Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Network Load Balancing Best Practices (Using Clustering for a Highly Available Web Site: An Example)

Updated: September 1, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Microsoft.com Web site implements many of the following best practices, as illustrated throughout this document. Additional best practices have also been included. Web site administrators should review these practices to ensure that they are using Network Load Balancing most effectively.

Properly Secure the Network Load Balancing Hosts and the Load-Balanced Applications.

  • Network Load Balancing does not provide additional security for the load-balanced hosts and cannot be used as a firewall. Therefore, it is important to properly secure the load-balanced applications and hosts. To find out about security procedures for your applications, see the documentation for each particular application. For example, if you are using Network Load Balancing to load balance a cluster of servers running Internet Information Services (IIS), follow the procedures and guidelines for securing IIS. To view the IIS product documentation, install IIS, open the IIS User Interface (the IIS snap-in), and then click Help.

  • To avoid interference from unauthorized heartbeat packets, you must physically protect the Network Load Balancing subnet from intrusion by unauthorized computers and devices.

  • If you use the optional host list with Network Load Balancing Manager, ensure that only users in the local Administrators group have access to the host list file.

Use Two or More Network Adapters in Each Cluster Host Whenever Possible. Two Network Adapters, However, are not Required.

  • If the cluster is operating in unicast mode (the default), Network Load Balancing cannot distinguish among single adapters on individual hosts. Therefore, to make communication among cluster hosts possible, each cluster host must have at least two network adapters.

  • Although you are able to configure Network Load Balancing on more than one network adapter, make sure that you install Network Load Balancing on only one adapter (called the cluster adapter) if you use a second network adapter to address this best practice.

Use Only the TCP/IP Network Protocol on the Cluster Adapter.

  • Do not add any other protocols (for example, IPX) to this adapter.

Use Network Load Balancing Manager to Configure Options.

  • You can configure many Network Load Balancing options using either Network Load Balancing Manager or the Network Load Balancing Properties dialog box that you can access through Network Connections. However, Network Load Balancing Manager is the preferred method. We recommend that you do not use both Network Load Balancing Manager and Network Connections together to change Network Load Balancing properties. Also, you should not use two instances of Network Load Balancing Manager to configure the same cluster.

Do not Enable Network Load Balancing Remote Control.

  • The Network Load Balancing remote control option presents many security risks, including the possibility of data tampering, denial of service and information disclosure. We strongly recommend that you do not enable remote control. Instead, use Network Load Balancing Manager or other remote management tools such as Windows Management Instrumentation (WMI).

    If you choose to enable remote control, it is vital that you restrict access by specifying a strong remote control password. It is also imperative that you use a firewall to protect the Network Load Balancing UDP control ports (the ports that receive remote control commands) to shield them from outside intrusion (see Diagram 7). By default, these are ports 1717 and 2504 at the virtual IP address. Use remote control only from a secure, trusted computer within your firewall.

f59b208e-5e4d-4bc4-8810-c7a761c7c8c9

Diagram 7

Enable Network Load Balancing Manager Logging.

  • You can configure Network Load Balancing Manager to log each Network Load Balancing Manager event. This log can be very useful for troubleshooting problems or errors when using Network Load Balancing Manager. Enable Network Load Balancing Manager logging by clicking Log Settings in the Network Load Balancing Manager Options menu. Select the Enable logging check box and specify a name and location for the log file.

    The Network Load Balancing Manager log file contains potentially sensitive information about the Network Load Balancing cluster and hosts, so it must be properly secured. By default, the log file inherits the security settings of the directory in which it is created, so you might have to change the explicit permissions on the file to restrict read and write access to those individuals who do not need full control of the file. Be aware that the individual using Network Load Balancing Manager does require full control of the log file.

Verify that the Configuration Options for Cluster Parameters, Port Rules and Host Parameters are Set as Follows:

  • Make sure that all hosts in a cluster have identical cluster parameters and port rules for each unique virtual IP address.

    Each unique virtual IP address must be configured with the same port rules for every host that services that virtual IP address. However, if you have multiple virtual IP addresses configured on a host, each of those virtual IP addresses can have a different set of port rules.

  • Verify that port rules are set for all ports that are used by the load-balanced application. For example, FTP uses port 20, port 21, and ports 102465535.

  • Verify that the dedicated IP address is unique for each host and that the virtual IP address is added to each cluster host.

  • If fragmentation of the network traffic is a possibility and you are using UDP or Both (UDP and TCP/IP) for your protocol setting, verify that the affinity setting is set to Single or Class C.

Verify that any Load-Balanced Application is Started on all Cluster Hosts on which the Application is Installed.

  • Network Load Balancing does not start or stop applications.

Verify that the Configuration Options for Dedicated IP Address and Virtual IP Address are Set as Follows:

  • Make sure that the virtual IP address (VIP) and, optionally the DIP, are entered during Setup in the Network Load Balancing Properties dialog box and also in the Internet Protocol (TCP/IP) Properties dialog box. Make sure that the addresses are the same in both places. This is most easily achieved by using Network Load Balancing Manager to create and manage your cluster.

    If you omit this step, the cluster will converge and appear to be working properly, but the cluster host will not accept and handle cluster traffic.

    For more information about convergence, you can view Help and Support Center topics on the Web in the Product Documentation for Windows Server 2003 section of the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4299). You can also open Help and Support Center on a computer running a product in the Windows Server 2003 family by clicking Start, and then clicking Help and Support. Look for the topics on Network Load Balancing, which can be found by navigating to Availability and Scalability\Windows Clustering\Network Load Balancing or searching Help.

  • Verify that the DIP (if present) is always listed first (before the virtual IP address) in the Internet Protocol (TCP/IP) Properties dialog box. This ensures that responses to connections that originate from a host will return to the same host.

  • Verify that both the dedicated IP address and the virtual IP address are static IP addresses. They cannot be DHCP addresses.

Ensure that All Hosts in a Cluster Belong to the Same Subnet and that the Clusters Clients are Able to Access this Subnet.

Perform Moves of a Cluster Host According to the Following Guidelines:

  • If you move a cluster host from one cluster to another on the same subnet by changing the virtual IP address, first remove Network Load Balancing and remove the virtual IP address from TCP/IP. Then, re-enable Network Load Balancing after changing the IP address. This will prevent you from experiencing an IP address conflict.

Verify that all Cluster Hosts are Operating in Either Unicast or Multicast Mode, but not Both.

  • All network adapters within a cluster must be configured identically with regards to unicast or multicast.

Do not Enable Network Load Balancing on a Computer that is Part of a Server Cluster.

  • Network Load Balancing can interfere with network adapters used by server clusters. Microsoft does not support the same computer being a host in a Network Load Balancing cluster and also being a node within a server cluster.

Avoid Uninstalling Network Load Balancing.

  • There is typically no need to uninstall this feature. Network Load Balancing is an integral part of the products in the Windows Server 2003 family and does not need to be installed or uninstalled separately.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.