Solved

loadbalancer cluster ip and multiple host headers

Posted on 2009-05-03
10
236 Views
Last Modified: 2012-05-06
hey guys

can someone tell me what is the best approach

I have a load balancer cluster: 68.192.2.34 cluster IP. I have two front-end web servers as nodes.

I have all my applications hosted on both machines, so far so good. They have host headers (each application has a host header); H1, H2, H3 and H4 are host headers on both nodes.

My question is: should I create a new cluster for the same nodes with different NICs, or use the same cluster IP for different host headers in DNS?

Thanks

janu


0
Question by:Audi08
10 Comments
 
LVL 4

Expert Comment

by:Macros82
So your question is to go with the current structure (virtual cluster IP and point all host headers to that in DNS)

OR

Recreate the whole cluster and virtual IP address using different network cards than the ones currently being used?

I might be able to help but can you please clarify?
0
 
LVL 4

Expert Comment

by:Macros82
If the host headers are already set up then use the same cluster IP for different headers; after all, host headers allow you to run sites on the same IP.

The only hiccups are:
- you can't run SSL for different domains; only for different sub-domains through a domain wildcard certificate
- it does not work for applications that construct URLs from the server name, or localhost or IP address

However you are already using host headers so we will just run with that.

But in general if you have the IPs to spare then host headers are not needed. If you are short of IPs they are.
0
 
LVL 1

Author Comment

by:Audi08
I want to expose h1 and h4 to some people and not h3; I want custom security for h3.
My business case is: if someone mistakenly adds a user name to h3, we are dead.
This happens between two domain trusts: so when I expose to the other domain guys, I don't want them to go through h3 or even try to hit it.

h3 is the intranet SharePoint: MOSS takes care of security well, but we don't want to take chances or even want to think they can hit our site.

Plan A: create a new cluster with a different IP and use this for h3, with separate security and authentication; a separate load balancer cluster. We have ports available and also IPs available, and also NIC cards.

I am not able to decide which route to go in case we even decide for SSL and ISA in the coming future.

So if I am not wrong it is better to split now into different clusters than doing it in the same cluster.
I want to know how others are taking care of this issue. Best practices....

thanks
Janu





0
 
LVL 51

Expert Comment

by:tedbilly
OK, load balancing or clustering manages routing, NOT security. Control security within the applications themselves without worrying about how the traffic got there.
0
 
LVL 1

Author Comment

by:Audi08
Well, I know it is routing, not security, thanks for the clarification, but I don't want anyone to be able to even hit or touch the server.
That is why I think for the same nodes I need to create a second NLB cluster.
Does it make sense? Please input your thoughts/ideas.

ex: NLB cluster 1    66.23.12.45
wfe1, wfe2 and port 80 exposed to the second domain and the first domain.
h1, h2, h3 all point to 12.45 currently.
So irrespective of security, second domain guys can hit h1, h2 and h3.
For security, I don't want h3 to be hit at all.
So now tell me, is there a need to create a new cluster, cluster 2, with 66.23.12.47 and dedicate it to h3?
Do you see any need? If so, how would you deal with this using only 1 cluster?

thanks
Janu


0

 
LVL 51

Accepted Solution

by:tedbilly earned 250 total points
Sorry, I don't think it makes sense at all. You do not need a second cluster. If you are using Windows NLB (which it seems to be), nothing is stopping someone from bypassing it and going directly to a server. NLB is just a fancy way of redirecting traffic for one FQDN to multiple servers. Nothing is stopping someone from bypassing it.

If you want to control access outside the application, use a firewall.
0
 
LVL 1

Author Comment

by:Audi08
One more time: I might be in doubt. My environment:
domain a and domain b.
Everything is in domain a and all services are offered from there.
domain a has the h1, h2, h3 applications load balanced on a cluster with some IP (66.32.23.45 cluster IP).
All of h1, h2 and h3 point to 23.45 in DNS. We are opening a firewall port 80 to the cluster IP address.
So anyone from domain b can hit h1, h2 and h3.
I don't want domain b guys to hit h3. h3 is our domain a intranet site and it should not be hit by anyone. And we have security in place, but the security is defined by users in most cases (SharePoint). So at any cost we don't want domain b guys to see h3 at all.
Anyone from domain a who has permission can give access to domain b users. But I don't want this to happen, so now tell me, do you still see only one cluster? OK, so in this case, using one cluster with all applications running on port 80 and exposed in the firewall, how can you restrict domain b guys from hitting h3?
thanks
janu
0
 
LVL 51

Expert Comment

by:tedbilly
A firewall like ISA 2006 can block based on the host header name. If your security is using the built-in Windows authentication then it's very secure. If you configured SharePoint to only allow one domain to access it, then your intranet site is safe.
0
 
LVL 1

Author Comment

by:Audi08
Sounds good:
In future we will be going for ISA 2006, but for now we have to go with something like this: sounds good.
How do we do it? Is there a setting somewhere where I could restrict it to only one domain? Is this a web application setting or not? If it is not, then I cannot use this approach, because some of my custom applications use the file repository as a SharePoint backend too.

"If you configured SharePoint to only allow one domain to access it, then your intranet site is safe."
thanks
janu

thanks
sjanu
0
 
LVL 51

Expert Comment

by:tedbilly
When you set up SharePoint, by default no one has access. As you create sites you decide who has access to what. So, when you are opening access to the sites, only add members of the domain you want to access the sites. It's that easy. SharePoint will automatically reject everyone else.

For example, add 'MYDOMAIN\Domain Users' as members or visitors to the sites. Don't add 'Authenticated Users' because that will allow anyone, including trusted domains.
0
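The accepted answer's point is that access to h3 is decided by who is a member of its SharePoint sites, not by which cluster IP serves it. The script below is an added example, not code from this thread or from SharePoint itself: it audits an exported list of site memberships against an allowed-domain policy and flags the two mistakes the thread warns about, a broad group such as 'Authenticated Users' (which admits every trusted domain) and a principal from the other domain. It assumes you have already exported each site's members (for example with stsadm or the SharePoint object model) into objects carrying a SiteUrl and a Principal in DOMAIN\name form; the domain names, site URLs and member list used here are constructed for the example.

```powershell
# Added example (not from the thread): audit exported SharePoint site memberships
# against an allowed-domain policy. Input objects are assumed to have SiteUrl and
# Principal ('DOMAIN\name') properties; the sample data at the bottom is constructed.

function Get-SitePermissionFindings {
    param(
        [Parameter(Mandatory)][object[]]$Memberships,   # exported SiteUrl/Principal pairs
        [Parameter(Mandatory)][string]$AllowedDomain    # the only domain that may hold access
    )

    # Well-known groups that include accounts from every trusted domain.
    # 'Authenticated Users' is the one the thread explicitly warns against.
    $broadGroups = @(
        'NT AUTHORITY\Authenticated Users',
        'Everyone',
        'BUILTIN\Users'
    )

    foreach ($m in $Memberships) {
        $principal = [string]$m.Principal
        $reason = $null

        if ($broadGroups -contains $principal) {
            $reason = 'Broad group grants access to every trusted domain'
        }
        elseif ($principal -match '^(?<domain>[^\\]+)\\(?<name>.+)$') {
            # DOMAIN\name form: compare the domain part (string -ne is case-insensitive)
            if ($Matches.domain -ne $AllowedDomain) {
                $reason = "Principal from domain '$($Matches.domain)' (expected '$AllowedDomain')"
            }
        }
        else {
            # No domain qualifier at all, so the policy cannot be verified
            $reason = 'Unqualified principal; cannot verify its domain'
        }

        if ($reason) {
            [pscustomobject]@{
                SiteUrl   = $m.SiteUrl
                Principal = $principal
                Reason    = $reason
            }
        }
    }
}

# Constructed sample export: one correct entry, two policy violations on the
# intranet site, and a correct entry on an externally shared site.
$sampleMemberships = @(
    [pscustomobject]@{ SiteUrl = 'http://h3/sites/intranet'; Principal = 'DOMAINA\Domain Users' },
    [pscustomobject]@{ SiteUrl = 'http://h3/sites/intranet'; Principal = 'NT AUTHORITY\Authenticated Users' },
    [pscustomobject]@{ SiteUrl = 'http://h3/sites/intranet'; Principal = 'DOMAINB\jsmith' },
    [pscustomobject]@{ SiteUrl = 'http://h1/sites/portal';   Principal = 'DOMAINA\jdoe' }
)

# Only the two intranet violations are reported; the DOMAINA entries pass.
Get-SitePermissionFindings -Memberships $sampleMemberships -AllowedDomain 'DOMAINA' |
    Format-Table -AutoSize
```

Run it against a real export on a schedule so that a site owner who adds a domain b user or 'Authenticated Users' to h3 shows up as a finding, which covers the "someone mistakenly adds a user" case the question is worried about without needing a second NLB cluster.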