ISA1, original ip: xxx.xxx.xxx.187
ISA2, original ip: xxx.xxx.xxx.189

I followed the documentation, enabling NLB on Internal networks, and I specified the virtual ip as: xxx.xxx.xxx.190 (same subnet).

The intra-array authentication shows problems!

Then I added a second interface on both servers (192.168.254.1 and 192.168.254.2) and I specified that this new one should be for intra-array. I also disabled the firewall as described in the documentation:

http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx

result > same problems!

I noticed that in Networks I receive this message:

You have changed the network topology. The network diagram does not reflect these changes. All networks in the network topology are listed in the networks tab.

And I changed the topology to Edge Firewall with FULL FULL access > same result > intra-array problems!

I really have no idea what can be done. And after every change ..... I wait peacefully for a correct, total and complete synchronization.

Any idea is very warmly welcome.

Yours sincerely,
Bogdan Florin

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Sunday, February 11, 2007 5:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

It's only a "best practice" if you operate NLB on Windows prior to 2003 SP1. There is no valid "traffic" or "functionality" requirement to have a separate intra-array NIC if you're running non-NLB or Windows 2003 SP1 or later.

The fact is; changing your network or NLB configuration will not affect the authentication used to communicate between array members. Check the authentication selection & IP address defined for each member in the array - they *MUST AGREE*.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Sunday, February 11, 2007 7:05 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

Well, technically, not exactly, although it is a best practice. There are two ways to work around this. These are:

1. Run NLB in Multicast mode - not something I consider a good idea because you will most likely end up having to hard code a bunch of network devices' ARP tables.
2. Use the UnicastInterHostCommSupport Registry key (assuming Windows 2003 SP1).

The link for 2., above, is http://support.microsoft.com/kb/898867.

Cordially yours,
Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd. Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Sunday, February 11, 2007 6:50 AM
To: ISA Mailing List
Subject: [isalist] Re: ISA Intra Array Authentification

Intra-Array Communication

When you use ISA Server integrated NLB, each computer running ISA Server services requires an additional network adapter, for intra-array communication. We recommend that these network adapters be physically connected to each other (for example, through a single switch), and not to other network segments, to ensure that they receive only intra-array communication. You should then configure intra-array communication to use the IP address of the new adapter on each server. The configuration procedures are described in the topic Configuring and Securing Intra-Array Communication in this document.

Therefore it needs at least 2 NICs.

S

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
Sent: Sunday, February 11, 2007 3:00 AM
To: ISA Mailing List
Subject: [isalist] Re: ISA Intra Array Authentification

I did this and I found interesting documentation.

http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx

Please be kind and confirm if my understanding was right:

- to have ISA with one Ethernet card only working in ARRAY, it is also required to configure Network Load Balancing.

Or ... will TWO Ethernet cards be a MUST?

Thank you.

PS: on ISA 2000 it was simple to create the array: just add a second server with the same settings and it works, but in 2004 it seems they changed something more.

Yours sincerely,
Bogdan Florin
CEO
InterNetCon - Satellite Internet Services
www.internetcon.ro
www.powersat.ro
Phone: +40-264-452383
Cell: +40-740-074031
Cell: +40-788-074031
Fax: +40-264-452207

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Saturday, February 10, 2007 10:21 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

Search the help for "intra-array account".
Make sure that it's set the same for all servers in the array.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
Sent: Monday, February 05, 2007 11:30 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ISA Intra Array Authentification

Dear Colleagues,

I come to you with a simple question and I thought that you could help me faster than any other documentation.

We have an ISA Server 2004 connected to our main domain, with only one interface and used purely for caching. The settings are all ok, everything works all right.

In this environment we added another server with the intention of having 2 servers in an array. We would like to do failover at DNS level with the same record and two IPs.

After this array was created successfully, there is one error on each ISA machine:

Description: ISA Server cannot connect to xxx.xxx.xxx.xxx proxy server because the server requires authentication, either when chaining or for intra-array communication. However authentication failed because the specified credentials were incorrect. Check authentication credentials and try again.

While XXX.XXX.XXX.XXX is the address of the OTHER server.

In this spirit I reached the conclusion that there is a problem in INTRA ARRAY communication.

The second server has CARP Load factor set to 1 and the old server has CARP Load factor set to 100.

In this environment .... when an end user connects to the second server, they get the following error:

- Error Code: 502 Proxy Error. Logon failure: unknown user name or bad password. (1326)
- IP Address: server isa old
- Date: 2/6/2007 7:18:37 AM
- Server: server isa new
- Source: proxy

I can only conclude that intra-array authentication is the problem.

If you can provide me with fast advice, I would appreciate it very much.

Yours sincerely,
Bogdan Florin
CEO
InterNetCon - Satellite Internet Services
www.internetcon.ro <http://www.internetcon.ro>
www.powersat.ro <http://www.powersat.ro>
Phone: +40-264-452383
Cell: +40-740-074031
Cell: +40-788-074031
Fax: +40-264-452207

All mail to and from this domain is GFI-scanned.