A question that has always haunted ISA Enterprise Edition firewall admins is whether NLB and CARP should be used together and, if so, how the two interact.
First, what are NLB and CARP? NLB is Network Load Balancing, which provides real-time failover and fault tolerance for machines participating in an NLB array (or cluster). Array membership is adjusted dynamically: a machine is added to the array when it comes online and removed when it goes offline or fails. ISA 2004 and 2006 Enterprise Edition support fully integrated NLB, complete with Firewall Service awareness.
CARP is the Cache Array Routing Protocol. CARP enables ISA EE enterprise arrays to load balance Web connections moving through the ISA firewall Web proxy and caching array. The advantage of using a CARP array is that you can load balance connections among the array members and present a very large, single logical cache for forward and reverse proxy scenarios. CARP can provide a measure of fault tolerance for downed servers, but it really wasn’t designed as a fault tolerance or high availability mechanism.
There are two types of CARP:
- Client-side (hierarchical) CARP, where clients are configured to use the autoconfiguration script to determine in advance which array member is responsible for servicing an FQDN
- Server-side (distributed) CARP, where clients are not aware of the Web proxy and requests are received by any array member. With server-side CARP, the array members determine which server in the array is responsible for the FQDN and forward the request to that server
So, when does NLB provide value to CARP arrays?
- When server-side CARP is used, clients are automatically directed to an online server
- When client-side CARP is used, clients send requests directly to the server responsible for the FQDN. If the server responsible for a particular FQDN is down, and the client's autoconfiguration script has not yet been updated with the new member list, the request will fail until the client receives a new list.
Now here’s the rub: client-side CARP provides much higher performance than server-side CARP, because with server-side CARP the clients are SecureNAT clients, and Web proxy clients always perform much better than SecureNAT clients when the Web proxy filter is enabled.
I’ll do an article in the near future showing you the details, as well as describing in more detail how CARP works.
Thomas W Shinder, M.D.
MVP — ISA Firewalls