Configuring ISA/VPN Servers to use Network Load Balancing - Part 2
By Thomas W Shinder M.D.
In the first part of this two part article on using ISA/VPN Servers and NLB, I discussed some of the things you need to consider before implementing a Windows 2000 ISA/VPN Server to use NLB on the external interface. The major rate limiting factors are the VPN client type, and the issue of asymmetric routing of outbound requests from internal network clients. Once you’ve handled those issues, you’re in good shape and ready to roll out your ISA/VPN NLB array.
In this article I’ll go over the details of the configuration. These include configuring IP addressing and NLB parameters, installing and configuring ISA Server, enabling RRAS for incoming VPN connections, and testing and finalizing the configuration.
Configure IP Addressing and NLB Parameters
Recall that you can configure NLB to use either unicast or multicast mode. We need the single external interface to be able to support both a unique dedicated address and one or more NLB addresses. We would also want that single interface to be able to communicate with the other NLB interfaces in the array. We’ll have to use multicast mode to meet these requirements. If you have a Cisco router upstream from the array, you should enter the appropriate static ARP table entries in the router; what we don’t want to have to do is install a second external interface to support the dedicated IP address.
Many firewall admins have to work with network managers who balk at making these kinds of changes because of the incumbent "b****ing and moaning" regarding Microsoft products. If you work in one of these environments, you should consider using RainWall instead of the Microsoft NLB service. RainWall uses different methods to advertise the array address, which obviates the need to change ARP table entries on the upstream Cisco device.
In this example we’ll assign each of the two ISA/VPN Server array members a single dedicated IP address and a single NLB address. The dedicated IP address is different on each server and the array address is the same on each machine. Perform the following steps on the first member of the array:
- Right click My Network Places and click the Properties command. In the Network and Dial-up Connections window, right click on the external interface and click the Properties command.
- In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
- The machine already has a unique IP address assigned to it. Now you need to enter the NLB address. Click the Add button in the IP addresses frame. In the TCP/IP Address dialog box, type in the NLB address and subnet mask. Remember that this must be a valid IP address on the network directly attached to the external interface of the ISA Server. Click Add, then click OK. Click OK one more time to complete the IP addressing configuration on the first member of the NLB array.
- If you don’t see any error messages, then you’re ready for the next step. Right click on the external interface and click Properties. Put a checkmark in the Network Load Balancing checkbox and click the Properties button.
- The Cluster Parameters tab is the first one you see. In the Primary IP address text box, type in the IP address you want the entire cluster to use. Note that this is the cluster primary IP address, not the ISA/VPN Server’s primary IP address. Keep in mind the differences between the two, as I went over in the NLB review articles. Type in the appropriate subnet mask in the Subnet mask text box. The Full Internet name must resolve to the DNS entry you have for the Primary IP address you entered in this dialog box. Put a checkmark in the enabled checkbox so that Multicast support is enabled. If you want to remotely manage the cluster, put in a password and confirm the passwords, then put a checkmark in the Remote control checkbox.
- Click on the Host Parameters tab. On the first array member, put a 1 in the Priority (Unique host ID) text box. Each array member must have a different host ID. Put a checkmark in the active checkbox so that the NLB service will start automatically with the server. In the Dedicated IP address text box, type in the dedicated IP address; this is also the ISA/VPN Server’s primary IP address (which is the IP address on the top of the list of IP addresses in the Advanced TCP/IP Properties dialog box). Enter the appropriate subnet mask.
- Click on the Port Rules tab. Microsoft recommends that you use the default Port Rule that has already been created for you. This allows all incoming TCP and UDP connections to be load balanced using single affinity. Single affinity "pins" an external client IP address to a specific ISA/VPN server for the duration of the connection. There are a number of reasons for this; make sure to review the NLB overview articles if you’re not clear on the different affinity modes and what they mean. Set the Load Weight to equal unless there is a big difference in terms of the hardware configurations among the servers. Keep in mind that the NLB algorithm does not take into account CPU or memory utilization, so if you anticipate major differences in these factors between the servers, you should manually assign a Load Weight.
- Click OK and then click OK again. Open the Event Viewer. In the System Log you’ll see two entries for WLBS. These entries confirm that the first member of your ISA/VPN Server array has converged with itself. When we’re done, the second member of the array will converge with the first.
Now perform the following steps on the second member of the ISA/VPN Server Array:
- Right click on My Network Places and click Properties. Right click on your external interface and click Properties. This time we’re going to configure the NLB properties before we add the virtual IP address to the list of addresses. The reason for this is that the server won’t like the duplicate IP address if it doesn’t know in advance that it’s an NLB address. Put a checkmark in the Network Load Balancing checkbox and click the Properties button.
- On the Cluster Parameters tab, enter exactly the information that you entered on the Cluster Parameters tab of the first ISA/VPN array member. Remember that the array will go into convergence if the settings for the cluster are not the same for all members.
- Click on the Host Parameters tab. Assign a new Priority value to this host. Since this is the second member of the array, I’ll assign it a value of 2. Put a checkmark in the Initial cluster state checkbox and enter the primary IP address bound to the external interface of the ISA/VPN server in the Dedicated IP address text box. Enter the appropriate subnet mask in the Subnet mask text box. You don’t need to add any new Port Rules so you can click OK.
- Click on the Internet Protocol (TCP/IP) entry and click the Properties button. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
- On the IP Settings tab, click the Add button. We need to add the virtual IP address. Enter the virtual IP address in the TCP/IP Address dialog box and enter the subnet mask. Click Add. The list of IP addresses should show the ISA/VPN server’s primary IP address on the top of the list, and the virtual IP address under the ISA/VPN server’s primary IP address. Click OK. Click OK again, and click OK one more time.
- You don’t need to make any changes to the Port Rules, so you can click OK. Click OK one more time. Open the Event Viewer and check the status of the array. If everything is working correctly, you should see that members 1 and 2 of the array have converged.
You can confirm that you’re in multicast mode by pinging the dedicated IP address of the other array member. Remember that in unicast mode, you would have to add a second NIC if you want to allow the interfaces to communicate with one another.
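Two of the details above are easy to get wrong by hand: the static ARP entry the upstream Cisco router needs for the multicast cluster MAC, and keeping the Cluster Parameters identical (and the host IDs unique) across array members. The following script is an added example, not part of the original article or of the NLB service; the member addresses, host names and the Cisco `arp` line syntax are assumptions, and the cluster MAC is derived the way NLB documents it (02-BF-w-x-y-z in unicast mode, 03-BF-w-x-y-z in multicast mode, where w.x.y.z is the cluster IP).

```python
import ipaddress

# Constructed sample: the two array members from the article, with addresses
# from the documentation range (assumed values, not the author's network).
ARRAY = {
    "isa1": {"cluster_ip": "192.0.2.10", "mask": "255.255.255.0",
             "full_name": "vpn.example.com", "multicast": True,
             "host_id": 1, "dedicated_ip": "192.0.2.11"},
    "isa2": {"cluster_ip": "192.0.2.10", "mask": "255.255.255.0",
             "full_name": "vpn.example.com", "multicast": True,
             "host_id": 2, "dedicated_ip": "192.0.2.12"},
}

# Cluster Parameters that must match on every member of the array.
CLUSTER_KEYS = ("cluster_ip", "mask", "full_name", "multicast")

def nlb_cluster_mac(cluster_ip, multicast=True):
    """MAC that NLB derives from the cluster IP: 03-BF-w-x-y-z in
    multicast mode, 02-BF-w-x-y-z in unicast mode."""
    prefix = 0x03 if multicast else 0x02
    octets = [prefix, 0xBF] + list(ipaddress.IPv4Address(cluster_ip).packed)
    return "-".join(f"{o:02X}" for o in octets)

def cisco_static_arp(cluster_ip, multicast=True):
    """Static ARP line for the upstream Cisco IOS router (assumed syntax:
    'arp <ip> <hhhh.hhhh.hhhh> ARPA')."""
    hexmac = nlb_cluster_mac(cluster_ip, multicast).replace("-", "").lower()
    dotted = ".".join(hexmac[i:i + 4] for i in range(0, 12, 4))
    return f"arp {cluster_ip} {dotted} ARPA"

def check_array(array):
    """Return the problems that would keep the members from converging."""
    problems = []
    members = list(array.values())
    first = members[0]
    for name, m in array.items():
        for k in CLUSTER_KEYS:  # every member must carry identical values
            if m[k] != first[k]:
                problems.append(f"{name}: cluster parameter {k!r} differs")
        # The cluster IP must be valid on the subnet of the external interface.
        net = ipaddress.IPv4Network((m["cluster_ip"], m["mask"]), strict=False)
        if ipaddress.IPv4Address(m["dedicated_ip"]) not in net:
            problems.append(f"{name}: dedicated IP not on the cluster subnet")
        if not m["multicast"]:  # unicast mode needs a second NIC for host-to-host traffic
            problems.append(f"{name}: unicast mode; members cannot reach each other")
    ids = [m["host_id"] for m in members]
    if len(set(ids)) != len(ids):  # Priority (Unique host ID) must differ per host
        problems.append("host IDs (priorities) are not unique")
    return problems

if __name__ == "__main__":
    print(cisco_static_arp(ARRAY["isa1"]["cluster_ip"]))
    print(check_array(ARRAY) or "array parameters consistent")
```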
Install and Configure ISA Server
There are no special installation requirements when installing the ISA Server. Keep in mind that you do want to install the server in integrated or firewall mode, since the server is likely going to be at the edge of the network. Perform the following steps on each of the ISA Servers:
- Insert the CD-ROM and let it autorun, or double click the ISAAutorun.exe file.
- Double click the Install ISA Server link.
- Click Continue on the Welcome page.
- Enter your CD key on the CD Key page. Click OK.
- Make a note of your product ID on the Product ID page and click OK.
- Click I Agree on the EULA page.
- Pick your installation mode on the installation mode page. In most cases you’ll choose Full Installation. You always have the opportunity to later remove components that you don’t want. Select Full Installation and click Next.
- In this example, the machines are not members of an enterprise array. Click Yes to continue.
- On the mode page, select either Firewall mode or Integrated mode. In this example we’ll use Integrated mode. Click Continue.
- Click OK to acknowledge that IIS services will be stopped. Note that they will start again when you restart the computer.
- On the Cache configuration page, set your cache size and location and click OK.
- On the Construct LAT page, click the Construct Table button. Uncheck the Add following private ranges option and select the Add address ranges based on Windows 2000 Routing Table option. Select your internal interface. Click OK. Click OK again.
- Continue with the Wizard and click OK when it’s done. Click OK again to confirm that setup was completed successfully.
You’re now ready to enable RRAS.
Enable RRAS for Incoming VPN Connections
I generally recommend that you enable RRAS only after ISA Server is installed, and then allow ISA Server to enable and configure RRAS for you. If you enabled RRAS before you installed ISA Server, you may end up with some service dependency issues that you’d rather not deal with. If you do find that your ISA Server services or RRAS services won’t start, check out http://isatools.org/rras_fix.vbs and run Jim’s script to fix the problem.
Perform the following steps on both of the ISA/VPN Servers:
- Open the ISA Management console, expand your server name and then right click on the Network Configuration node. Click on Allow VPN client connections.
- Click Next on the Welcome to the ISA Virtual Private Network Configuration Wizard page.
- Click Finish on the Completing the ISA VPN Server Configuration Wizard page. Click Yes if asked if you want to start RRAS.
- The Routing and Remote Access service is started and you’re returned to the ISA Management console.
- Restart both of the ISA/VPN Servers. While technically you should not have to do this, you’ll have a better "user experience" if you do.
At this point I usually go into the details of how to configure the VPN Server to assign IP addresses. However, I’ve already done that before in my article Configuring ISA Server for Inbound VPN Calls. Definitely give that article a look if you’re not clear on your VPN server configuration details. Note that one of the advantages of using DHCP to assign addresses to VPN clients is that you can assign DHCP options, such as DNS and WINS server addresses, which are different from the settings on the internal interface of the ISA Server.
Testing and Finalizing the Configuration
Now for the moment of truth. Configure your Windows 2000 or Windows XP pre-SP1 computer to establish a PPTP connection to the NLB cluster’s virtual IP address. What happens? At this point you should not be able to connect to the array. The reason is that you need to make some small changes to the PPTP packet filters that the ISA Server VPN Wizard created. Perform the following steps on both the ISA Servers:
- Open the ISA Management console, expand your server name and then expand the Access Policy node. Click on the Packet Filters node and then double click on the Allow PPTP protocol packets (server) packet filter.
- In the Allow PPTP protocol packets (server) Properties dialog box, click on the Local Computer tab. The default setting is Default IP address(es) on the external interface(s). We don’t want the default setting. Select the This ISA server’s external IP address option and type in the virtual IP address for the array. You want to allow incoming connections to the server on this IP address. Click Apply and then click OK.
- Double click on the Allow PPTP protocol packets (client) packet filter and click on the Local Computer tab. Note that we want to leave the default setting for this packet filter. This packet filter is used for the "established" connection and the source IP address for the established connection is the primary IP address on the ISA/VPN server (the top listed, dedicated IP address).
Now try the PPTP connection again. You’ll find the VPN client has no problems connecting to the VPN server on the virtual IP address. Now bring down the VPN server the client is connected to (you can tell which VPN server the client is connected to by opening up the RRAS console and looking at the client connections node). You’ll see that the client loses its connection with the downed VPN server. If you wait about 10-15 seconds, you’ll be able to connect to the virtual IP address again. Now bring the downed VPN server back up. You’ll see that the existing PPTP VPN connection is not disturbed.
In this last part of our two part article on configuring ISA/VPN Servers to use NLB, I described how you configure the ISA and VPN server components to allow external PPTP VPN clients to connect to the virtual IP address of the NLB array. If your network environment only needs to support Windows 2000 and Windows XP pre-SP1 VPN clients, you’ll find ISA/VPN NLB arrays a nice way to improve your network uptime. If you need to support a wider array of options, check out RainWall. I’ll cover high availability VPNs using RainWall in an upcoming article.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=007840 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom