[isalist] Re: ISA Intra Array Authentification

  • From: "Lists" <lists@xxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 12 Feb 2007 13:12:40 -0800

Many of us do but how many will admit it?

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, February 12, 2007 12:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification


What's sad is that I actually know that song ;)

t


On 2/12/07 11:36 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:



        ..and dey swam and dey swam all over de dam..."
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Monday, February 12, 2007 10:23 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Zinged right by ya ;)
        
        t
        
        
        On 2/12/07 8:36 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
all:
        As a rule, it's not a problem unless you have one of several web
content filters that were never tested in this scenario.
        Unfortunately, that's a common problem.
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Monday, February 12, 2007 7:34 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        I always thought there was something fishy about Server-side
CARP.
        
        t
        
        
        On 2/12/07 6:12 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
all:
        No.
        You still haven't answered this question: "Are these servers in
a workgroup or domain environment?"
        If you send anything, send ISAInfo; not screen captures.
        
        There are three cases where this error might occur:
        1.      Intra-array traffic, where each server queries the
others for their interpretation of the array membership (uses machine
account by default)
        
        2.      Server-side CARP (uses machine account by default)
        
        3.      Web Chaining (uses the account specified in the rule)
        
        
        Quit playing with hardware settings - they have nothing to do
with this.
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Sunday, February 11, 2007 10:29 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        I have an idea:
        The security setup on the D:\URLCACHE is the following:
         
        Administrators - full
        Network Service - full
        System - full
         
        Does this have something to do with the Authentication error?
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
           

        
________________________________


        
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, February 12, 2007 2:39 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Good - that's been answered.
        Are these servers in a workgroup or domain environment?
        Are you chaining between ISA servers?
        Have you configured any web chaining rules?
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Sunday, February 11, 2007 2:28 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        I'm sorry to see you upset.
         
        Array properties / IntraArray credentials ... is set up to
"Authenticate using the computer account of the Array member"
         
         
        It is normal for them to be the same because these properties are
automatically synchronized by the array itself as far as I know.
         
         
        Do you have any other idea?
         
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
         
        

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Sunday, February 11, 2007 11:38 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Stop
        Playing
        With
        Your
        Network
        Configuration
         
        Stop
        Playing
        With
        NLB
        Settings
         
        Check the intra-array authentication settings for each server in
the array.
        Make sure that they are *THE SAME* for each server.
         
        What; I donn tawk Engrish gud?!?
         
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Sunday, February 11, 2007 1:17 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        ISA1, original ip: xxx.xxx.xxx.187
        ISA2, original ip: xxx.xxx.xxx.189
         
        I followed the documentation enabling NLB on Internal networks and
I specified the virtual IP as: xxx.xxx.xxx.190 (same subnet)
         
        The intra-array authentication shows problems!
         
        Then I added a second interface on both servers (192.168.254.1
and 192.168.254.2) and I specified that this new one should be for
intra-array communication; I also disabled the firewall as described in the
documentation:
        
http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx
         
        result > same problems!
         
         
        I notice that in Networks I receive this message: You have
changed the network topology. The network diagram does not reflect these
changes. All networks in the network topology are listed in the networks
tab.
        And I changed the topology to Edge Firewall with FULL FULL access >
same result > intra-array problems!
         
        I really have no idea what can be done.
         
        And after every change ..... I wait peacefully for a correct,
total and complete synchronization.
         
         
        Any idea is very warmly welcome.
         
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
         
        

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Sunday, February 11, 2007 5:23 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        It's only a "best practice" if you operate NLB on Windows prior
to 2003 SP1.
        There is no valid "traffic" or "functionality" requirement to
have a separate intra-array NIC if you're running non-NLB or Windows
2003 SP1 or later.
         
        The fact is: changing your network or NLB configuration will not
affect the authentication used to communicate between array members.
        Check the authentication selection & IP address defined for each
member in the array - they *MUST AGREE*.
        
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
        Sent: Sunday, February 11, 2007 7:05 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Well, technically, not exactly, although it is a best practice.
         
        There are two ways to work around this. These are:
         
        1.     Run NLB in Multicast mode - not something I consider a
good idea because you will most likely end up having to hard code a
bunch of network devices' ARP tables.
        
        2.     Use the UnicastInterHostCommSupport Registry key
(assuming Windows 2003 SP1).
        
        
        The link for 2. above is
http://support.microsoft.com/kb/898867.
         
        
        Cordially yours,
        Jerry G. Young II
        Application Engineer, Platform Engineering and Architecture
        NTT America, an NTT Communications Company
         
        22451 Shaw Rd.
        Sterling, VA 20166
         
        Office: 571-434-1319
        Fax: 703-333-6749
        Email: g.young@xxxxxxxx
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Sunday, February 11, 2007 6:50 AM
        To: ISA Mailing List
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Intra-Array Communication
        When you use ISA Server integrated NLB, each computer running
ISA Server services requires an additional network adapter, for
intra-array communication. We recommend that these network adapters be
physically connected to each other (for example, through a single
switch), and not to other network segments, to ensure that they receive
only intra-array communication. You should then configure intra-array
communication to use the IP address of the new adapter on each server.
The configuration procedures are described in the topic Configuring and
Securing Intra-Array Communication in this document.
        
        Therefore it needs at least 2 NICs.
         
        S
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Sunday, February 11, 2007 3:00 AM
        To: ISA Mailing List
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        I did this and I found interesting documentation.
         
        
http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx
         
        Please be kind and confirm if my understanding was right:
         
        -       to have ISA working in an ARRAY with only one Ethernet card,
it is also required to configure Network Load Balancing.
         
        Or ... will TWO Ethernet cards be a MUST?
         
        Thank you.
         
         
        PS: on ISA 2000 creating the array was simple: just add the
second server with the same settings and it works, but in 2004 it seems
they changed something more.
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
        CEO
        InterNetCon - Satellite Internet Services
        www.internetcon.ro   www.powersat.ro
        Phone: +40-264-452383
        Cell: +40-740-074031
        Cell: +40-788-074031
        Fax: +40-264-452207
         
        

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Saturday, February 10, 2007 10:21 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Search the help for "intra-array account".
        Make sure that it's set the same for all servers in the array.
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Monday, February 05, 2007 11:30 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] ISA Intra Array Authentification
        
        Dear Colleagues,
         
        I come to you with a simple question and I thought that you could
help me faster than any other documentation.
         
        We have an ISA Server 2004 connected to our main domain, with
only one interface and used purely for caching. The settings are all OK,
everything works all right. In this environment we added another server
with the intention of having 2 servers in an array. We would like to make
a failover at DNS level with the same record and two IPs.
         
        After this array was created successfully, there is one error on
each ISA machine:
        Description: ISA Server cannot connect to xxx.xxx.xxx.xxx proxy
server because the server requires authentication, either when chaining
or for intra-array communication. However authentication failed because
the specified credentials were incorrect. Check authentication
credentials and try again.
        
        XXX.XXX.XXX.XXX is the address of the OTHER server. In this
spirit I reached the conclusion that there is a problem in INTRA-ARRAY
communication.
         
        The second server has a CARP load factor of 1 and the old
server has a CARP load factor of 100. In this environment, when an
end user connects to the second server they get the following error:
         
        •      Error Code: 502 Proxy Error. Logon failure: unknown user
name or bad password. (1326) 
        •      IP Address: server isa old
        •      Date: 2/6/2007 7:18:37 AM 
        •      Server: server isa new
        •      Source: proxy 
        
        I can only conclude that intra-array authentication is the
problem.
         
        If you can provide me fast advice I would appreciate it very
much.
         
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
        CEO
        InterNetCon - Satellite Internet Services
        www.internetcon.ro   www.powersat.ro
        Phone: +40-264-452383
        Cell: +40-740-074031
        Cell: +40-788-074031
        Fax: +40-264-452207 
        

        All mail to and from this domain is GFI-scanned. 
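Added example for the thread above, not code from any of the posters or from Microsoft: Gerald's second workaround is the UnicastInterHostCommSupport registry value from KB898867, and Jim's repeated point is that the settings on every array member must agree. The script below reads that value on each member and puts the results side by side so a disagreement is visible at once. Assumptions: PowerShell remoting is enabled on the members; the host names ISA1 and ISA2 are placeholders; the registry location used is the per-adapter NLB parameter key that KB898867 documents, which should be verified against the article before relying on it.

```powershell
# Added example, not from the thread. Report the UnicastInterHostCommSupport
# value (KB898867) on every array member so the values can be compared.
# Assumptions (verify against KB898867): NLB keeps per-adapter parameters under
#   HKLM\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface\{adapter GUID}
# and UnicastInterHostCommSupport is a DWORD there, 1 = enabled, absent/0 = disabled.
# $ArrayMembers holds placeholder host names; PowerShell remoting is assumed enabled.

$ArrayMembers = @('ISA1', 'ISA2')   # placeholder names for the two array members

function Get-NlbUnicastInterHostSetting {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface'
    if (-not (Test-Path -Path $base)) {
        # No NLB parameters at all: report that rather than returning nothing.
        return [pscustomobject]@{
            Computer                    = $env:COMPUTERNAME
            Interface                   = '(none)'
            UnicastInterHostCommSupport = 'NLB not configured'
        }
    }
    foreach ($iface in Get-ChildItem -Path $base) {
        $raw = (Get-ItemProperty -Path $iface.PSPath).UnicastInterHostCommSupport
        $val = 0                                   # absent value means the default (disabled)
        if ($null -ne $raw) { $val = [int]$raw }
        [pscustomobject]@{
            Computer                    = $env:COMPUTERNAME
            Interface                   = $iface.PSChildName   # adapter GUID
            UnicastInterHostCommSupport = $val
        }
    }
}

# Run the check on every member and show the results in one table.
$results = Invoke-Command -ComputerName $ArrayMembers `
    -ScriptBlock ${function:Get-NlbUnicastInterHostSetting}
$results | Sort-Object Computer |
    Format-Table Computer, Interface, UnicastInterHostCommSupport -AutoSize

# Members whose values differ are the first place to look.
$distinct = @($results | Select-Object -ExpandProperty UnicastInterHostCommSupport -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning ("Array members disagree on UnicastInterHostCommSupport: " +
                   ($distinct -join ', '))
}
```

The registry check covers only the NLB side. The ISA-side setting Jim keeps asking about (the intra-array credentials and the intra-array IP address of each member, shown in the console under the array properties as Bogdan describes) still has to be compared member by member in the same way.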
