter should be the same on all members of the cluster. |
| Cluster Operation Mode | This parameter specifies whether or not a multicast media access control (MAC) address should be used for cluster operations. |
| Allow Remote Control | This parameter specifies whether remote control operations are enabled. By default, they're not. If you do enable them, you must also provide a password. |

Table 15-2: Configuring the Host Parameters

| Host Parameter | Explanation |
|---|---|
| Priority (Unique Host Identifier) | Assign a unique priority to each ISA server in the cluster. |
| IP Address | This IP address is assigned to the internal network interface of the ISA server to individually address each host in the cluster. This IP address must be configured in the Transmission Control Protocol/Internet Protocol (TCP/IP) Properties dialog box. |
| Subnet Mask | This parameter denotes the subnet mask for the dedicated IP address. |
| Default State | This parameter controls the starting of NLB and whether the host immediately joins the cluster when the operating system is started. |
| Retain Suspended State After Computer Restarts | If this is selected, it configures the host to stay in a suspended state if the computer restarts. |

To install the Network Load Balancing Service on a Windows Server 2003, Enterprise Edition server, follow these steps:

  1. Open Control Panel, click Network Connections, right-click the applicable internal network adapter, and then click Properties.

  2. Select the Network Load Balancing check box and then click Properties.

    Note 

    Remember that NLB isn't available on Windows 2000 Server but it is on Windows 2000 Advanced Server and all versions of Windows Server 2003.

The options to configure NLB on a Windows Server 2003 Enterprise Edition server are identical to those in the Windows 2000 steps described previously.

Enabling Network Load Balance Integration

NLB integration mode allows ISA Server to load balance traffic on a per-network basis and is configured using the ISA Server Management console. By default, NLB integration is disabled.

To enable NLB integration, perform the following steps:

  1. Open the ISA Server Management console.

  2. In the console tree, expand the Arrays node, expand the applicable array, expand Configuration, and then click Networks.

  3. In the details pane, click the Networks tab, and select the applicable network to have NLB integration enabled.

  4. In the task pane, under Related Tasks, click Enable Network Load Balancing Integration.

  5. On the Welcome To The Network Load Balancing Integration Wizard page, read about the purpose of the wizard, and click Next.

  6. On the Select Load Balanced Networks page, select the networks you want to use NLB. After selecting the check box for one or more networks, click Set Virtual IP, type the IP address and subnet mask, and click OK. Click Next to continue.

  7. On the Completing The Network Load Balancing Integration Wizard page, review the summary of information, and then click Finish.

  8. In the information dialog box, shown in Figure 15-4, read the purpose of the message and then click OK.

  9. Click Apply to save your changes.

  10. On the ISA Server Warning page, review your options, click OK, and then click OK again after your changes have been incorporated.

Figure 15-4: You will be presented with an informative message that is important to follow to properly configure NLB.

Note 

When enabling or disabling NLB integration, all array members must be restarted.

Enabling Network Load Balancing for a Network

After NLB integration mode has been enabled, the next step is to enable NLB for a network. Only configure this for networks directly connected to the array. Additionally, the following networks cannot be configured to support NLB:

  • All enterprise-level networks

  • Local Host array-level network

  • Quarantined VPN clients array-level network

  • VPN clients array-level network

To enable NLB for a specific network, follow these steps:

  1. Open the ISA Server Management console.

  2. In the console tree, expand the Arrays node, expand the applicable array, expand Configuration, and then click Networks.

  3. In the details pane, click the Networks tab, right-click the network in which you would like to enable NLB, and select Properties.

  4. Click the NLB tab.

  5. Select the Enable Load Balancing On This Network check box.

Note 

You should allow 10 minutes for the change to propagate to the array members configured with NLB.

Additional Configuration for ISA Server and Network Load Balancing

To create the most efficient environment for NLB, be sure you've performed the following actions:

  • Ensure that all SecureNAT clients take advantage of the NLB functionality by setting the default gateway of these clients to the primary (virtual) IP address of the cluster, rather than the dedicated IP address of an individual ISA server.

  • If your server operates with only one network adapter, configure two separate IP addresses. Set the priority of the dedicated IP address to a value lower than that of the primary (virtual) IP address.

  • If your server operates with two network adapters, set the priority of the dedicated IP address to a value lower than that of the primary (virtual) IP address; because a lower value means a higher priority, this gives the dedicated IP address a higher priority than the primary IP address.

Note 

You can configure the priority of IP addresses by opening your network adapter's properties, selecting the NLB service, and clicking Properties. Click the Host Parameters tab, and set the priority.
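
The rules in Tables 15-1 and 15-2 and the SecureNAT gateway advice above can be checked before any server is touched. The following Python script is an added example, not part of the book or of ISA Server; the plan layout, field names, host names and addresses are all assumptions made up for illustration.

```python
import ipaddress

# Constructed sample plan: every name, address and password here is made up.
PLAN = {
    "hosts": [
        {"name": "isa1", "cluster_ip": "10.0.0.10", "cluster_mask": "255.255.255.0",
         "full_name": "isa.example.test", "priority": 1, "dedicated_ip": "10.0.0.11",
         "remote_control": False, "remote_password": ""},
        {"name": "isa2", "cluster_ip": "10.0.0.10", "cluster_mask": "255.255.255.0",
         "full_name": "isa.example.test", "priority": 1, "dedicated_ip": "10.0.0.12",
         "remote_control": True, "remote_password": ""},
    ],
    # Default gateway currently set on each SecureNAT client.
    "securenat_gateways": {"ws-01": "10.0.0.10", "ws-02": "10.0.0.11"},
}


def audit(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, hosts = [], plan["hosts"]
    # Table 15-1: cluster-wide values must be identical on every member.
    for key in ("cluster_ip", "cluster_mask", "full_name"):
        if len({h[key] for h in hosts}) > 1:
            findings.append(f"{key} is not identical on all hosts")
    vips = {ipaddress.ip_address(h["cluster_ip"]) for h in hosts}
    priorities, dedicated = {}, {}
    for h in hosts:
        # Table 15-2: the priority is the unique host identifier.
        if h["priority"] in priorities:
            findings.append(f"{h['name']} reuses priority {h['priority']} of {priorities[h['priority']]}")
        priorities.setdefault(h["priority"], h["name"])
        # Each member needs its own dedicated IP, distinct from the cluster IP.
        dip = ipaddress.ip_address(h["dedicated_ip"])
        if dip in vips or dip in dedicated:
            findings.append(f"{h['name']} dedicated IP {dip} is not unique")
        dedicated.setdefault(dip, h["name"])
        # Table 15-1: remote control is off by default and needs a password if on.
        if h["remote_control"] and not h["remote_password"]:
            findings.append(f"{h['name']} enables remote control without a password")
    # SecureNAT clients must use the virtual IP as gateway, not one ISA server.
    for client, gw in plan["securenat_gateways"].items():
        if ipaddress.ip_address(gw) not in vips:
            findings.append(f"{client} gateway {gw} is not the cluster IP")
    return findings


if __name__ == "__main__":
    for finding in audit(PLAN):
        print("FINDING:", finding)
```

A malformed address in the plan raises ValueError from the ipaddress module instead of being silently accepted.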

Stopping Network Load Balancing

You have two options for stopping NLB on an array member. You can stop the service, which drops all connections to the NLB, or you can drain and stop the service. Drain-and-stop removes the array member from the NLB algorithm so that new connections cannot be made. Active connections continue to be serviced until those connections are ended.

To drain and stop the NLB configuration, follow these steps:

  1. Open the ISA Server Management console.

  2. In the console tree, expand the Arrays node, expand the applicable array, and then click Monitoring.

  3. In the details pane, click the Services tab, and click the Network Load Balancing service.

  4. In the task pane, under Services Tasks, click Drain And Stop Selected Service.

  5. In the details pane, you will notice the status of the service change from Configuring to Stopped.

    Note 

    If you only want to stop the service, click Stop Selected Service on the task pane.

Server Publishing and Network Load Balancing

When clustering ISA servers, most Web publishing scenarios require that NLB binds only to external network adapters. Server publishing, however, can't support NLB on Windows 2000 Server installations, because server publishing requires NLB to bind to both internal and external network adapters. This creates the potential for traffic sent from published servers to be received by an internal network adapter, where the response stalls.

Tip 

If you require NLB and server publishing on Windows 2000, you can either use a hardware-based technology or a software-based solution like Rainfinity's RainWall for ISA Server, which is available at http://www.rainfinity.com/products/rainwall_isa.html.

Windows Server 2003 supports NLB and server publishing through a technology called bidirectional affinity. This feature creates multiple instances of NLB on the server to ensure that the internal and external network adapters send and receive the appropriate traffic.

Using DNS Round Robin

You can also load balance ISA servers by configuring DNS round robin. DNS round robin is just as feasible as NLB, and you can implement it with fewer configurations; however, it's not as efficient as NLB in providing load balancing and fault tolerance. See the Windows Server Help documentation for more information on configuring DNS round robin.




Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
ISBN: 0735621888
EAN: 2147483647
Year: 2006
Pages: 173
