Network Load Balancing Best practices

6 out of 15 rated this helpful Rate this topic

Updated: December 21, 2011

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

  • The general security and configuration guidance in this topic also applies to Network Load Balancing (NLB) clusters in Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012. However, for detailed operational guidance about NLB in Windows Server 2008 or Windows Server 2008 R2, see Network Load Balancing

  • The NLB functionality in Windows Server 2012 is generally the same as in Windows Server 2008 R2. However, some task details are changed in Windows Server 2012. For information on new ways to do tasks, see Common Management Tasks and Navigation.

Best practices

Properly secure the Network Load Balancing hosts and the load balanced applications.

  • Network Load Balancing does not provide additional security for the load balanced hosts and cannot be used as a firewall. It is therefore important to properly secure the load balanced applications and hosts. Security procedures can typically be found in the documentation for each particular application. For example, if you are using Network Load Balancing to load balance a cluster of Internet Information Services (IIS) servers, you should follow the procedures and guidelines for securing IIS. To view the IIS 6.0 product documentation, install IIS and then see Microsoft Internet Information Services, or install IIS and then open the IIS User Interface (the IIS snap-in) and click Help

  • The Network Load Balancing subnet must be physically protected from intrusion by unauthorized computers and devices in order to avoid interference from unauthorized heartbeat packets.

  • If you use the optional host list with Network Load Balancing Manager, ensure that only users in the local Administrators group have access to the host list file. 

    For other general information on best practices for securing servers, see Best practices for security and the Microsoft Windows Resource Kits Web site. For tips about installing IIS, see Installing IIS.

Use two or more network adapters in each cluster host whenever possible. Two network adapters, however, are not required.

  • If the cluster is operating in unicast mode (the default), Network Load Balancing cannot distinguish between single adapters on each host. Therefore, any communication among cluster hosts is not possible unless each cluster host has at least two network adapters.

  • You can configure Network Load Balancing on more than one network adapter. However, if you use a second network adapter to address this best practice, make sure that you install Network Load Balancing on only one adapter (called the cluster adapter). 

    For more information, see Multiple network adapters.

Use only the TCP/IP network protocol on the cluster adapter.

  • Do not add any other protocols (for example, IPX) to this adapter.

Use Network Load Balancing Manager.

  • You can configure many Network Load Balancing options through either Network Load Balancing Manager or the Network Load Balancing Properties dialog box accessed through Network Connections. However, Network Load Balancing Manager is the preferred method. Using both Network Load Balancing Manager and Network Connections together to change Network Load Balancing properties can lead to unpredictable results.

Do not enable Network Load Balancing remote control.

  • The Network Load Balancing remote control option presents many security risks, including the possibility of data tampering, denial of service and information disclosure. It is highly recommended that you do not enable remote control and instead use Network Load Balancing Manager or other remote management tools such as Windows Management Instrumentation (WMI). 

    Firewall blocking remote control commands If you choose to enable remote control, it is vital that you restrict access by specifying a strong remote control password. It is also imperative that you use a firewall to protect the Network Load Balancing UDP control ports (the ports that receive remote control commands) in order to shield them from outside intrusion. By default, these are ports 1717 and 2504 at the cluster IP address. Use remote control only from a secure, trusted computer within your firewall.

    For more information on the remote control parameter, see Remote control in Network Load Balancing parameters. For more information about strong passwords, see Strong passwords.

Enable Network Load Balancing Manager logging.

  • You can configure Network Load Balancing manager to log each Network Load Balancing Manager event. This log can be very useful in troubleshooting problems or errors when using Network Load Balancing Manager. Enable Network Load Balancing Manager logging by clicking Log Settings in the Network Load Balancing Manager Options menu. Check the Enable logging box and specify a name and location for the log file. 

    The Network Load Balancing Manager log file contains potentially sensitive information about the Network Load Balancing cluster and hosts, so it must be properly secured. By default, the log file inherits the security settings of the directory in which it is created, so you might have to change the explicit permissions on the file to restrict read and write access to those individuals who don't need full control of the file. Be aware that the individual using Network Load Balancing Manager does require full control of the log file. For more information, see Access Control How To...

Verify that the following is true for cluster parameters, port rules and host parameters:

  • Cluster parameters and port rules for each unique virtual IP address are identical across all hosts. 

    Each unique virtual IP address must be configured with the same port rules across all hosts that service that Virtual IP address. However, if you have multiple virtual IP addresses configured on a host, each of those virtual IP addresses can have a different set of port rules.

  • Port rules are set for all ports used by the load-balanced application. For example, FTP uses port 20, port 21, and ports 1024-65535). 

    Always click Add after setting a port rule. Otherwise, the port rule will not appear in the list of rules, and the rule will not take effect.

  • The dedicated IP address is unique and the cluster IP address is added to each cluster host.

  • Affinity is set to Single or Class C when you are using UDP or Both for your protocol setting. 

    For more information, see Cluster parameters, Host parameters, and Port rules in Network Load Balancing parameters.

Verify that any given load-balanced application is started on all cluster hosts on which the application is installed.

  • Network Load Balancing does not start or stop applications.

Verify that the following is true for the dedicated IP address and the cluster IP address:

  • Except in the case of a virtual private network (VPN),both the dedicated IP address and the cluster IP address must be entered during setup in theNetwork Load Balancing Properties dialog box and also in the Internet Protocol (TCP/IP) Properties dialog box.Make sure that the addresses are the same in both places. However, if you are configuring a VPN load balancing cluster, you should not configure the dedicated IP address. On a VPN, only the cluster IP address should be present on each of the cluster hosts because clients running Windows 95, Windows 98, or Windows NT 4.0 may be unable to connect to the cluster if the dedicated IP address is configured on the Network Load Balancing cluster hosts. 

    If you omit this step, the cluster will converge and appear to be working properly, but the cluster host will not accept and handle cluster traffic.

  • The dedicated IP address is always listed first (before the cluster IP address) in the Internet Protocol (TCP/IP) Properties dialog box. This will ensure that responses to connections originating from a host will return to the same host. For more information, see Set up TCP/IP for Network Load Balancing.

  • Both the dedicated IP address and the cluster IP address must be static IP addresses. They cannot be DHCP addresses.

Ensure that all hosts in a cluster belong to the same subnet and that the cluster's clients are able to access this subnet.

  • No cluster interconnect is used by Network Load Balancing other than the subnet in which the cluster is located. You should therefore not connect two network adapters in an effort to create a system area network (SAN) for which there is no need.

Perform moves of a cluster host according to the following guidelines:

  • If you move a cluster host from one cluster to another on the same subnet by changing the cluster IP address, first remove Network Load Balancing as described in Remove a host from a Network Load Balancing cluster, and then reenable Network Load Balancing after changing the IP address. 

    This will prevent you from experiencing an IP address conflict.

Verify that all cluster hosts are operating in either unicast or multicast mode, one or the other, but not both.

Always begin Network Load Balancing command-line commands with "nlb.exe".

For more information, see Nlb.

Do not enable Network Load Balancing on a computer that is part of a server cluster.

  • Network Load Balancing can interfere with server cluster's use of network adapters and Microsoft does not support this configuration. Instead, use separate Network Load Balancing and server clusters.

For more information on server clusters, see Windows Clustering.

Avoid uninstalling Network Load Balancing.

  • There is typically no need to uninstall this feature. Network Load Balancing is an integral part of the products in the Windows Server 2003 family and does not need to be installed or uninstalled separately.