Configuring ISA Server 2004 Enterprise Edition – Part 4 – Implementing CARP and NLB
This article series contains the following articles:
- Installing ISA Server 2004 Enterprise Edition – Part 1 – Installing and Configuring the Configuration Storage Server
- Installing ISA Server 2004 Enterprise Edition – Part 2 – Installing ISA Server 2004 Firewall on two Servers
- Configuring ISA Server 2004 Enterprise Edition – Part 3 – Administering ISA Server 2004 Enterprise Arrays
- Configuring ISA Server 2004 Enterprise Edition – Part 4 – Enabling CARP and NLB in ISA Server 2004 Enterprise
If you have more ideas for ISA Server 2004 Enterprise articles, please let me know and I will check whether your idea could be part of a new article.
For this article series we have the following configuration:
Windows 2003 Domain Controller
Windows 2003 Member Server with ISA Server 2004 Configuration Storage Server
Windows 2003 Member Server with ISA Server 2004 Enterprise Firewall
Windows 2003 Member Server with ISA Server 2004 Enterprise Firewall
ISA Server 2004 Enterprise Edition uses CARP (Cache Array Routing Protocol) to provide scaling and efficiency when several ISA Server computers form an array. CARP combines the individual caches of all array members into one logical cache.
Every cache request is distributed across the servers that use CARP, and the cached content is spread across those servers by a hash-based algorithm.
CARP uses hash-based routing to determine which array member should resolve a request. The routing decision is based on a hash of the array member identities (each array member has a unique ID) combined with a hash of the URL. For any URL, the client therefore knows exactly which array member will hold the object, whether it is already cached or is being requested from the Internet for the first time.
- CARP determines the array member that should resolve each web request without any message exchange between the ISA Servers: every member (and every client running the routing script) computes the same answer from the same hash.
- CARP scales positively: the more servers you add to the array, the more cache capacity and request throughput the array has.
- CARP balances the load across all ISA Servers in the array according to the load factor that administrators can configure for each member.
- CARP uses one single logical cache, so there are no redundant cache entries. The flip side is that a cached object lives on one member only; if that member fails, the object must be fetched from the Internet again.
- CARP automatically starts using new hosts added to the array, because the hash-based routing assigns them their share of the URL space.
- CARP automatically reconfigures itself when you remove one or more ISA Servers from the array.
CARP has two implementations: client-side CARP and server-side CARP.
Client-side CARP: the client selects an array member to serve each individual URL. The ISA Server 2004 online help describes the client-side algorithm as follows:
Client browsers select an array to use by means of a script, generated by ISA Server in response to automatic discovery and specific queries (for Wpad.dat and Array.dll?Get.Routing.Script), and retrieved from the array. When a user types a URL into a Web browser, the URL is handed off to the script, which computes a prioritized list of array servers that will serve that page. The browser connects to the first server in the list and requests that it retrieve the page. If the first server does not respond, the next server in the list is contacted, and so on until the object can be retrieved. The script always returns the same server list for a given URL, ensuring each URL is cached on one array server only. The script generated by ISA Server implements the CARP algorithm. The script includes information about the configuration and current status of the array. The script ensures that the URL space is divided evenly and in accordance with configurable load factors between the array members.
Server-side CARP: client browsers select ISA Server 2004 array members in a round-robin fashion. When a request reaches an array member, that server runs the CARP algorithm on the requested URL, determines which array member is responsible for it and forwards the request to that member, at the cost of an extra hop across the intra-array network whenever the request arrived at the wrong server. Server-side CARP is often used as a fallback when client-side CARP is not enabled or is configured incorrectly.
It is possible to exclude specific web sites from CARP (Figure 5), because some sites require that all of a client's requests arrive from the same IP address, and CARP by design spreads a site's URLs across several array members. Use CARP exceptions to exclude such sites.
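The client-side routing described above, written out as an added example: a CARP-style proxy auto-configuration (PAC) script. It is not the script ISA Server generates and not code from the original article. It assumes three array members, isa1 to isa3.contoso.local on port 8080, with load factors 100, 200 and 100, one exception site (bank.example.com), and it uses its own hash (djb2 followed by the MurmurHash3 finalizer) with weighted rendezvous hashing in place of ISA's CARP hash; the member names, ports, load factors and exception list are assumptions. It shows the properties listed above: the browser gets a prioritized PROXY list per URL, each member's load factor sets its share of the URL space, and removing a member re-homes only that member's URLs.

```javascript
// Added example, not ISA Server's generated routing script: a CARP-style
// proxy auto-configuration (PAC) script that models what the script served
// via Wpad.dat / Array.dll?Get.Routing.Script does for client-side CARP.
// Member names, ports, load factors, the exception list and the hash are
// assumptions for illustration. Written in ES3-style JavaScript on purpose,
// since PAC engines are often old; it runs unchanged under Node.js.

// Array members and their CARP load factors (assumed values).
var ARRAY_MEMBERS = [
  { name: "isa1.contoso.local", port: 8080, loadFactor: 100 },
  { name: "isa2.contoso.local", port: 8080, loadFactor: 200 },
  { name: "isa3.contoso.local", port: 8080, loadFactor: 100 }
];

// CARP exceptions (assumed list). For these sites this model hashes the
// host name instead of the full URL, so every URL of the site ranks the
// same member first and the site always sees one source address.
var CARP_EXCEPTIONS = ["bank.example.com"];

// 32-bit multiply modulo 2^32 without Math.imul (not in ES3 engines).
function mul32(a, b) {
  return (((a & 0xffff) * b) + ((((a >>> 16) * b) & 0xffff) << 16)) >>> 0;
}

// String hash: djb2 accumulation plus the MurmurHash3 32-bit finalizer.
// The finalizer matters: djb2 alone is linear in its input, so the hashes
// of "isa1|<url>" and "isa2|<url>" would differ by a constant and the
// members' values would not be independent of each other.
function hash32(str) {
  var h = 5381;
  for (var i = 0; i < str.length; i++) {
    h = ((h << 5) + h + str.charCodeAt(i)) >>> 0;
  }
  h ^= h >>> 16; h = mul32(h, 0x85ebca6b);
  h ^= h >>> 13; h = mul32(h, 0xc2b2ae35);
  h ^= h >>> 16;
  return h >>> 0;
}

// Rank the members for one key with weighted rendezvous hashing (highest
// random weight). Each member's score depends only on the key and its own
// name, so no message exchange between members or clients is needed, and
// adding or removing a member re-homes only the keys that member wins.
function rankMembers(key, members) {
  var scored = [];
  for (var i = 0; i < members.length; i++) {
    var m = members[i];
    // Uniform value in (0,1) from the member/key hash, weighted by the load
    // factor: a member with twice the factor wins twice as many keys.
    var u = (hash32(m.name + "|" + key) + 0.5) / 4294967296;
    scored.push({ member: m, score: -m.loadFactor / Math.log(u) });
  }
  scored.sort(function (a, b) { return b.score - a.score; });
  var ranked = [];
  for (var j = 0; j < scored.length; j++) ranked.push(scored[j].member);
  return ranked;
}

// The CARP key: the full URL normally, the host alone for exception sites.
function carpKey(url, host) {
  for (var i = 0; i < CARP_EXCEPTIONS.length; i++) {
    var site = CARP_EXCEPTIONS[i];
    if (host === site || host.slice(-(site.length + 1)) === "." + site) {
      return host;
    }
  }
  return url;
}

// PAC entry point: the browser calls this for every request, connects to the
// first PROXY entry and falls back down the list if that member does not
// answer, which is the client-side CARP behaviour described above.
function FindProxyForURL(url, host) {
  var ranked = rankMembers(carpKey(url, host), ARRAY_MEMBERS);
  var entries = [];
  for (var i = 0; i < ranked.length; i++) {
    entries.push("PROXY " + ranked[i].name + ":" + ranked[i].port);
  }
  return entries.join("; ");
}

// Count which member each key ranks first; used to check the load factors.
function distribute(keys, members) {
  var counts = {};
  for (var i = 0; i < members.length; i++) counts[members[i].name] = 0;
  for (var j = 0; j < keys.length; j++) {
    counts[rankMembers(keys[j], members)[0].name] += 1;
  }
  return counts;
}

// Constructed sample URLs (not real traffic) for a stand-alone run.
function sampleUrls(n) {
  var urls = [];
  for (var i = 0; i < n; i++) {
    urls.push("http://www.example.com/docs/page" + i + ".html");
  }
  return urls;
}

if (typeof console !== "undefined") {
  // Expect shares near 25 % / 50 % / 25 % for load factors 100 / 200 / 100.
  console.log(distribute(sampleUrls(4000), ARRAY_MEMBERS));
  console.log(FindProxyForURL("http://www.example.com/docs/page7.html", "www.example.com"));
}
```

Run it with node to see the shares for 4,000 constructed URLs and the PROXY list for one of them; dropping a member from ARRAY_MEMBERS and running it again shows that only the URLs that member ranked first change server. Hashing the host alone for exception sites is this model's choice; the page does not describe how ISA's own script treats exception sites.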
How to enable CARP
To enable CARP, start the ISA Server 2004 Management console and navigate to Arrays – MainArray – Configuration – Cache. CARP distributes the cache, so each array member first needs a cache of its own. In the right pane you can see the two ISA Server 2004 Enterprise firewalls (Figure 1). Right-click a server object.
Figure 1: Cache settings in ISA console
Now you can specify the maximum cache size in MB (Figure 2). For our example I selected 50 MB for each ISA Server 2004 Enterprise firewall. Click Set.
Figure 2: Configure Cache size
Click Apply to save the changes (Figure 3).
Figure 3: Save changes and restart the services
Now right-click the Cache node under Configuration and open its properties: the total cache size shown is 100 MB (Figure 4), the sum of both members' caches, because CARP treats them as one logical cache.
Figure 4: Cache size
Now it is time to activate CARP. Navigate to Arrays – MainArray – Configuration – Networks and right-click the Internal network (Figure 5).
Figure 5: Enabling CARP
Click Enable CARP on this network (Figure 5), then click Apply to save the change.
CARP Load Factor
ISA Server 2004 computers in an array can have different hardware and performance characteristics, so you may want to give each ISA Server a different share of the load. You can configure a load factor for each ISA Server in the array.
The higher the load factor, the larger the share of requests the server must handle. The factors are relative weights: two members with factors 100 and 200 serve roughly one third and two thirds of the URL space. You configure the load factor in the ISA Server 2004 Management console: navigate to Arrays – MainArray – Configuration – Servers, open the server's CARP properties and specify the load factor (Figure 6).
Figure 6: CARP Load factor
Network Load Balancing (NLB)
ISA Server 2004 Enterprise Edition integrates Windows Network Load Balancing (NLB), so that you can balance the load across all array members on one or more networks. NLB provides high availability by redistributing network traffic among the remaining cluster hosts: if one cluster host goes offline, existing connections to that host are lost, but the service remains available.
If you are using ISA Server 2004 on Windows Server 2003 without a service pack, you should use a dedicated network card for intra-array communication and not enable NLB on that network. With Windows Server 2003 SP1 you can use NLB on all networks in ISA Server 2004, including the intra-array network.
You can use ISA Server 2004 to configure and manage the NLB functionality of Windows Server 2003 on ISA Server arrays. This is called integrated NLB and is highly recommended, because it adds NLB health monitoring and heartbeat, VPN failover and bidirectional affinity (BDA) on top of the Windows feature.
ISA Server NLB is based on the NLB features of Windows Server 2003.
Benefits of Network Load Balancing
NLB provides high availability and scalability by using a cluster of up to 31 ISA Server 2004 computers. Clients access the NLB cluster through its virtual IP address (VIP) and cannot distinguish the cluster from a single ISA Server.
NLB delivers scaled performance by distributing the traffic sent to one or more virtual IP addresses (the cluster IP addresses) across the cluster hosts, which then respond to different client requests concurrently.
NLB employs a fully distributed algorithm that statistically maps incoming clients to cluster hosts based on their IP addresses. Every host receives every packet sent to the cluster addresses, and all hosts perform the same mapping on it at the same time, so they quickly agree on which single host handles the packet without exchanging messages. Although the mapping changes when the number of hosts changes, NLB continues to maintain existing TCP connections.
NLB also maintains existing Point-to-Point Tunneling Protocol (PPTP) and IPsec tunnel connections, so in virtual private network (VPN) scenarios the tunnel survives even when the mapping changes because the number of hosts changes.
NLB integration modes
NLB is enabled per ISA Server array. Each array can be configured in one of the following modes:
Integrated NLB: you use ISA Server 2004 Management to configure NLB. This mode has many benefits over non-integrated NLB, such as VPN failover, NLB health monitoring, multi-networking and more. Integrated NLB supports unicast mode with single affinity only.
Non-integrated NLB: in this mode you use the standard Windows tool, Network Load Balancing Manager, to configure NLB.
By default, NLB integration is not enabled when you install Microsoft Internet Security and Acceleration (ISA) Server 2004.
ISA Server 2004 performs stateful inspection on all network traffic. For this reason ISA Server works with Windows NLB to ensure that the incoming and outgoing traffic of each session is handled by the same array member. This is what bidirectional affinity provides: without it, the reply packets arriving on the other network could be mapped to a different array member, which holds no state for that connection and would drop them.
Don't forget to have a look at the NLB articles on www.isaserver.org. Many of them cover NLB in detail and can help you understand it better.
To enable NLB in ISA Server 2004, start the ISA Server 2004 Management console, navigate to Arrays – MainArray – Configuration – Networks and, in the right pane, select the network for which you want to enable NLB (Figure 7).
Figure 7: Enable Network Load Balancing
Follow the instructions of the NLB wizard (Figure 8).
Figure 8: NLB wizard
Select the network for which you want to enable NLB. In this example we select the Internal network (Figure 9).
Figure 9: Select the network for NLB
Next click Set Virtual IP. The virtual IP (VIP, Figure 10) is the address clients use to connect to the ISA Server 2004 array; NLB distributes the connections arriving at the VIP across all array members. The VIP must be an unused address on the same subnet as the members' own addresses on that network.
There are some pitfalls when enabling NLB. It is recommended to connect the array members through a hub: in unicast mode all members answer to the same cluster MAC address, which switches that expect each MAC address behind a single port do not handle well. You will find more about NLB pitfalls in the following articles: http://www.isaserver.org/pages/search.asp?query=nlb.
Figure 10: Enter the VIP
Click Finish. Click Apply. Save the changes and restart the services.
Configuration on Client side
After enabling NLB you must reconfigure your internal clients to point to the VIP; a client that still uses a member's own address bypasses the load balancing. For SecureNAT clients configure the VIP as the default gateway. For Web proxy clients use the VIP as the proxy address, or, if you use automatic discovery or automatic configuration, make sure that your clients resolve the ISA Server array name to the VIP. To do this, create an A record in DNS that maps the array's DNS name to the VIP. You can find and modify the array DNS name in the array properties (Figure 11).
Figure 11: DNS Name for the ISA Server 2004 Array
RemoveAllNLBSettings.cmd is a script that clears all Network Load Balancing settings from an ISA Server 2004 array member, including the bidirectional affinity settings. This is useful in the following situations:
- Old NLB settings remain from a previous configuration and enabling NLB fails because of them. The script clears the old configuration and restarts the Microsoft Firewall service.
- NLB does not function properly after you uninstall ISA Server 2004 or change the NLB mode from integrated to non-integrated.
In this article I have shown you how to enable CARP and NLB in your ISA Server 2004 Enterprise array. This is the last article in my small article series.
Related links
Deployment Guidelines for ISA Server 2004 Enterprise Edition
Introduction to Branch Deployment of ISA Server 2004 Enterprise Edition
ISA Server 2004 Enterprise Edition in a Workgroup
Network Load Balancing in ISA Server 2004 Enterprise Edition
Troubleshooting Host IDs in ISA Server 2004 Enterprise Edition
Troubleshooting Network Load Balancing in ISA Server 2004 Enterprise Edition
ISA Server 2004 Enterprise Edition Configuration Guide
Renaming Configuration Storage Servers in ISA Server 2004 Enterprise Edition