Maybe?? I get the same result in my VM too :-\ -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: 27 May 2006 14:48 To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Array Member Failover Hi Jason, That's pretty interesting, as the last time I looked (which wasn't recently) there were server names listed as array members. Maybe this is one of the changes in the WPAD algorithm introduced in SP2? Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones > Sent: Friday, May 26, 2006 4:49 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Array Member Failover > > Ah ha...maybe we are getting somewhere and raises another question I > have been asking elsewhere. Looking at the results returned in the > wpad.dat file, the array members are all listed by IP addresses not > FQDN's and are shown individually for each server. The array name is > defined within the array config and this works just fine for the > firewall clients in terms of autodetection, so it is not the case this > this is missing. > > From what you say, the wpad.dat file should contain a single entry > using the array DNS name? This is currently not the case and maybe the > problem... > > Any idea why I would see a different behavior? Prior to installing the > current solution I VM'd the setup and have subsequently checked that > this also lists the server IP's in the wpad.dat file. Kinda thinking > that two installs can't both be horked :-) > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: 26 May 2006 22:34 > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Array Member Failover > > Such is always the case when the customer wants / needs to "go cheap". > > RR DNS is your best bet, so long as you bear in mind that the primary > "server" provided by the wpad and wspad scripts are based on the array > name. > > The client-side CARP algorithm understands the server names, so you > *must not* "DNS" the server names to any NLB DIPs. Doing so is > guaranteed to increase your intra-array traffic. > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] > On Behalf Of Jason Jones > Sent: Friday, May 26, 2006 2:11 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Array Member Failover > > Thanks Jim...I see your points and appreciate the feedback. > > Normally I *would* have used NLB if the priority was failover, but > couldn't due to other limitations. Kinda hoped the failover > charachetristic of the auto config script would help out in this case. > Guess I was too hopeful :-( > > So based upon this, is the unofficial best paractice for ISA clients > that I see mentioned in public forums still valid? > > Web Proxy => Autoconfig script (client-side CARP) Firewall Client => > RR DNS SecureNAT => NLB > > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: 26 May 2006 22:02 > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Array Member Failover > > I disagree with that help entry for two reasons: > 1. WPAD is completely dependent on the client to understand and use > the script correctly 2. WPAD is client-side CARP; IOW, requests for > different destinations > *may* be directed to a different server in the array, depending on > *if* the client uses the algorithm provided (WinHTTP requests > *DON'T*) and if > so, *how*. > > This is entirely the *wrong* place to create a load -balancing or > fail-over/back system. > > We've added some changes to the WPAD so that the client-side CARP > "shares" better than it used to, but I strongly recommend that you > *not* depend on it for failover. > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] > On Behalf Of Jason Jones > Sent: Friday, May 26, 2006 1:19 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Array Member Failover > > Thanks for the reply Jim - I don't want to disagree, as I repsect > your input and knowledge, but I thought the autoconfig script was > designed to include an element of failvoer in addition to load > balacing? Are we saying that this failvoer is just too basic to > actually rely upon? > > When I say autoconfig, I mean client-side CARP and based upon ISA > help: > > ISA Server supports the Cache Array Routing Protocol (CARP). CARP > enhances Web performance by providing both load balancing and > transparent failover for Web proxy browser connections. > > As I said, I would love to use NLB, but client limitations with NIC > teaming won't let me! Am I really expecting too much from the auto > config script in the event of server failure? > > Cheers > > JJ > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: 26 May 2006 20:49 > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Array Member Failover > > WPAD is not designed to provide failover/back. > As you've noticed, this is not going to work. > WPAD is nothing more or less than a "load-spreading" mechanism that > allows the client to use a different ISA for different destinations. > > If you want failover/back, use NLB or another traffic-management > system. > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] > On Behalf Of Jason Jones > Sent: Friday, May 26, 2006 12:42 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Array Member Failover > > Cheers Tom - unfortunately closing the browser doesn't seem to fix the > problem...IE still trys to connect to the primary autoconfig defined > server first then eventually use the other array members (after about > 20-30 seconds). This behaviour seems to happen repeatedly on all > clients fdor every new URL entered > > The only way to fix it is to bring the failed server back online :-( > > ________________________________ > > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] > On Behalf Of Thomas W Shinder > Sent: 26 May 2006 12:18 > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Array Member Failover > > > Hi Jason, > > Not too low brow for me :) This is a common question with a common > non-answer in the public realm. > > What you need to do is close all browser windows and open a new one. > Then the client connects to a live server. I've never worked out in > detail why this happens, but it's related to the autoconfig script > processing [hand waving explanation] > > Maybe somebody else can chime in with a more detailed explanation. > Bottom line is that you're not going to get completely transparent > failover for Web proxy clients. > > Tom > Thomas W Shinder, M.D. > Site: www.isaserver.org <http://www.isaserver.org/> > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA > Firewalls > > > > > ________________________________ > > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones > Sent: Thursday, May 25, 2006 4:44 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Array Member Failover > > > > Hope this question is not too low brow, if so, kick me and I will > move it to isaserver.org for the masses to mull over ;-) > > Anyhow, has anything changed with array member failover behavior in > EE with ISA2k4 SP2? I am sure I have never had problems with array > member failovers in the past... > > I have recently deployed an SP2 array with several members and while > testing I have noticed that if the server listed as the first entry > defined within the wpad.dat file is unavailable then the browser > delays for quite some time before attempting to connect to other array > members (e.g. working through the server list in the wpad.dat file). > It does seem to get there, but we're talking 20 seconds or so per > website. > Once the website is loaded, performance is fine. When using a new URL, > the delays appears again. > > Apart from failover, balancing and distr caching seems to be working > well. I know I could be using NLB, but I believe the following to be > good practice: > > Web Proxy => Autoconfig script (client side CARP) > FW Client => RR DNS > > I am using a generic name of customerarray.domain.com with RR DNS > entries to balance autoconfig requests between array members. This is > the name used in the autoconfig URL. > > I know NLB may come to mind as a workaround, but it is hard to > implement as the customer is using NIC teaming at the hardware driver > level to aggregate NICS and provide NIC fault tolerance. NLB and NIC > teaming never play well from what I have experienced :-( > > Can someone please define normal behavior for a client that is using > an autoconfig script when array members are unavailable? I kinda get > the feeling the problem is with the browser and not the array, but not > totally sure when IE does with the script in terms of processing... > > I've tried looking at wpad.dat caching and caching of bad proxies, > but neither seems to make much difference... > > Any ideas? > > JJ > > > All mail to and from this domain is GFI-scanned. > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > >