This question comes up often. People want to have some measure of fault tolerance for Web Proxy clients that are configured to use client side CARP. Client side CARP takes place when you configure the Web Proxy clients to use the autoconfiguration script and the ISA Firewall Array is configured to enable CARP on the ISA Firewall Network from which the connections are received.
Theoretically, CARP aware Web Proxy clients should be able to walk the list of online Web Proxy servers given that the list of servers is included in the list. However, the client only checks the autoconfiguration script ever 50 minutes, so this is far from a real-time accounting the state of the array. You might think that NLB would be useful, but not for CARP aware Web Proxy clients, because the entire point of being CARP aware is to send the request directly to the ISA Firewall array member that is responsible for that FQDN in the request.
Here’s the official line on CARP and NLB support:
CARP and NLB
ISA Server provides proxy failover capabilities with the use of CARP and Network Load Balancing (NLB). Consider the following:
- CARP provides load balancing and cache distribution, but does not provide a true failover solution. For example, Microsoft Internet Explorer® caches the configuration script (Wpad.dat or Isa.routing.script) for 50 minutes by default, and new Web browser sessions will first check the cache for the script. If an ISA Server array member specified in the script becomes unavailable, the client may still try to connect to it with the cached script.
- The ISA Server configuration script is client-based, and the CARP implementation depends on the client’s interpretation of the state of a specific server. This is less resilient to error than an NLB server-based solution.
- Implementing NLB and CARP together provides some failover capabilities by ensuring that the automatic configuration script is highly available. If you have NLB configured, you can specify the NLB cluster’s virtual IP address in the location of the automatic configuration script, or by specifying the virtual IP address in the Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP) WPAD entry. NLB will only forward the request for the script to the available members of the array. The client-side CARP algorithm in the script then ensures that the URL request is handled by the most appropriate array member. For true failover capabilities, clients would connect to the array virtual IP address instead of using client-side CARP capabilities in the automatic configuration script.
To use NLB functionality together with the CARP mechanism provided by the routing script, you can do the following:
- Configure the WPAD entry to point to the virtual IP address of the array. NLB uses virtual IP addresses that are shared among all array servers. Each array member can select packets to send to a virtual IP address, according to the NLB algorithm.
- Alternatively, configure the configuration script URL to point to the virtual IP address of the array, or to a DNS record that resolves to the array virtual IP address. Use the following syntax: http://ISA_ArrayName/array.dll?Get.Routing.Script, where ISA_ArrayName is the DNS entry that resolves to the array virtual IP address.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)