Configuring NLB for a Forefront UAG array

  • Article

Updated: February 15, 2013

Applies To: Unified Access Gateway

You can load balance traffic across multiple Forefront Unified Access Gateway (UAG) array servers using a hardware load balancer or by using the Windows network load balancing (NLB) feature that is integrated into Forefront UAG.

This topic describes the following steps that are required for configuring integrated NLB:

Important

If you are working in a virtual environment, you must configure the virtual machines as described in Configuring NLB in a virtual environment.

  1. Defining virtual IP addresses (VIPs)

  2. Load balancing trunks

  3. Starting NLB services

  4. You may also need to do the following:

    • Configuring affinity stickiness time-out

For information about planning for load balancing in a high availability deployment, see Load balancing design.

Configuring NLB in a virtual environment

If you are running Forefront UAG in a virtual machine on a server running Hyper-V and you want to configure NLB, on each server, do the following:

To configure NLB in a virtual environment

  1. In the Hyper-V Manager console, in the Virtual Machines list, make sure that each of your virtual machines is shut down.

  2. Right-click the virtual machine, and select Settings.

  3. On the Settings for <machine name> dialog box, click the network adapter on which you will configure NLB in Forefront UAG.

    Note

    You can configure NLB on the internal network adapter or on the external network adapter.

  4. Select the Enable spoofing of MAC addresses check box.

  5. When you have configured all of the network adapters, on the Settings for <machine name> dialog box, click OK.

  6. Repeat steps 2 – 5 for each virtual machine in your configuration.

Note

If you do not enable the setting, no warning is issued, but the behavior of the server after configuring NLB may be unpredictable.

Forefront UAG is supported as a virtual machine on servers that have Windows Server 2008 with Service Pack 2 (SP2), or Windows Server 2008 R2 with the Hyper-V role.

Defining virtual IP addresses (VIPs)

The following procedure describes how to add VIPs to networks. Note that when you set up NLB to load balance traffic to Forefront UAG trunks, you can configure a VIP on the external network only. Configuring VIPs on the internal network is not supported.

To define virtual IP addresses (VIPs)

  1. On the array manager, on the Admin menu, click Network Load Balancing.

  2. On the Network Load Balancing dialog box, click Add to add a virtual IP address to a network. To load balance requests for applications and resources published via Forefront UAG trunks, select the external network. Note that when you use NLB, IP addresses should not be assigned from DHCP.

  3. On the Configure Virtual IP Addresses dialog box, specify an IPv4 network address and mask for the adapter connected to the external network, and then click OK to close the dialog box. Note that you cannot specify a dedicated IP address (DIP) as a VIP.

  4. To modify an existing VIP, on the Network Load Balancing dialog box, click Edit. On the Configure Virtual IP Address dialog box, modify the VIP, and then click OK.

  5. In NLB mode, select Unicast, Multicast, or IGMP Multicast. Note that to use multicast, any routers you are using must support multicast traffic. The selected NLB mode will be applied to all VIPs connected with the relevant network adapter.

Note

After configuring a network adapter to use NLB, configuring multiple dedicated IP addresses (DIPs) on the adapter is not supported. If multiple DIPs were previously configured, only one will remain after you configure NLB; the rest will be deleted.

Note

If you misconfigure the subnet mask for the VIP, when you activate the configuration, TMG raises an alert and NLB cannot start. To resolve this:

  1. On the Forefront UAG Management console, on the Network Load Balancing dialog box, remove the VIP, and on the main properties page of the trunk, click Use non-integrated NLB.

  2. Activate the configuration.

  3. Make sure that the VIP was removed from the network adapter. If it was not, remove it manually.

  4. Reconfigure NLB with the correct VIP and subnet mask.

  5. Activate the configuration.

Load balancing trunks

After defining VIPs, you should configure the trunks that you want to load balance. Note that when you create a new trunk in an array configuration, you can select a VIP to associate with the trunk.

To configure load balancing trunks

  1. In the Forefront UAG Management console, select each trunk to which you want to load balance requests.

  2. On the main properties page of the trunk, click Use integrated NLB.

  3. In Virtual IP, specify the VIP on which the external network is listening.

  4. Activate the configuration in the toolbar.

Note

For trunks that are not load balanced, make sure that you have selected Use non-integrated NLB, and verify that the trunk has a unique IP address specified on each array member.

Starting NLB services

After defining VIPs, selecting trunks for load balancing, and activating the configuration, you must start NLB manually for each array member, as follows.

To start NLB

  1. On the array manager server, in the Forefront UAG Management console, on the Admin menu, click Web Monitor.

  2. In Array Monitor, click Current Status.

  3. For each array node, select the check box for the node, in the actions drop-down list, click Start, and then click Apply.

Note

When you open Web Monitor it may take up to a minute for NLB information to appear.

Configuring affinity stickiness time-out

An IP affinity setting specifies for how long an endpoint source IP address uses the same array member, even if other array members are available. By default, this is set to 30 minutes. After configuring trunks for load trunk balancing, you can modify the IP affinity setting for a trunk, if required. When using NLB, Forefront UAG always uses IP affinity. The following procedure describes how to set the stickiness time-out.

To configure the affinity stickiness time-out

  1. On the array manager server, open the Forefront UAG Management console.

  2. On the Forefront UAG server, open Registry Editor.

  3. Navigate to HKEY_LOCAL_MACHINE\Software\WhaleCom\e-Gap\Von\Configuration.

  4. Create a DWORD value NlbStickiness and set the value to a setting between 0 and 30 minutes. If you do not create this registry key and enter a value, a default of 30 minutes is applied.

  5. In the Forefront UAG Management console, activate the configuration.

Next Steps

After you begin working with your deployed array, you can manage array members, and monitor their status, using the Forefront UAG Web Monitor. For more information, see Administering arrays.