UAG External Load Balancing and ISATAP
Hi Experts,
I am deploying a UAG Array to be used for Direct Access. The Array will consist of two servers and use an F5 External Load Balancer. In addition and in similarity
to 90% of the other corporate intranets out there, the internal network is IPv4 with no IPv6 transition technologies deployed. The article
http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/17/configuring-an-external-load-balanced-uag-directaccess-array-for-an-ipv4-only-network.aspx
isgreat but to my mind has no information to support ‘Manage Out’ and throws up a number of questions: (Note that I want to enable ‘Manage Out’ capability and as far as I am aware that is achieved by using ISATAP)
The article describes that you have to generate and configure your own IPv6 address for the internal interface when using an external load balancer. Does anyone know why? Why not let UAG assign
the addresses as per the default?
UAG by default configures itself as an ISATAP router when there is no IPv6 infrastructure deployed on the internal network
to facilitate ‘manage out’. This still applies when using Windows NLB. Why does this no longer apply when using an external load balancer? I.e. Why does UAG no longer configure itself as a ISATAP router?
In relation to question 2; you therefore need to move your ISATAP router to a different device (http://technet.microsoft.com/en-us/library/ee690463.aspx),
in doing so how do you configure the ISATAP environment to traverse the UAG servers without some sort of load balancing on the internal interfaces? I’m assuming that you can only tell the ISATAP router to use the one default gateway i.e. either one UAG server
or the other. This means that you would have all your outbound internally initiated traffic going via one server only – not very good for performance or fault tolerance.
In relation to question 3; I thought therefore that NLB could be used on the internal interface to solve the above problem, except that I have read that you can’t mix and match external load
balancing and NLB even though they are on separate networks due to bidirectional affinity. What does this actually mean and why does this not occur when load balancing is mixed in this manor?
Therefore when you wish to use external load balancers, do you:
A) Except the fact that you can’t use UAG as a ISATAP router and you do indeed need two devices
and deploy it as described here (http://technet.microsoft.com/en-us/library/ee690463.aspx)
or
B) Except the fact that that you can’t use UAG as a ISATAP router and any internal outbound
traffic travels via the one UAG server only.
Apologies for the long post, but I wanted to make sure that I get my thoughts down concisely so that it may help others who come up with the same questions
J
Thanks for your time everyone
Gary
I am also facing the same issue. I have UAG1 and UAG2, which are in an array, and externally load balanced. I've configured an external ISATAP router according to:
http://www.windowsnetworking.com/articles_tutorials/Configuring-ISATAP-Router-Windows-Server-2008-R2-Part2.html. However, as mentioned by others, the ISATAP router has to have either UAG1 or UAG2 as the next hop for IP-HTTPS traffic. As
a result, communication between the DirectAccess client and management devices will only work if the client is tunneling through the same UAG server that the ISATAP router has as the next hop for the IP-HTTPS prefix. From what I can tell, my configuration
is supported, but I can't figure out how to have the ISATAP router determine which UAG server a client is tunneling through. I thought about having two separate IP-HTTPS prefixes for each UAG server, but this would get overwritten when activating
the DirectAccess configuration. Maybe some type of internal load balancing?
Similar Messages
-
Understanding DirectAccess and external load balancer
Hi,
I'm trying to understand the concept of DIPs with a external load balancer. We're trying to create a Directaccess cluster with to DA-servers in edge. I'm at the wizard for creating load balancer and choose external. Then it asked me to enter the DIPs. But
why is that? Should it not be sufficient with the current IP-address, since they are configured in the external LB. Or do I need to add a secondary IP-address and enter that in the wizard and enter them has the VIPs inte the external LB. Same goes for the
internal one.Does that mean that i could choose any IP-address in the private range, despite that i have an edge configuration with one public ip-address and one internal address? Or do i need to allocate another public IP-adress?
Edit:
http://blogs.technet.com/b/mspfe/archive/2013/01/24/how-to-configure-directaccess-in-windows-server-2012-to-work-with-an-external-hardware-load-balancer.aspx
When following the guide, I use the current IP-address of the first nods external NIC. And get an warning I can't use that IP. Should I use the VIP that we have for the load balancer? -
Enable External Load Balancing error
Hello,
I'm trying to create a DirectAccess farm with 2 external Load balancers (Step 3.1.1 http://technet.microsoft.com/en-us/library/jj134166.aspx)
The first server is configured (Behind a Edge with 2 NICs) and working but when trying to enable External Load Balancing, I immediately receive this error when applying the settings:
Initializing operations before applying configuration
Backing up GPOs...
