How to configure Network Load Balancing to work with IPsec (820752)


The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition

SUMMARY

This article describes how to configure your Microsoft Windows Server 2003 Network Load Balancing (NLB) cluster to accept Internet Protocol security (IPsec) traffic on your network. Use this procedure if you want to use your NLB cluster to receive virtual private network (VPN) traffic. This configuration helps to improve end-to-end security between clients and servers.

MORE INFORMATION

Create the cluster and configure the Internet Protocol (IP) properties of NLB for use with a VPN

To correctly configure the IP properties of NLB for use with a VPN, follow these steps:
  1. On the first node that you want to configure for NLB, click Start, click Run, type ncpa.cpl, and then click OK.
  2. Right-click the network adaptor that you want to load balance, and then click Properties.
  3. To enable NLB, click to select the Network Load Balancing check box on the General tab.

    Note If NLB is not listed, click Install, click Service, click Add, click Network Load Balancing in the Network Service column, and then click OK.
  4. Click Internet Protocol (TCP/IP) on the General tab, and then click Properties.

    Note When you click Internet Protocol (TCP/IP), make sure that you do not clear the check box.
  5. Click Use the following IP address.
  6. Assign only the cluster virtual IP address and subnet mask to the network adaptor, and then click OK. Note that the IP address and subnet mask will be the same on every node of the cluster.
  7. Click Close, and then exit the Network Connections dialog box.
  8. Start Network Load Balancing Manager. To do this, click Start, point to All Programs, point to Administrative Tools, and then click Network Load Balancing Manager.
  9. Right-click Network Load Balancing Clusters, and then click New Cluster.
  10. Under Cluster IP configuration, specify the virtual IP address of the cluster, the subnet mask, and the full Internet name for the cluster. Note that the full Internet name is the Domain Name System (DNS) name for the cluster.
  11. Under Cluster operation mode, configure the cluster operation mode for either unicast or multicast.
  12. Click Next.
  13. In the Cluster IP Addresses dialog box, click Next.
  14. In the Port Rules dialog box, click Next.
  15. In the Connect dialog box, type the name of the node that will be part of the cluster in the Host box, and then click Connect.
  16. Under Interfaces available for configuring a new cluster, click the interface on the host that is set to the virtual IP address of the cluster, and then click Next.
  17. In the Host Parameters dialog box, verify the following:
    • In the Priority (unique host identifier) box, the host priority is a unique number in the cluster.
    • Under Dedicated IP configuration, the dedicated IP address and the subnet mask fields are empty.
  18. Click Finish.
  19. Repeat steps 1 through 7 on each additional node that you want to add to the NLB cluster.
  20. Add the hosts to the cluster by using the Network Load Balancing Manager tool. To do this, start the tool on the first node of the cluster, right-click the cluster where you want to add the host, and then click Add Host To Cluster.
  21. In the Connect dialog box, type the name of the host that you want to add in the Host box, and then click Connect.
  22. Under Interfaces available for configuring a new cluster, click the interface on the host that is set to the virtual IP address of the cluster, and then click Next.
  23. In the Host Parameters dialog box, verify the following:
    • In the Priority (unique host identifier) box, the host priority is a unique number in the cluster.
    • Under Dedicated IP configuration, the dedicated IP address and the subnet mask fields are empty.
  24. Click Finish.

    Note You may have to click Refresh on the Cluster menu to update the configuration changes.

Permit the NLB cluster to accept IPsec traffic

To permit the NLB cluster to accept IPsec traffic, follow these steps:
  1. Make sure that your IPsec policy includes the shared Internet Protocol (IP) address or the host name of the cluster.
  2. On a cluster node, start Network Load Balancing Manager, and then connect to the cluster.
  3. In the left pane, right-click the cluster, and then click Cluster Properties.
  4. Add a port rule that permits User Datagram Protocol (UDP) traffic on port 500 and on port 4500 if one is not already configured. To do this, follow these steps:
    1. Click the Port Rules tab, and then click Add.
    2. In the From list, type 500, and then type 4500 in the To list.

      Note You must permit UDP traffic both on port 500 and on port 4500 in the same port rule. You cannot create a separate rule for each port.
  5. Next to Affinity, click Single or Class C.

    Note You must enable Affinity to permit IPsec communication with your NLB cluster. Affinity is the method that is used by the cluster hosts to maintain the session state. The affinity settings work as follows:
    • When no affinity is specified, all network requests are load balanced across the cluster without respect to their source.
    • An affinity setting of Single causes the cluster host (node) to read the host header of the client request to determine the source IP address of that request. The cluster host then responds to all other requests from that single IP address, maintaining the session state with that client.
    • An affinity setting of Class C performs much the same function as Single, but the cluster node responds to all requests from clients in the same class C subnet as that of the original request.
  6. Leave the default filtering mode option as Multiple host, and then click OK.
  7. Allow sufficient time for the cluster to converge.
Important Traffic to any port is permitted to reach servers if you use IPsec in a cluster. If you disable other ports or port ranges in your NLB cluster, you still receive IPsec traffic on those ports. The port filtering does not filter IPsec traffic when you use IPsec tunnels.

For more information about IPsec, search for IPsec in Windows Server 2003 Help and Support Center.

For more information about IPsec in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

810207 IPsec default exemptions are removed in Windows Server 2003

For more information about IPsec in Microsoft Windows 2000, visit the following Web site:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/ispstep.mspx

For more information about NLB clusters, visit the following Web site:

http://www.microsoft.com/windowsserver2003/techinfo/overview/clustering.mspx

For more information about how to configure a NLB cluster, search for cluster in Windows Server 2003 Help and Support Center.

For more information about NLB parameters, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/57c24429-0268-4ed8-afdf-fd4b0b6539b71033.mspx

For more information about how to configure NLB in a typical environment where VPN is not used, click the following article number to view the article in the Microsoft Knowledge Base:

323437 How to configure Network Load Balancing parameters in Windows Server 2003

Modification Type:MajorLast Reviewed:2/25/2006
Keywords:kbinfo kbhowto KB820752 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.