[isapros] Re: Array Member Failover

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 27 May 2006 08:59:32 -0500

Cool. Glad we solved that one :)

Remember to remember this weekend.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Saturday, May 27, 2006 8:56 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Array Member Failover
> 
> Client-side CARP should absolutely use the DIP, since using the VIP can
> easily increase your intra-array traffic as the ISA caching mechanism
> attempts to correct for mis-directed requests.
> 
> Imagine:
> 1. Client gets a request for "www.isatools.org".
> 2. WPAD directs the request to isa3.
> 3. DNS directs the proxy connection for isa3 to the VIP
> 4. NLB directs the connection to isa2
> 5. ISA2 CARPS the request to isa3
> 
> Correct; the server that delivers the wpad script is relatively
> immaterial, as long as all array members are in sync.  Short of having
> intra-array communications problems, this shouldn't be much of an issue.
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Saturday, May 27, 2006 6:45 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Array Member Failover
> 
> Hey Jim,
> 
> OK, the WPAD script provides the server names, that is to say, the
> actual server names to which the clients should connect after resolving
> the FQDN (not the entire URL like it used to) to the appropriate array
> member.
> 
> SO, just for the sake of argument, you should enter the server names
> DIPs in the DNS so that client side CARP continues to work correctly.
> 
> Just to be clear for the crowd, the clients need to be able to resolve
> two names:
> 
> 1. The name of the Server to which the client options the autoconfig
> script. 
> 2. The name of the Server that is responsible for the FQDN in the GET
> request
> 
> The server from which you get the autoconfig script should be immaterial
> since it's the same on all the array members at any point of time
> (ideally). However, you need to use DIPs for the servers listed as array
> members in the script, since we want to do client side CARP and not
> server side (for performance reasons).
> 
> How do I knock down this straw man?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, May 26, 2006 4:34 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Array Member Failover
> > 
> > Such is always the case when the customer wants / needs to "go cheap".
> > 
> > RR DNS is your best bet, so long as you bear in mind that the primary
> > "server" provided by the wpad and wspad scripts are based on the array
> > name. 
> > 
> > The client-side CARP algorithm understands the server names, so you
> > *must not* "DNS" the server names to any NLB DIPs.  Doing so is
> > guaranteed to increase your intra-array traffic.
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jason Jones
> > Sent: Friday, May 26, 2006 2:11 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Array Member Failover
> > 
> > Thanks Jim...I see your points and appreciate the feedback.
> > 
> > Normally I *would* have used NLB if the priority was failover, but
> > couldn't due to other limitations. Kinda hoped the failover
> > characteristic of the auto config script would help out in this case.
> > Guess I was too hopeful :-(
> > 
> > So based upon this, is the unofficial best practice for ISA clients
> > that I see mentioned in public forums still valid?
> > 
> > Web Proxy => Autoconfig script (client-side CARP)
> > Firewall Client => RR DNS
> > SecureNAT => NLB
> > 
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: 26 May 2006 22:02
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Array Member Failover
> > 
> > I disagree with that help entry for two reasons:
> > 1. WPAD is completely dependent on the client to understand and use the
> > script correctly
> > 2. WPAD is client-side CARP; IOW, requests for different destinations
> > *may* be directed to a different server in the array, depending on *if*
> > the client uses the algorithm provided (WinHTTP requests *DON'T*) and if
> > so, *how*.
> > 
> > This is entirely the *wrong* place to create a load-balancing or
> > fail-over/back system.
> > 
> > We've added some changes to the WPAD so that the client-side CARP
> > "shares" better than it used to, but I strongly recommend that you *not*
> > depend on it for failover.
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jason Jones
> > Sent: Friday, May 26, 2006 1:19 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Array Member Failover
> > 
> > Thanks for the reply Jim -  I don't want to disagree, as I respect your
> > input and knowledge, but I thought the autoconfig script was designed to
> > include an element of failover in addition to load balancing? Are we
> > saying that this failover is just too basic to actually rely upon?
> > 
> > When I say autoconfig, I mean client-side CARP and based upon ISA help:
> > 
> > ISA Server supports the Cache Array Routing Protocol (CARP). CARP
> > enhances Web performance by providing both load balancing and
> > transparent failover for Web proxy browser connections.
> > 
> > As I said, I would love to use NLB, but client limitations with NIC
> > teaming won't let me! Am I really expecting too much from the auto
> > config script in the event of server failure?
> > 
> > Cheers
> > 
> > JJ
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: 26 May 2006 20:49
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Array Member Failover
> > 
> > WPAD is not designed to provide failover/back.
> > As you've noticed, this is not going to work.
> > WPAD is nothing more or less than a "load-spreading" mechanism that
> > allows the client to use a different ISA for different destinations.
> > 
> > If you want failover/back, use NLB or another traffic-management system.
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jason Jones
> > Sent: Friday, May 26, 2006 12:42 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Array Member Failover
> > 
> > Cheers Tom - unfortunately closing the browser doesn't seem to fix the
> > problem...IE still tries to connect to the primary autoconfig defined
> > server first then eventually use the other array members (after about
> > 20-30 seconds). This behaviour seems to happen repeatedly on all clients
> > for every new URL entered 
> >  
> > The only way to fix it is to bring the failed server back online :-(
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: 26 May 2006 12:18
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Array Member Failover
> > 
> > 
> > Hi Jason,
> >  
> > Not too low brow for me :)  This is a common question with a common
> > non-answer in the public realm. 
> >  
> > What you need to do is close all browser windows and open a new one.
> > Then the client connects to a live server. I've never worked out in
> > detail why this happens, but it's related to the autoconfig script
> > processing [hand waving explanation]
> >  
> > Maybe somebody else can chime in with a more detailed explanation.
> > Bottom line is that you're not going to get completely transparent
> > failover for Web proxy clients.
> >  
> > Tom
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> > 
> > ________________________________
> > 
> >     From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >     Sent: Thursday, May 25, 2006 4:44 PM
> >     To: isapros@xxxxxxxxxxxxx
> >     Subject: [isapros] Array Member Failover
> >     
> >     
> > 
> >     Hope this question is not too low brow, if so, kick me and I
> > will move it to isaserver.org for the masses to mull over ;-)
> > 
> >     Anyhow, has anything changed with array member failover behavior
> > in EE with ISA2k4 SP2? I am sure I have never had problems with array
> > member failovers in the past...
> > 
> >     I have recently deployed an SP2 array with several members and
> > while testing I have noticed that if the server listed as the first
> > entry defined within the wpad.dat file is unavailable then the browser
> > delays for quite some time before attempting to connect to other array
> > members (e.g. working through the server list in the wpad.dat file). It
> > does seem to get there, but we're talking 20 seconds or so per website.
> > Once the website is loaded, performance is fine. When using a new URL,
> > the delay appears again.
> > 
> >     Apart from failover, balancing and distr caching seems to be
> > working well. I know I could be using NLB, but I believe the following
> > to be good practice:
> > 
> >     Web Proxy => Autoconfig script (client side CARP) 
> >     FW Client => RR DNS 
> > 
> >     I am using a generic name of customerarray.domain.com with RR
> > DNS entries to balance autoconfig requests between array members. This
> > is the name used in the autoconfig URL.
> > 
> >     I know NLB may come to mind as a workaround, but it is hard to
> > implement as the customer is using NIC teaming at the hardware driver
> > level to aggregate NICS and provide NIC fault tolerance. NLB and NIC
> > teaming never play well from what I have experienced :-(
> > 
> >     Can someone please define normal behavior for a client that is
> > using an autoconfig script when array members are unavailable? I kinda
> > get the feeling the problem is with the browser and not the array, but
> > not totally sure what IE does with the script in terms of processing...
> > 
> >     I've tried looking at wpad.dat caching and caching of bad
> > proxies, but neither seems to make much difference... 
> > 
> >     Any ideas? 
> > 
> >     JJ 
> > 
> > 
> > All mail to and from this domain is GFI-scanned.
> 
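
The misdirection Jim Harrison walks through in his numbered steps (the script picks an owner for the FQDN, the member name resolves to the VIP, NLB lands the connection on another member, and that member forwards it) can be counted in a small simulation. This is an added example, not part of the thread and not ISA Server code: the hash is a generic stand-in for the CARP hash, NLB is modelled as client address modulo member count, and isa1, the client addresses and the extra hostnames are assumed.

```javascript
// Added illustration, not ISA Server code. The hash below is a generic
// stand-in for the CARP hash; only its determinism matters here.
const MEMBERS = ["isa1", "isa2", "isa3"]; // isa1 is an assumed third member

// FNV-1a 32-bit string hash.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Client-side selection: the member with the highest combined score owns the
// FQDN, so every client (and every array member) computes the same owner.
function carpOwner(host, members = MEMBERS) {
  let best = members[0], bestScore = -1;
  for (const m of members) {
    const score = fnv1a(m + "|" + host);
    if (score > bestScore) { best = m; bestScore = score; }
  }
  return best;
}

// Assumed NLB model: the member is chosen from the client address (last
// octet modulo member count), with no knowledge of the requested FQDN.
function nlbPick(clientIp) {
  return MEMBERS[Number(clientIp.split(".").pop()) % MEMBERS.length];
}

// dnsMode "DIP": the member name resolves to that member's dedicated IP.
// dnsMode "VIP": the member name resolves to the NLB virtual IP.
function route(host, clientIp, dnsMode) {
  const owner = carpOwner(host);
  const landed = dnsMode === "DIP" ? owner : nlbPick(clientIp);
  return { owner, landed, forwarded: landed !== owner };
}

// Number of requests an array member has to forward to the real owner.
function countForwards(hosts, clients, dnsMode) {
  let n = 0;
  for (const h of hosts) for (const c of clients)
    if (route(h, c, dnsMode).forwarded) n++;
  return n;
}

// Constructed sample input.
const HOSTS = ["www.isatools.org", "www.isaserver.org", "example.com", "example.net"];
const CLIENTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"];
```

With member names resolved to DIPs, `countForwards(HOSTS, CLIENTS, "DIP")` is 0; with the VIP, two of every three requests in this model have to be passed between array members.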
