Solved

WINDOWS 2003 NLB \ WINDOWS FIREWALL

Posted on 2010-09-09
8
617 Views
Last Modified: 2012-05-10
I have two 2003  web servers and would like to use them with NLB. Is it possible to use NLB and use the windows firewall as well?
0
Comment
Question by:webiis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 3

Accepted Solution

by:
rob_AXSNL earned 500 total points
ID: 33640303
No you can't as the whole NLB network must be protected as someone could mess up the heart beat. So, the NLB subnet must be protected by a firewall.
0
 

Author Comment

by:webiis
ID: 33640560
Ah! so the NLB cluster IP can not be a public IP. Must be a private IP with a nat setup.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33641270
you can run the heartbeat on a backend subnet or on a management lan.

NLB can have a public address - MS firewall would need to be carefully setup. members of the nlb operate their own firewalls.

but - any new build should be placed behind a nat firewall. best practice
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:webiis
ID: 33641403
I can setup a backend subnet pretty easily. I am running v sphere. I'm not sure what you mean by "members of nlb operate their own firewalls" ?
Do I enable the windows firewall on each server? Will it block functions of NLB?
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33642829
set up nlb - look over your domain fw settings for nlb entries - apply public fw to adapter - test nlb

if you put behind NAT fw then you wont have to worry about it.
0
 
LVL 3

Expert Comment

by:rob_AXSNL
ID: 33644315
Ah! so the NLB cluster IP can not be a public IP. Must be a private IP with a nat setup.

Behind a firewall doesnt mean is has to be nat. You can assign a public ip address to your dmz and just open up tcp 80 and 443...
0
 

Author Comment

by:webiis
ID: 33652297
greg - do you have an article you can forward me on the setup using the native windows firewall. Just so I have some kind of guide.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33652670
sure thing:

http://technet.microsoft.com/en-us/network/bb545423.aspx

http://blogs.technet.com/b/mempson/archive/2008/02/26/key-firewall-ports-for-windows-server-2008.aspx

this shows both UI's for the firewall:
http://blogs.technet.com/b/sbs/archive/2010/02/18/managing-your-firewalls-with-sbs-2008-and-windows-7.aspx

this talks about replication port usage:  there's a good link to IANA port numbers in it.

http://blogs.technet.com/b/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx

the rules in the firewall are very granular and will allow you to open ports just for your subnets and/or public access.

I do not recommend placing the server directly on the internet.  
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question