Unicast vs Multicast Mode for ISA

  • From: "Akshay" <akshay.bhatnagar@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Sat, 29 Oct 2005 19:21:44 -0600

At an Exchange deployment, we have 2 ISA servers Enterprise Ed. (Windows
2003 SP1) set up in the DMZ. Windows NLB has been configured to route
traffic between the two hosts.

The IP address of the NLB Cluster Server (Virtual Node: 192.168.0.3) has
been NATted to the public IP (202.101.101.101). The certificate has been
installed and the web site has been registered for OWA publishing.

Communication from internal clients will be configured to go out to the
Internet and hit ISA instead of accessing the Front-end servers directly.

We tried the following scenarios:

(1) Client in the same subnet (192.168.0.*) as the ISA server: these
clients were able to connect to the website https://owa.corp.com/exchange.
This seems to imply that ISA is correctly routing HTTPS packets between
Front-end servers and the clients.
(2) External/Internal clients: Page takes a long time to load and gives
error "Could not find host or DNS error". We have verified that the web
site has already been registered at the ISP.


NLB refuses to work in Unicast mode (clients get a "Could not find host or
DNS error"). After setting to Multicast mode clients are able to connect.

A couple of questions regarding this: 

(1) Is Multicast mode (with single affinity) a supported configuration for
NLB? I remember reading in communities that with Multicast mode, static
ARP entries have to be added at some (Cisco) routers. Unicast mode, on the
other hand, is supposed to work seamlessly with all routers. If this is
the case, I cannot explain why the configuration is working in Multicast.
(2) In Multicast mode, ISA servers are in a perpetual converging mode. Is
this expected behavior? We have 2 OWA servers in the corporate LAN also
configured with NLB (Unicast with single affinity) but which are not
facing any of these issues. The only difference between the two is that
ISA is setup in the DMZ. Hosts in DMZ cannot ping each other even without
NLB enabled.
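An added example, not part of the original post or of any Microsoft or Cisco documentation, to illustrate the static-ARP point raised in question (1). Windows NLB derives the cluster MAC address from the cluster (virtual) IP: 02-BF-<IP> in unicast mode, 03-BF-<IP> in multicast mode and 01-00-5E-7F-<last two octets> in IGMP multicast mode. In the multicast modes the cluster answers ARP for a unicast IP with a multicast MAC, which Cisco IOS discards, so the upstream router needs a static ARP entry and the switch a static MAC table entry pointing at the cluster ports. The snippet derives those MACs for the cluster IP given above and prints the corresponding IOS lines; the VLAN number and port names are assumptions.

```python
import ipaddress


def nlb_cluster_mac(cluster_ip: str, mode: str) -> str:
    """Return the Windows NLB cluster MAC address for the given operating mode.

    NLB derives the cluster MAC from the cluster (virtual) IP:
      unicast        02-BF-<four IP octets in hex>
      multicast      03-BF-<four IP octets in hex>
      igmpmulticast  01-00-5E-7F-<last two IP octets in hex>
    """
    octets = ipaddress.IPv4Address(cluster_ip).packed
    if mode == "unicast":
        raw = bytes([0x02, 0xBF]) + octets
    elif mode == "multicast":
        raw = bytes([0x03, 0xBF]) + octets
    elif mode == "igmpmulticast":
        raw = bytes([0x01, 0x00, 0x5E, 0x7F]) + octets[2:]
    else:
        raise ValueError(f"unknown NLB mode: {mode}")
    return "-".join(f"{b:02X}" for b in raw)


def is_multicast_mac(mac: str) -> bool:
    """True if the I/G bit of the first octet is set (group address).

    A router that follows the usual ARP sanity rules (Cisco IOS among them)
    will not learn an ARP mapping from a unicast IP to such a MAC, which is
    why multicast-mode NLB needs a static ARP entry on the router.
    """
    return int(mac.split("-")[0], 16) & 0x01 == 1


def to_cisco_mac(mac: str) -> str:
    """Convert AA-BB-CC-DD-EE-FF to Cisco's aabb.ccdd.eeff notation."""
    hexdigits = mac.replace("-", "").lower()
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def cisco_static_entries(cluster_ip: str, mode: str, vlan: int, ports: list) -> list:
    """IOS lines needed on the upstream router/switch for a multicast NLB cluster.

    Returns an empty list for unicast mode, where the ARP reply carries an
    ordinary unicast MAC and no static entries are required.
    """
    mac = nlb_cluster_mac(cluster_ip, mode)
    if not is_multicast_mac(mac):
        return []
    cmac = to_cisco_mac(mac)
    return [
        # Router: static ARP so the cluster IP resolves to the multicast MAC.
        f"arp {cluster_ip} {cmac} ARPA",
        # Switch: pin the multicast MAC to the cluster members' ports so the
        # switch does not flood the cluster traffic to every port in the VLAN.
        f"mac address-table static {cmac} vlan {vlan} interface " + " ".join(ports),
    ]


if __name__ == "__main__":
    # Cluster IP from the post; VLAN 10 and Gi0/1, Gi0/2 are assumed values.
    for mode in ("unicast", "multicast", "igmpmulticast"):
        print(f"{mode:14} {nlb_cluster_mac('192.168.0.3', mode)}")
    for line in cisco_static_entries("192.168.0.3", "multicast", 10, ["Gi0/1", "Gi0/2"]):
        print(line)
```

Whether the static entries are actually needed in a given DMZ depends on what sits between the cluster and the NAT device: if the NAT firewall learns ARP without the multicast-MAC check, multicast mode will appear to work without them, as it did here.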