Updating cluster settings
Retrieving server GPO details...
Opening the server GPO...
Error: The configuration data for this product is corrupt. Contact your support personnel.
Finishing operations after applying configuration
Information: Attempting to roll back the configuration...
The DirectAccess dashboard shows that all services are fine, the DC is available and no errors are logged in the Event Viewer.
I can't find any explanation about a possible corrupted configuration.Ok... Found the problem... You can't mix Internet IP and LAN IP to create the VIP...
-
External Load Balancing OAM11g Servers
With OAM 11g, DB 11.2.0.1, RHEL5.6, and WLS 10.3.5... we have clustered the managed servers and all that displays, starts, stops as expected -- hosts are H1 and H2. We also have an external load balancer (haproxy). By "external", I mean that the host (PRHost) where the protected resource (PR) resides is outside the LB and all of the OAM infrastructure is inside the LB. We actually have 2 layers of LB because we are also trying to create a disaster recovery site, but for now we'll concentrate on the just the webgate and the LB.
We have installed WLS 10.3.5, OHS 11.1.1.2, and have deployed a PR on the PRHost. We then installed the 11g webgate on PRHost and instantiated the webgate within the OAM Server on H1 and moved the artifacts to the PRHost.
The question is fairly simple -- at least from my perspective -- the webgate gets its connection information from the ObAccessClient.xml artifact created when the webgate was added to the OAM Server. The only connection the webgate understands is the listing of the primary/secondary OAM Servers within that artifact.
QUESTION:+ When we access the protected resource, how will it know to go through the external LB if the only connection information it has is the OAM Server? We realize that there is LB information within the OAM Server setup, but this means that in order to determine where the LB is, we need to first access the OAM Server setup. We require the PR to first go through the LB to find an available OAM server, but there appears to be nothing on the PR webgate to inform it how to find the LB.Luis,
you need the command 'portmap disable' available in 5.01 and 5.03
gilles. -
Portal Drive not working with external load balancer
Hi,
We have a portal cluster and we are using external Load balancer from
Juniper for load balancing the portal cluster. When given the direct
portal URL (Central instance URL or Dialog instance URL), Portal Drive
is able to connect to portal and shows the KM documents properly. But
when given the Load balancer URL, it gives error saying "Can
not connect to host using WebDAV protocol". Load balancer URL works
fine from the browser without any problems. Any help is highly appreciated.
Helpful points will be rewarded.
Regards,
ChandraHi Steve,
For Portal Drive, Windows integrated authentication, client certificates,basic authentication and Kerberos is supported.
(in the default delivery of com.sap.km.cm.docs iview the authentication Scheme is set to basicauthentication - switching that to form based authenticationis not being supportedbywebdav clients).
ALso now Integrated Windows Authentication (NTLM) has been made available with latest patch.
Also read through SAP NOTE 1084683 for further clarifications.
Regards,
Shailesh -
Cisco Load balancer and Web Dispatcher to the same portal
Hello Experts,
We have implemented intranet portal with Cisco as the load balancer. Now we need to expose this intranet to the outside world as an extranet portal. So the same portal will be accessed from both intranet and from outside. We are thinking of installing a web dispatcher in the DMZ so that outside users can access the Web Dispatcher URL to access the intranet portal. In effect intranet users will use load balancer and extranet users will use Web Dispatcher to access the same portal. Now my question is if we configure Load Balancer and Web Dispatcher to the same portal, will the portal be able to load balance properly? Is this the right approach?
Thank You,
mansooralip1Dear Andrew,
We need to provide access to our intranet to some outside companies for them to also use some of our portal applications. As per your answer, I understand that I can configure Web Disptacher to talk to the Cisco Load Balancer of our portal. In this case Web Dispatcher will work just as a reverse proxy. But when I discussed this with one of our basis resource, he told me that when we install and configure Web Dispatcher, it always ask for the Message Server URL and Port number, even if I just want to use Web Dispatcher as a Reverse Proxy. If his concerns are valid, I do not think I will be able to configure Web Dispatcher to access the cisco Load Balancer because I cannot put Cisco load banacer URL and port instead of the Message Server URL and Post Number. Can you kindly share your comment on the same?
Now the second part of my question, if Web Dispatcher cannot be configured to talk to Load Balancer(as mentioned by our basis resource), I will have to use two load balancers. One web Dispatcher in DMZ as a Load Balancer *** Reverse Proxy for the external users. Second the internal Cisco Load Balancer for the intranet users. So the same portal will be accessed by two load balancers. My question here is, in this set up, can the portal work efficieintly here by distributing equal loads two both the server instances?
