Solved

loadbalancer cluster ip and multiple host headers

Posted on 2009-05-03
10
239 Views
Last Modified: 2012-05-06
Hey guys,

Can someone tell me what is the best approach?

I have a load balancer cluster: 68.192.2.34 cluster IP. I have two front-end web servers as nodes.

I have all my applications hosted on both machines, so far good. They have host headers (each application has a host header; H1, H2, H3 and H4 are host headers on both nodes).

My question is: should I create a new cluster for the same nodes with different NICs, or use the same cluster IP for different host headers in DNS?

Thanks

janu

Question by:Audi08
10 Comments
 
LVL 4

Expert Comment

by:Macros82
ID: 24300067
So your question is whether to go with the current structure (virtual cluster IP and point all host headers to that in DNS)

OR

Recreate the whole cluster and virtual IP address using different network cards than the ones currently being used??

I might be able to help but can you please clarify?
 
LVL 4

Expert Comment

by:Macros82
ID: 24300089
If the host headers are already set up then use the same cluster IP for different headers; after all, host headers allow you to run sites on the same IP.

The only hiccups are:
- you can't run SSL for different domains; only for different sub-domains through a domain wildcard certificate
- it does not work for applications that construct URLs from the server name, or localhost or IP address

However, you are already using host headers so we will just run with that.

But in general if you have the IPs to spare then host headers are not needed. If you are short of IPs they are.
 
LVL 1

Author Comment

by:Audi08
ID: 24300546
I want to expose h1 and h4 to some people and not h3; I want custom security for h3.
My business case is: if someone mistakenly adds a user name to h3, we are gone for dead.
This happens between two domain trusts: so when I expose to the other domain guys, I don't want them to go through h3 or even try to hit it.

h3 is an intranet SharePoint; MOSS takes care of security well but we don't want to take chances or even want to think they can hit our site.

Plan A: create a new cluster with a different IP and use this for h3, separate security and authentication.
Separate load balancer cluster. We have ports available and also IPs available, and also NIC cards.

I am not able to decide which route to go in case we even decide for SSL and ISA in the coming future.

So if I am not wrong, it is better to split this now into a different cluster than doing it in the same cluster.
I want to know how others are taking care of these issues. Best practices....

thanks
Janu

 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 24300949
OK, load balancing or clustering manages routing, NOT security. Control security within the applications themselves without worrying about how the traffic got there.
 
LVL 1

Author Comment

by:Audi08
ID: 24300973
Well, I know it is routing not security, thanks for the clarification, but I don't want anyone to be able to even hit or touch the server.
That is why I think for the same nodes I need to create a second NLB cluster.
Does it make sense? Please input your thoughts/ideas.

ex: NLB cluster 1    66.23.12.45
wfe1, wfe2 and port 80 exposed to the second domain and the first domain.
h1, h2, h3 all point to 12.45 currently.
So irrespective of security, second domain guys can hit h1, h2 and h3.
For security, I don't want h3 to be hit at all.
So now tell me, is there a need to create a new cluster, cluster 2, with 66.23.12.47 and dedicate it to h3?
Do you see any need? If so, how would you deal with this using only 1 cluster?

thanks
Janu
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 250 total points
ID: 24300992
Sorry, I don't think it makes sense at all. You do not need a second cluster. If you are using Windows NLB (which it seems you are) nothing is stopping someone from bypassing it and going directly to a server. NLB is just a fancy way of redirecting traffic for one FQDN to multiple servers. Nothing is stopping someone from bypassing it.

If you want to control access outside the application use a firewall.
 
LVL 1

Author Comment

by:Audi08
ID: 24301022
One more time: I might be in doubt. My environment:
domain A and domain B.
Everything is in domain A, all services offered.
Domain A has the h1, h2, h3 applications load balanced on a cluster with some IP (66.32.23.45 cluster IP).
All of h1, h2 and h3 point to 23.45 in DNS. We are opening a firewall port 80 and the cluster IP address.
So anyone from domain B can hit h1, h2 and h3.
I don't want domain B guys to hit h3. h3 is our domain A intranet site and it should not be hit by anyone. And we have security in place, but the security is defined by users in most cases (SharePoint). So at any cost we don't want domain B guys to see h3 at all.
Anyone from domain A who has permission can give access to domain B users. But I don't want this to happen, so now tell me, do you still see only one cluster? OK, so in this case, using one cluster with all applications running on port 80 and exposed in the firewall, how can you restrict domain B guys from hitting h3?
thanks
janu
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 24301215
A firewall like ISA 2006 can block based on the host header name. If your security is using the built-in Windows authentication then it's very secure. If you configured SharePoint to only allow one domain to access it, then your intranet site is safe.
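As an added illustration of the firewall approach just described (this is example code, not from the thread and not ISA's own configuration): a small Python filter that decides on the HTTP Host header rather than on the destination IP, which is the whole reason a second cluster IP buys nothing. The host names, the domain A client network and the sample requests are constructed for the example; a bare IP or missing Host header is treated as unknown and denied.

```python
"""Host-header based access filter (constructed example).

Every site shares one cluster IP, so the destination address cannot tell
h1/h2 (published to both domains) apart from h3 (domain A intranet only).
A firewall or reverse proxy that reads the Host header can.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed assumptions: domain A's client network and the DNS names
# that all resolve to the shared cluster IP.
DOMAIN_A_NETWORK = ipaddress.ip_network("10.10.0.0/16")
PUBLIC_HOSTS = {"h1.example.test", "h2.example.test"}   # domain A and B
INTRANET_HOSTS = {"h3.example.test"}                    # domain A only


@dataclass
class Request:
    src_ip: str
    host_header: Optional[str]   # None models a request with no Host header


def host_policy(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Default deny: a Host value that is not a
    published name (e.g. the raw cluster IP 66.32.23.45) is rejected, so
    addressing the cluster IP directly does not bypass the rule."""
    host = (req.host_header or "").strip().lower().split(":")[0]  # drop :port
    if host in PUBLIC_HOSTS:
        return True, "published site, open to both domains"
    if host in INTRANET_HOSTS:
        src = ipaddress.ip_address(req.src_ip)
        if src in DOMAIN_A_NETWORK:
            return True, "intranet site from the domain A network"
        return False, "intranet site requested from outside domain A"
    return False, "unknown or missing Host header"


def filter_requests(requests: List[Request]) -> List[Tuple[Request, bool, str]]:
    """Apply the policy to a batch of requests (e.g. replayed proxy log lines)."""
    return [(r, *host_policy(r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample traffic: 192.0.2.10 stands in for a domain B client.
    sample = [Request("192.0.2.10", "h1.example.test"),
              Request("192.0.2.10", "h3.example.test"),
              Request("10.10.5.7", "H3.example.test:80"),
              Request("192.0.2.10", "66.32.23.45"),
              Request("192.0.2.10", None)]
    for req, ok, why in filter_requests(sample):
        print(f"{req.src_ip:<12} Host={req.host_header!s:<22} {'ALLOW' if ok else 'DENY ':5} ({why})")
```

The source-network check matters because a client can send any Host value it likes; the header alone selects the site, and the network decides who may reach the intranet one.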
 
LVL 1

Author Comment

by:Audi08
ID: 24301233
Sounds good:
In future we will be going for ISA 2006, but for now we have to go with something like this: sounds good.
How do we do it? Is there a setting somewhere where I could restrict it to only one domain? Is this a web application setting or not? If it is not, then I cannot use this approach, because some of my custom applications use a file repository as a SharePoint backend too.

"If you configured SharePoint to only allow one domain to access it, then your intranet site is safe."

thanks
janu
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 24301338
When you set up SharePoint, by default no one has access. As you create sites you decide who has access to what. So, when you are opening access to the sites, only add members of the domain you want to access the sites. It's that easy. SharePoint will automatically reject everyone else.

For example, add 'MYDOMAIN\Domain Users' as members or visitors to the sites. Don't add 'Authenticated Users' because that will allow anyone, including trusted domains.