Implementation of ISA firewall Network Load Balancing failover

Source: Internet
Author: User
Tags: failover, firewall

In a network with Network Load Balancing (NLB) deployed, when a client initiates a connection to an NLB virtual IP address, NLB selects the node that will serve that client using its distribution algorithm, which is normally keyed on the client's source address. Until the set of NLB nodes changes, a given client is always served by the same node. The NLB integrated into ISA Server Enterprise Edition relies on the Windows Server NLB service and handles client requests in the same way.

For example, take an ISA firewall NLB array with three nodes (ISA1, ISA2, ISA3). When a client (10.1.1.1) initiates a connection, the NLB algorithm assigns ISA1 to serve it; when another client (10.1.1.2) connects, the algorithm assigns ISA2. As long as the set of nodes does not change, connections from 10.1.1.1 are always handled by ISA1 and connections from 10.1.1.2 always by ISA2.

When an NLB node fails, the remaining nodes converge: the algorithm is run again across all surviving nodes to decide which node serves each client. For example, if ISA1 fails and its NLB service is no longer available, the array converges, and a connection request from client 10.1.1.1 is now served by ISA2 or ISA3.

When an NLB node fails, NLB lets the other nodes take over its clients. But what happens if the node's NLB service has not failed, while another service the node depends on has?

As the following illustration shows, two ISA firewalls belong to the same NLB array, connect to the Internet over different external links, and provide NLB service to the internal network. Both firewalls allow internal users to access the external network, and each is serving a different set of clients. What happens if the external link on ISA1 is suddenly disconnected?

At this point NLB still treats ISA1 as a valid node, because the NLB service on ISA1 has not failed, and keeps assigning clients to it. With its external link down, however, the clients ISA1 serves can no longer reach the Internet. NLB on its own therefore does not deliver the fault tolerance expected from load balancing.

So what can be done when this happens?

The answer is simple: when this happens, stop the NLB service on ISA1. NLB then treats ISA1's NLB service as failed, converges, and reassigns its clients, so the clients originally assigned to ISA1 can reach the external network through ISA2, which is still operating normally.

Implementing ISA firewall NLB failover should be straightforward, and Microsoft has partly taken it into account: you can configure the ISA firewall's connectivity verifiers to take action when an external link fails. Stopping the NLB service on the ISA firewall, however, is not easy. Because NLB on the ISA firewall is integrated with the ISA Firewall service, you cannot stop it with the Windows NLB stop command, and Microsoft provides no instructions for stopping it. In this case the only way to stop NLB on the ISA firewall is to stop the ISA Firewall service itself.

Once the ISA Firewall service is stopped, however, the ISA firewall cannot restart it on its own, which complicates recovery: when the external link comes back, you still have to start the ISA Firewall service manually to return the firewall to the NLB array, an extra administrative burden. You can, however, implement NLB failover and automatic recovery with third-party link monitoring software such as Ks-soft Advanced Host Monitor or GFI Network Server Monitor, configuring it to stop the ISA Firewall service when the external link has a problem and start it again when the link is restored.
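The same stop-on-link-failure, start-on-link-recovery logic can be scripted directly on the node instead of relying on a third-party monitor. The following PowerShell watchdog is an added example, not code from the original article or from Microsoft. It assumes an ISA Server 2004/2006 node where the Microsoft Firewall service's short name is `fwsrv` (confirm with `sc query fwsrv` before use), that the node runs Windows PowerShell 2.0 or later, and that the probe addresses (placeholders here) are upstream hosts reachable only through this node's external link. The event log source name is also an assumption.

```powershell
# Added example: external-link watchdog for one ISA firewall NLB node.
# Not part of the original article. Assumptions:
#  - Microsoft Firewall service short name on ISA 2004/2006 is 'fwsrv' (check: sc query fwsrv)
#  - ProbeHosts are PLACEHOLDERS: use upstream addresses routed only via this node's external link
#  - Event log source 'IsaLinkWatchdog' is a name chosen for this example
param(
    [string]$ServiceName       = 'fwsrv',
    [string[]]$ProbeHosts      = @('198.51.100.1', '198.51.100.2'),  # placeholder upstream routers
    [int]$FailThreshold        = 3,    # consecutive failed rounds before the link is declared down
    [int]$RecoverThreshold     = 5,    # consecutive good rounds before rejoining the NLB array
    [int]$IntervalSeconds      = 10
)

function Test-ExternalLink {
    param([string[]]$Hosts)
    # The link counts as up if ANY probe host answers, so the loss of a single
    # upstream host does not by itself trigger a failover.
    foreach ($h in $Hosts) {
        if (Test-Connection -ComputerName $h -Count 1 -Quiet -ErrorAction SilentlyContinue) {
            return $true
        }
    }
    return $false
}

function Write-WatchdogEvent {
    param([string]$Message, [string]$EntryType = 'Information')
    $source = 'IsaLinkWatchdog'   # assumed source name; registered on first use
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EntryType $EntryType -EventId 1000 -Message $Message
}

$failCount = 0
$okCount   = 0
$linkDown  = $false

while ($true) {
    $up  = Test-ExternalLink -Hosts $ProbeHosts
    $svc = Get-Service -Name $ServiceName

    if ($up) { $okCount++; $failCount = 0 } else { $failCount++; $okCount = 0 }

    if (-not $linkDown -and $failCount -ge $FailThreshold) {
        # Stopping the Firewall service takes the integrated NLB down with it, so the
        # array converges and clients hashed to this node move to the surviving nodes.
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $ServiceName -Force
            Write-WatchdogEvent "External link down for $failCount probe rounds; stopped $ServiceName to force NLB convergence." 'Warning'
        }
        $linkDown = $true
    }
    elseif ($linkDown -and $okCount -ge $RecoverThreshold) {
        # Link has been stable again for RecoverThreshold rounds: rejoin the array.
        if ($svc.Status -ne 'Running') {
            Start-Service -Name $ServiceName
            Write-WatchdogEvent "External link restored for $okCount probe rounds; started $ServiceName so this node rejoins the NLB array."
        }
        $linkDown = $false
    }

    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it as a scheduled task under an account allowed to control the Firewall service. The two thresholds give the watchdog hysteresis: every stop or start triggers a convergence across the whole array and redistributes client affinity, so a node that flaps on a briefly unstable link would disrupt clients on the healthy nodes as well. Probing several upstream hosts and declaring the link down only when none answers guards against the opposite failure, taking a good node out of service because one remote host stopped replying.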