Thank You,
mansooralip1 -
VPN load balancing and ASA !!!
Hi netpros,
I have a couple of questions about this and hope you might be able to assist me.
1.- Are VPN load balancing and failover (Active/Active) mutually exclusive ..? I mean they can't be used at the same time correct ..?
2.- How does the ASA handle the return traffic from the Internal LAN towards the remote client .. Because the cluster only requires ONE public virtual IP address, which will work for incoming packets .. but what about the return traffic which has knowledge of the DHCP scope's default gateway IP address only .. ? How gets the returned packet redirected from the default gateway IP address to the respective ASA internal IP address .?
3.- VPN load balancing only applies to remote clients using easy VPN technology (easy vpn client, hardware client , pIX using easy vpn client etc ) and does not work with static LAN-LAN tunnel .. correct ..?
Your comments are much appreciatedHi Gilbert ..
1.- Thanks I wanted to make sure.
2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:
ASA1: Public 20.20.20.20
Private 192.168.1.1
ASA2: Public 20.20.20.21
Private 192.168.1.2
Cluster virutal IP: 20.20.20.10
Default gateway for segment 192.168.1.0 is 192.168.1.1
Let's say that a vpn client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handles this because the return packet are supposed to be directed to ASA2 192.168.1.2
3.- Any idea about this one ..?
Cheers, -
Load balancing and rfc metadata repository in reciever rfc communication ch
hi.
i want to know the purpose of load balancing and rfc meta data repository in RFC communication channel.
and can u send me any examples on this load balancing.
waiting for your response.
bye.
regards.
seeta ram.Hi Seeta Ram,
Load distribution is handled by the message server (there is one message server in an SAP System). When a user logs on, the message server assigns him or her to the application server that currently has the <b>smallest load</b>.
Well now you can understand that we use load balancing for better performance by distributing the work to different processes to balance or maintain the work load in SAP system.
For more information refer to this link
http://help.sap.com/saphelp_nw04/helpdata/en/28/75153a1a5b4c2de10000000a114084/content.htm
Regards
Sumit Bhutani -
Advantages of using a webserver inbetween a load balancer and application servers
I am building out a new weblogic domain.
I am wondering which one of these configuration to go with:
1. Load balancer > weblogic servers
2. Load balancer > web server > weblogic servers
Could someone tell me what are the specific advantages of having web servers inbetween a load balancer and application servers (besides caching static data content and acting as a proxy)?
Thanks in advance
SriniOther than hosting the static content, nothing much really. We have our load balancer go straight to WL for applications without static content and route to web server if there is static content. Easy enough to do it both ways, best of both worlds.
-
For a true load balancing and high-availability OHS, OPMN, and mod_oc4j
i have read this link of Enabling Clustering on oc4j9.0.4 standalone app server
http://www.oracle.com/technology/docs/tech/java/oc4j/htdocs/getstart.htm#1015479
To test the clustering, start up the load balancer by executing "java -jar loadbalancer.jar".
C:\OC4J_EXTENDED\j2ee\home>java -jar loadbalancer.jar
In a future release of Oracle Application Server, loadbalancer.jar will be
desupported. Because of this, we strongly suggest that you discontinue your use
of loadbalancer.jar in this release. Under high loads, loadbalancer.jar may not
function properly. For a true load balancing and high-availability solution,
please move to use OHS, OPMN, and mod_OC4J. For more information, please see
http://otn.oracle.com/products/ias/ohs/content.html
Balancer initialized...
what load balancer should i use for web clustering
<frontend host="balancer-host" port="balancer-port" />
balancer-host=localhost
balancer-port=80
for all nodes i mentioned same host and port in http-web-site.xml.Is it correct?
i completed all the steps and run http://localhost:6666/session/SessionServlet
i hit 3 times
in the different browser http://localhost:7777/session/SessionServlet
instead of coming 4 it starting from 1 only.can i use this loadbalancer.jar or not?
how to mod_oc4j in standalone app server -
Load balancing and High Availability topology
Our Forms 6i client-server application currently runs on Citrix farm of 20 Windows 2000 boxes (IBM Blade Servers 2 CPU and 2 Gig Memory).
Application supports 2000 users.
We are moving to AS 10g r2, forms 10g and the goal is to use same hardware, 20 Windows boxes (or less), for intranet web deployment.
What will be our best choices for application Load balancing and High Availability?
Hardware load balancer, Web Cache, mod-oc4j? Combinations?
