Installing Network Load Balancing Clusters


An NLB cluster can be created easily using the Network Load Balancing Manager utility provided with the Windows Server 2003 Administrative Tools. NLB clusters can also be created using the network interface card property pages or at a command prompt using NLB.exe. To properly configure an NLB cluster, the administrator needs to research the type of network traffic the load-balanced application or service will utilize. For example, to load-balance standard Web traffic, the cluster needs to support TCP port 80, and for Terminal Services, the cluster needs to support TCP port 3389.

NLB Applications and Services

Network load balancing is well equipped to distribute user connections and provide fault tolerance for many applications and network services. Because NLB does not replicate data across cluster nodes, applications that rely on local data that end users can change are a poor choice. For example, file servers that store user data directories or databases are not good candidates, because a user may save a file or change data within a database while connected to one node and later reconnect to a different node to find the file missing or the database changes absent.

Applications well suited for NLB clusters are Web sites serving static content or dynamic content built from a back-end database running outside the NLB cluster. Also, Windows Server 2003 Terminal servers, VPN servers, Internet Security and Acceleration servers, and streaming media servers are well suited to be deployed on NLB clusters.

Because the most important part of an NLB deployment is determining what cluster operation mode and port rules need to be used for the load-balanced application to function correctly, the cluster administrator must understand the application thoroughly. It's important to read the vendor's application documentation regarding how the client communicates with the application. For instance, certain applications use cookies or other stateful session information that can be used to identify a client throughout the entire session. As a result, applications configured to prompt users for authentication upon starting a session will fail if the user's future requests are sent to a different cluster node that has not authenticated the user. Knowing these considerations in advance will help determine the required settings that need to be configured using cluster port rules and the filtering mode.

Creating Port Rules

When an NLB cluster is created, one general port rule is created for it. The port rule or rules define what type of network traffic the cluster will load-balance across the nodes, and each rule's filtering mode defines how that traffic is balanced across the individual nodes. As a best practice, limiting the allowed ports on the clustered IP addresses to only those needed by the load-balanced applications improves both performance and security. Because each node in an NLB cluster answers for the clustered IP address, every node receives all inbound traffic sent to it. Each node applies the same distribution algorithm to every packet and either handles it or silently discards it because the algorithm assigns that client to another node; the nodes do not negotiate per connection. If no port rule defines how traffic on a particular TCP or UDP port is to be handled, traffic on that port is handled by the cluster node with the lowest host priority value (the default host).

When an administrator creates port rules that allow only specific ports on the clustered IP address and an additional rule that disables all other ports and ranges, the nodes can discard packets that fall in a disabled range without further processing, which improves performance. The security benefit is that only the intended ports or services are reachable on the clustered IP address, which makes monitoring the servers and maintaining security updates simpler. Note that port rules apply only to traffic addressed to the cluster IP addresses: traffic to a node's dedicated IP address or to its other network cards is passed to the host untouched, so port rules do not replace a host firewall or service hardening on each node.

Port Rules Filtering Mode and Affinity

Within a cluster port rule, the NLB administrator must configure the appropriate filtering mode. The filtering mode specifies whether only one node or multiple nodes in the cluster can respond to traffic matching the rule and, for multiple nodes, whether requests from a single client stay on one node throughout a session. There are three filtering modes: Single Host, Disable Port Range, and Multiple Host.

The Single Host Mode

The Single Host filtering mode delivers network traffic meeting the port rule criteria to only one node in the cluster: the node whose handling priority for that rule is the best (lowest value) among the nodes currently in the cluster. An example is an IIS Web farm in which only one server has a Secure Sockets Layer (SSL) certificate for a secure Web site. In this case, creating a rule for TCP port 443 (the SSL port) with Single Host filtering isolates this traffic to the node with the certificate installed.

The Disable Port Range Mode

The Disable Port Range filtering mode tells the cluster which ports not to listen on and to drop these packets without investigation. Administrators should configure port rules and use this filter mode for ports and port ranges that do not need to be load-balanced across the cluster nodes.

The Multiple Host Mode

The Multiple Host filtering mode is probably the most commonly used filtering mode and is also the default. This mode allows traffic to be handled by all the nodes in the cluster. When traffic is balanced across multiple nodes, the application requirements define how the affinity mode should be set.

There are three affinity types for Multiple Host mode:

  • None: NLB distributes on the client's source IP address and port, so requests from the same client can be handled by any node in the cluster during a session (each new connection may land on a different node). This spreads load most evenly and can speed up response times, but it suits only stateless traffic such as static Web content and read-only file and FTP servers.

  • Class C: NLB distributes on the first three octets of the source address, so all clients in one class C (/24) address range are sent to a single node. This type is not used often, but it supports stateful sessions for clients whose requests arrive from several proxy servers in the same /24. Like Single affinity, it provides no balancing when every client arrives through a single proxy or NAT firewall, because all requests then carry the same source address.

  • Single: This is the most widely used type. All requests from a given source IP address are handled by the same node for as long as the cluster membership does not change, so it accommodates sessions that require stateful data. It also collapses all traffic onto one node when clients share a single source address behind a proxy.
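The following added example, written for this page and not code from NLB or the book, models how the port rules, filtering modes and affinity types above decide which node answers a packet: every node runs the same stateless calculation on every inbound packet and either handles it or discards it, so no node needs to consult the others. NLB's real distribution hash is not published, so a SHA-256 based choice over the affinity key stands in for it; the rule set (a Terminal Services farm with TCP 3389 balanced, TCP 443 pinned to one node and all other ports disabled), the host priorities and the client addresses are constructed for the example.

```python
"""Model of how NLB port rules decide which node answers a packet.

Added example for this page, not code from NLB or the book: NLB's real
distribution hash is not published, so a SHA-256 based choice over the
affinity key stands in for it. Rule set, host priorities and client
addresses below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    start: int                  # first destination port the rule covers
    end: int                    # last destination port the rule covers
    protocol: str = "both"      # "tcp", "udp" or "both"
    mode: str = "multiple"      # "multiple", "single" or "disabled"
    affinity: str = "single"    # "none", "single" or "classc" (multiple host only)
    handling_host: int = 1      # single host mode: the node designated to answer
                                # (in NLB each node sets its own handling priority
                                # per rule and the best live one wins; the model
                                # assumes the designated node is up)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    protocol: str               # "tcp" or "udp"


def rule_matches(rule: PortRule, pkt: Packet) -> bool:
    """A rule applies when destination port and protocol fall inside it."""
    return (rule.start <= pkt.dst_port <= rule.end
            and rule.protocol in ("both", pkt.protocol))


def affinity_key(rule: PortRule, pkt: Packet) -> str:
    """The part of the packet the multiple-host distribution is keyed on."""
    if rule.affinity == "none":
        # source IP and port: each new connection may land on another node
        return f"{pkt.src_ip}:{pkt.src_port}"
    if rule.affinity == "classc":
        # first three octets: a whole /24 of clients sticks to one node
        return ".".join(pkt.src_ip.split(".")[:3])
    # "single": everything from one source IP sticks to one node
    return pkt.src_ip


def pick_node(key: str, hosts: frozenset[int]) -> int:
    """Deterministic choice, so every node reaches the same answer on its own."""
    digest = int(hashlib.sha256(key.encode()).hexdigest(), 16)
    ordered = sorted(hosts)
    return ordered[digest % len(ordered)]


def owner(rules: list[PortRule], hosts: frozenset[int], pkt: Packet) -> int | None:
    """Host priority of the node that handles pkt, or None if it is dropped.

    The rules here do not overlap, so the first match is the only one.  A
    packet matching no rule goes to the default host: the node with the
    lowest host priority value.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.mode == "disabled":
                return None
            if rule.mode == "single":
                return rule.handling_host
            return pick_node(affinity_key(rule, pkt), hosts)
    return min(hosts)


def terminal_server_rules() -> list[PortRule]:
    """Constructed rule set for a Terminal Services farm: RDP (TCP 3389)
    balanced with Single affinity, TCP 443 pinned to the node holding the
    certificate (Single Host mode), every other port disabled."""
    return [
        PortRule(0, 442, mode="disabled"),
        PortRule(443, 443, protocol="tcp", mode="single", handling_host=1),
        PortRule(444, 3388, mode="disabled"),
        PortRule(3389, 3389, protocol="tcp", affinity="single"),
        PortRule(3390, 65535, mode="disabled"),
    ]


def demo(hosts: frozenset[int] = frozenset({1, 2, 3})) -> dict[str, object]:
    """Run constructed packets through the rule sets and collect the outcomes."""
    rules = terminal_server_rules()
    client = "203.0.113.10"            # constructed client (TEST-NET-3)
    neighbour = "203.0.113.77"         # constructed client in the same /24
    classc_rules = [PortRule(80, 80, protocol="tcp", affinity="classc")]
    return {
        "web_dropped": owner(rules, hosts, Packet(client, 50000, 80, "tcp")),
        "ssl_pinned": owner(rules, hosts, Packet(client, 50001, 443, "tcp")),
        "rdp_first": owner(rules, hosts, Packet(client, 50002, 3389, "tcp")),
        "rdp_second": owner(rules, hosts, Packet(client, 50003, 3389, "tcp")),
        # TCP-only rules leave UDP 3389 uncovered: it falls to the default host
        "udp_rdp_default": owner(rules, hosts, Packet(client, 50004, 3389, "udp")),
        "no_rules_default": owner([], hosts, Packet(client, 50005, 8080, "udp")),
        "classc_same_node": (
            owner(classc_rules, hosts, Packet(client, 50006, 80, "tcp"))
            == owner(classc_rules, hosts, Packet(neighbour, 50007, 80, "tcp"))
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Two results are worth noticing. Both RDP connections from the same client land on the same node because Single affinity keys only on the source address, while with None affinity the second connection could go anywhere. And because the allowed rules cover TCP only, UDP 3389 matches no rule and is handed to the default host rather than dropped; that is exactly the gap the advice to have a port rule for every possible port is meant to close.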

Avoiding Switch Port Flooding

Because every node in an NLB cluster must see every frame sent to the cluster IP address, NLB deliberately keeps the switch from learning the cluster MAC address: the nodes answer ARP requests for the cluster IP address with the shared cluster MAC, but the frames they send never carry that MAC as a source address (in Unicast mode NLB rewrites the source MAC of outgoing frames for this purpose). Because the switch never learns which port the cluster MAC is behind, it floods each incoming frame for the cluster to every port in the VLAN, and every device attached to the switch receives and discards that traffic. Under heavy cluster traffic this flooding consumes bandwidth on every port and decreases performance for everything else on the switch.

To reduce the impact of switch flooding, connect the NLB nodes to an isolated switch, or place the cluster NICs in a dedicated VLAN if the switch and network support VLANs, so the flooded frames are confined to the cluster's own ports. For detailed information regarding VLAN configuration and switch flooding, refer to the network switch documentation.

Using Cluster Operation Mode

There are two cluster operation modes: Unicast and Multicast. They control the MAC address that NLB binds to the cluster IP address, not the kind of application traffic the cluster carries. In Unicast mode, the default, NLB replaces the MAC address of the cluster NIC on every node with a single shared cluster MAC so that each node accepts frames sent to the cluster IP address; the side effect is that the NIC no longer has a unique MAC, so nodes cannot reach each other through it (the single-NIC limitations described in the next section). In Multicast mode, each NIC keeps its own MAC address and NLB adds a multicast MAC for the cluster IP address; this preserves normal node-to-node communication, but some routers refuse an ARP reply that maps a unicast IP address to a multicast MAC and need a static ARP entry for the cluster IP address. Most deployments use Unicast mode. Neither mode has anything to do with IP multicast applications, in which a server sends to one multicast group address that many clients join, such as streaming video Web sites, Internet radio, and Internet training or college courses; a streaming media server on an NLB cluster may use IP multicast to reach its clients, but that is a property of the application, not of the cluster operation mode.
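The cluster operation mode determines the MAC address NLB binds to the cluster IP address, and that address is what both the switch flooding described under Avoiding Switch Port Flooding and the static ARP entries that Multicast mode often needs on routers are about. The following added example, written for this page and not NLB's own code (on a node, nlb ip2mac prints the same addresses), derives the three MAC formats Microsoft documents for a cluster IP address, shows the IEEE 802 flag bits that distinguish them, and formats the static ARP entry a Cisco IOS router needs in Multicast mode. The cluster IP address used is constructed.

```python
"""Derive the MAC addresses NLB uses for a cluster IP address.

Added example for this page, not NLB's own code. The address formats follow
Microsoft's documentation for Windows Server 2003 NLB:
  unicast         02-BF-w-x-y-z     (w.x.y.z = cluster IP in hex)
  multicast       03-BF-w-x-y-z
  IGMP multicast  01-00-5E-7F-y-z   (standard IP multicast MAC prefix)
"""
from __future__ import annotations


def _octets(ip: str) -> list[int]:
    """Parse a dotted-quad IPv4 address, rejecting anything malformed."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"octet out of range in {ip!r}")
    return octets


def cluster_macs(cluster_ip: str) -> dict[str, str]:
    """Return the unicast, multicast and IGMP multicast MACs for cluster_ip."""
    hx = [f"{o:02X}" for o in _octets(cluster_ip)]
    return {
        "unicast": "-".join(["02", "BF", *hx]),
        "multicast": "-".join(["03", "BF", *hx]),
        "igmp_multicast": "-".join(["01", "00", "5E", "7F", *hx[2:]]),
    }


def mac_flags(mac: str) -> dict[str, bool]:
    """IEEE 802 flag bits in the first octet of a MAC address.

    bit 0 (0x01): group address, treated as multicast by switches
    bit 1 (0x02): locally administered, not a vendor-assigned OUI
    NLB's unicast MAC is locally administered but not a group address, so
    a switch could learn it if NLB let it appear as a source MAC. Both
    multicast forms set the group bit, which is why some routers will not
    resolve a unicast IP to them without a static ARP entry.
    """
    first = int(mac.split("-")[0], 16)
    return {"group": bool(first & 0x01),
            "locally_administered": bool(first & 0x02)}


def cisco_static_arp(cluster_ip: str) -> str:
    """Static ARP entry for a Cisco IOS router fronting a Multicast-mode cluster.

    IOS writes MACs as three dotted groups of four hex digits; ARPA is the
    standard Ethernet encapsulation keyword.
    """
    raw = cluster_macs(cluster_ip)["multicast"].replace("-", "").lower()
    dotted = ".".join(raw[i:i + 4] for i in range(0, 12, 4))
    return f"arp {cluster_ip} {dotted} ARPA"


if __name__ == "__main__":
    ip = "192.168.1.100"  # constructed cluster IP address
    for mode, mac in cluster_macs(ip).items():
        print(f"{mode:15} {mac}  {mac_flags(mac)}")
    print(cisco_static_arp(ip))
```

The static ARP entry is only needed in Multicast mode; in Unicast mode the router learns the cluster MAC through normal ARP, and the cost is paid at the switch instead, through the flooding described earlier.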

Configuring Network Cards for NLB

Configuring the network cards on the NLB cluster nodes is the first step in building the cluster. Although these steps can be performed during cluster creation using the NLB Manager, the same result can be achieved by editing the TCP/IP properties of each of the cluster node's network cards.

Most cluster installations use Unicast operation mode, which imposes some limitations and network overhead on the nodes. In Unicast mode NLB replaces the MAC address of the cluster NIC with the cluster MAC address, so when a node has only one network card, the nodes cannot communicate with each other through it: NLB Manager run on a cluster node cannot manage the other nodes, and the administrator must configure and manage the cluster from a machine outside the cluster, or fall back to the network card's TCP/IP and Network Load Balancing property pages or the command-line tool NLB.exe on each node. Also, because the dedicated IP address now resolves to the same cluster MAC, traffic sent to a node's dedicated IP address is delivered to, and must be examined by, every node in the cluster.

Best practice for NLB cluster nodes running in Unicast mode is to have two network cards, so that host communication (management, node-to-node traffic, access to back-end servers) occurs on one NIC while cluster traffic is isolated on the cluster NIC. Multiple NICs also add flexibility when it comes to controlling traffic and managing network security.

Using the Network Load Balancing Manager to Create a Cluster

Using the Network Load Balancing Manager is the simplest method of creating a cluster. If the NLB Manager is used, all additional cluster and dedicated IP addresses are added to the respective cluster node when it joins the cluster. Adding nodes to the cluster is also simplified; the administrator needs to know only the cluster name or IP address to add the node. Network Load Balancing Manager works well for configuring clusters on remote servers, but when it is run on a cluster node itself in Unicast mode, it functions correctly only if the server has multiple network cards.

To create a cluster, follow these steps:

1. Log on to the local console of a cluster node using an account with Local Administrator privileges.

2. Click Start, All Programs, Administrative Tools, Network Load Balancing Manager.

3. Choose Cluster, New.

4. Enter the cluster IP address and subnet mask of the new cluster.

5. Enter the fully qualified domain name for the cluster in the Full Internet Name text box.

6. Select the cluster operation mode (Unicast meets most NLB application deployments).

7. Configure a remote control password only if you will use the command-line utility NLB.exe to manage the cluster from another machine. Remote control is disabled by default, and Microsoft's NLB documentation describes it as a security risk and recommends leaving it disabled: it listens on UDP ports 1717 and 2504 of the cluster IP address, the password is the only protection, and neither NLB Manager nor NLB.exe run locally on a node needs it. Click Next to continue.

8. Enter any additional IP addresses that will be load-balanced and click Next to continue.

9. Configure the appropriate port rules for each IP address in the cluster, being careful to set the correct affinity for the load-balanced applications.

10. After creating all the allowed port rules, create disabled port rules for the remaining ranges so that the nodes drop that traffic without further processing; a port with no rule is otherwise handed to the default host. Be sure to have a port rule for every possible port, then click Next on the Port Rules page. Figure 31.20 shows a best practice port rule for an NLB Terminal server implementation.

Figure 31.20. Port rule settings for NLB configuration.

11. On the Connect page, type the name of the server you want to add to the cluster in the Host text box and click Connect.

12. In the Interface Available window, select the NIC that will host the cluster IP address and click Next to continue.

13. On the Host Parameters page, set the cluster node priority. Each node requires a unique host priority, and because this is the first node in the cluster, leave the default of 1.

14. If the node will also perform non-cluster-related network tasks on the same NIC, enter the dedicated IP address and subnet mask. The default is the IP address already bound to the network card.

15. For nodes that should join the cluster immediately after cluster creation and after each startup, leave the initial host state at Started. When maintenance is necessary, change the default state of a particular node to Stopped or Suspended to keep the server from joining the cluster after a reboot.

16. After you enter all the information on the Host Parameters page, click Finish to create the cluster.

17. When you are ready to release the cluster to production, add a host (A) record for the cluster's full Internet name, pointing at the cluster IP address, to the DNS zone. Contact your DNS administrator for information on how to complete this task.

Adding Additional Nodes to an Existing NLB Cluster

When a cluster already exists, administrators can add nodes to it from any server or workstation that has network connectivity to the cluster, an account with Administrator permissions on the cluster nodes, and the Network Load Balancing Manager installed.

To add nodes to an existing cluster, perform the following steps:

1. Log on to a workstation or server that has the Windows Server 2003 Administrative Tools installed.

2. Click Start, All Programs, Administrative Tools and right-click Network Load Balancing Manager.

3. Choose the Run As option and specify an account that has Administrative permissions on the cluster nodes.

4. Choose Cluster, Connect to Existing.

5. In the Host text box, type the IP address or name of the cluster and click Connect.

6. From the Clusters window, select the cluster you want to connect to and click Finish to connect.

7. In the right pane, right-click the cluster name and choose Add Host to Cluster, as shown in Figure 31.21.

Figure 31.21. Choosing to add a host to the cluster.

8. On the Connect page, type the name of the server you want to add to the cluster in the Host text box and click Connect.

9. In the Interface Available window, select the NIC that will host the cluster IP address and click Next to continue.

10. On the Host Parameters page, set the cluster node priority. Each node requires a unique host priority, and the first node already uses 1, so give this node a priority not used by any existing node (2 for the second node, for example).

11. If the node will also perform non-cluster-related network tasks on the same NIC, enter the dedicated IP address and subnet mask. The default is the IP address already bound to the network card.

12. For nodes that should join the cluster immediately after being added and after each startup, leave the initial host state at Started. When maintenance is necessary, change the default state of a particular node to Stopped or Suspended to keep the server from joining the cluster after a reboot.

13. After you enter all the information on the Host Parameters page, click Finish to add the node to the cluster.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499