Sharing ISPs

Discussion in 'Server Networking' started by rg, Jan 16, 2009.

  1. rg

    rg Guest

    I have an SBS 2003 server and several public Internet access paths. The
    server is my firewall, running ISA 2004. I would like some guidance on how
    to set up two broadband access methods. (I also have dialup for emergencies,
    FWIW.)

    I would like to see the server use the fastest path to any given server, but
to back off traffic onto the other ISP if one connection approaches
    saturation. Naturally, if one connection fails, all traffic should go
    through the other one. Ideally, if one connection saturates with traffic to
    a single server, some traffic should be routed to the other ISP.

Optionally, if both fail, use the dialup! But let's not consider this option
    for now...

    Is this supported? Any guidance appreciated.

    Thanks!
     
    rg, Jan 16, 2009
    #1

  2. You will need to get yourself a perimeter device with multiple WAN
    interfaces that can handle load balancing & failover. I don't know that
    you'll be able to use ISA with that, but I may be wrong.

    You will also need to be careful about your DNS & MX records, etc. - inbound
    access can be tricky with multiple WAN links.
     
    Lanwench [MVP - Exchange], Jan 16, 2009
    #2

  3. Nope.
    It won't.
    Ain't never gonna happen.

    You need an upstream routing device of some sort that will make those
    routing choices. That's what Lanwench is getting at.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
     
    Phillip Windell, Jan 16, 2009
    #3
  4. SteveB

    SteveB Guest

    There are a number of dual WAN routers out there that may do everything you
    want.
     
    SteveB, Jan 16, 2009
    #4
  5. rg

    rg Guest

    I can't believe my eyes! So many replies say "can't be done!"

    Ok, first, I'm not worried about in-bound connections. Although, even that
    would be easier than some responders would imply.

    Anyway, I thought SBS meant "Small Business Server," the single platform
    solution to all the needs of a small business. I'm not asking about "Big
    Business Server Facility" where we have separate RAS, Exchange, Web, etc.,
    platforms and all the fancy hardware that goes with it.

    At the very least I should be able to attach two external NICs and set the
    default route merit values to favor the faster ISP. I'm just asking here
    because this must be a common scenario that can be more smartly handled by
    ISA/RRAS. Am I the first to consider this "small" approach?

    My thanks to all who took the time to respond.
     
    rg, Jan 17, 2009
    #5
  6. Not at all. However, what you requested can't be done without additional
    hardware.
    Well, for one thing, SMTP is an "inbound connection" - and that's pretty
    important to most people. It can be dealt with, but it's more complex.
    Salespeople and marketing departments would like you to think so, but it
    ain't necessarily so.
    No, but you seem to be the first who thinks it's possible without additional
    hardware.
     
    Lanwench [MVP - Exchange], Jan 17, 2009
    #6
  7. one of the routers with two WAN interfaces will handle this. I think there's
    even one, at least, out there that will do 2 ethernet WANs and dialup.
     
    SuperGumby [SBS MVP], Jan 17, 2009
    #7
  8. Hi rg:

    Your idea sounds interesting in concept. Not sure if it's doable. We know
    there exists dual WAN routers, so failover should work, but to have enough
    intelligence that the router tests the speed of the route on every request,
    not just on one connection but on two, seems to me to be wishing for more
    than is possible. By the time the two tests were made, the results
    compared, the conditions may have changed and forced another comparison, by
    which time..... you may begin to see a pattern here.

    I suspect that if it is doable it would be by some edge device with a
    relatively huge price tag, and the money may be better spent in finding a
    bigger pipe to the internet with a carrier that will assure you of the
    fewest controllable bottlenecks and very reliable public DNS.

    BTW, always interested in new terminology.... what are "public Internet
    access paths", in the context you are using it here? How would that differ
    from "private Internet access paths"?
     
    Larry Struckmeyer [SBS-MVP], Jan 18, 2009
    #8
  10. There's marketing,...then there is the real world. It is "Small Business"
    because of the limitations built into it. It doesn't meet *all* needs of a
    small business,...it meets the needs it was designed to meet,...there is a
    big difference there.

    The dual ISP thing has nothing to do with SBS. SBS is not a Server, not a
    "Router",...when you add ISA to it you have a Firewall and a simple "low
    end" LAN Router.

    The newer "home user" NAT Boxes have been incorporating line failover for
    maybe a year or so. Commercial grade Routers have always been able to do this
    but they do it with Dynamic Routing Protocols like RIP, IGRP, OSPF, etc.

    Without an upstream device built to handle this you are stuck with the
    abilities built into Windows,...and ISA just depends on Windows for that.
    It is clunky, undependable, and not likely to satisfy what you are looking
    for,...hence why we hardly ever mention it and the standard answer is "No
    you can't do that".

    I couldn't verify it with these articles, but the multiple Gateways may need
    to be on the same subnet on the same Nic,...which is not going to happen
    with two ISPs.
    Here are the links if you want to "punish" yourself with trying this:

    128978 - Dead Gateway Detection in TCP/IP for Windows NT
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;128978

    171564 - TCP/IP Dead Gateway Detection Algorithm Updated for Windows NT
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;171564


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 19, 2009
    #10
  11. rg

    rg Guest

    "several public Internet access paths" means I have two independent ISPs. I
    shouldn't be so vague... <G> Sorry.
     
    rg, Jan 22, 2009
    #11
  12. rg

    rg Guest

    I have succeeded in using two ISPs by setting the default gateway merit for
    the faster ISP below the one for the slower. I then added some of the slower
    ISP's networks to the routing table using a merit value that was below
    either default gateway, but pointing to his gateway.

    This seems to work very well since I can use tracert to see which gateway is
    being used for any specific destination. All I had to do was re-run the SBS
    connection wizard to make ISA accept this scenario without complaining!

    Those URLs you provided seem to indicate that the problem of one ISP failing
    is already taken care of. They also explain why the default route
    mysteriously changes by itself if I don't set the merit values far enough
    apart. THANKS!

    Now if only I could dynamically "bump" the default route for every third
    outgoing TCP connection request (SYN flag set) to send it out the slower ISP
    to do some load sharing. This simple feat alone would go a long way in
    improving my total bandwidth while avoiding extra equipment purchases. That
    is the purpose of my posting to this forum.
     
    rg, Jan 22, 2009
    #12
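The routing table rg describes, as an added example that is not from the thread or from any Microsoft documentation: a small Python model of how a host chooses a next hop (longest matching prefix first, lowest metric as the tie-breaker), the equivalent persistent Windows `route` commands, and the effect of one gateway being treated as dead. The gateway addresses and the "slower ISP network" are constructed from the RFC 5737 documentation ranges; they are placeholders, not the poster's providers.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed addresses from the RFC 5737 documentation ranges; not the poster's real ISPs.
FAST_GW = "192.0.2.1"      # hypothetical gateway handed out by the faster ISP
SLOW_GW = "198.51.100.1"   # hypothetical gateway handed out by the slower ISP


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    metric: int

    def as_windows_command(self) -> str:
        """The persistent Windows command for this entry: route -p ADD dest MASK mask gw METRIC n."""
        return "route -p ADD %s MASK %s %s METRIC %d" % (
            self.prefix.network_address, self.prefix.netmask, self.gateway, self.metric)


# The table described in the post: both default routes present, the faster ISP at the
# lower (preferred) metric, plus one of the slower ISP's own networks pinned to its gateway.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), FAST_GW, 10),
    Route(ipaddress.ip_network("0.0.0.0/0"), SLOW_GW, 20),
    Route(ipaddress.ip_network("203.0.113.0/24"), SLOW_GW, 1),  # constructed "slower ISP network"
]


def select_gateway(dest: str, routes: List[Route] = ROUTES,
                   dead: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Next-hop lookup as a host performs it: the longest matching prefix wins, and the
    lowest metric breaks ties between equal prefixes. `dead` models a gateway that
    dead-gateway detection has marked unusable; routes through it are skipped, which
    approximates the failover the KB articles in the thread describe."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.prefix and r.gateway not in dead]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.gateway


def windows_commands(routes: List[Route] = ROUTES) -> List[str]:
    """Render the table as the commands one would type at cmd.exe on the SBS box. In practice
    the two default routes come from each external NIC's configuration; the specific prefix
    is the entry added by hand."""
    return [r.as_windows_command() for r in routes]


if __name__ == "__main__":
    for cmd in windows_commands():
        print(cmd)
    print("203.0.114.5 ->", select_gateway("203.0.114.5"))   # default route, faster ISP
    print("203.0.113.7 ->", select_gateway("203.0.113.7"))   # pinned prefix, slower ISP
    print("203.0.114.5 with fast gateway dead ->",
          select_gateway("203.0.114.5", dead=frozenset({FAST_GW})))
```

The pinned prefix reaches the slower ISP because prefix length is compared before metric; the metric only decides between the two default routes, and a lower metric on the specific entry is not what makes it win. The model also shows why a dead default gateway moves only the traffic that matched no specific route.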
  13.

    You meant "METRIC," not MERIT, in the following sentence:
    "> I have succeeded in using two ISPs by setting the default gateway
    merit..."

    There used to be a product that does exactly this specifically for ISA
    called Rainwall RainConnect (by EMC), however it was discontinued back in
    2006. One of the alternatives, which I have not used but heard about, is
    Radware's Linkproof.

    Another thing to consider when load balancing ISPs is if you are hosting mail
    internally. Make sure you set an additional MX record for the domain. You
    can either load balance them with the same weight, or make one higher than
    the other.

    However if you are offering external access to SBS' "My Company" portal,
    you have to choose one or the other. Another way around it is to add an
    additional host for the other line, so if one is down, instruct your users
    to use the other. No point in changing the public record when one ISP goes
    down because by the time it propagates to the rest of the world, the ISP
    would have the line back up.


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly.
    Please check http://support.microsoft.com for regional support phone
    numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Jan 22, 2009
    #13
  14. And so you can yank the network cable on the "external" side of the
    functioning NAT box and it switches to the other link? Note, I said the
    external side,...because you want the NAT box "itself" to still respond to
    the SBS. Bet it does work because from the SBS view of things the link
    is still up because the NAT box is still alive and all the Dead-Gateway
    detection cares about is the first "hop" as far as I know.
    Never gonna happen.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 22, 2009
    #14
  15. Meant,..."Bet it does *not* work..."

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 22, 2009
    #15
  16. rg

    rg Guest

    Any existing connections through the disconnected ISP would fail.
    Correct! I realized immediately upon posting that the SYN flag can't be used
    to influence routing without adding complicated connection tracking to the
    router - not the job of the router.

    But what WOULD work is to use the source port value. And as I researched
    this I found that's exactly how MS NLB does it. Of course, NLB is for
    incoming traffic only - for now. <G>
     
    rg, Jan 26, 2009
    #16
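The per-connection splitting rg settles on, as an added example that is not code from the thread or from Microsoft NLB: hashing a connection's addresses and ports into a weighted bucket keeps every packet of a flow on the same link without any connection tracking, while the SYN-counting scheme first proposed leaves a diverted connection's data packets on the default link. It goes slightly beyond the post by hashing the whole 5-tuple rather than the source port alone. Link names and the traffic sample are constructed, not captured.

```python
import hashlib
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)
LINKS = ("ISP-A", "ISP-B")  # constructed link names, not the poster's providers


def hash_link(flow: Flow, weights: Tuple[int, ...] = (2, 1)) -> str:
    """Per-flow selection: hash the 5-tuple into a weighted bucket. Every packet of a
    connection carries the same tuple, so every packet lands on the same link and the
    router keeps no connection state. weights=(2, 1) sends about one third of new
    connections out the second link, the split asked for in the thread."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % sum(weights)
    for link, weight in zip(LINKS, weights):
        if bucket < weight:
            return link
        bucket -= weight
    raise RuntimeError("bucket out of range")  # unreachable: bucket < sum(weights)


def syn_counter_links(packets: Iterable[Tuple[Flow, bool]], every_n: int = 3) -> List[str]:
    """The scheme first proposed in the thread: divert every Nth SYN to the second link.
    Only SYNs are counted; data segments carry no SYN flag, so they take the default link
    and a diverted connection ends up split across both ISPs."""
    out: List[str] = []
    syn_seen = 0
    for _flow, is_syn in packets:
        if is_syn:
            syn_seen += 1
            out.append(LINKS[1] if syn_seen % every_n == 0 else LINKS[0])
        else:
            out.append(LINKS[0])
    return out


def hashed_links(packets: Iterable[Tuple[Flow, bool]]) -> List[str]:
    """Per-flow selection applied to every packet, SYN or not."""
    return [hash_link(flow) for flow, _ in packets]


def links_per_flow(packets: List[Tuple[Flow, bool]], links: List[str]) -> Dict[Flow, Set[str]]:
    """Which links each connection's packets used. A stateful device on the far side only
    sees a coherent connection when every flow maps to exactly one link."""
    seen: Dict[Flow, Set[str]] = defaultdict(set)
    for (flow, _), link in zip(packets, links):
        seen[flow].add(link)
    return dict(seen)


def sample_packets(n_flows: int = 3) -> List[Tuple[Flow, bool]]:
    """Constructed traffic: n_flows TCP connections from one LAN host, each a SYN followed
    by two data segments (RFC 5737 addresses; not captured traffic)."""
    packets: List[Tuple[Flow, bool]] = []
    for i in range(n_flows):
        flow: Flow = ("192.0.2.10", 49152 + i, "203.0.113.%d" % (i % 254 + 1), 443, "tcp")
        packets += [(flow, True), (flow, False), (flow, False)]
    return packets


def share_on_second_link(n_flows: int = 3000) -> float:
    """Fraction of constructed flows the hash sends out the second link (expected near 1/3)."""
    counts = Counter(hash_link(f) for f, is_syn in sample_packets(n_flows) if is_syn)
    return counts[LINKS[1]] / n_flows


if __name__ == "__main__":
    pk = sample_packets(3)
    print("SYN counter:", links_per_flow(pk, syn_counter_links(pk)))
    print("5-tuple hash:", links_per_flow(pk, hashed_links(pk)))
    print("share of flows on second link: %.3f" % share_on_second_link())
```

Source-address-based NAT is the other half of the problem the thread skirts: whichever link a flow is hashed onto, its packets must be translated to that ISP's address, or the return traffic arrives on the wrong link. The hash keeps that mapping stable for the life of the connection, which is exactly what a per-packet or per-SYN split cannot do.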
  17. Yes, but it would not jump to the other path because the current "gateway"
    is not dead (the "break" is *upstream* from it).
    Yes, I think you are getting the point I'm trying to make. Although it *is*
    the job of a router because Dynamic Routing Protocols that interact between
    the routers that cover multiple redundant paths to the same destination
    will take care of this. What this is not the job of is the Windows OS or a
    Firewall Product like ISA Server.

    Now with that said some of the later hardware firewalls have mechanisms to
    handle this that didn't used to exist. Perhaps a future version of ISA will
    as well,...but for now it does not. Some of the "home user" NAT Boxes have
    this ability too, but they are not doing it with traditional Dynamic Routing
    Protocols,...so they are using some other method.

    Dynamic Routing Protocols need all the involved routers to work together
    which means all the redundant paths have to be under the control of the
    same provider,...unless by some miracle two different ISPs would cooperate
    together to make it happen.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 26, 2009
    #17