
loadbalancer cluster ip and multiple host headers

Last Modified: 2012-05-06
Hey guys,

Can someone tell me what the best approach is?

I have a load balancer cluster: 68.192.2.34 is the cluster IP. I have two front-end web servers as nodes.

I have all my applications hosted on both machines; so far so good. They have host headers (each application has a host header): H1, H2, H3 and H4 are host headers on both nodes.

My question is: should I create a new cluster for the same nodes with different NICs, or use the same cluster IP for different host headers in DNS?

Thanks

janu



Commented:
So your question is to go with the current structure (virtual cluster IP and point all host headers to that in DNS)

OR

Recreate the whole cluster and virtual IP address using different network cards than the one currently being used??

I might be able to help but can you please clarify?

Commented:
If the host headers are already set up then use the same cluster IP for different headers; after all, host headers allow you to run sites on the same IP.

The only hiccups are:
- you can't run SSL for different domains; only for different sub-domains through a domain wildcard certificate
- it does not work for applications that construct URLs from the server name, or localhost or IP address

However you are already using host headers so we will just run with that.

But in general if you have the IPs to spare then host headers are not needed. If you are short of IPs they are.

Author

Commented:
I want to expose h1 and h4 to some people and not h3; I want custom security for h3.
My business case is: if someone mistakenly adds a user name to h3, we are as good as dead.
This happens between two domain trusts: so when I expose it to the other domain's guys, I don't want them to go through h3 or even try to hit it.

h3 is an intranet SharePoint: MOSS takes care of security well, but we don't want to take chances, or even want them to think they can hit our site.

Plan A: create a new cluster with a different IP and use this for h3, with separate security and authentication.
A separate load balancer cluster. We have ports available and also IPs available, and also NIC cards.

I am not able to decide which route to go in case we decide on SSL and ISA in the coming future.

So if I am not wrong it is better to split them now into a different cluster than doing it in the same cluster.
I want to know how others are taking care of these issues. Best practices....

thanks
Janu





Ted Bouskill, Senior Software Developer
CERTIFIED EXPERT
Top Expert 2009

Commented:
OK, load balancing or clustering manages routing NOT security.  Control security within the applications themselves without worrying about how the traffic got there.

Author

Commented:
Well, I know it is routing not security, thanks for the clarification, but I don't want anyone to be able to even hit or touch the server.
That is why I think for the same nodes I need to create a second NLB cluster.
Does it make sense? Please input your thoughts/ideas.

Ex: NLB cluster 1    66.23.12.45
wfe1, wfe2 and port 80 exposed to the second domain and the first domain.
h1, h2, h3 all point to 12.45 currently.
So irrespective of security, second domain guys can hit h1, h2 and h3.
Forget security, I don't want h3 to be hit at all.
So now tell me, is there a need to create a new cluster, cluster 2 with 66.23.12.47, and dedicate it to h3?
Do you see any need? If so, how would you deal with this using only 1 cluster?

thanks
Janu



Author

Commented:
One more time: I might be in doubt. My environment:
domain A and domain B.
Everything is in domain A, all services offered.
Domain A has the h1, h2, h3 applications in a load-balanced cluster with some IP (66.32.23.45 cluster IP).
All of h1, h2 and h3 point to 23.45 in DNS. We are opening firewall port 80 and the cluster IP address.
So anyone from domain B can hit h1, h2 and h3.
I don't want domain B guys to hit h3. h3 is our domain A intranet site and it should not be hit by anyone. We have security in place, but the security is defined by users in most cases (SharePoint). So at any cost we don't want domain B guys to see h3 at all.
Anyone from domain A who has permission can give access to domain B users. But I don't want this to happen. So now tell me, do you still see only one cluster? OK, so in this case, using one cluster with all applications running on port 80 and exposed in the firewall, how can you restrict domain B guys from hitting h3?
thanks
janu
Ted Bouskill, Senior Software Developer

Commented:
A firewall like ISA 2006 can block based on the host header name.  If your security is using the built in Windows authentication then it's very secure.  If you configured Sharepoint to only allow one domain to access it, then your intranet site is safe.
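
The host-header rule described in the comment above, modelled as an added example that is not part of the thread and is not ISA Server configuration syntax: one shared cluster IP, with h3 reachable only from domain A's network. The host names, the address ranges and the cluster IP `192.0.2.10` are constructed placeholders.

```python
import ipaddress

# Constructed policy: host header -> source networks allowed to reach it.
# Names and ranges are placeholders, not values from the thread.
DOMAIN_A = ipaddress.ip_network("10.1.0.0/16")   # assumed domain A clients
DOMAIN_B = ipaddress.ip_network("10.2.0.0/16")   # assumed domain B clients
POLICY = {
    "h1.example.test": [DOMAIN_A, DOMAIN_B],
    "h2.example.test": [DOMAIN_A, DOMAIN_B],
    "h3.example.test": [DOMAIN_A],               # intranet: domain A only
    "h4.example.test": [DOMAIN_A, DOMAIN_B],
}


def normalize_host(raw):
    """Return the lowercase host name without port or trailing dot, or None."""
    if not raw:
        return None
    host = raw.strip().lower()
    if host.startswith("["):          # IPv6 literal, never a published site name
        return None
    if ":" in host:                   # drop an explicit port such as ":80"
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")           # "h3.example.test." names the same site
    return host or None


def decide(source_ip, host_header):
    """Default-deny decision for one request arriving at the shared cluster IP."""
    allowed = POLICY.get(normalize_host(host_header))
    if allowed is None:               # missing Host, bare IP, or unknown site
        return "deny"
    addr = ipaddress.ip_address(source_ip)
    return "allow" if any(addr in net for net in allowed) else "deny"


# Constructed sample requests: (source address, Host header as sent)
SAMPLES = [
    ("10.1.4.20", "h3.example.test"),      # domain A to intranet
    ("10.2.9.7", "h1.example.test"),       # domain B to a shared site
    ("10.2.9.7", "H3.Example.Test:80"),    # case and port variation
    ("10.2.9.7", "h3.example.test."),      # trailing-dot variation
    ("10.2.9.7", "192.0.2.10"),            # bare cluster IP, no site name
    ("10.2.9.7", None),                    # no Host header at all
]

if __name__ == "__main__":
    for src, host in SAMPLES:
        print(src, repr(host), decide(src, host))
```

The comparison runs on the normalized name, so case, port and trailing-dot variants of h3 are treated as h3, and anything that matches no published name is denied instead of falling through to a default site.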

Author

Commented:
Sounds good.
In future we will be going for ISA 2006, but for now we have to go with something like this.
How do we do it? Is there a setting somewhere where I could restrict it to only one domain? Is this a web application setting or not? If it is not then I cannot use this approach, because some of my custom applications use a file repository as SharePoint backend too.

If you configured Sharepoint to only allow one domain to access it, then your intranet site is safe.
thanks
janu

thanks
sjanu
Ted Bouskill, Senior Software Developer

Commented:
When you set up Sharepoint, by default no one has access.  As you create sites you decide who has access to what.  So, when you are opening access to the sites only add members of the domain you want to access the sites.  It's that easy.  Sharepoint will automatically reject everyone else.

For example add 'MYDOMAIN\Domain Users' as members or visitors to the sites.  Don't add 'Authenticated Users' because that will allow anyone including trusted domains.