Management and Operations
Applies To: Windows Server 2003 with SP1
Q. How Can I Keep a Record of NLB Manager Activities?
A. You can configure Network Load Balancing Manager to log each Network Load Balancing Manager event. This log can be very useful in troubleshooting problems or errors when using Network Load Balancing Manager. Enable Network Load Balancing Manager logging by clicking Log Settings in the Network Load Balancing Manager Options menu. Check the Enable logging box and specify a name and location for the log file.
The Network Load Balancing Manager log file contains potentially sensitive information about the Network Load Balancing cluster and hosts, so it must be properly secured. By default, the log file inherits the security settings of the directory in which it is created, so you might have to change the explicit permissions on the file to restrict read and write access to those individuals who do not need full control of the file. Be aware that the individual using Network Load Balancing Manager does require full control of the log file.
Q. Can I Manage an NLB Cluster Remotely Using WLBS.EXE?
A. Yes, but this is not recommended for security reasons. WLBS.EXE can be used to control participation of nodes in the cluster, but it cannot be used to alter the configuration of the cluster. In Windows Server 2003, use NLB Manager to configure and manage NLB clusters.
Q. I am Seeing NLBS Event Number ### and am Not Sure What To Do About it. Where Can I Find Detailed Information About NLB Events in the Event Log?
A. The document containing detailed descriptions of all NLB events, their causes and possible resolutions can be found at http://www.microsoft.com/technet/support/ee/ee_advanced.aspx.
Q. How Do I Deal with Denial of Service (DOS) Attacks on my NLB Cluster?
A. NLB utilizes TCP/IP Denial of Service attack protection to protect itself from denial of service attacks. Specifically, NLB is prone to SYN attacks because of the state that it maintains for TCP connection affinity. To protect an NLB cluster from SYN attacks, make sure that TCP/IP SYN attack protection is enabled. See the following KB articles that explain how to enable TCP/IP DOS attack protection: HOW TO: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows 2000, (http://go.microsoft.com/fwlink/?LinkId=18377) and HOW TO: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows Server 2003, (http://go.microsoft.com/fwlink/?LinkId=18376).
NLB can also fail because of heartbeat loss due to insufficient network resources. This may cause partitioning of the cluster, which can cause connectivity problems for clients, as clients may be serviced by multiple NLB hosts. To soften the heartbeat loss criteria in NLB, use the NLB WMI interface to change the AliveMsgTolerance (from 5 to 100; default is 5) and/or the AliveMsgPeriod (from 100 to 10000 in milliseconds; default is 1000). These changes can cause NLB to broadcast heartbeats less often (back-off) and/or allow for more heartbeat loss before logging an event.
Changing the AliveMsgPeriod requires a re-load of the NLB driver (bind/unbind or reboot); changing AliveMsgTolerance requires only an NLB reload operation.
Q. How Do I Secure My NLB Cluster?
A. NLB assumes that the LAN to which it is homed is trusted. Ensuring that only trusted machines are homed to this LAN is the first step to protecting an NLB cluster. As an additional measure, ensure that NLB remote control is disabled on all hosts. If it must be enabled, then it is vital that the firewall or router block traffic to UDP port 1717 and UDP port 2504 except to those clients that need access.
Q. How do I configure my cluster to handle load non-uniformly?
A. NLB distributes load among hosts within the cluster according to the load’s associated port rule. By default, a port rule distributes an equal share of the load to each host. To configure a host to handle more or less than an equal share of the load, edit the port rule to clear the “Equal” load weight check box and enter a load weight number between 1 and 100.
The load weight is a relative weight among converged nodes in the cluster that indicates how much load a host should handle. To determine the percentage load a host will handle, divide that host’s load weight by the sum of the load weights from the other hosts in the cluster for the same port rule. (A port rule with the “Equal” checkbox checked has a load weight of 50.)
For example, consider the case of a two-host cluster. If Host 1’s port rule has a load weight of 30 and Host 2’s port rule has a load weight of 10, Host 1 will handle 30/(30+10) or 75% of the load. Host 2 will handle 25% of the load.
Caution for Windows 2000 only: Modifying the load weight of a port rule on a host causes all current connections handled by that host to reset. This includes connections associated with other port rules, but does not include traffic addressed to the dedicated IP address, if any. This caution does not apply to Windows Server 2003 and later. (Changing any other property of the cluster resets all current connections on that host for all versions of Windows.)