Multiple ISA server failover question
  • Multiple ISA server failover question

    We have three Internet access sites, each running ISA2004. What we are looking to do is figure out some ideas. We want to see if there is a way to get IE7 to failover to another proxy server if the office's assigned proxy server fails or traffic cannot get out through that ISA server. I know it is hard if the ISA server is still active, but if traffic cannot go out can something like this be accomplished?

  • #2
    Re: Multiple ISA server failover question

    Hmmm, I think you should be able to do that using Windows Proxy Auto Discovery over DNS. If your clients have DNS records for each of the ISA servers they should use the first one that is resolvable as a proxy. I've never set WPAD up in a production environment though, perhaps Dumber or elmajdal have though?
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog


    • #3
      Re: Multiple ISA server failover question

      Do you not use WPAD for a reason? The 3 ISA servers are seen in the DNS, so they can be resolved at the client level. Not sure if the ISA Client is a good option or not. I have not seen this redirect any internet traffic if one site loses internet connection. The issue is more along the line of if the internet access there is lost (service outage or ISA has an issue.)


      • #4
        Re: Multiple ISA server failover question

        We've thought about it for laptop users going to different offices, never had a need for any of our customers though. We generally assign the proxy via GPO for simplicity and security - using WPAD via DHCP requires that the users be local administrators on their machines.
        Cruachan's Blog


        • #5
          Re: Multiple ISA server failover question

          I contacted the mod to move this thread to General Security where it belongs

          Anyhow, back on topic:

          Originally posted by cruachan:
          We've thought about it for laptop users going to different offices, never had a need for any of our customers though. We generally assign the proxy via GPO for simplicity and security - using WPAD via DHCP requires that the users be local administrators on their machines.
          Actually IMHO you are better off using DHCP instead of DNS.
          For DHCP the users don't need to be a member of the local admin group. Pre-Windows XP SP2 can already manage with the Power Users group, and for XP SP2 the user only needs to be a member of the Network Configuration Operators group.
          The reason for this is that the user needs to be able to send out DHCPINFORM packets.
          The disadvantage of DNS entries is that you are going to use a round-robin solution. You have no control over which location uses which ISA server.
          With DHCP you have.

          However, when you are going to create a custom WPAD/PAC file you have a lot more power, and then DNS can work fine as well.
          Check this out for example:
          http://techblog.mirabito.net.au/?p=21
          http://nscsysop.hypermart.net/proxypac.html
          http://homepages.tesco.net/J.deBoyne...iguration.html

          More about the auto detection concepts:
          http://technet.microsoft.com/en-us/l.../bb794779.aspx
          Also you might read this: http://technet.microsoft.com/en-us/l.../cc713344.aspx
          http://technet.microsoft.com/en-us/l...DHCPWPADIssues
          Non-Administrator Users Cannot Connect
          Problem:

          A WPAD entry is configured in DHCP, but only users logged on as local administrators can successfully detect settings.
          Cause:

          This is a known issue. In Microsoft Windows® 2000 Server, automatic discovery functionality using a WPAD entry in DHCP is only supported for users who are members of the Administrators or Power Users group. In Windows XP with Service Pack 2 (SP2), the Network Configuration Operators group also has permission to issue DHCP queries.
          Solution:

          For hotfix details for computers running Windows 2000 Server, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions."

          For Windows XP, the issue was fixed in Service Pack 2. For more information, see the Microsoft Knowledge Base article 811113, "List of fixes included in Windows XP Service Pack 2."
          As for High Availability there are 2 options:
          1 CARP
          2 NLB
          http://blogs.isaserver.org/shinder/2...y-not-so-much/

          However, CARP is not meant for this, so actually your only option is to use NLB.
          Still though you can read more about it in the fourth URL I posted.
          Actually I think this is the best article you have to read first.

          You can create stretched VLANs across the multiple offices and set up a NLB cluster.
          However, when using a stretched VLAN you have to make sure that everything belongs to the same subnet (e.g. internal, intra-array) and you have to upgrade to ISA EE.
          However, due to delays between the nodes it's recommended to use a NLB multicast array. More info about NLB:
          http://www.isaserver.org/articles/basicnlbpart2.html
          However, setting up multicast NLB requires some work on the switches and routing devices.

          Btw, I almost forgot to ask, but how are the offices linked to each other?
          Last edited by Dumber; 18th April 2009, 16:23.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"


          • #6
            Re: Multiple ISA server failover question

            That's why I wanted your input Dumber.

            Most of my (limited) knowledge about WPAD comes from studying for 70-351, and the ISA Server 2006 Unleashed book also states users must be local admins for DHCP/WPAD. It's dependent on setup anyway, I always try to avoid users having more rights than necessary but some orgs prefer to have the users as local admins for whatever reason.
            Cruachan's Blog


            • #7
              Re: Multiple ISA server failover question

              Well, Tarek (elmajdal) is far more knowledgeable about ISA than I am.
              I also love least-privilege permissions, but sometimes you have to choose:
              security or making it hard for a user.

              But like I said, a custom WPAD/PAC file can help you out as well.
              Place it on a web server, add a DNS entry for that file and you're done.
              Marcel

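The custom WPAD/PAC file that posts #5 and #7 point at, as an added example (this is not code from the thread or from any of the posters). It keeps the control Marcel wants from DHCP, each office's clients get their own ISA server first, while letting the browser fall through to the other two offices' servers when the local one cannot be reached. The office subnets, the `isa-site*.corp.example:8080` names and the `.corp.example` internal suffix are assumed placeholders. It is written in ES3-style JavaScript so IE7's JScript engine can execute it, and the decision logic is kept in `resolveProxy()` separate from `FindProxyForURL()` so it can be tested outside the browser (the browser's PAC engine supplies `myIpAddress()`).

```javascript
// Added example (not from the thread): wpad.dat / proxy.pac with a per-office
// primary ISA server and cross-site failover. Subnets, server names and the
// internal DNS suffix below are assumed placeholders; replace them with your own.
var SITES = [
  { subnet: "10.1.0.0", mask: "255.255.0.0", proxy: "isa-site1.corp.example:8080" },
  { subnet: "10.2.0.0", mask: "255.255.0.0", proxy: "isa-site2.corp.example:8080" },
  { subnet: "10.3.0.0", mask: "255.255.0.0", proxy: "isa-site3.corp.example:8080" }
];
// Internal DNS suffix whose hosts must never go through the proxy (assumed).
var INTERNAL_SUFFIX = ".corp.example";

// Dotted-quad string to a 32-bit number (plain loop so IE7's JScript can run it).
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) {
    n = n * 256 + parseInt(parts[i], 10);
  }
  return n;
}

// Same check as the PAC built-in isInNet(), but without depending on the
// browser sandbox, so the selection logic can be unit-tested outside a browser.
function inSubnet(ip, subnet, mask) {
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(subnet) & m);
}

// Hosts that stay off the proxy: plain (unqualified) names and our own suffix.
function isInternalHost(host) {
  var h = host.toLowerCase();
  if (h.indexOf(".") === -1) { return true; }
  var tail = h.substring(h.length - INTERNAL_SUFFIX.length);
  return tail === INTERNAL_SUFFIX;
}

// Build "PROXY <own office>; PROXY <other office>; PROXY <other office>".
// The client's own office server comes first; the browser moves down the list
// when a proxy does not accept the connection. There is deliberately no
// trailing DIRECT: if every ISA server is down, browsing fails closed instead of
// silently bypassing the ISA policy.
function proxyChainFor(clientIp) {
  var local = [];
  var remote = [];
  for (var i = 0; i < SITES.length; i++) {
    if (inSubnet(clientIp, SITES[i].subnet, SITES[i].mask)) {
      local.push(SITES[i]);
    } else {
      remote.push(SITES[i]);
    }
  }
  var order = local.concat(remote);
  var chain = "";
  for (var j = 0; j < order.length; j++) {
    chain += (j > 0 ? "; " : "") + "PROXY " + order[j].proxy;
  }
  return chain;
}

// Pure decision function: client address plus target host -> PAC result string.
function resolveProxy(clientIp, host) {
  if (isInternalHost(host)) { return "DIRECT"; }
  return proxyChainFor(clientIp);
}

// Entry point the browser calls; myIpAddress() is provided by the PAC engine.
function FindProxyForURL(url, host) {
  return resolveProxy(myIpAddress(), host);
}
```

Two caveats for the failover case the thread is actually about: the browser only steps to the next `PROXY` entry when it cannot connect to the current one (and IE remembers a failed proxy for a while before retrying it), so an ISA server that is up but has lost its own internet link will still accept the connection and this file will not route around it, which matches what post #1 already expected. And because the browser executes whatever script it fetches as `wpad.dat`, the web server that hosts it and the `wpad` DNS/DHCP entry that points at it are security-sensitive: anyone who can change either one can redirect every client's web traffic.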