Solved

WINDOWS 2003 NLB \ WINDOWS FIREWALL

Posted on 2010-09-09 | 8 comments | 610 views | Last Modified: 2012-05-10
I have two 2003 web servers and would like to use them with NLB. Is it possible to use NLB and use the Windows Firewall as well?
Question by: webiis

8 Comments
LVL 3

Accepted Solution

by: rob_AXSNL (earned 500 total points)
ID: 33640303
No, you can't, as the whole NLB network must be protected, as someone could mess up the heartbeat. So, the NLB subnet must be protected by a firewall.

Author Comment

by:webiis
ID: 33640560
Ah! So the NLB cluster IP cannot be a public IP. It must be a private IP with a NAT setup.
LVL 13

Expert Comment

by:Greg Hejl
ID: 33641270
You can run the heartbeat on a backend subnet or on a management LAN.

NLB can have a public address - the MS firewall would need to be carefully set up. Members of the NLB operate their own firewalls.

But any new build should be placed behind a NAT firewall. Best practice.
Author Comment

by:webiis
ID: 33641403
I can set up a backend subnet pretty easily. I am running vSphere. I'm not sure what you mean by "members of NLB operate their own firewalls"?
Do I enable the Windows Firewall on each server? Will it block functions of NLB?
LVL 13

Expert Comment

by:Greg Hejl
ID: 33642829
Set up NLB - look over your domain FW settings for NLB entries - apply the public FW to the adapter - test NLB.

If you put it behind a NAT FW then you won't have to worry about it.
LVL 3

Expert Comment

by:rob_AXSNL
ID: 33644315
"Ah! So the NLB cluster IP cannot be a public IP. It must be a private IP with a NAT setup."

Behind a firewall doesn't mean it has to be NAT. You can assign a public IP address to your DMZ and just open up TCP 80 and 443...

Author Comment

by:webiis
ID: 33652297
Greg - do you have an article you can forward me on the setup using the native Windows Firewall? Just so I have some kind of guide.
LVL 13

Expert Comment

by:Greg Hejl
ID: 33652670
Sure thing:

http://technet.microsoft.com/en-us/network/bb545423.aspx

http://blogs.technet.com/b/mempson/archive/2008/02/26/key-firewall-ports-for-windows-server-2008.aspx

This shows both UIs for the firewall:
http://blogs.technet.com/b/sbs/archive/2010/02/18/managing-your-firewalls-with-sbs-2008-and-windows-7.aspx

This talks about replication port usage; there's a good link to IANA port numbers in it.

http://blogs.technet.com/b/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx

The rules in the firewall are very granular and will allow you to open ports just for your subnets and/or public access.

I do not recommend placing the server directly on the Internet.
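As an added example, not code from this thread or from Microsoft: a PowerShell script that applies the per-member, per-subnet rule layout Greg describes (TCP 80/443 open publicly, management reachable only from the backend subnet) through the Windows Server 2003 `netsh firewall` context. Assumed values: the backend/management subnet is 10.10.0.0/24, and the rule names and the choice of RDP as the management service are mine.

```powershell
# Added example, not from this thread. Per-node Windows Firewall policy for a
# Windows Server 2003 NLB member, driven through the legacy "netsh firewall"
# context. Run it on every node: each NLB member filters its own traffic, the
# cluster VIP does not get a shared firewall (see Greg's comments above).
# Assumed (not from the thread): management/backend subnet is 10.10.0.0/24.
$MgmtSubnet = '10.10.0.0/24'

function Invoke-Netsh {
    # Runs one netsh command, echoes it, and stops the script on any failure
    # so a half-applied policy is noticed instead of silently left behind.
    param([string[]]$NetshArgs)
    Write-Host ("netsh " + ($NetshArgs -join ' '))
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed: $($NetshArgs -join ' ')`n$out"
    }
}

# 0. Audit what Group Policy / earlier installs already opened (Greg's
#    "look over your domain fw settings for NLB entries").
Invoke-Netsh 'firewall','show','config'

# 1. Firewall on for every profile. Exceptions stay allowed because the
#    scoped openings below are the only way in.
Invoke-Netsh 'firewall','set','opmode','mode=ENABLE','exceptions=ENABLE','profile=ALL'

# 2. The only ports the public side may reach: HTTP and HTTPS, from anywhere.
Invoke-Netsh 'firewall','add','portopening','protocol=TCP','port=80',
    'name=HTTP','mode=ENABLE','scope=ALL','profile=ALL'
Invoke-Netsh 'firewall','add','portopening','protocol=TCP','port=443',
    'name=HTTPS','mode=ENABLE','scope=ALL','profile=ALL'

# 3. Management services are scoped to the backend subnet only (scope=CUSTOM
#    with an explicit address list), never to the public address space.
Invoke-Netsh 'firewall','add','portopening','protocol=TCP','port=3389',
    'name=RDP-mgmt','mode=ENABLE','scope=CUSTOM',"addresses=$MgmtSubnet",'profile=ALL'
Invoke-Netsh 'firewall','set','service','type=FILEANDPRINT','mode=ENABLE',
    'scope=CUSTOM',"addresses=$MgmtSubnet",'profile=ALL'

# 4. Verify: every opening should show either scope "All" on 80/443 or the
#    management subnet on everything else.
Invoke-Netsh 'firewall','show','portopening'
Invoke-Netsh 'firewall','show','state'
```

Re-run the `show` commands after joining the node to the cluster to confirm NLB setup did not add a broader opening than intended.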