Any suggestions, best practices, your experience?Gerd, I understand, that you are running 10g web forms through the browser, but using Citrix for deployment. This means that in addition to Application Server and Forms runtime sessions, it will be separate browser session opened for each user. What the advantage of this configuration?
Michael, we are aware, that Citrix is not supported by Oracle as a deployment platform. That only means that prior contacting Oracle Support we have to reproduce the problem in standard environment. It was never been a problem to reproduce problem :) We were using Citrix as a deployment platform for Forms 6i client/server for 4 years, but now we are forced to upgrade to 10g.
We are familiar with various Load balancing options available. The question is which option is the most "workable" in our case. -
2 ISP load balancing and redundancy
Hello!!
Our small company has about 40 branches spreaded within city. Branches are connected by optic wire supplied by our ISP. So in ISP our branches are located in one VLAN. From every branch we created VPN tunnel to our server room in central office. Central office is like a cetner point. If optic wire fails to central office, there would no VPN tunnels and no network to all branches. Moreover, all the traffice goes through central office.
Now we decided to pave one more optic line to our central office. And that will increase bandwidth and redundancy.
Private network topology: There are no default gateways and ip-addresses. For examle, at first branch I will plug computer directly into media converter and at the second branch plug another computer to the media converter. After that this two computers became in one network. And can assign any ip addresses to them.
What I have: our firewall do enough work, don't want to overload it. But we have some free ports in our new cisco 3750. The question is how to do load balancing and redundanccy? Can it do load balancing according to traffic? And how load balance incoming traffic? For example, connection was established from branche's router, how this router will choose through which line make connection? By the way, at all branches we use noisy cisco
3700 series routers.Sorry for upping 1 year old threat.
We talked to our Network Provider. They said "these two cables are coming from two different places, so there is no way to use etherchannel. You must use active-standby solution."
Relying on STP we just put two cables into 3750 stack. But with default STP settings, connection was very unstable, many packet losses and disconnections. So we found easy solution with "flex links", making one interface backup of the other. And only now I recognized that this is not a failover solution. Because, if network beyond media converter will down, link from media converter to switch would still up.
What could I do to make our L2 WAN redundant? Are there any additional STP settings. -
Hello,
We are wondering how load-balancing and failover of tpcall() work with
WTC:
The scenario:
We have one WLS Domain and two Tuxedo Domains. The Tuxedo Domains offer
the same set of services.
In the bdmconfig.xml, we specify connection_policy as 'ON_STARTUP' for
both Remote Tuxedo Domains. We also Import (T_DM_IMPORT) the same
Tuxedo Service from both Tuxedo Domains.
Questions:
1. Is there any load-balancing of the tpcall between the two Domains? If
so, is it round-robin? If round-robin, what determines the order?
2. If it is ONLY Failover, what determines the order of the tpcall? And,
is the Failover automatic? Or do we need to code for retry on failure?
3. ON_DEMAND vs ON_STARTUP: Does ON_DEMAND drop the connection to the
remote domain upon tpterm? And does ON_STARTUP use a pool of
TuxedoConnection objects?
4. Are there any configuration parameters for
'max_number-of_connections? What determines how many simultaneous
connections can be made?
Thanks,
Suresh Mohan.Hi Suresh,
The following are my answers to your questions.
Suresh Mohan wrote:
Hello,
We are wondering how load-balancing and failover of tpcall() work with
WTC:
The scenario:
We have one WLS Domain and two Tuxedo Domains. The Tuxedo Domains offer
the same set of services.
In the bdmconfig.xml, we specify connection_policy as 'ON_STARTUP' for
both Remote Tuxedo Domains. We also Import (T_DM_IMPORT) the same
Tuxedo Service from both Tuxedo Domains.
Questions:
1. Is there any load-balancing of the tpcall between the two Domains? If
so, is it round-robin? If round-robin, what determines the order?Yes there is a load balancing between two remote Tuxedo TDomain Gateways.
The algorithm is random, not RR. Over time this should give equal
opportunities to both remote TDomain.
>
2. If it is ONLY Failover, what determines the order of the tpcall? And,
is the Failover automatic? Or do we need to code for retry on failure?The load balancing is always there. The failover is automatic. When a
connection to a remote TDomain encountered a problem (ie network) the remote
domain will be put on retry open connection (in ON_STARTUP) and the load
balancing will not select it until the connection re-established.
However, the tpcall() that encountered the error will not be retried to send
to different destination. It is up to the application to decide whether it
want to resend. Any requests called after the error will not select the
failed Remote TDomain.
