Hi David,

I'm glad you brought that article up. But what does it really mean? From that description, can you tell me what the problem is with using L2TP/IPsec with NLB?

* Do you think this article implies that with Win2003, you get "stateful" fail over? And if so, how do you define state?
* Do you think this article implies that when a member of the NLB array (cluster reminds me of colon polyps, so I never use that term) fails, the TCP state of the connection is completely known to other array members and there is no interruption in service?
* Do you think that all array members are aware of the SAs established between the VPN client and VPN server it initially connects to?
* Do you think that packets are evenly distributed among all array members from a single VPN client? (as this paragraph intimates).
* Or, do you think the author of this article http://www.isaserver.org/articles/pptpnbpart1.html provided a hint as to what the problem with L2TP/IPSec was with Win2k in the first paragraph until the section header Details of the Combined ISA/VPN Server Problem, and if he weren't so lazy, he would have given you a link to http://support.microsoft.com/?kbid=248346 which explains the problem with the SAs and L2TP/IPSec :-)

And another thing, if I hear one more person mention the term "stateful" I'm going to bust a gut :-)

Have a great weekend!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: Friday, June 27, 2003 10:46 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA/VPN NLB on Win2003

http://www.ISAserver.org

Found my answer for WS03

Migrating from Windows NT Server 4.0 to Windows Server 2003
http://tinyurl.com/ffmi

NLB Support for L2TP/IPSec Traffic

In Windows 2000, Network Load Balancing (NLB) could not manage IPSec security associations (SAs) among multiple servers. If a server in the cluster became unavailable, the SAs managed by that cluster were orphaned and eventually timed out. This meant that you could not cluster L2TP/IPSec VPN servers. You could use DNS round-robin for load distribution across multiple L2TP/IPSec VPN servers, but there was no fault tolerance.

In the Windows Server 2003 family, NLB has been enhanced to provide clustering support for IPSec SAs. This means that you can create a cluster of L2TP/IPSec VPN servers, and NLB will provide both load balancing and fault tolerance for L2TP/IPSec traffic. This feature is provided only with Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.

-----Original Message-----
From: David V. Dellanno
Sent: Friday, June 27, 2003 11:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA/VPN NLB on Win2003

So is it possible to purchase ISA Standard edition with Windows 2003 Standard edition to achieve this? If so, will this cause certain issues with the firewall using NLB?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, June 27, 2003 11:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA/VPN NLB on Win2003

Hey guys,

I just had to share my joy. Multiple ISA firewalls running on Win2003 using NLB. PPTP and L2TP/IPSec -- SWEET and it works with WinXP SP1 and all the other VPN clients that had a problem with the responses coming from the "wrong" IP address.

Next step is to check it out in VPN gateway to gateway mode. Two VPN gateways at the local site, two VPN gateways at the remote site. See if fail over works smoothly.

One downside -- I still have to create the arrays the old way, the NLB Manager is a bit "flakey" for want of a better term and leads to more stress and strain than required. Create the NLB arrays the old fashioned way, no problem, and everything works. :-)

I'd be happy to hear from anyone who's had a good experience with the Win2003 NLB Manager 'cause it's always good to hear from the other side, and maybe I can learn a thing or two!

HTH,
Tom