
second ISA server installation question 1

Status
Not open for further replies.

avputnam

IS-IT--Management
Oct 23, 2003
93
US
We have Microsoft ISA Server 2006 Enterprise Edition installed on one server. We use it to control traffic to the Internet.

As the number of users continues to grow, we are considering adding an additional ISA server to share the load between the two servers.

I have 2 options:
1) Add new server to the existing ISA array
2) Install server as a new array.

Which one would you recommend?
 
The first one. You'll be able to configure NLB for them in that case.




Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;Security+;CCNA;nCSE;CISSP
 
Victor,

Thank you so much for the advice. I will greatly appreciate your opinion on the following:

We want to achieve a complete redundancy for ISA servers, meaning if one ISA fails, we should be able to seamlessly redirect everyone to the second ISA server.

Considering this, do you still recommend adding the second server to the ISA array or configuring the whole new configuration server + ISA services, so that two servers function independently?

In the array configuration, if the configuration server fails, can an array member assume its role in a fast manner?
 
You're very welcome! :)

If you want a redundant ISA infrastructure, you will need an ISA NLB Cluster, which can be configured if you have 2 or more ISA servers in one Ent. Array. For this you have to have 2xISA EE at least (you have it!).
One more thing I would definitely recommend is to join ISA to the AD domain. It will allow you to be more flexible in the future and will not introduce any security holes.

If you have an ISA array with NLB AND the CSS (conf. storage server) is a member of the Domain, you will get the redundancy you need for the ISA boxes. To get redundancy for the CSS you have to install 2 CSS-es and create a replication between them. Configure both CSS servers to be a part of the AD domain. (In this case you CAN have 2 CSS-es, otherwise you can have only one, which in turn will not provide you redundancy for the CSS part of the ISA EE infrastructure.)

If you have more questions, let me know!

Good luck!



Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;Security+;CCNA;nCSE;CISSP
 
Victor, which option in your opinion is optimal:
2 ISA servers in enterprise domain with NLB configured
OR
2 CSS servers with replication between them


Both of my servers are domain member servers. When I created the first ISA, I installed as configuration storage server and extended the AD schema with ISA classes.

If I install the second ISA, will I have to extend the schema again?

Thank you again,
 
More precisely, and according to best practices, the best redundant configuration would be:

2 W2k3 SE member servers with Latest SP and sec. patches
ISA 2004/2006 EE installed on both servers
2 ISA 2004/2006 CSS servers installed on 2 infrastructure servers in local area network. These servers to be members of the same AD domain.
Replication is configured for CSS
ISA NLB is implemented for Int/Ext interfaces (if you have DMZ NLB for DMZ as well)
ISA NLB Cluster is configured to use both CSSes

As I remember, ISA 2000 required a schema extension to implement an array. ISA 2004/2006 does not require a schema extension.




Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;Security+;CCNA;nCSE;CISSP
 
Last question :)

Will you recommend a nice article on configuring NLB on ISA 2006 Enterprise Edition?

Thank you,
 
Victor, thank you so much for your help!
 
You're welcome and good luck! :)



Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;Security+;CCNA;nCSE;CISSP
 