RE: ISA/VPN NLB on Win2003

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 27 Jun 2003 12:35:55 -0500

Hi David,
 
I'm glad you brought that article up. But what does it really mean? From that 
description, can you tell me what the problem is with using L2TP/IPsec with 
NLB? 

*       Do you think this article implies that with Win2003, you get "stateful" 
fail over? And if so, how do you define state? 
*       Do you think this article implies that when a member of the NLB array 
(cluster reminds me of colon polyps, so I never use that term) fails, the TCP 
state of the connection is completely known to other array members and there is 
no interruption in service? 
*       Do you think that all array members are aware of the SAs established 
between the VPN client and VPN server it initially connects to? 
*       Do you think that packets are evenly distributed among all array 
members from a single VPN client? (as this paragraph intimates). 
*       Or, do you think the author of this article 
http://www.isaserver.org/articles/pptpnbpart1.html provided a hint as to what 
the problem with L2TP/IPSec was with Win2k in the first paragraph until the 
section header Details of the Combined ISA/VPN Server Problem, and if he 
weren't so lazy, he would have given you a link to 
http://support.microsoft.com/?kbid=248346 which explains the problem with the 
SAs and L2TP/IPSec :-)

And another thing, if I hear one more person mention the term "stateful" I'm 
going to bust a gut :-)
 
Have a great weekend!
 
Tom
 
Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

        -----Original Message-----
        From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx] 
        Sent: Friday, June 27, 2003 10:46 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: ISA/VPN NLB on Win2003
        
        
        http://www.ISAserver.org
        
        
        Found my answer for WS03
         
        Migrating from Windows NT Server 4.0 to Windows Server 2003
         
        http://tinyurl.com/ffmi
         
            NLB Support for L2TP/IPSec Traffic

        In Windows 2000, Network Load Balancing (NLB) could not manage IPSec 
security associations (SAs) among multiple servers. If a server in the cluster 
became unavailable, the SAs managed by that cluster were orphaned and 
eventually timed out. This meant that you could not cluster L2TP/IPSec VPN 
servers. You could use DNS round-robin for load distribution across multiple 
L2TP/IPSec VPN servers, but there was no fault tolerance.

        In the Windows Server 2003 family, NLB has been enhanced to provide 
clustering support for IPSec SAs. This means that you can create a cluster of 
L2TP/IPSec VPN servers, and NLB will provide both load balancing and fault 
tolerance for L2TP/IPSec traffic.

        This feature is provided only with Windows Server 2003, Enterprise 
Edition, and Windows Server 2003, Datacenter Edition.

                -----Original Message-----
                From: David V. Dellanno 
                Sent: Friday, June 27, 2003 11:25 AM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: ISA/VPN NLB on Win2003
                
                
                So is it possible to purchase ISA Standard edition with Windows 
2003 Standard edition to achieve this?  If so, will this cause certain issues 
with the firewall using NLB?

                        -----Original Message-----
                        From: Thomas W Shinder 
[mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
                        Sent: Friday, June 27, 2003 11:22 AM
                        To: [ISAserver.org Discussion List]
                        Subject: [isalist] ISA/VPN NLB on Win2003
                        
                        
                        Hey guys,
                         
                        I just had to share my joy. Multiple ISA firewalls 
running on Win2003 using NLB. PPTP and L2TP/IPSec -- SWEET and it works with 
WinXP SP1 and allows the other VPN clients that had a problem with the responses 
coming from the "wrong" IP address. 
                         
                        Next step is to check it out in VPN gateway to gateway 
mode. Two VPN gateways at the local site, two VPN gateways at the remote site. 
See if fail over works smoothly.
                         
                        One downside -- I still have to create the arrays the 
old way, the NLB Manager is a bit "flakey" for want of a better term and leads 
to more stress and strain than required. Create the NLB arrays the old 
fashioned way, no problem, and everything works. :-)  I'd be happy to hear from 
anyone who's had a good experience with the Win2003 NLB Manager 'cause it's 
always good to hear from the other side, and maybe I can learn a thing or two!
                         
                        HTH
                        Tom