NLB web farm behind NATing firewall - advice?


  • NLB web farm behind NATing firewall - advice?

    I am designing an IIS 6.0 web farm utilising NLB. This farm will sit behind a Checkpoint firewall and have connections from public IPs NATed through to it. All the sites on this farm will be accessed via SSL and wildcard certs.

    I am trying to determine the BEST affinity model to use.

    MS recommend SINGLE mode for SSL sessions but I'm concerned that the NLB service will see all incoming traffic (NATed through the firewall) as having a single source IP and therefore will always use the default host and not balance the load.

    My other options are (I believe) Class C or no affinity.

    Can anyone recommend the best model and affinity to use in this setup?

    Perhaps I'm misunderstanding how the firewall works when NATing traffic?

  • #2
    Re: NLB web farm behind NATing firewall - advice?

    Single affinity should be used for applications (web sites) that require session state data to be maintained, so in your case it would seem that Single affinity is the right choice. As far as the NAT'ing is concerned, the firewall is NAT'ing the "to" address, not the "from" address. As the traffic passes the router and firewall the source IP address should remain the same while the MAC address is substituted from one hop to the next. The router and firewall substitute their MAC addresses as the source address as the traffic passes through them.

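Added illustration, not part of the thread and not Microsoft's code: a Python sketch of how the three NLB affinity modes spread clients when the firewall preserves the source address (as reply #2 describes) and when it rewrites it (the concern in the question). The farm size, the firewall address, the sample clients and the SHA-256 stand-in for NLB's own hash are all assumptions.

```python
import hashlib
import ipaddress
from collections import Counter

HOSTS = 4                 # assumed farm size
FIREWALL_IP = "10.0.0.1"  # constructed address used only for the source-NAT case

def affinity_key(src_ip, src_port, mode):
    """Return the part of a connection each NLB affinity mode balances on."""
    ip = ipaddress.IPv4Address(src_ip)
    if mode == "single":    # the whole client IP
        return str(ip)
    if mode == "class_c":   # upper 24 bits of the client IP
        return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)
    if mode == "none":      # client IP and source port
        return f"{ip}:{src_port}"
    raise ValueError(f"unknown affinity mode: {mode}")

def pick_host(src_ip, src_port, mode, hosts=HOSTS):
    """Map a connection to a host index (SHA-256 is a stand-in, not NLB's hash)."""
    digest = hashlib.sha256(affinity_key(src_ip, src_port, mode).encode()).digest()
    return int.from_bytes(digest[:4], "big") % hosts

def spread(connections, mode):
    """Count connections per host for a list of (src_ip, src_port) tuples."""
    return Counter(pick_host(ip, port, mode) for ip, port in connections)

def source_nat(connections, nat_ip=FIREWALL_IP):
    """What the farm would see if the firewall rewrote the source address."""
    return [(nat_ip, port) for _, port in connections]

# Constructed sample: 200 clients spread over the three documentation /24s.
NETS = ["192.0.2", "198.51.100", "203.0.113"]
CLIENTS = [(f"{NETS[i % 3]}.{1 + i // 3}", 40000 + i) for i in range(200)]

def hosts_used():
    """Number of farm hosts that receive traffic, per scenario and mode."""
    seen = {"source preserved": CLIENTS, "source rewritten": source_nat(CLIENTS)}
    return {(name, mode): len(spread(conns, mode))
            for name, conns in seen.items()
            for mode in ("single", "class_c", "none")}

if __name__ == "__main__":
    for (name, mode), used in hosts_used().items():
        print(f"{name:17} {mode:8} -> {used} of {HOSTS} hosts receive traffic")
```

With the source rewritten, only None affinity still spreads load, and it does so by letting successive connections from one client land on different hosts.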


    • #3
      Re: NLB web farm behind NATing firewall - advice?

      Thanks Joeqwerty - I just took a break, had a chat to some colleagues and came to the same conclusion concerning the NAT and source IPs.

      Sometimes you just have to walk away to clear the deadlock....



      • #4
        Re: NLB web farm behind NATing firewall - advice?

        Glad you got it sorted.
