Dual ISA server?

Just wondering if anyone has two ISA servers for redundancy reasons. We currently have one and use it just as an Internet proxy server.

Reading up on it, Enterprise seems a lot better with CARP and a single management console etc. However, checking the price, Standard is £400 whereas Enterprise is £4,000!

Does anyone run two Standard ISA servers? I assume it still works, just not as well?
 
Does anyone run two Standard ISA servers? I assume it still works, just not as well?

Yes and yes.

We have three ISA arrays in our production environment, three in the pre-prod environment and one array in the development environment (long story). Does the job and no real complaints.
 
You could just run two Standard ISA servers and use NLB. It would be cheaper, but your logs would be dispersed between the two.

I run ours in VMware for failover; it would probably be cheaper than £8k!
 
If it's just being used as a proxy, why not look at using WPAD or a PAC file?
We use a PAC file from a network share, and have it set via GPO.

As iand says, your logs would be dispersed, but it comes at the cost of an hour or so's work.

However, a WPAD/PAC file is never going to load balance like NLB, but you could set it so that half your subnets go to one server, and the other half to the other.
You can even set it to automatically fail over to the other server if there is an issue.

This would work nicely for logging if your users are fairly sedentary, as their logs would be on one server. Roaming users would have their logs spread, however.

If you're considering it, I can post my PAC file to give you some pointers.
 
Thanks for the info. I guess the problem with NLB / PAC files is that if one ISA server goes down I'll need to manually repoint them to the working server.

Bit meh to have to update the config manually on two servers, as I know someone in the dept will forget!

But I guess it saves £8K! And yes, logging will be a pain. The PAC file would be cool if you don't mind... email in trust.
 
I'll post it here so everyone can have a look.

There is no need to change anything to have it fail over; people may need to close their browser and open it again so it re-reads the PAC file, but that is all.

One thing to note below: it's easiest to set variables for your proxy IPs at the start and call them when necessary. We couldn't do that as we have to use an old version of Java for particular apps, and it just couldn't handle the variables.

Any questions, just post away.

My anonymised PAC file:
function FindProxyForURL(url, host)
{
    // If the name has no dots (a plain intranet host name), don't use the proxy
    if (isPlainHostName(host))
        return "DIRECT";

    // Localhost entries
    if (shExpMatch(url, "http://127.0.0.1*") ||
        shExpMatch(url, "https://127.0.0.1*") ||
        shExpMatch(url, "http://localhost*") ||
        shExpMatch(url, "https://localhost*"))
        return "DIRECT";

    // Other direct access sites/servers (the internal domain and one external site that bypass the proxy)
    if (shExpMatch(url, "http://*.domain.xxx.xxx.uk*") ||
        shExpMatch(url, "https://www.madeupsite.com/*"))
        return "DIRECT";

    // Proxy for Site1 subnets: Site1 proxy first, Site2 proxy as the automatic failover
    // (the browser moves on to the next "PROXY" entry when the first one cannot be reached)
    if (isInNet(myIpAddress(), "192.168.139.0", "255.255.255.0") ||
        isInNet(myIpAddress(), "10.210.120.0", "255.255.248.0") ||
        isInNet(myIpAddress(), "10.210.128.0", "255.255.248.0") ||
        isInNet(myIpAddress(), "192.168.100.0", "255.255.255.0") ||
        isInNet(myIpAddress(), "192.168.29.0", "255.255.255.128"))
        return "PROXY 10.210.121.147:8080; PROXY 10.210.137.9:8080";

    // Proxy for Site2 subnets: same two proxies, the other way round
    if (isInNet(myIpAddress(), "10.210.136.0", "255.255.248.0"))
        return "PROXY 10.210.137.9:8080; PROXY 10.210.121.147:8080";

    // Last chance saloon: anything else goes direct
    return "DIRECT";
}
 
I'm very interested in this post.

I have just had a 2-day course on ISA and a 1-day course on Websense, and it looks like I'm getting the job of installing it for our organisation: approx 5,000 users, split across a private WAN, with two internet feeds coming into different parts of the network (a north/south divide, if you will). This is only going to be used as a web proxy, since we have proper Juniper NetScreen devices for our perimeter security.

Currently thinking along the lines of having a 2-node array using NLB at the primary datacentre site, and a 2-node array using NLB at the backup datacentre site. Then we're thinking of using Group Policy to set the browser proxy settings to 'north; south' and 'south; north' dependent upon where you are within the organisation.

I think we are going to go with either dedicated hardware, or possibly down the appliance route. My preference for this application is not to virtualise. I'm keen to hear from as many people as possible about their implementations and any lessons learnt.

I am particularly interested in any ARP issues you had using the Microsoft NLB, what switching equipment you use, and which route you went down to resolve the issue, i.e. static ARP entries on the switches or whether you had any resolution from Microsoft.

I'm also interested in how you have handled fault tolerance upstream. For example, if you NLB the 'inside' connection, how does that know if there has been a failure in the 'outside' connection? I know you could mash together a script to do an upstream ping and to stop the firewall services in the event of a failure, but this isn't hugely elegant.

Looking forward to some interesting posts here! :)
 