>
3. ON_DEMAND vs ON_STARTUP: Does ON_DEMAND drop the connection to the
remote domain upon tpterm? And does ON_STARTUP use a pool of
TuxedoConnection objects?TPTERM() only terminate your application session to WTC. WTC still maintain
a secured T-session to remote Tuxedo TDomain. WTC does not use a pool of
TuxedoConnection Objects, the object stored in the JNDI refers to WTC.
>
4. Are there any configuration parameters for
'max_number-of_connections? What determines how many simultaneous
connections can be made?No. As described in #3, there is no need to use connection pool in WTC. WTC
uses session and virtual circuit design concept as Tuxedo TDOMAIN, the
logical pool is created/destroyed dynamically. That is the reason why you
can have a lot of TPACALL() outstanding at the same time. (The limitation is
the availability system resource.)
>
>
Thanks,
Suresh Mohan.Regards,
Hong-Hsi :-) -
Discussion on load-balance and load-sharing
Hi, I found a article, which discuss the difference between load-balance and load-sharing. I think the explanation is pretty good, please see below. But I still have a question: how can we decide to choose one the both balance in the production environment ? Thank you
"In short, load balancing tries to distribute traffic evenly over multiple paths, whereas, load sharing intends to do it (for the lack of a better term) equally. True load balancing is difficult to achieve. For example, let's say there were two links (100 mbps and 300 mpbs) and a router needed to send out 600 mbps of traffic. Load balancing would distribute the traffic evenly, sending 300 mbps on each link. On the contrary, load sharing would divide the traffic equally based on the available resources, sending 200 mbps on the slower link and 400 mbps on the faster one. "Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
That's not how Cisco uses the terms, and generically they are often used almost interchangeably.
Cisco uses load balancing as the catch all for how a single L3 device routes across multiple paths to the same destination. Equal metrics or equal actual load distribution are not required. Most often, load balancing will be discussed with ECMP, but unequal path loading balancing will include Cisco's proprietary IGPs, such as EIGRP.
Cisco uses load sharing when using multiple paths when a single L3 devices doesn't normally route across multiple paths or multiple L3 devices are involved. Cisco load sharing discussions usually revolve around BGP.
Generically, I would say load balancing has more of a dynamic aspect to it, i.e. something is trying to actively balance traffic across multiple paths, while load sharing might mean multiple paths are utilized but not actively dynamically balanced.
I'm unsure what's your question with a production environment. -
Load Balancing and Failover with 10G Standard Edition
Hi,
I am new to Oracle Replication and need some help setting up replication for load balancing and failover. Is this possible using Oracle 10G Standard Edition? I plan on having all updates done on the master site and both databases will be for reads. In case of failure of the master site, I would need to be able to failover to the other database.
Also, if anyone knows of any documention for Basic Replication in 10G, please let me know.
Thanks.Simple nnapshot replication of data would require significant manual effort to configure to load balance or failover. One the load balancing side, you would generally be limited to to static load balancing-- assigning half the users to one machine and the other half of the users to the other machine, regardless of who is actively using the machine. Failover would be a significant manual effort, particularly to bring the failed machine back into the cluster. You would be implementing the guts of multi-master replication.
Frankly, if you actually have a system which is valuable enough to need load balancing and disaster recovery, I'm going to wager that it will be far cheaper even in the short run to buy more boxes and/or enterprise edition licenses than to try to implement this sort of thing yourself. In the long run, it will be far cheaper, since it will be far easier to maintain. Building all this yourself would probably be penny wise and pound foolish.
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC
Maybe you are looking for
-
I installed 10.8.2 and now I cannot access, mail, safari, app store etc. HELP !
I installed the update for Mountain Lion. And now I cannot use most of my stuff. Including Mail, APP Store ( where I would go to get any downloads and updates) Safari etc..... Please help!
-
Itunes not syncing ipod in Windows 7
Recently upgraded to windows 7 and all was well until i opened up my itunes. I had added a few albums to my collection before i upgraded, and thought id sync them to my ipod. Itunes syncs around 100 songs and then freezes and the only way to unfreeze
-
hi friends, 1.in ALE/IDOC wat are the methods and when do we use that methods like1. standalone 2. mesage cntrol 3.function module 2.when we extend basic idoc [add few fields ] how to trigger that segment if u have any learning material withexample
-
Problem with installation of new WRT160N
I am trying to install my new wireless router using the Linksys CD. When I get to the step that requires me to unplug the network cable from the computer and plug it into the router, my computer announces the cable is unplugged and I can't restore th
-
Please help. My gmail app on my iPad 2, has been frozen since a power outage that occurred last week.I am a verizon fios customer. I tried to correct this problem through settings without success. Thanks for any info you can share.