Sharing ISPs

I have an SBS 2003 server and several public Internet access paths. The
server is my firewall, running ISA 2004. I would like some guidance on how
to set up two broadband access methods. (I also have dialup for emergencies,
FWIW.)

I would like to see the server use the fastest path to any given server, but
to back off traffic onto the other ISP if one connections approaches
saturation. Naturally, if one connection fails, all traffic should go
through the other one. Ideally, if one connection saturates with traffic to
a single server, some traffic should be routed to the other ISP.

Optionally, if both fail, use the dialup! But lets not consider this option
for now...

Is this supported? Any guidance appreciated.

Thanks!

 

You will need to get yourself a perimeter device with multiple WAN
interfaces that can handle load balancing & failover. I don't know that
you'll be able to use ISA with that, but I may be wrong.

You will also need to be careful about your DNS & MX records, etc. - inbound
access can be tricky with multiple WAN links.

 

Nope.
It won't.
Ain't never gonna happen.

You need an upstream routing device of some sort that will make those
routing choices. That's what Lanwench is getting at.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.

 

There are a number of dual WAN routers out there that may do everything you
want.

 

I can't believe my eyes! So many replies say "can't be done!"

Ok, first, I'm not worried about in-bound connections. Although, even that
would be easier than some responders would imply.

Anyway, I thought SBS meant "Small Business Server," the single platform
solution to all the needs of a small business. I'm not asking about "Big
Business Server Facility" where we have separate RAS, Exchange, Web, etc.,
platforms and all the fancy hardware that goes with it.

At the very least I should be able to attach two external NICs and set the
default route merit values to favor the faster ISP. I'm just asking here
because this must be a common scenario that can be more smartly handled by
ISA/RRAS. Am I the first to consider this "small" approach?

My thanks to all who took the time to respond.

 

Not at all. However, what you requested can't be done without additional
hardware.

Well, for one thing, SMTP is an "inbound connection" - and that's pretty
important to most people. It can be dealt with, but it's more complex.

Salespeople and marketing departments would like you to think so, but it
ain't necessarily so.

No, but you seem to be the first who thinks it's possible without additional
hardware.

 

one of the routers with two WAN interfaces will handle this. I think there's
even one, at least, out there that will do 2 ethernet WANs and dialup.

 

Hi rg:

Your idea sounds interesting in concept. Not sure if its doable. We know
there exists dual WAN routers, so failover should work, but to have enough
intelligence that the router tests the speed of the route on every request,
not just on one connection but on two, seems to me to be wishing for more
than is possible. By the time the two tests were made, the results
compared, the conditions may have changed and forced another comparison, by
which time..... you may begin to see a pattern here.

I suspect that if it is doable it would be by some edge device with a
relatively huge price tag, and the money may be better spent in finding a
bigger pipe to the internet with a carrier that will assure you of the
fewest controllable bottlenecks and very reliable public DNS.

BTW, always interested in new terminology.... what are "public Internet
access paths", in the context you are using it here? How would that differ
from "private Internet access paths"?

 

Hi rg:

Your idea sounds interesting in concept. Not sure if its doable. We know
there are dual WAN routers, so failover should work, but to have enough
intelligence that the router tests the speed of the route on every request,
not just on one connection but on two, seems to me to be wishing for more
than is possible. By the time the two tests were made, the results
compared, the conditions may have changed and forced another comparison, by
which time..... you may begin to see a pattern here.

I suspect that if it is doable it would be by some edge device with a
relatively huge price tag, and the money may be better spent in finding a
bigger pipe to the internet with a carrier that will assure you of the
fewest controllable bottlenecks and very reliable public DNS.

BTW, always interested in new terminology.... what are "public Internet
access paths", in the context you are using it here? How would that differ
from "private Internet access paths"?

 

There's marketing,...then there is the real world. It is "Small Business"
because of the limitations built into it. It doesn't meet *all* needs of a
small business,...it meets the needs it was designed to meet,...there is a
big difference there.

The duel ISP thing has nothing to do with SBS. SBS is not a Server, not a
"Router",...when you add ISA to it you have a Firewall and a simple "low
end" LAN Router.

The newer "home user" NAT Boxes have been incorporating line failover for
may a year or so. Commercial grade Routers have always been able to do this
but they do it with Dynamic Routing Protocols like RIP, IGRP, OSPF, etc.

