Installing & Configuring the Configuration Storage Server ISA Server 2004 Enterprise Edition

Installing ISA Server 2004 Enterprise Edition – Part 1 – Installing and Configuring the Configuration Storage Server

With his first article for ISAserver.org, we would like to welcome ISA Server MVP Marc Grote who for the past two years has contributed many excellent articles to our sister site – MSExchange.org. This is the first article of a four part series which will show you how to install and configure ISA Server 2004 Enterprise Edition. In the first part Marc will show you how to install and configure the Configuration Storage Server.

The complete series of articles will contain the following articles:

If you have more ideas about ISA Server 2004 Enterprise articles, please let me know and I will check if your idea could be part of a new article.

Let’s begin

For this article series we have the following configuration:

Name          Role                                                                         Configuration
DEN-DC-01     Windows 2003 Domain Controller                                               INTERNAL: 192.168.1.10
DEN-CSS-01    Windows 2003 Member Server with ISA Server 2004 Configuration Storage Server  INTERNAL: 192.168.1.20
DEN-ISAEE-01  Windows 2003 Member Server with ISA Server 2004 Enterprise Firewall          INTRAARRAY: 192.168.0.1 / INTERNAL: 192.168.1.1 / EXTERNAL: 172.16.1.1
DEN-ISAEE-02  Windows 2003 Member Server with ISA Server 2004 Enterprise Firewall          INTRAARRAY: 192.168.0.2 / INTERNAL: 192.168.1.2 / EXTERNAL: 172.16.1.2

Before we start installing the Configuration Storage Server on DEN-CSS-01, you need to know some basics about ISA Server 2004 Enterprise features and terminology.

Difference between ISA Server 2004 Standard and Enterprise

ISA Server 2004 Enterprise contains every feature of ISA Server 2004 Standard and the following additional features:

  • ISA Server 2004 Arrays with Configuration Storage Server
  • Enterprise- and Array-Policies
  • Integrated Network Load Balancing
  • Support for Cache Array Routing Protocol
  • Central Logging and Reporting

For this first article you have to know what a Configuration Storage Server is because we will install a Configuration Storage Server (CSS) on DEN-CSS-01.

ISA Server 2004 Enterprise uses Configuration Storage Servers to store the ISA Server Array Firewall Policy. A single Configuration Storage Server can store Firewall Policies for multiple ISA Server 2004 Enterprise Edition Arrays, and these Arrays can be located anywhere in the organization. The Configuration Storage Server uses ADAM (Active Directory Application Mode). ADAM is an LDAP-compliant directory service that runs as a non-operating-system service and does not require deployment on a domain controller. It is possible to run multiple instances of ADAM on a single server, and each instance can be configured independently.

It is possible to deploy a Configuration Storage Server on a Domain Controller, on a Member Server, on the ISA Server itself or on a server in a workgroup. Every deployment method has its pros and cons. In this scenario we will deploy the Configuration Storage Server on a Windows Server 2003 Member Server.

CSS Installation


Insert the ISA Server 2004 Enterprise CD and follow the installation instructions. You must choose to Install Configuration Storage Server. This will install an ADAM-Instance on this computer which will be used to store the configuration of ISA Server Arrays. ISA Server Array Members will connect to the Configuration Storage Server to receive the configuration.


Figure 1: Installation of a Configuration Storage Server

If you choose Install Configuration Storage Server you can see in Figure 2 that only the ISA Management Option and the Configuration Storage Server will be installed.


Figure 2: Component Selection

On the next page we must select create a new ISA Server enterprise (Figure 3). This configuration option creates a new ISA Server Enterprise during the installation.


Figure 3: Create a new ISA Server Enterprise

Figure 4 shows a warning message that Microsoft recommends only deploying a single Enterprise in your Organization. Multiple Enterprises could be hard to manage. You can deploy multiple Arrays within one ISA Server Enterprise.


Figure 4: Warning message when you install a new ISA Enterprise

The next step (Figure 5) is to name the new ISA Server Enterprise and enter a description for the new Enterprise.


Figure 5: Enter a name and description for the new Enterprise

If you are deploying ISA Server 2004 Enterprise in a single domain or in domains with trust relationships, choose the setup option I am deploying in a single domain or in domains with trust relationships; ISA Server will then use Windows authentication between the Array members and the Configuration Storage Server. If your ISA Servers and Configuration Storage Servers are in different domains without a trust relationship, or in a workgroup, you must use certificates to establish a secure, authenticated channel instead.

Attention:
Keep in mind that when you deploy ISA Server 2004 Enterprise in a workgroup environment you can use only one Configuration Storage Server. The following links may also be of interest when you deploy ISA Server in a workgroup:

If you are using certificates in a workgroup deployment you must use this tool to update the ADAM account settings so that they do not expire:
http://www.microsoft.com/downloads/details.aspx?FamilyID=1cbac3e5-acac-4613-9860-e1b760b9434f&DisplayLang=en
The second tool is ISACertTool.exe, which helps you to do the following:
  • Install a server certificate on the Configuration Storage Server.
  • Install a root certificate on each Array member so that it trusts the Certification Authority that issued the server certificate.
http://www.microsoft.com/downloads/details.aspx?FamilyId=F8F60164-C5A5-4716-9FF4-2D56C86506C3&displaylang=en


Figure 6: Setup the ISA Server 2004 Deployment method

As its last step, ISA Server 2004 setup opens a web page from the ISA Server 2004 installation directory that guides you through additional steps to secure your Windows / ISA Server installation.
I also recommend reading the following articles from the Microsoft website:

Hardening the Windows Infrastructure on the ISA Server 2004 Computer
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/hardeningwindows.mspx
ISA Server 2004 Security Hardening Guide
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx


Figure 7: Hardening the Windows Server / ISA Server infrastructure

Before we are going to install the ISA Server 2004 Array members, we must create a new ISA Server 2004 Array. To create a new ISA Server Array start the ISA Server 2004 management console on the Configuration Storage Server, navigate to Arrays and create a new ISA Server Array.


Figure 8: Create a new ISA Server Array

We will name the Array MainArray (Figure 9).


Figure 9: Name the ISA Server 2004 Array

The next page (Figure 10) asks you to enter the ISA Server Array's DNS name. You must enter a DNS-conformant FQDN (Fully Qualified Domain Name) and create a corresponding A record in DNS, so that Firewall clients and Web proxy clients can resolve the name correctly. If you are using NLB, the A record must point to the VIP (virtual IP) of the Array. I will give you more information about implementing NLB in another article. We will enter the Array's DNS name MainArray.cohovineyard.com.


Figure 10: ISA Server Array’s DNS name

The next step is to specify which Enterprise Policy to apply to this Array. Because we don’t create another Policy, we must use the Default Policy (Figure 11). It is possible to create new Policies every time and associate this new Policy with an Array after installation. I will show you how to do this in another article on www.isaserver.org.


Figure 11: Select the ISA Server Enterprise Policy for the new Array

On the next page you can select the types of Array Firewall Policy rules that may be created for this Array (Figure 12). This is a useful option to restrict which rule types an Array Administrator can create at Array level.


Figure 12: Select the types of Array Firewall Policy rules that can be created for this Array

After reading the summary of the new Array Wizard click Finish. ISA Server now creates the new Array. This task can be time consuming (Figure 13).


Figure 13: Creating the new Array

Click Apply (Figure 14) and you have successfully finished the new Array installation.


Figure 14: Click Apply to save the changes and update the configuration

As you know, ISA Server 2004 uses System Policies which allow some communication between ISA Server, Active Directory servers, DNS servers, DHCP servers and many more. You must modify the System Policy to allow the ISA Server 2004 Array members to access the Configuration Storage Server. If you want to know more about System Policies, read Tom Shinder's article "The ISA Firewall's Default Post Installation System Policy and Configuration" at the following website: http://www.isaserver.org/articles/2004systempolicy.html.

You can find these settings in the System Policy Editor under Configuration Storage Server > Local Configuration Storage Server Access. Click Enable (Figure 15).


Figure 15: Enable Remote Configuration Storage Server Access

Click the From tab in the System Policy Editor, select Managed ISA Server Computers and click Add to enter the names and IP addresses of the two ISA Server 2004 Enterprise Array members (Figure 16).


Figure 16: Enter the name and IP-addresses for the Managed ISA Server Computers

Click Apply to save the configuration changes. We are now ready to install the Firewall services, but this will be part of another article on www.isaserver.org.

Conclusion

This was part one of this four part article and you have seen how easy it is to deploy a Configuration Storage Server in your enterprise. Part two of this article series will show you how to install ISA Server 2004 Array Members with ISA Server 2004 Firewall services.

Installing ISA Server 2004 Enterprise Edition – Part 2 – Installing ISA Server 2004 Firewall on two Servers

This is the second article of a four-part series which shows you how to install and configure ISA Server 2004 Enterprise Edition on two ISA Server Firewall members.

First start the Configuration Storage Server and check the event logs for errors. If everything is fine, insert the ISA Server 2004 CD into the first Windows Server 2003 machine and start the setup process. Select Install ISA Server services (Figure 1).


Figure 1: Install ISA Server services

This setup option installs the ISA Server components and ISA Server Management. If you wish to install additional components select the required features (Figure 2).


Figure 2: Select ISA Server components

In the next installation screen (Figure 3) you must specify the Configuration Storage Server and the credentials for connecting to this server.


Figure 3: Select the Configuration Storage Server

Select Join an existing array. To join an existing array the installation account must have ISA Server Array Administrator privileges. You will learn more about ISA Server permissions and delegation feature in the next article of this article series on www.isaserver.org.


Figure 4: Join an existing Array

Select the Array Name MainArray (Figure 5). You must have Array Administrator rights to install the ISA Server Firewall into the existing Array.

Port requirements for ISA Server communication

ISA Server components require several ports to communicate with other Configuration Storage Servers, ISA Server Firewall members and ISA Server Management computers.

MS Firewall Storage


MS Firewall Storage is an inbound LDAP-based protocol. It uses port 2172 for SSL connections and port 2171 for non-SSL connections. Array Members communicate with the Configuration Storage Server using the MS Firewall Storage protocol. Computers running the ISA Server Management console also use the MS Firewall Storage protocol to read and write from the Configuration Storage Server.

MS Firewall Storage Replication

This protocol is an outbound TCP protocol, which is defined on port 2173. MS Firewall Storage Replication is used for configuration replication between Configuration Storage Servers.

MS Firewall Control

This is another outbound TCP protocol and is defined on port 3847. It is used for communications between ISA Server Management and computers running ISA Server services.

Remote Procedure Call (RPC)

To monitor server performance, the ISA Server Management computer requires remote procedure call (RPC) connectivity to the ISA Server computers.
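The port list above is what you have to open on host firewalls and allow in the System Policy before the Array members and the management console can talk to the Configuration Storage Server. The following Python script is an added example (not code from the article or from Microsoft) that records which host must listen on which port for the roles in this series and probes each listener with a plain TCP connect. The host names are the lab machines from the configuration table; the `probe` parameter of `check_topology` is an assumption made so that the logic can be exercised without a network.

```python
"""Reachability check for the ports ISA Server 2004 Enterprise components use.

Added example, not code from the article or from Microsoft. The port numbers
are the ones the article lists; the host names are the article's lab machines.
"""
import socket

# Listener ports, from the article's port list. Which of the two MS Firewall
# Storage ports an Array actually uses depends on the authentication method
# chosen at setup (Windows authentication or certificates), so both are probed.
STORAGE_PORTS = {2171: "MS Firewall Storage (LDAP, non-SSL)",
                 2172: "MS Firewall Storage (LDAP over SSL)"}
REPLICATION_PORT = {2173: "MS Firewall Storage Replication"}
CONTROL_PORTS = {3847: "MS Firewall Control",
                 135: "RPC endpoint mapper"}   # the RPC call itself lands on a dynamic port


def probe_tcp(host, port, timeout=2.0):
    """True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expected_listeners(css_hosts, member_hosts):
    """Ports that must be open on each host for the roles the article describes.

    A CSS accepts storage connections from Array members and management
    consoles; replication (2173) only matters once there is more than one CSS.
    An Array member accepts MS Firewall Control and RPC from management consoles.
    """
    plan = {}
    for host in css_hosts:
        ports = dict(STORAGE_PORTS)
        if len(css_hosts) > 1:
            ports.update(REPLICATION_PORT)
        plan.setdefault(host, {}).update(ports)
    for host in member_hosts:
        plan.setdefault(host, {}).update(CONTROL_PORTS)
    return plan


def check_topology(css_hosts, member_hosts, probe=probe_tcp):
    """Probe every expected listener; returns {host: {port: reachable}}.

    `probe` is injectable (assumption for this example) so the logic can be
    exercised without touching the network.
    """
    return {host: {port: probe(host, port) for port in sorted(ports)}
            for host, ports in expected_listeners(css_hosts, member_hosts).items()}


def unreachable(results, css_hosts, member_hosts):
    """List of (host, port, service) that did not answer."""
    plan = expected_listeners(css_hosts, member_hosts)
    return [(host, port, plan[host][port])
            for host, ports in results.items()
            for port, ok in ports.items() if not ok]


if __name__ == "__main__":
    CSS = ["DEN-CSS-01"]
    MEMBERS = ["DEN-ISAEE-01", "DEN-ISAEE-02"]
    for host, port, service in unreachable(check_topology(CSS, MEMBERS), CSS, MEMBERS):
        print(f"{host}:{port} ({service}) not reachable")
```

Run it from an ISA Server Management workstation or from an Array member. A closed storage port on the CSS shows up later as a failed setup or as an Array member that cannot load its configuration; a closed 3847 or 135 on a member shows up as a management console that cannot connect or monitor. Port 135 is only the endpoint mapper, so the dynamic RPC port range must be allowed as well.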


Figure 5: Specify the Array this ISA Server computer will join

Select Windows authentication (Figure 6) because we are deploying ISA Server services and the Configuration Storage Server in the same domain so that the connection will be encrypted (signed and sealed).


Figure 6: Select Windows authentication

Specify the IP address range of the internal network. This address range is the network that ISA Server 2004 Enterprise protects. It is also possible to select Enterprise networks, but we haven't created an Enterprise network yet; you will learn in an upcoming article what Enterprise networks are.


Figure 7: Specify the internal IP address ranges

During installation, some services running locally on this computer will be disabled and others will be restarted (Figure 8).


Figure 8: Disabled Services and Services to restart

After finishing setup you must restart the Server so that the configuration changes take effect.


Figure 9: Click Yes to restart the Server

Repeat these steps to install ISA Server 2004 Firewall services on the second ISA Server.
After installing the second server, restart it. Once both ISA Server nodes have rebooted, start the ISA Server Management console and navigate to Arrays > MainArray > Configuration > Servers to check that both servers are operational. If everything is fine you will see a green icon (Figure 10) on every ISA Server object.


Figure 10: Congratulations. You have successfully installed your first ISA Server 2004 Enterprise Array with two ISA Array Members.

Conclusion

As you have seen in this article, it is not so hard to install ISA Server 2004 Firewall Array members. The third article will deal with the administration of ISA Server 2004 Array members and ISA Server 2004 Arrays.

For this article series we use the same lab configuration as in Part 1 (DEN-DC-01, DEN-CSS-01, DEN-ISAEE-01 and DEN-ISAEE-02).

Role assignment at the Enterprise Level

With ISA Server 2004 Standard and Enterprise it is possible to assign different roles for delegation of administrative tasks to users or groups of users. This functionality has been enhanced in ISA Server 2004 Enterprise to delegate roles on Enterprise and Array Level (Figure 1). You can delegate the following roles at the Enterprise Level:

  • ISA Server Enterprise Administrator
  • ISA Server Enterprise Auditor


Figure 1: Delegation of roles at Enterprise Level

Click Browse to add a group or user (Figure 2) and select the role for this user or group. The ISA Server Enterprise Administrator has all privileges to manage the Enterprise and all Arrays. The ISA Server Enterprise Auditor role allows a user to view the whole ISA Server Enterprise and Array-level configuration without the right to make any configuration changes.


Figure 2: Select a User or Group for Role based Access

Role assignment at the Array Level


As in ISA Server 2004 Standard, it is possible to assign roles at the Array level in ISA Server 2004 Enterprise. To assign a role, right click the Array, open its Properties, select Assign Roles and add the required users or groups (Figure 3).


Figure 3: Assign Roles at Array Level

You can assign the following roles at the Array Level:

  • ISA Server Array Monitoring Auditor
  • ISA Server Array Auditor
  • ISA Server Array Administrator


Figure 4: Select a User or Group for Role based Access at Array Level

ISA Server Array Monitoring Auditor
Users and groups assigned this role can monitor the ISA computer and network activity, but cannot configure specific monitoring functionality.

ISA Server Array Auditor
Users and groups assigned this role can perform all monitoring tasks.

ISA Server Array Administrator
Users and groups assigned this role can perform all ISA Server Management tasks.

Enterprise Policies

One of the new features of ISA Server 2004 Enterprise is the ability to create Enterprise Policies for the whole ISA Enterprise. The Enterprise Policy enhances centralized management introduced by arrays, allowing you to implement and apply policy to the arrays in your corporate network. The Enterprise Policy contains an ordered set of policy rules.

You can create one or more Enterprise Policies and a single set of Enterprise-Level rule elements. An ISA Enterprise Administrator can define several Enterprise Policies, such as an Enterprise Policy that allows the HTTP protocol for all protected networks.

Each rule in the Policy can be defined before or after the Array Policy.

There is one default Enterprise Policy created during the installation of the first Configuration Storage Server. This Policy is named Default and denies all Traffic (Figure 5). The default enterprise policy cannot be modified or deleted.

When configuring an Enterprise Policy, you can order the Enterprise Rules, moving them so that they are processed before the Array Rules or after the Array Rules. Only the default rule cannot be reordered. It is always processed last.


Figure 5: Default Enterprise Policy

To create a new Enterprise Policy, right click Enterprise Policies > New > Enterprise Policy. In our example we will name the new policy ISAServerORG.


Figure 6: New Enterprise Policy

It is possible to order Enterprise rules before or after the Array rules. The order of rules is important. To learn more about the importance of rule ordering, read the following article from Stefaan Pouseele: http://www.isaserver.org/articles/ISA2004_AccessRules.html.

After changing the rule order click Apply (Figure 7) to save the changes.


Figure 7: Click Apply to save changes

After creating a new Enterprise Policy you can assign any Enterprise Policy at the Array Level. To change the Enterprise Policy at the Array Level, navigate to the Array and right click the Array and click Policy Settings and choose the new Enterprise Policy (Figure 8).


Figure 8: Assign Enterprise Polices to Arrays
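To make the processing order concrete, here is an added example (not code from the article or from ISA Server) that evaluates a request against an Enterprise Policy and an Array policy in the order described above: Enterprise rules placed before the Array policy, the Array rules, Enterprise rules placed after, and finally the default Enterprise rule. The rule names, networks and protocols are constructed; `ISASERVERORG` and `MAINARRAY_RULES` are hypothetical stand-ins for the article's ISAServerORG policy and MainArray.

```python
"""First-match evaluation of Enterprise and Array firewall policy.

Added example, not code from the article or from ISA Server. It models the
processing order the article describes; all rules and networks are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    protocols: frozenset = frozenset()     # empty means all protocols
    sources: frozenset = frozenset()       # source networks; empty means any
    destinations: frozenset = frozenset()  # destination networks; empty means any

    def matches(self, protocol, source, destination):
        return ((not self.protocols or protocol in self.protocols)
                and (not self.sources or source in self.sources)
                and (not self.destinations or destination in self.destinations))


# The default Enterprise rule: cannot be moved, always last, denies everything.
DEFAULT_RULE = Rule("Default rule", "deny")


@dataclass
class EnterprisePolicy:
    name: str
    before_array: list = field(default_factory=list)   # processed before the Array rules
    after_array: list = field(default_factory=list)    # processed after the Array rules


def effective_order(enterprise, array_rules):
    """The single ordered rule list an Array member walks for each request."""
    return [*enterprise.before_array, *array_rules, *enterprise.after_array, DEFAULT_RULE]


def evaluate(enterprise, array_rules, protocol, source, destination):
    """Return (action, rule name) of the first rule that matches the request."""
    for rule in effective_order(enterprise, array_rules):
        if rule.matches(protocol, source, destination):
            return rule.action, rule.name
    raise AssertionError("unreachable: the default rule matches everything")


def move_rule(enterprise, name, before_array):
    """Move an Enterprise rule across the Array-policy boundary, as the
    console lets an Enterprise Administrator do."""
    src, dst = ((enterprise.after_array, enterprise.before_array) if before_array
                else (enterprise.before_array, enterprise.after_array))
    for i, rule in enumerate(src):
        if rule.name == name:
            dst.append(src.pop(i))
            return
    raise KeyError(name)


# Constructed policies: an Enterprise deny placed before the Array policy and an
# Enterprise allow placed after it, against an Array allow-all rule.
ISASERVERORG = EnterprisePolicy(
    "ISAServerORG",
    before_array=[Rule("Enterprise: deny SMTP to External", "deny",
                       frozenset({"SMTP"}), frozenset({"Internal"}), frozenset({"External"}))],
    after_array=[Rule("Enterprise: allow HTTP to External", "allow",
                      frozenset({"HTTP"}), frozenset({"Internal"}), frozenset({"External"}))],
)
MAINARRAY_RULES = [Rule("MainArray: allow all to External", "allow",
                        frozenset(), frozenset({"Internal"}), frozenset({"External"}))]

if __name__ == "__main__":
    for request in [("SMTP", "Internal", "External"),
                    ("HTTP", "Internal", "External"),
                    ("HTTP", "External", "Internal")]:
        print(request, "->", evaluate(ISASERVERORG, MAINARRAY_RULES, *request))
```

The point to take away is what `move_rule` changes: an Enterprise deny placed before the Array policy cannot be undone by an Array Administrator's allow-all rule, whereas the same deny placed after the Array policy is never reached once the Array rule matches. Anything no rule covers ends at the default rule and is denied.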

Enterprise Networks

ISA Server 2004 Enterprise Networks represent all the IP addresses in your organization's network. An ISA Administrator can create Enterprise Networks that contain IP address ranges from your network topology and use these networks at Enterprise or Array level.

Using Enterprise Networks at the Enterprise level

You use Enterprise Networks to create access rules at the Enterprise level. If you use these networks in firewall policies, you can deploy those settings to every Array that uses this Enterprise Policy. Settings such as Web proxy, CARP and NLB cannot be configured on an Enterprise Network; they are only available on Array-level networks.

Using Enterprise Networks at the Array level

You can use Enterprise Networks at the Array level, by using them to define address ranges of Array-level networks. An Example: An Array Administrator can define an Array-level network called DMZ, and include the IP address range of the Enterprise Network Enterprise-DMZ in it.

Predefined Enterprise Networks

ISA Server 2004 includes predefined Enterprise Networks that act as placeholder objects for Array-level Networks with the same name. You cannot explicitly use Enterprise Networks in Array-level Firewall Policy rules. Instead, they are typically used in the enterprise policy. Any rule applied by the Enterprise Administrator to the predefined Enterprise Network will be applied to the Array-level network of the same name. ISA Server 2004 uses the following predefined Enterprise Networks (Figure 9):

  • External
  • Local Host
  • Quarantined VPN Clients
  • VPN Clients


Figure 9: Enterprise networks

Choose Configuration Storage Servers

Right click the ISA Server Array and click Configuration Storage to see the configured Configuration Storage Server. If you have more than one Configuration Storage Server you can enter the alternate server's name (Figure 10) in the field Alternate Configuration Storage server (optional). With only one Configuration Storage Server, the Array members keep running on their locally cached configuration if that server becomes unavailable, but you cannot change the configuration until it is back.


Figure 10: Choose the Configuration Storage Server

Copy Array Rule Elements

It is possible to copy selected Array-level rule elements to the Enterprise level. To do this, navigate to Arrays > MainArray, right click and select Copy Array Rule Elements (Figure 11).


Figure 11: Copy Array Rule Wizard

Please note that it is only possible to copy user defined rule elements and not predefined objects.

Select the Array Rule Elements (Figure 12) that you would like to copy to the Enterprise Level.


Figure 12: Select the Array Rule elements that should be copied

Click Finish.

ISACertTool

As you know, ISA Server 2004 Enterprise Edition uses a Configuration Storage Server (CSS) as storage for Enterprise and Array settings. When you use ISA Server in a workgroup scenario or in an environment with domains without trust relationships, you can use certificates to sign and seal the communication between ISA components. ISACertTool (Figure 13) is a handy tool if you want to change configuration settings after installation. ISACertTool helps you do the following:

  • Install a Server Certificate on the Configuration Storage Server.
  • Install a Root Certificate on each ISA Array Member


Figure 13: ISACertTool

ADAMSites

ADAM uses the site concept like Windows Server 2003 Active Directory. When you deploy a Configuration Storage Server in your Organization, the ADAM instance will be created in Default First Site. If you deploy multiple Configuration Storage Servers, you can move Configuration Storage Servers to different sites or create SiteLinks and SiteLink costs (Figure 14) with the help of ADAMSites.


Figure 14: ADAMSites

Conclusion

In this article I have shown you some aspects of ISA Server Enterprise configuration. The fourth article will show you how to implement ISA Server 2004 NLB and CARP within your enterprise.

For this article series we use the same lab configuration as in Part 1 (DEN-DC-01, DEN-CSS-01, DEN-ISAEE-01 and DEN-ISAEE-02).

CARP

ISA Server 2004 uses CARP (Cache Array Routing Protocol) to provide maximum scaling and efficiency when using ISA Server computers in an Array. CARP combines the individual caches of all Array members into one logical cache.

Every cache request is distributed across all servers that use CARP, and the cached content is spread across the CARP servers by a hash-based algorithm.

CARP uses hash-based routing to determine the best path through an Array to resolve a request. The request resolution path is based on a hash of the Array member identities (each Array member gets a unique ID) combined with a hash of the URL. For any URL request, the client therefore knows exactly which Array member will hold the object, regardless of whether it is already cached or is a first-time request to the Internet.

CARP features:

  • CARP determines the best resolution path for web requests without any message exchange between the ISA Servers
  • CARP has positive scalability: the more servers you add to the Array, the more cache capacity CARP provides
  • CARP ensures that the load is balanced across all ISA Servers in the Array according to the load factor that administrators configure
  • CARP uses one single logical cache, so there are no redundant cache entries
  • CARP automatically makes use of new hosts in the Array because of the hash-based routing mechanism
  • CARP automatically reconfigures if you remove one or more ISA Servers from the Array

CARP has two different implementations: Client-side CARP and Server-side CARP.

Client-side CARP

The client selects an Array member to serve each individual URL. On the client side, ISA Server 2004 processes the CARP algorithm as follows (printed from the Online Help of ISA Server 2004):

Client browsers select an array to use by means of a script, generated by ISA Server in response to automatic discovery and specific queries (for Wpad.dat and Array.dll?Get.Routing.Script), and retrieved from the array. When a user types a URL into a Web browser, the URL is handed off to the script, which computes a prioritized list of array servers that will serve that page. The browser connects to the first server in the list and requests that it retrieve the page. If the first server does not respond, the next server in the list is contacted, and so on until the object can be retrieved. The script always returns the same server list for a given URL, ensuring each URL is cached on one array server only. The script generated by ISA Server implements the CARP algorithm. The script includes information about the configuration and current status of the array. The script ensures that the URL space is divided evenly and in accordance with configurable load factors between the array members.

Server-side CARP

Client browsers select ISA Server 2004 Array members in a round-robin fashion. When a request reaches an ISA Array member, the server runs the CARP algorithm on the requested URL and determines the Array member that should fulfill the request; the request is then forwarded to that ISA Server. Server-side CARP is often used as a fallback if client-side CARP isn't enabled or is configured incorrectly.
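The paragraphs on client-side and server-side CARP, and the quoted description of the routing script, describe the same hash-based member selection. The following Python block is an added example, not code from the article, from ISA Server 2004 or from Microsoft: it implements member selection as specified in the CARP v1.0 Internet-Draft (the per-character string hash with a 19-bit rotate, the 0x62531965 mixing constant and the load-factor multiplier formula, as also implemented in open-source proxies such as Squid). Whether ISA Server's Array.dll routing script matches it bit for bit is not something this article states, so treat it as an illustration of the mechanism rather than as ISA's code. Member names are the lab servers from the configuration table, the URLs in `SAMPLE_URLS` are constructed, and the load factors are arbitrary.

```python
"""Hash-based request routing in the style of CARP (Cache Array Routing Protocol).

Added example, not code from the article or from ISA Server 2004. Constants and
formulas follow the CARP v1.0 Internet-Draft; member names are the article's
lab servers, URLs are constructed.
"""

MASK32 = 0xFFFFFFFF
MIX = 0x62531965


def rotl32(x, n):
    """Rotate a 32-bit value left by n bits."""
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def string_hash(s):
    """Per-character hash from the CARP draft; used as-is for URLs."""
    h = 0
    for c in s.encode("utf-8"):          # assumption: hash the UTF-8 bytes
        h = (h + rotl32(h, 19) + c) & MASK32
    return h


def member_hash(name):
    """Member-name hash: the string hash plus the draft's extra mixing step."""
    h = string_hash(name)
    h = (h + h * MIX) & MASK32
    return rotl32(h, 21)


def load_multipliers(load_factors):
    """Turn per-member load factors into the draft's score multipliers.

    Members are taken in ascending order of load factor (normalised to sum to
    1); each multiplier is derived so that the share of URL space a member wins
    equals its share of the total load factor.
    """
    total = float(sum(load_factors.values()))
    ordered = sorted(load_factors, key=lambda m: load_factors[m])
    k_total = len(ordered)
    p_prev, x_prev, x_prod = 0.0, 0.0, 1.0
    multipliers = {}
    for k, member in enumerate(ordered, start=1):
        p_k = load_factors[member] / total
        kk1 = k_total - k + 1
        x_k = (kk1 * (p_k - p_prev)) / x_prod
        x_k += x_prev ** kk1
        x_k = x_k ** (1.0 / kk1)
        multipliers[member] = x_k
        x_prod *= x_k
        x_prev, p_prev = x_k, p_k
    return multipliers


def prioritized_members(url, load_factors):
    """Client-side CARP: the ordered member list for one URL.

    The first entry owns the URL in the logical cache; a client that cannot
    reach it falls back to the next. The list is deterministic for a given URL
    and membership, which is what keeps each URL cached on one member only.
    """
    url_hash = string_hash(url)
    multipliers = load_multipliers(load_factors)
    scores = {}
    for member in load_factors:
        combined = url_hash ^ member_hash(member)
        combined = (combined + combined * MIX) & MASK32
        combined = rotl32(combined, 21)
        scores[member] = combined * multipliers[member]
    return sorted(load_factors, key=lambda m: scores[m], reverse=True)


def server_side_target(receiving_member, url, load_factors):
    """Server-side CARP: the member that got a round-robin request forwards it
    to the owner; None means the receiving member owns the URL itself."""
    owner = prioritized_members(url, load_factors)[0]
    return None if owner == receiving_member else owner


def ownership_shares(urls, load_factors):
    """Fraction of URLs each member owns; checks a load-factor setting offline."""
    counts = {m: 0 for m in load_factors}
    for url in urls:
        counts[prioritized_members(url, load_factors)[0]] += 1
    return {m: counts[m] / len(urls) for m in counts}


def moved_fraction(urls, before, after):
    """Share of URLs whose owner changes between two memberships, e.g. after
    adding a member: with CARP only the new member's share of URL space moves."""
    moved = sum(prioritized_members(u, before)[0] != prioritized_members(u, after)[0]
                for u in urls)
    return moved / len(urls)


# Constructed sample URLs for the distribution checks.
SAMPLE_URLS = [f"http://www.example.com/dir{i % 7}/page{i}.html" for i in range(2000)]

if __name__ == "__main__":
    two = {"DEN-ISAEE-01": 100, "DEN-ISAEE-02": 100}
    three = dict(two, **{"DEN-ISAEE-03": 100})
    print("equal load factors:", ownership_shares(SAMPLE_URLS, two))
    print("1:3 load factors:", ownership_shares(SAMPLE_URLS, {"DEN-ISAEE-01": 100, "DEN-ISAEE-02": 300}))
    print("moved after adding a third member:", moved_fraction(SAMPLE_URLS, two, three))
```

`ownership_shares` lets you check a load factor setting before touching a live Array (a 1:3 setting should give roughly a 25/75 split), and `moved_fraction` shows the property the feature list promises: adding a third equal member moves only about a third of the URL space, the rest stays cached where it was. CARP exceptions are not modelled; a URL on the exception list would simply bypass this selection.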

CARP exceptions

It is possible to exclude specific websites from CARP (Figure 5) because some websites require that requests always come from the same IP address. You can use CARP exceptions to exclude such a website.

How to enable CARP


To enable CARP, start the ISA Server 2004 Management console and navigate to Arrays > MainArray > Configuration > Cache. In the right pane you can see the two ISA Server 2004 Enterprise Firewalls (Figure 1). Right click the server object.


Figure 1: Cache settings in ISA console

Now you can specify a Maximum cache size (MB) (Figure 2). For our example I selected 50 MB for every ISA Server 2004 Enterprise Firewall. Click Set.


Figure 2: Configure Cache size

Click Apply to save the changes (Figure 3).


Figure 3: Save changes and restart the services

Now right click the Cache icon under Configuration and you will see a total cache size of 100 MB (Figure 4) because CARP uses only one logical cache.


Figure 4: Cache size

Now it is time to activate CARP. Navigate to Arrays > MainArray > Configuration > Networks and right click the internal network (Figure 5).


Figure 5: Enabling CARP

Click Enable CARP on this network (Figure 5).

CARP Load Factor

ISA Server 2004 computers in an array can have different hardware and performance characteristics so you may want to divide the load on every ISA Server differently. It is possible to configure a load factor for any ISA Server in the Array.

The higher the load factor, the more requests the server must handle. You can configure the load factor in the ISA Server 2004 Management console: navigate to Arrays > MainArray > Configuration > Servers, open the CARP properties of a server and specify the load factor (Figure 6).


Figure 6: CARP Load factor

NLB

ISA Server integrates Network Load Balancing (NLB) functionality, so that you can balance the load across all the Array members on one or more networks. NLB provides high availability by redirecting network traffic to the remaining cluster hosts. If one cluster host goes offline, existing connections to that host are lost, but the service remains available.

Note:
If you are using ISA Server 2004 with Windows Server 2003 without a Service Pack, you should use a dedicated network card for intra-Array communication and not enable NLB on this network. If you are using Windows Server 2003 SP1 you can use NLB on all networks in ISA Server 2004, including the intra-Array network.

You can use ISA Server 2004 to configure and manage the NLB functionality of Microsoft Windows Server 2003 on ISA Server Arrays. If you use this feature you are using ISA-integrated NLB, which is highly recommended (for the NLB hash, NLB heartbeat, VPN failover and BDA, bidirectional affinity).

ISA Server NLB is based on the NLB features of Windows Server 2003.

Benefits of Network Load Balancing

NLB provides high availability and scalability of servers using a cluster of up to 31 ISA Server 2004 computers. Clients access the NLB cluster by using the VIP (virtual IP). The client cannot distinguish the NLB cluster from a single ISA Server.

NLB delivers scaled performance by distributing the incoming network traffic among one or more virtual IP addresses (the cluster IP addresses) assigned to the NLB cluster. The hosts in the cluster then concurrently respond to different client requests.

NLB employs a fully distributed algorithm to statistically map incoming clients to the cluster hosts based on their IP addresses. When inspecting an arriving packet, all hosts simultaneously perform this mapping to quickly determine which host should handle the packet. Although the mapping changes when the number of hosts changes, NLB continues to maintain the existing TCP connection.

NLB also maintains existing Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol security (IPsec) tunnel connections. This implies that in virtual private network (VPN) scenarios, even if the mapping changes when the number of hosts changes, NLB will continue to maintain the tunnel.

NLB integration modes

NLB configuration is enabled per ISA Array. Each Array can be configured in one of the following modes:

Integrated NLB

You use ISA Server 2004 Management to configure NLB. NLB in this mode has many benefits over non-integrated NLB, such as VPN failover, NLB health monitoring, multi-networking and many more. NLB configuration is supported for unicast mode and single affinity.

Non-integrated NLB

In this mode, you can use the Windows standard NLB tool to configure NLB.

By default, NLB integration is not enabled when you install Microsoft Internet Security and Acceleration (ISA) Server 2004.

ISA Server 2004 performs stateful inspection on all network traffic. For this reason, ISA Server works with Windows NLB to ensure that incoming and outgoing traffic for each session is handled by the same array member.

Don’t forget to have a look at the NLB articles on www.isaserver.org. There are many articles that cover NLB and these articles could help you to get a better understanding about NLB.

Enabling NLB

To enable NLB in ISA Server 2004, start the ISA Server 2004 Management console, navigate to Arrays > MainArray > Configuration > Networks and select on the right hand side the network for which you want to enable NLB (Figure 7).


Figure 7: Enable Network Load Balancing

Follow the instructions of the NLB wizard (Figure 8).


Figure 8: NLB wizard

Select the network for which you want to enable NLB. In this example we select the Internal network (Figure 9).


Figure 9: Select the network for NLB

Next click Set Virtual IP. The Virtual IP (Figure 10) is the IP that clients use to connect to the ISA Server 2004 Array. NLB in ISA Server 2004 will distribute the load through all ISA Server 2004 Array members.

There are some pitfalls when enabling NLB. It is recommended to connect the ISA Server 2004 Array members through a hub (in unicast mode the cluster MAC address never appears as a source address, so a switch cannot learn it and floods the traffic to all ports anyway). You will find more about NLB pitfalls in the following articles: http://www.isaserver.org/pages/search.asp?query=nlb.


Figure 10: Enter the VIP

Click Finish. Click Apply. Save the changes and restart the services.

Configuration on Client side

After enabling NLB you must reconfigure your internal clients to point to the VIP. If you are using SecureNAT clients configure the Default Gateway to use the VIP. For Webproxy clients use the VIP as the IP Address or if you are using automatic discovery / configuration methods you must ensure that your clients can resolve the ISA Server address to the VIP. You must create an A record in DNS that contains the ISA Server Array DNS name and the VIP. You can find / modify the Array DNS name in the Array properties (Figure 11).


Figure 11: DNS Name for the ISA Server 2004 Array

NLBClear

RemoveAllNLBSettings.cmd is a tool to clear all Network Load Balancing settings from an ISA Server 2004 Array member, including bidirectional affinity settings. This is useful in the following situations:

  • There are old NLB settings from an old configuration and enabling NLB fails because of this old configuration. The script clears the old configuration and restarts the Microsoft Firewall service.
  • NLB may not function properly after you uninstall ISA Server 2004 or when you change the ISA mode from integrated mode to non integrated mode.


Figure 12
