Consider the following fun facts regarding Web Farm Load Balancing with ISA 2006 Firewalls:
- Load balancing is not supported for Secure Sockets Layer (SSL) connections tunneled through the ISA Firewall (which is server publishing, not Web publishing). It is only supported in Web publishing, when the HTTPS connection is terminated on at the ISA Firewall, and then forwarded over HTTP or HTTPS to the Web farm (which represents SSL to SSL bridging).
- For SSL bridging scenarios, both IP affinity (source IP-based) and session affinity (cookie-based) are supported.
- In an SSL to SSL bridging scenario, the servers in the Web farm authenticate to the ISA Firewall with a server certificate. You can deploy these certificates as follows:
- Deploy a server certificate on each server in the Web farm. For example, if the server farm consists of Server1.internal.net, Server2.internal.net, and Server3.internal.net, you must acquire a unique certificate for each server, with the name of the farm member as it appears in the server farm object.
- Alternatively, deploy a server certificate for the Web farm object. In this case, you acquire a certificate with the internal name you specified for the Web publishing rule for the farm, and deploy the certificate on each server in the Web farm. In this case, you use the same name for each server certificate installed on the Web farm members. The key is that name is used in the Web Publishing Rule.
For more information about Warm Farm Load Balancing, check out:
http://www.microsoft.com/technet/isa/2006/deployment/wplb.mspx
HTH,
Tom
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: [email protected]
MVP — Microsoft Firewalls (ISA)