Without an upstream device built to handle this you are stuck with the
abilities built into Windows,...and ISA just depends on Windows for that.
It is clunky, undependable, and not likely to satisfy what you are looking
for,...hence why we hardly ever mention it and the standard answer is "No
you can't do that".

I couldn't verify it with these articles, but the multiple Gateways may need
to be on the same subnet on the same Nic,...which is not going to happen
with two ISPs.
Here's the links if you want to "punish" yourself with trying this:

128978 - Dead Gateway Detection in TCP/IP for Windows NT
http://support.microsoft.com/default.aspx?scid=kb;EN-US;128978

171564 - TCP/IP Dead Gateway Detection Algorithm Updated for Windows NT
http://support.microsoft.com/default.aspx?scid=kb;EN-US;171564


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

"several public Internet access paths" means I have two independent ISPs. I
shouldn't be so vague... <G> Sorry.

 

I have succeeded in using two ISPs by setting the default gateway merit for
the faster ISP below the one for the slower. I then added some of the slower
ISP's networks to the routing table using a merit value that was below
either default gateway, but pointing to his gateway.

This seems to work very well since I can use tracert to see which gateway is
being used for any specific destination. All I had to do was re-run the SBS
connection wizard to make ISA accept this scenario without complaining!

Those URLs you provided seem to indicate that the problem of one ISP failing
is already taken care of. They also explain why the default route
mysteriously changes by itself if I don't set the merit values far enough
apart. THANKS!

Now if only I could dynamically "bump" the default route for every third
outgoing TCP connection request (SYN flag set) to send it out the slower ISP
to do some load sharing. This simple feat alone would go a long way in
improving my total bandwidth while avoiding extra equipment purchases. That
is the purpose of my posting to this forum.

 

In

You meant "METRIC," not MERIT, in the following sentence:
"> I have succeeded in using two ISPs by setting the default gateway
merit..."

There used to be a product that does exactly this specifically for ISA
called Rainwall RainConnect (by EMC), however it was discontinued back in
2006. One of the alternatives, which I have not used but heard about, is
Radware's Linkproof.

Another thing to consider load balancing ISPs is if you are hosting mail
internally. Make sure you set an additional MX record for the domain. You
can either load balance them wtih the same weight, or make one higher than
the other.

However if you are offering external access to SBS' "My Company" portal,
you have to choose one or the other. Another way around it is to add an
additional host for the other line, so if one is down, instruct your users
to use the other. No point in changing the public record when one ISP goes
down because by the time it propogates to the rest of the world, the ISP
would have the line back up.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.

 

And so you can yank the network cable on the "external" side of the
functioning NAT box and it switches to the other link? Note, I said the
external side,...because you want the NAT box "itself" to still respond to
the SBS. Bet it does work because the from the SBS view of things the link
is still up because the NAT box is still alive and all the Dead-Gateway
detection cares about is the first "hop" as far as I know.

Never gonna happen.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

Meant,..."Bet it does *not* work..."

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

Any existing connections through the disconnected ISP would fail.

Correct! I realized immediately upon posting that the SYN flag can't be used
to influence routing without adding complicated connection tracking to the
router - not the job of the router.

But what WOULD work is to use the source port value. And as I researched
this I found that's exactly how MS NLB does it. Of course, NLB is for
incoming traffic only - for now. <G>

 

Yes, but it would not jump to the other path because the current "gateway"
is not dead (the "break" is *upstream* from it).

Yes, I think you are getting the point I'm trying to make. Although it *is*
the job of a router because Dynamic Routing Protocols that interact between
the routers that cover multiple redundant pathes to the same destination
will take care of this. What this is not the job of is the Windows OS or a
Firewall Product like ISA Server.

Now with that said some of the later hardware firewalls have mechanism to
handle this that didn't used to exist. Perhaps a future version of ISA will
as well,...but for now it does not. Some of the "home user" NAT Boxes have
this ability to but they are not doing it with traditional Dynamic Routing
Protocols,...so they are using some other method.

Dynamic Routing Protocols need all the involved routers to work together
which means all the the redundant paths have to be under the control of the
same provider,...unless by some miracle two different ISP's would cooperate
together to make it happen.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------