Enabling NLB with Multicast IGMP

When NLB support was first introduced in the Enterprise Edition of the ISA firewall, cries of joy emanated from the entire ISA firewall admin community. While we were able to use a belt and suspenders approach to get NLB to work, there were problems with the ISA firewall services not being aware of the NLB services, which led to some important disconnects and what turned out to be an overall failure of the solution in a production environment.

That all changed when NLB support was baked into the Enterprise Edition of the ISA firewall. The problem was that only unicast mode was initially supported with integrated NLB. While unicast mode could get the job done, some people needed support for multicast mode (such as those who were using VMware solutions to test or deploy the firewall).

Multicast support was quietly released as a hotfix (http://support.microsoft.com/kb/938550). However, the process for configuring multicast NLB support for integrated ISA NLB is complicated and sometimes frustrating.

You can check out this great article by Jason Jones on how to make it work at:

http://blog.msfirewall.org.uk/2008/08/enabling-nlb-multicast-mode-on-isa.html

One problem with multicast mode is that it can introduce issues with switch flooding. One way around this problem is to take advantage of IGMP multicast functionality built into some switches. These switches can be configured so that only certain ports will register with multicast NLB. However, you need to configure the ISA firewall to support IGMP multicast communications.

To accomplish this, you need to configure the ISA firewall with a new Protocol Definition and Access Rule. Philipp Sand provides you with this information at:

https://blogs.technet.com/isablog/archive/2009/06/22/isa-integrated-nlb-multicast-with-igmp-isa-blocks-igmp-packets.aspx

One piece of good news is that the TMG firewall has integrated the choice of unicast or multicast into the configuration interface. Choosing unicast or multicast is as easy as selecting the mode you want from the drop-down list. Thanks to the TMG firewall team for listening and acting on our requests to make NLB simpler to enable and configure!

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
MVP — Forefront Edge Security (ISA/TMG/IAG)
