Site to Site VPN Load Balancing when NLB is Enabled on an ISA 2006 Firewall Array
A few people have asked me how the ISA Firewall handles server assignment when you have NLB enabled on an ISA Firewall array that is terminating site-to-site VPN connections from dozens to thousands of branch office ISA Firewalls.
When a site-to-site connection is established with an array of ISA Firewalls, one array member is the connection owner for that remote site network. The connection owner is the VPN tunnel endpoint for that site: all traffic to and from the remote site network passes through that array member. Different remote site networks can be owned by different array members, which is what spreads the VPN load across the array.
When NLB is enabled, the ISA Firewall assigns the connection owner automatically, using an algorithm that distributes ownership across the array members to keep the load as balanced as possible. The assignment is made when the tunnel is established and is sticky: once a tunnel is up, its connection owner does not change, even if array members are later added or removed, so adding a member does not rebalance existing tunnels. If the assigned connection owner becomes unavailable, the ISA Firewall automatically moves the connection to another array member. This gives you transparent failover for site-to-site VPN connections.
When NLB is not enabled, you must assign a connection owner for each remote site network yourself (in the properties of that remote site network), and there is no failover: if that connection owner becomes unavailable, there is no connectivity to the remote site until the owner comes back or you reassign the owner. That alone is an excellent reason to take the time to enable NLB on ISA Firewall arrays that act as site-to-site VPN gateways.
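To make the two behaviours concrete, here is a small model of connection-owner assignment for an array, written for this page as an added illustration. It is not ISA code and does not use the ISA object model. ISA's actual balancing algorithm is not documented here, so the rule used below (assign each new tunnel to the available array member that currently owns the fewest remote sites) is an assumption chosen only to show the properties described above: balanced initial assignment, sticky ownership when members are added, automatic failover with NLB, and loss of connectivity without NLB. The array member names and branch site names are constructed.

```python
"""Model of connection-owner assignment for site-to-site VPN on an ISA array.

Added illustration only; not ISA code. The least-loaded assignment rule is an
assumption standing in for ISA's undocumented balancing algorithm.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class IsaArray:
    nlb_enabled: bool
    members: List[str]                                  # all array members
    available: Set[str] = field(default_factory=set)    # members currently up
    owners: Dict[str, str] = field(default_factory=dict)  # remote site -> owner

    def __post_init__(self) -> None:
        # Every member starts out available.
        self.available = set(self.members)

    def _least_loaded(self) -> str:
        """Assumed balancing rule: the available member owning the fewest sites.

        Ties are broken alphabetically so the result is deterministic.
        """
        load = {m: 0 for m in self.available}
        for owner in self.owners.values():
            if owner in load:
                load[owner] += 1
        return min(sorted(load), key=lambda m: load[m])

    def establish(self, site: str, manual_owner: Optional[str] = None) -> str:
        """Bring up a tunnel for `site` and record its connection owner."""
        if self.nlb_enabled:
            owner = self._least_loaded()          # automatic assignment
        else:
            # Without NLB the administrator must pick the owner.
            if manual_owner is None or manual_owner not in self.members:
                raise ValueError("NLB disabled: a connection owner must be assigned")
            owner = manual_owner
        self.owners[site] = owner
        return owner

    def add_member(self, name: str) -> None:
        """Add an array member; existing tunnels keep their owner (sticky)."""
        self.members.append(name)
        self.available.add(name)

    def member_down(self, name: str) -> None:
        """Take a member offline; with NLB its tunnels fail over automatically."""
        self.available.discard(name)
        if not self.nlb_enabled or not self.available:
            return                                # no failover possible
        orphaned = [s for s, o in self.owners.items() if o == name]
        for site in orphaned:
            self.owners[site] = self._least_loaded()

    def site_connected(self, site: str) -> bool:
        """A remote site is reachable only while its owner is up."""
        return self.owners.get(site) in self.available


def demo() -> Dict[str, object]:
    """Run both scenarios and return the observations worth checking."""
    # NLB enabled: seven constructed branch offices against a three-member array.
    nlb = IsaArray(nlb_enabled=True, members=["ISA1", "ISA2", "ISA3"])
    for i in range(1, 8):
        nlb.establish(f"Branch{i:02d}")
    initial = dict(nlb.owners)
    nlb.add_member("ISA4")
    after_add = dict(nlb.owners)                  # unchanged: ownership is sticky
    nlb.member_down("ISA1")
    after_failover = dict(nlb.owners)
    all_up = all(nlb.site_connected(s) for s in nlb.owners)

    # NLB disabled: owner is assigned by hand and there is no failover.
    manual = IsaArray(nlb_enabled=False, members=["ISA1", "ISA2"])
    manual.establish("Branch01", manual_owner="ISA1")
    manual.member_down("ISA1")
    manual_connected = manual.site_connected("Branch01")

    return {
        "initial": initial,
        "after_add": after_add,
        "after_failover": after_failover,
        "nlb_all_connected": all_up,
        "manual_connected_after_owner_down": manual_connected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the NLB run the seven sites are spread 3/2/2 across the three members, adding ISA4 changes nothing for the existing tunnels, and when ISA1 goes down its three sites are moved to the members with spare capacity, so every branch stays connected. In the manual run the single assigned owner going down leaves the branch unreachable, which is exactly the situation the text warns about.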