How to enable Intra-Array communication in ISA 2006 Enterprise Edition
I will demonstrate in this article how to enable "Intra-Array communication" in Internet Security and Acceleration Server (ISA) 2006 Enterprise Edition. This is extremely straight forward as long it has been planned correctly.
So let's see how this is possible!
When an array includes multiple members, they communicate with each other for a number of reasons, including:
a) VPN
b) CARP
c) Configuration Storage Server(s) ( if locally installed on the ISA servers)
Tips:
1. I recommend that intra-array communication be done over a dedicated hub, switch or a VLAN. This configuration is intended to physically or logically isolate intra-array traffic from the other networks.
Note: For this lab I have used a cross over cable for this example but you must choose what best fits your requirements, as using a cross over cable might solve some short term solutions but not long term if more array members are added than a cross over cable will not be ideal.
2. Enable the network to listen for Web Proxy client requests. Do not enable the network to listen for Firewall client requests.
I will now enable the NIC’s I had disabled initially before installing ISA server which will be dedicated to intra-array communications. The ip address details have already been covered earlier. To prevent issues related to unicast mode NLB, you need a network adapter dedicated to intra-array communications.
This intra-array communications network is required because we will enable Network Load Balancing (NLB) on both the internal and external adapters of each firewall in the enterprise array once intra-array routing has been configured and working. The reason we should use a dedicated network adapter is because ISA Server 2006 Enterprise Edition integrated NLB uses only unicast mode NLB.
Array members need to communicate with one another using network adapters connected to the dedicated intra-array network. By default, intra-array communications take place on the primary IP address bound on each member of the array. The ISA Server array members consider all addresses that are not part of a defined ISA Server network to be part of the External network. To prevent routing errors, you must create an ISA Server network definition for the intra-array network.
Let’s see how this can be achieved.
Before we go ahead lets enable the NIC & assign the relevant ip address discussed in Part 1
Step 1: In the ISA Server 2006 Enterprise Edition console, click the Networks node located under the Configuration node. Click the Networks tab in the details pane. Click the Tasks tab in the task pane and click the Create a New Network link.
You can also right click Networks as indicated above and start the same wizard.
Step 2: On the Welcome to the New Network Wizard page, enter a name for the new network in the Network name text box. In this example, name the new network “Intra-arrayâ€. Click Next.
Step 3: On the Network Type page, select the “Internal Network†option and click Next.
Step 4: On the Network Addresses page…….You can use the Add Range, Add Adapter, or Add Private buttons to add the address range defining the network. I will use “Add Adapter†option Click OK.
Note: I have selected both the nodes to simply highlight the cards for each server as they are being displayed in the list BUT you don't need to select both cards just select either one.
Step 5: Click Next on the Network Addresses page.
Step 6: Click Finish on the Completing the New Network Wizard page.
Step 7: The new "Intra-Array" network will be listed under the networks tab.
Step 8: Ensure "Firewall Client" is not enabled on this network.
Step 9: Ensure this network is listening for "Web Proxy clients" setting is enabled.
Step 10: Apply the configuration.
Step 11: Status screen displaying it is saving the configuration back to the "Configuration Storage Server"
Configure the Intra-Array Communications IP Address
Step 1: In the ISA Server 2006 Enterprise Edition console, in the scope pane, expand the array name, and then expand the Configuration node. Click the Servers node.
Step 2: In the details pane of the console, right-click the name for the first server "ISA01" in the array and click Properties.
Step 3: In the Array Properties dialog box, click the Communication tab. On the Communication tab, select the IP address of the intra-array network adapter in the "Use this IP address for communication between array members" text box. For this demonstration we will be selecting the 10.10.10.1.
Step 4: Click Apply, and then click OK in the Properties dialog box.
Step 5 : Repeat steps 3 & 4 for the other members in the "Array" for this demonstration we will carry the same task out on "ISA02".
Step 6: Click Apply to save the changes and update the firewall policy.
Step 7: Click OK in the Apply New Configuration dialog box.
Step 8: Restart the first array member firewall computer.
Once the server(s) have rebooted you can go and check the status alerts @ the "ISA Management Dashboard" > Monitoring > Alerts tab.
LinkBack URL
About LinkBacks
