Using alternate port for FTP in an NLB cluster

Snakebyte (asker):

I have two servers participating in an NLB cluster, both running Windows Server 2008 Standard. The cluster is designed to support both Web and FTP. The Web portion works great; my question is with the FTP. Let me also say that I do not control the router/firewall that these servers sit behind (it is a hosted solution), but I am an administrator on both machines. Both machines use multiple private NICs that are NAT'd by the firewall to public addresses. For the NLB, they both share a common address of (internally) 192.168.100.186 (the NLB address), and as earlier stated, it works great for Web.
I have a very specific need to route all FTP traffic through the NLB address (for purposes of monitoring all bandwidth for the given client and charging them accordingly). I also need to be able to have the client upload, first to one server, then to the other. Eventually the data needs to be synchronized, but I have yet to find a solid way to do this without using an external script/program, or using DFS and FRS, which I have found to be occasionally uncooperative.
Both servers' FTP (in IIS) is assigned to the shared NLB address and the servers are configured to listen on their respective ports (Server 1 = 21 (default), and Server 2 = 24). The NLB is configured to allow two ports, 21 and 24, and then route them according to the following rules:

Server 1 = Port 21 100% load, Port 24 0% load.
Server 2 = Port 21 0% load, Port 24 100% load.

Which should always send port 21 traffic to Server 1, and port 24 traffic to Server 2. The port 21 traffic always works, no problems, always routes to Server 1, and FTP works great (woohoo). Port 24, on the other hand, connects to the server, handshakes, allows authentication (neither of these servers allow anonymous) and then hangs when the data channel tries to establish (so the LIST command breaks, and I never get a directory listing). I have tested the FTP operation on the alternate port by assigning FTP to one of the hardwired NIC addresses (instead of the NLB address) and everything works great; it's only when I use the NLB that everything goes awry, and only when using the non-standard port (24).

Any help would be appreciated.

Thanks,

Jay
LegendZM:

Could you post screen shots please of the different configuration pages within your NLB manager.
Snakebyte (asker):
I realize one node is down, but that is due to testing. I assure you that both nodes were up and converged when I tested and it failed.
[attached screenshots: nlb-pic-1.jpg, nlb-pic-2.jpg, nlb-pic-3.jpg, nlb-pic-4.jpg]
And Web-01 is set to a load weight of 0%.
[attached screenshot: nlb-pic-5.jpg]
LegendZM:
I don't see the picture specifying where the load/priority is configured for port 21 or port 24 to associate it with the appropriate server.

The way it appears to be set up currently:

Someone connects to 192.168.1.186 -> it will balance between WEB-01 and WEB-02.
If they connect on port 21, and by luck of the draw get sent to server WEB-02 which is listening on port 24, it won't work.

I don't see any load weight settings.

It almost sounds like you're trying to NAT to 2 different servers based on port rules.
Why can't you have both FTP servers on the same port?
Snakebyte (asker):
Not sure if I got it in after you commented, but the Port 24 rule for Server 2 is above, and the rule for Server 1 is the polar opposite (100% for port 21, and 0% for port 24). The problem with two FTP servers running concurrently is that I'd have to keep the data on both sync'd (you FTP a file to Server 1, and it would have to automatically sync on 2), but FRS in MS Server has always been a little "hinky" and I'm a little concerned using it on a production server.
LegendZM:
I would recommend using DFS; it's near flawless as long as both computers are in the same physical location. It does get a little weird if replicating over a WAN link.

Is there a reason why you don't want to run both FTP servers on the same port?
Snakebyte (asker):
By using alternate ports, I can have the client upload content to each of the servers, verifying the content was uploaded successfully to each of the FTP servers, whereas if I used the same port for both servers, and used FRS to replicate the data, it would be a craps shoot as to which server they landed on each time, and you'd have no way to know if both servers had the current data.
As to FRS, in my experience, while it's good for very small sets of files, as soon as file size goes much beyond a few MB, the system begins to crumble. This client will be uploading some video content, and needs to be able to synchronize large files, and I really don't want to hack the FRS numbers in the registry controlling the cache size for files being replicated.

Thanks,

Jay
LegendZM:
Well then, you're having the client connect to each FTP server by its dedicated IP or by the cluster IP?

If by the cluster IP/DNS name, I don't see how you're forcing it to choose which server by port, since load balancing would take a request for port 21 and try to send it to the port 24 FTP.
Snakebyte (asker):
Ah, I see your concern. No, I have the client specify which server they want to update by indicating the port (either via IE using ftp://xxx.whatever.com:24 or specifying the port in whatever client they use), and that way they can be steered to either Server 1 (port 21) or Server 2 (port 24).
LegendZM:
Ok.
So then your question is more of how to replicate the data between the 2 ftp sites?
Snakebyte (asker):
In lieu of being able to have the client simply send data to each site separately (which is the best way to confirm that data is synchronized, because then it's the client's responsibility), yes. My preference, though, is to get the NLB working on the alternate port. Actually, either way it has to use the NLB address, as that is the address that PRTG monitors for the purposes of billing the client for bandwidth usage.
LegendZM:
As far as I know, the FTP servers would need to be on the same port for NLB to work.
I know FRS has some problems with file replication, but if the 2 servers are in the same spot, give DFS a try.
Snakebyte (asker):
Actually, NLB is working like a charm; it's FTP that is having the issue, and I'm sure it's somehow related to the passive port that is opened after the initial connection. Like I said, it authenticates and works all the way up to the point that the passive port is opened and the LIST command is sent, and the server never seems to respond (or the client doesn't recognize it when it does).
Since I needed to get the system up and running, I simply moved them off the NLB, and am using their separate IP addresses. This significantly complicates monitoring, but it works. I'm still open to anyone that has used FTP on an NLB via an alternate port (other than 21). Any gurus out there that can either definitively show me how to do it, or tell me why it won't work?
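The symptom the asker describes (login succeeds, LIST stalls) is characteristic of a passive-mode data channel that the load balancer never delivers: the two NLB port rules in this thread cover only ports 21 and 24, while the server's 227/229 reply tells the client to open a second connection to a different port. The script below is an added example, not code from the thread or from Microsoft; it parses PASV (RFC 959) and EPSV (RFC 2428) replies and checks the advertised endpoint against a set of NLB port rules. The rule sets, the 49152-49200 passive range (IIS FTP lets you pin the data-channel range under FTP Firewall Support; the exact range here is a hypothetical choice) and the sample replies are all constructed for the illustration.

```python
import re

# Constructed for this example: the two single-port NLB rules described in
# the thread (control channel only, no data-channel range).
CONTROL_ONLY_RULES = ((21, 21), (24, 24))

# Same rules plus an assumed passive data-channel range. 49152-49200 is a
# hypothetical choice; whatever range IIS FTP is pinned to, NLB must cover it.
RULES_WITH_DATA_RANGE = CONTROL_ONLY_RULES + ((49152, 49200),)

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply):
    """Return the port advertised by a 229 reply, or None if it is not one."""
    m = EPSV_RE.match(reply.strip())
    return int(m.group(1)) if m else None


def port_covered(port, rules):
    """True if some (start, end) NLB port rule covers the port."""
    return any(start <= port <= end for start, end in rules)


def check_passive_reply(reply, control_ip, rules):
    """Diagnose the data channel a passive reply would open.

    Returns a list of problems; an empty list means the data connection
    goes to the same address the control connection used, on a port the
    NLB port rules cover.
    """
    problems = []
    pasv = parse_pasv(reply)
    if pasv is not None:
        ip, port = pasv
        # Behind NAT, the advertised address must be the one the client used
        # (IIS FTP Firewall Support: "External IP Address of Firewall").
        if ip != control_ip:
            problems.append(
                f"PASV advertises {ip} but the client connected to {control_ip}"
            )
    else:
        port = parse_epsv(reply)
        if port is None:
            return ["reply is neither a 227 PASV nor a 229 EPSV response"]
    if not port_covered(port, rules):
        problems.append(f"data port {port} matches no NLB port rule")
    return problems


if __name__ == "__main__":
    vip = "192.168.100.186"
    # Constructed reply: the server advertises data port 192*256+1 = 49153 on the VIP.
    reply = "227 Entering Passive Mode (192,168,100,186,192,1)."
    print(check_passive_reply(reply, vip, CONTROL_ONLY_RULES))
    print(check_passive_reply(reply, vip, RULES_WITH_DATA_RANGE))
```

Run against a real session by pasting the 227/229 line the server returns after PASV or EPSV; if the port falls outside every rule, the data connection is not being steered by the same rule as the control connection, which is what a stalled LIST on an otherwise working login looks like.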
LegendZM:
If both the FTP servers are on the same alternate port it should work fine. If one FTP server is on port 21 and another on port 24, this won't work through NLB.

Try putting both FTP servers on the same port, and see if they respond when accessed by the Virtual-IP with the passive opened port.
Snakebyte (asker):
I tried that to no avail. There is apparently something inherent about FTP that just won't work on an NLB if you use a non-standard port. I went back to the original configuration of using two separate IP addresses, each pointed to one of the servers, and using port 21 for each. I'll just have to monitor bandwidth on each IP address, and for each client separately, then add the totals up for purposes of billing the client. This is kinda "hokey" but it'll have to do. Thanks for trying though.

Snakebyte
SOLUTION
LegendZM

ASKER CERTIFIED SOLUTION