Solved

WINDOWS 2003 NLB \ WINDOWS FIREWALL

Posted on 2010-09-09
Last Modified: 2012-05-10
I have two 2003 web servers and would like to use them with NLB. Is it possible to use NLB and use the Windows Firewall as well?
0
Question by:webiis
8 Comments
 
LVL 3

Accepted Solution

by:
rob_AXSNL earned 500 total points
ID: 33640303
No, you can't, as the whole NLB network must be protected, as someone could mess up the heartbeat. So, the NLB subnet must be protected by a firewall.
0
 

Author Comment

by:webiis
ID: 33640560
Ah! So the NLB cluster IP cannot be a public IP. Must be a private IP with a NAT setup.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33641270
You can run the heartbeat on a backend subnet or on a management LAN.

NLB can have a public address - MS firewall would need to be carefully set up. Members of the NLB operate their own firewalls.

But - any new build should be placed behind a NAT firewall. Best practice.
0
 

Author Comment

by:webiis
ID: 33641403
I can set up a backend subnet pretty easily. I am running vSphere. I'm not sure what you mean by "members of nlb operate their own firewalls"?
Do I enable the Windows Firewall on each server? Will it block functions of NLB?
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33642829
Set up NLB - look over your domain FW settings for NLB entries - apply public FW to adapter - test NLB.

If you put it behind a NAT FW then you won't have to worry about it.
0
 
LVL 3

Expert Comment

by:rob_AXSNL
ID: 33644315
"Ah! So the NLB cluster IP cannot be a public IP. Must be a private IP with a NAT setup."

Behind a firewall doesn't mean it has to be NAT. You can assign a public IP address to your DMZ and just open up TCP 80 and 443...
0
 

Author Comment

by:webiis
ID: 33652297
Greg - do you have an article you can forward me on the setup using the native Windows Firewall? Just so I have some kind of guide.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33652670
Sure thing:

http://technet.microsoft.com/en-us/network/bb545423.aspx

http://blogs.technet.com/b/mempson/archive/2008/02/26/key-firewall-ports-for-windows-server-2008.aspx

This shows both UIs for the firewall:
http://blogs.technet.com/b/sbs/archive/2010/02/18/managing-your-firewalls-with-sbs-2008-and-windows-7.aspx

This talks about replication port usage; there's a good link to IANA port numbers in it.

http://blogs.technet.com/b/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx

The rules in the firewall are very granular and will allow you to open ports just for your subnets and/or public access.

I do not recommend placing the server directly on the internet.
0
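
The per-port scoping described in the comment above, as an added example that is not part of the original thread: `netsh firewall` commands (Windows Server 2003 SP1 and later) that open TCP 80 and 443 to any source, limit a management port to one subnet, and log drops for testing. The subnet 10.0.10.0/24 and the choice of RDP (TCP 3389) as the management port are assumptions for illustration.

```bat
@echo off
rem Added example: per-port scoping with the Windows Server 2003 SP1 firewall.
rem Assumed values (not from the thread): backend subnet 10.0.10.0/24,
rem and RDP (TCP 3389) as the management port to restrict.

rem Turn the firewall on and honour the configured exceptions.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem Public web traffic: reachable from any source address.
netsh firewall add portopening protocol=TCP port=80 name="HTTP" mode=ENABLE scope=ALL
netsh firewall add portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL

rem Management traffic: reachable only from the backend subnet.
netsh firewall add portopening protocol=TCP port=3389 name="RDP (backend only)" mode=ENABLE scope=CUSTOM addresses=10.0.10.0/255.255.255.0

rem Log dropped packets so anything the rules block during testing is visible.
netsh firewall set logging droppedpackets=ENABLE

rem Review the resulting mode and the list of open ports.
netsh firewall show opmode
netsh firewall show portopening
```

Run it from the console rather than over a remote session, and apply the same rules on each cluster member before testing.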
