
Enabling NLB with Multicast IGMP

When NLB support was first introduced in the Enterprise Edition of the ISA firewall, cries of joy emanated from the entire ISA firewall admin community. While we were able to use a belt and suspenders approach to get NLB to work, there were problems with the ISA firewall services not being aware of the NLB services, which led to some important disconnects and what turned out to be an overall failure of the solution in a production environment.

That all changed when NLB support was baked into the Enterprise Edition of the ISA firewall. The problem was that only unicast mode was initially supported with integrated NLB. While unicast mode could get the job done, some people needed support for multicast mode (such as those who were using VMware solutions to test or deploy the firewall).

Multicast support was quietly released as a hotfix (http://support.microsoft.com/kb/938550). However, the process for configuring multicast NLB support for integrated ISA NLB is complicated and sometimes frustrating.

You can check out this great article by Jason Jones on how to make it work at:

http://blog.msfirewall.org.uk/2008/08/enabling-nlb...a.html

One problem with multicast mode is that it can introduce issues with switch flooding. One way around this problem is to take advantage of IGMP multicast functionality built into some switches. These switches can be configured so that only certain ports will register with multicast NLB. However, you need to configure the ISA firewall to support IGMP multicast communications.

To accomplish this, you need to configure the ISA firewall with a new Protocol Definition and Access Rule. Philipp Sand provides you with this information at:

https://blogs.technet.com/isablog/archive/2009/06/...s.aspx

One piece of good news is that the TMG firewall has integrated the choice of unicast or multicast in the configuration interface. Choosing unicast or multicast is as easy as selecting the mode from the drop-down list. Thanks to the TMG firewall team for listening and acting on our requests to make NLB simpler to enable and configure!

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

One Response to “Enabling NLB with Multicast IGMP”

  1. Jason Jones Says:

    July 6th, 2009 at 4:40 pm

    Hey Tom,

    Technically you don't *need* to configure an additional firewall rule for a working solution, it just makes the logs look a little less cluttered ;)

    Cheers

    JJ
