deth1k wrote: » Are you allowing DNS?
Everyone wrote: » Is there a proxy between the firewall and the web servers? I had a pair of servers set up with NLB once, and this stupid proxy blocked traffic to the virtual IP for the NLB cluster. If I changed the firewall rule to go to either server's IP individually, it worked. If the proxy was turned off, it would work using the virtual IP. If you can't access it from the virtual IP anywhere, then NLB probably isn't configured properly.
higherho wrote: » My firewall is not configured to act as a proxy. I will have to check with the network guys from our other team (our network is segregated from theirs but we use their external connection).
higherho wrote: » When I try to access the web site I don't see the packets building as the virtual IP but instead an IP that is associated with the web traffic NIC. I just find it extremely odd that I can access any other web page fine.
Everyone wrote: » Right, this proxy was another box that was in between the firewall and the rest of the network. In my case it was an ISA firewall, and a St. Bernard proxy. I didn't have access to the proxy. Guy who did have access couldn't find any reason for it to block it, it just didn't want to play nice with NLB. If the traffic isn't going to the virtual IP, then NLB isn't going to work. Each server should have both their own unique IP, and the virtual IP that they share. If you can get the website to come up by going to the unique IP, but not the shared virtual IP, then either NLB isn't configured properly, or IIS isn't configured properly. If you can ping the shared virtual IP, then the problem is most likely IIS.
Do the websites happen to be VMs? If they are, and running on different ESX hosts, there's some configuration that has to be done in vSphere for Windows NLB to work between VMs.
higherho wrote: » I appreciate your help Everyone! Each web server has two NICs, one connected to a 114 network and the web traffic NIC / load balancer on a 116 network. The virtual IP is configured on each web server's load balance NIC. When you say ping the virtual IP, do you mean ping the virtual IP from the IIS boxes themselves? If so I am able to ping that IP on each box. I can also ping the IP from other domains as well. I've tried going to the website with its unique IP (the web site's IP I assume you are talking about?) and I'm still unable to go to it. I get "Internet Explorer cannot display the webpage". No VMs in this environment. No the websites are
Everyone wrote: » The web traffic NIC should have 2 IPs bound to it on each server. Unique IP and shared IP (the virtual IP/ NLB IP). The 2nd (private) NIC should be for heartbeat traffic only, it should not have a gateway configured on it, and it should have only 1 IP bound to it.
In IIS on each server, they need to be configured to respond to requests on the appropriate IP(s) and ports. A record in DNS for the website should point to the load balanced IP (the one that all these web servers share). So someone trying to browse to www.website.com should connect to the NLB IP. Firewall should be passing traffic to that IP.
The domain that the web servers are sitting in has a host A record in DNS (within the forward lookup zone of the domain) with that virtual IP associated to it. The FQDN of the host A record is the name of the NLB.
Everyone wrote: » If you browse to Server A's public IP (the unique one, not the shared one), as long as IIS is answering on that IP, something should come up. Same for Server B, etc. If nothing comes up, problem is with IIS.
Would IIS block me from visiting an external website though? These servers do not have public IPs associated to them (the websites on the box do though). Any traffic going out to the web goes to the firewall and out through our firewall's external interface with the public IP that is associated to it.
Everyone wrote: » If you can ping the NLB IP (the one that is shared between all of them), but not access the website using that address, then the problem is with IIS. If you can't ping it, then the problem is with NLB (or like I said something weird like a proxy sitting between the firewall and network).
higherho wrote: I'm trying to hit someone else's website with these two servers (outside of our network). This isn't about the local websites on the boxes themselves.
Everyone wrote: » Sounds like DNS is configured on the wrong NIC. Heartbeat NIC doesn't need DNS, the other NIC should have that. Ok that changes things a lot, I must have misunderstood or overlooked that. NLB is inbound only. All outbound traffic will come from the unique public IP of each server, it will NEVER come from the NLB IP. So your firewall needs to allow traffic from Server A AND Server B's IP to whatever the destination is, etc.
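A PowerShell audit, added here and not taken from the thread, that checks the NIC layout Everyone describes (web NIC carries the dedicated IP plus the shared VIP, with gateway and DNS; heartbeat NIC has one IP and neither) and then shows which address an outbound connection is actually sourced from, since that is the address the firewall must allow. The adapter names, the VIP and the target host are placeholders to adjust for your environment.

```powershell
# Added example: audit an NLB member's NIC layout and outbound source address.
# Placeholder values (assumptions): rename to match the server being checked.
$WebNic       = 'Web'          # NIC on the 116 network: dedicated IP + NLB VIP
$HeartbeatNic = 'Heartbeat'    # NIC on the 114 network: one IP, no gateway, no DNS
$NlbVip       = '192.0.2.116'  # placeholder VIP (documentation range)
$Target       = 'www.example.com'

function Get-NicFacts([string]$Name) {
    $adapter = Get-NetAdapter -Name $Name
    [pscustomobject]@{
        Name    = $Name
        IPs     = @(Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 |
                    Select-Object -ExpandProperty IPAddress)
        Gateway = @(Get-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' `
                    -ErrorAction SilentlyContinue | Select-Object -ExpandProperty NextHop)
        Dns     = @((Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                    -AddressFamily IPv4).ServerAddresses)
    }
}

$web = Get-NicFacts $WebNic
$hb  = Get-NicFacts $HeartbeatNic
$findings = @()

# Web NIC: dedicated IP and the shared VIP, plus a gateway and DNS so outbound works.
if ($web.IPs -notcontains $NlbVip) { $findings += "Web NIC is missing the NLB VIP $NlbVip" }
if ($web.IPs.Count -lt 2)          { $findings += "Web NIC should carry the dedicated IP and the VIP" }
if (-not $web.Gateway)             { $findings += "Web NIC has no default gateway" }
if (-not $web.Dns)                 { $findings += "Web NIC has no DNS servers configured" }

# Heartbeat NIC: exactly one IP, no gateway, no DNS.
if ($hb.IPs.Count -ne 1) { $findings += "Heartbeat NIC should have exactly one IP" }
if ($hb.Gateway)         { $findings += "Heartbeat NIC has a default gateway ($($hb.Gateway -join ','))" }
if ($hb.Dns)             { $findings += "Heartbeat NIC has DNS servers configured" }

# NLB is inbound only: outbound connections leave from the dedicated IP, never the VIP.
$probe = Test-NetConnection -ComputerName $Target -Port 80 -WarningAction SilentlyContinue
$source = $probe.SourceAddress.IPAddress
if ($source -eq $NlbVip) { $findings += "Outbound traffic sourced from the VIP; this is unexpected" }
"Outbound to $Target uses source $source (TCP reachable: $($probe.TcpTestSucceeded))"
"Allow $source (and each other member's dedicated IP) outbound on the firewall"
if ($findings) { $findings } else { "No NIC layout findings" }
```

Run it on each cluster member; the source address it prints for each box is the one that needs an outbound rule, not the shared NLB IP.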