Hello All!
I'm trying to configure a MS Load Balancing Array. This is software-based load balancing on NT/W2000.

I have a test configuration outside of my PIX firewall. After much ado, I got this rig working properly.

Basically, I have a "virtual" IP address of x.y.z.150. And I have two load-leveled test servers which are really configured at x.y.z.151 and x.y.z.152, even though they are addressed as x.y.z.150.

I had to add an ARP statement to my router so folks external to my subnet could "see" this virtual node.
This was per a MS Knowledge Base article here:
http://support.microsoft.com/support/kb/articles/Q197/8/62.AS
The LB array has a virtual MAC which is used in the router ARP statement like this:
ARP x.y.z.150 03bf.1400.00aa ARPA
OK, so all of this worked as long as everything is outside the firewall. I gather the ARP statement in the router deals with the fact that packets destined for .150 are really going to/from .151 or .152 (but I clearly don't understand exactly what's going on here). But it DOES work!
Now I have a second test array behind the PIX firewall, configured identically except that I use a private network and NAT in the PIX. I have "static" and "conduit" statements in the PIX to pass the x.y.z.170 traffic to 20.0.0.170 (port 80 and 443 only), and I have two load balanced servers at .171 and .172. I can "see" the .170 address from my internal network, but folks outside the network can't reach it.

I suspect that I must deal with the ARP issue in the PIX firewall as well as in the router. When the PIX performs NAT, perhaps it does so only on the .170 address.
Questions:
Is there such a thing as an ARP configuration statement for the PIX?
Should I establish statics/conduits for .171 and .172 to support this array behind the firewall?
Any other ideas?
Thanks in advance!
Harry
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
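A check worth running before touching the PIX, added here as an example and not part of Harry's message: Microsoft NLB derives the cluster MAC from the cluster IP (03-BF- followed by the four IP octets in multicast mode, 02-BF- in unicast mode), so the MAC in a static ARP entry should encode the very IP the entry is for. The MAC in the post's ARP line, 03bf.1400.00aa, decodes to 20.0.0.170, the private address of the inside array. The script below derives and decodes NLB MACs and flags a Cisco-style ARP statement whose IP and MAC disagree; the address 10.1.2.150 in the usage is a constructed stand-in for x.y.z.150.

```python
import re
from ipaddress import IPv4Address

# NLB cluster MAC prefixes as documented by Microsoft.
NLB_PREFIXES = {"03bf": "multicast", "02bf": "unicast"}

# Cisco IOS static ARP statement: arp <ip> <mac> arpa
ARP_LINE = re.compile(r"^\s*arp\s+(\S+)\s+(\S+)\s+arpa\s*$", re.IGNORECASE)


def nlb_mac_for(cluster_ip: str, multicast: bool = True) -> str:
    """Cisco dotted-hex MAC that NLB derives from the cluster IP."""
    prefix = "03bf" if multicast else "02bf"
    hexdigits = prefix + f"{int(IPv4Address(cluster_ip)):08x}"
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def decode_nlb_mac(mac: str):
    """Return (mode, cluster_ip) for an NLB cluster MAC, or None if the
    MAC does not carry an NLB prefix. Accepts dotted, colon or dash form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    mode = NLB_PREFIXES.get(hexdigits[:4])
    if mode is None:
        return None
    return mode, str(IPv4Address(int(hexdigits[4:], 16)))


def check_arp_statement(line: str) -> dict:
    """Parse a static ARP line and compare its IP with the IP the MAC encodes."""
    m = ARP_LINE.match(line)
    if not m:
        raise ValueError(f"not a static ARP statement: {line!r}")
    ip, mac = m.groups()
    decoded = decode_nlb_mac(mac)
    if decoded is None:
        return {"ip": ip, "mac": mac, "nlb": False, "mode": None,
                "embedded_ip": None, "match": False}
    mode, embedded = decoded
    return {"ip": ip, "mac": mac, "nlb": True, "mode": mode,
            "embedded_ip": embedded, "match": embedded == ip}


if __name__ == "__main__":
    # The ARP line from the post, with a constructed IP in place of x.y.z.150.
    for line in ("arp 10.1.2.150 03bf.1400.00aa arpa",
                 "arp 20.0.0.170 03bf.1400.00aa arpa"):
        print(check_arp_statement(line))
```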