Network Load Balancing parameters

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


This topic describes the parameters that are specific to each host in a Network Load Balancing cluster and the parameters for a Network Load Balancing cluster as a whole. It also describes the parameters that control how the cluster functions. These are called port rules. Values entered for the entire cluster must be the same for all host computers in the cluster. You enter parameters in the Network Load Balancing Properties dialog box and they are recorded in the registry.

The parameters are contained in the following tabs on the Network Load Balancing Properties dialog box:

  • Cluster parameters: Apply to the entire cluster.

  • Host parameters: Apply to a specific host.

  • Port rules: Control how the cluster functions.

Cluster parameters

Parameter Description

IP address on the Cluster Parameters tab

This parameter specifies the cluster's primary IP address in standard Internet dotted notation (for example, w.x.y.z). The address is a virtual IP address and must be set identically for all hosts in the cluster. This IP address is used to address the cluster as a whole, and it should be the IP address that maps to the full Internet name that you specify for the cluster. This should be the primary IP address and subnet mask for the cluster. If you want to add multiple IP addresses to the cluster, you enter the additional IP addresses in the TCP/IP properties dialog box or in the Cluster IP Addresses dialog box in Network Load Balancing Manager.

Important

  • Typically, both the dedicated IP address and the cluster IP address, entered during setup in the Network Load Balancing Properties dialog box, must also be entered in the Internet Protocol (TCP/IP) Properties dialog box. Make sure that the addresses are the same in both places. However, if you are configuring a virtual private network (VPN) load balancing cluster, you should not configure the dedicated IP address. On a VPN, only the cluster IP address should be present on each of the cluster hosts.

Subnet mask on the Cluster Parameters tab

This parameter denotes the subnet mask for the IP address specified. The mask is entered in standard Internet dotted notation (for example, 255.255.255.0).

Full Internet name on the Cluster Parameters tab

This parameter specifies a full Internet name for the Network Load Balancing cluster (for example, cluster.microsoft.com). This name is used for the cluster as a whole and should be the same for all hosts in the cluster. If you alias several names for the cluster, the primary (main) name should be entered here. In any case, this name should be resolvable to the cluster's primary IP address through your DNS server or Hosts file.

Network address on the Cluster Parameters tab

This parameter specifies the network address (media access control [MAC] address) for the network adapter to be used for handling client-to-cluster traffic.

If multicast support is disabled (causing the host to revert to unicast mode), Network Load Balancing automatically instructs the driver belonging to the cluster adapter to override the adapter's unique, built-in network address and to change its MAC address to the cluster's MAC address. This is the address used on all cluster hosts. You do not need to manually configure the network adapter to recognize this address.

Note

  • Some network adapters might not allow the built-in network address to be modified. If you experience this problem, you must obtain and install a different network adapter that supports this functionality.

If you have other Network Load Balancing clusters on one local subnet, each cluster needs to use a different network address. When you select a different primary IP address for each cluster, Network Load Balancing automatically ensures that the clusters use unique network addresses.

Cluster Operation Mode on the Cluster Parameters tab

These parameters specify whether or not a multicast MAC address should be used for cluster operations. If multicast is enabled, Network Load Balancing converts the cluster MAC address belonging to the cluster adapter into a multicast address. It also ensures that the cluster's primary IP address resolves to this multicast address as part of the ARP protocol. At the same time, the adapter can now use its original, built-in MAC address that, in unicast mode, was disabled.

Note

  • If Network Load Balancing clients are accessing a cluster through a router when the cluster has been configured to operate in multicast mode, be sure that the router meets the following requirements:

    • Accepts an ARP reply that has one MAC address in the payload of the ARP structure but appears to arrive from a station with another MAC address, as identified by the Ethernet header.

    • In multicast mode, accepts an ARP reply that has a multicast MAC address in the payload of the ARP structure.

    This allows the router to map the cluster's primary IP address and other multihomed addresses to the corresponding MAC address. If your router does not meet these requirements, you can also create a static ARP entry in the router. Cisco routers require a static ARP entry because they do not support the resolution of unicast IP addresses to multicast MAC addresses.

In multicast mode, the IGMP multicast check box enables Internet Group Management Protocol (IGMP) support for limiting switch flooding by limiting traffic to "Network Load Balancing ports" only. That is, enabling IGMP support ensures that traffic intended for a Network Load Balancing cluster passes through only those ports serving the cluster hosts and not all switch ports.

Notes

  • If you do not select multicast support (causing the host to revert to unicast mode), Network Load Balancing automatically instructs the driver belonging to the cluster adapter to override the adapter's unique, built-in network address and to change its MAC address to the cluster's MAC address. This is the address used on all cluster hosts. You do not need to manually configure the network adapter to recognize this address. (Note that some network adapters do not support changing their MAC addresses. If you experience this problem, you must install a network adapter that does.)

Important

  • Network Load Balancing does not support a mixed unicast/multicast environment within a single cluster. Within each cluster, all network adapters in that cluster must be either multicast or unicast; otherwise, the cluster will not function properly.

    However, there is no restriction on the number of network adapters: Different hosts can have a different number of adapters.

Note

  • Multicast support is not enabled by default. To enable it, see Enable multicast support. However, if you do not enable multicast support, you are advised to consider using at least two network adapters (with one network adapter dedicated to handling client-to-cluster traffic) in order to achieve optimum performance and the full range of networking functionality. For more information, see Multiple network adapters and Optimizing network performance.

Remote Control on the Cluster Parameters tab

This parameter specifies whether remote control operations are enabled. When enabled, remote, networked computers can control cluster operations by using the NLB.exe cluster-control application. Remote control is disabled by default.

Once remote control has been enabled, remote access can be restricted by specifying a remote control password.

Network Load Balancing remote control commands will not work correctly if they are sent from a computer that has Internet Protocol security (IPSec) configured such that the remote control traffic is encrypted by IPSec. For more information, see Internet Protocol Security (IPSec).

Caution

  • The Network Load Balancing remote control option presents many security risks, including the possibility of data tampering, denial of service and information disclosure. It is highly recommended that you do not enable remote control and instead use Network Load Balancing Manager or other remote management tools such as Windows Management Instrumentation (WMI).

    If you choose to enable remote control, it is vital that you restrict access by specifying a strong remote control password. It is also imperative that you use a firewall to protect the Network Load Balancing UDP control ports (the ports that receive remote control commands) in order to shield them from outside intrusion. By default, these are ports 1717 and 2504 at the cluster IP address. Use remote control only from a secure, trusted computer within your firewall. For more information about strong passwords, see Strong passwords.

Remote password on the Cluster Parameters tab

This parameter specifies a password used for restricting access to the cluster from remote, networked computers that use the NLB.exe cluster-control application. The password consists of a string of alphanumeric characters. The password must be entered as the value of this parameter and also a second time for confirmation in the Confirm password parameter.

After a password has been accepted, subsequent NLB.exe remote control operations must use the /PASSW command-line parameter and submit the password. Clearing both fields disables use of the remote control password.

If you choose to enable remote control, it is vital that you restrict access by specifying a strong remote control password. It is also imperative that you use a firewall to protect the Network Load Balancing UDP control ports (the ports receiving remote control commands) in order to shield them from outside intrusion. By default, these are ports 1717 and 2504 at the cluster IP address. For more information about strong passwords, see Strong passwords.

The remote control password is not used to restrict control operations from a cluster host.

Confirm password on the Cluster Parameters tab

This parameter specifies the password entered in the Remote password field. It is used to confirm proper entry of this password. Clearing both fields disables use of a remote control password.

Host parameters

Parameter Description

Interface on the Host Parameters tab

This parameter appears only when using Network Load Balancing Manager and is configured when you add the host to the cluster. The parameter specifies the host's network adapter that will use Network Load Balancing in the context of the current cluster.

Priority (Unique host ID) on the Host Parameters tab

This parameter specifies a unique ID for each host.

The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. You can override these priorities or provide load balancing for specific ranges of ports by specifying rules in the Port rules tab of the Network Load Balancing Properties dialog box.

If a new host joins the cluster and its priority conflicts with another host in the cluster, the host is not accepted as part of the cluster. The rest of the cluster will continue to handle the traffic as before. A message describing the problem is written to the Windows event log. For more information on error logging and cluster operations, see How Network Load Balancing works, Event logging, and Error detection and handling.

IP address on the Host Parameters tab

This parameter specifies this host's unique IP address used for network traffic not associated with the cluster (for example, Telnet access to a specific host within the cluster). It should be entered in standard Internet dotted notation (for example, w.x.y.z). This IP address is used to individually address each host in the cluster and hence should be unique for each host. The dedicated IP address should always be entered first in TCP/IP properties.

Network Load Balancing references the dedicated IP address only when a single network adapter is used to handle both client-to-cluster traffic and other network traffic that must go specifically to the dedicated IP address. Network Load Balancing ensures that all traffic to the dedicated IP address is unaffected by the Network Load Balancing current configuration, including:

  • When this host is running as part of the cluster

  • When Network Load Balancing is disabled due to parameter errors in the registry

Important

  • Typically, both the dedicated IP address and the cluster IP address, entered during setup in the Network Load Balancing Properties dialog box, must also be entered in the Internet Protocol (TCP/IP) Properties dialog box. Make sure that the addresses are the same in both places. However, if you are configuring a virtual private network (VPN) load balancing cluster, you should not configure the dedicated IP address. On a VPN, only the cluster IP address should be present on each of the cluster hosts.

  • The dedicated IP address must be a static IP address. It cannot be a DHCP address.

Subnet mask on the Host Parameters tab

This parameter denotes the subnet mask for the IP address specified. The mask is entered in standard Internet dotted notation (for example, 255.255.255.0).

Initial host state on the Host Parameters tab

This parameter specifies whether Network Load Balancing will start and whether the host will immediately join the cluster when the operating system is started. For example, you might want to start other services manually and in a specific order before starting Network Load Balancing. Hosts can be commanded to join and leave the cluster dynamically by using the start and stop commands in Network Load Balancing command-line control. If the Retain suspended state after computer starts check box is selected, when the host is shut down while in a suspended state, the host will remain suspended when Windows is started.

For more information on command-line control, see Managing Network Load Balancing from the command line.

Port rules

To maximize control of various types of TCP/IP traffic, you can set up port rules to control how each port's cluster network traffic is handled. The method by which a port's network traffic is handled is called its filtering mode. There are three possible filtering modes: Multiple hosts, Single host, and Disabled.

You can also specify that a filtering mode apply to a numerical range of ports. You do this by defining a port rule with a set of configuration parameters that define the filtering mode. Each rule consists of the following configuration parameters:

  • The virtual IP address to which the rule should be applied.

  • The TCP or UDP port range for which this rule should be applied.

  • The protocols for which this rule should apply, including TCP, UDP, or both.

  • The filtering mode that specifies how the cluster handles traffic described by the port range and protocols.

In addition, you can select one of three options for client affinity: None, Single, and Class C. Single and Class C are used to ensure that all network traffic from a particular client be directed to the same cluster host. In order to allow Network Load Balancing to properly handle IP fragments, you should avoid using None when selecting UDP or Both for your protocol setting.

Important

  • The number and type of rules must be exactly the same for each host in the cluster.

  • You cannot add more than 32 port rules to a Network Load Balancing cluster.

  • If a host attempts to join the cluster with a different number of rules from the other hosts, it is not accepted as part of the cluster and the rest of the cluster continues to handle the traffic as before. At the same time, a message is entered into the Windows event log. When this happens, consult the event log to determine which host has a conflicting number of rules, resolve the conflict, and restart Network Load Balancing on this host.

  • The rules entered on each host in the cluster must have matching cluster IP addresses, port ranges, protocol types, and filtering modes.

    If Network Load Balancing detects an inconsistent rule among the hosts in the cluster, it records a message in the Windows event log. When this happens, consult the event log to determine the host in question and which rule is responsible for the problem, fix it, and restart Network Load Balancing on this host.

    For more information on error logging and cluster operations, see Error detection and handling and Event logging.

  • When using Network Load Balancing to load balance VPN traffic such as PPTP/GRE and IPSEC/L2TP, you must configure the port rules that govern the ports handling the VPN traffic (TCP port 1723 for PPTP and UDP port 500 for IPSEC) to use either Single or Class C affinity.

Note

  • By default, all cluster network traffic not governed by port rules is handled by the host with the highest host priority among the current members of the cluster. This single host handles all of the cluster network traffic, with another host taking over the traffic in the event that the highest priority host fails or goes offline. This default behavior ensures that Network Load Balancing does not affect cluster network traffic for ports that you do not specifically manage with the Network Load Balancing load-balancing mechanisms. It also provides high availability in the handling of your cluster network traffic.
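The consistency requirements above, together with the remote control cautions in the Cluster parameters section, can be checked mechanically before a host is allowed to join. The following is an added example, not Microsoft code: the `PortRule` and `HostConfig` records, the finding codes and the sample hosts are hypothetical, and it assumes each host's settings have already been exported into these records.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PortRule:
    vip: str                  # cluster IP address, or "All" for a global rule
    start: int
    end: int
    protocol: str             # "TCP", "UDP" or "Both"
    mode: str                 # "Multiple", "Single" or "Disabled"
    affinity: str = "Single"  # "None", "Single" or "ClassC"; Multiple hosts mode only

    def identity(self):
        # The fields the page requires to match on every host.
        return (self.vip, self.start, self.end, self.protocol, self.mode)

    def covers(self, protocol, port):
        return self.protocol in (protocol, "Both") and self.start <= port <= self.end

@dataclass
class HostConfig:
    name: str
    priority: int             # Priority (unique host ID)
    cluster_ip: str
    multicast: bool
    remote_control: bool = False
    remote_password_set: bool = False
    rules: list = field(default_factory=list)

MAX_RULES = 32
VPN_PORTS = (("TCP", 1723), ("UDP", 500))   # PPTP and IPSEC ports named on the page

def audit(hosts):
    """Return (host, code) findings; hosts[0] is treated as the reference host."""
    ref, findings, priorities = hosts[0], [], {}
    for h in hosts:
        if priorities.setdefault(h.priority, h.name) != h.name:
            findings.append((h.name, "PRIORITY_CONFLICT"))
        if h.cluster_ip != ref.cluster_ip:
            findings.append((h.name, "CLUSTER_IP_MISMATCH"))
        if h.multicast != ref.multicast:
            findings.append((h.name, "MIXED_UNICAST_MULTICAST"))
        if h.remote_control:
            findings.append((h.name, "REMOTE_CONTROL_ENABLED"))
            if not h.remote_password_set:
                findings.append((h.name, "REMOTE_CONTROL_NO_PASSWORD"))
        if len(h.rules) > MAX_RULES:
            findings.append((h.name, "TOO_MANY_RULES"))
        if len(h.rules) != len(ref.rules):
            findings.append((h.name, "RULE_COUNT_MISMATCH"))
        elif sorted(r.identity() for r in h.rules) != sorted(r.identity() for r in ref.rules):
            findings.append((h.name, "RULE_MISMATCH"))
        for r in h.rules:
            if not 0 <= r.start <= r.end <= 65535:
                findings.append((h.name, "BAD_PORT_RANGE"))
            if r.mode != "Multiple" or r.affinity != "None":
                continue          # affinity only matters for Multiple hosts rules
            if r.protocol in ("UDP", "Both"):
                findings.append((h.name, "NO_AFFINITY_WITH_UDP"))
            if any(r.covers(proto, port) for proto, port in VPN_PORTS):
                findings.append((h.name, "VPN_PORT_WITHOUT_AFFINITY"))
    return findings

def sample_cluster():
    # Constructed sample: web2 disagrees with web1 in several ways.
    web = PortRule("All", 80, 80, "TCP", "Multiple", "Single")
    pptp = PortRule("All", 1723, 1723, "TCP", "Multiple", "None")
    dns = PortRule("All", 53, 53, "Both", "Multiple", "None")
    return [
        HostConfig("web1", 1, "192.0.2.10", False, rules=[web, pptp]),
        HostConfig("web2", 1, "192.0.2.10", True, remote_control=True,
                   rules=[web, pptp, dns]),
    ]

if __name__ == "__main__":
    for host, code in audit(sample_cluster()):
        print(f"{host}: {code}")
```
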

The Port Rules tab shows only the summary of existing port rules. If you click Add or Edit, the following parameters will be available:

Parameter Description

Cluster IP address on the Add/Edit Port Rules dialog box

This parameter specifies the cluster IP address that the port rule should cover. If this parameter is left blank and All is selected instead, the port rule is a global port rule and will cover all cluster IP addresses associated with that particular Network Load Balancing cluster.

Note

  • If a cluster IP address is specified, the port rule overrides any conflicting global port rule for that particular cluster IP address.

Port range on the Add/Edit Port Rules dialog box

This parameter specifies the TCP/UDP port range that a port rule should cover. Port numbers in a range of 0 to 65,535 are currently supported. The default port range is 0 to 65,535.

Note

  • Rules for a single port are encoded as a range having the same starting and ending port numbers.

Protocols on the Add/Edit Port Rules dialog box

This parameter lets you choose the specific TCP/IP protocol that a port rule should cover: TCP, UDP, or both. Only the network traffic for the specified protocol is affected by the rule. Traffic not affected by the port rule is handled by the default host.

Filtering mode on the Add/Edit Port Rules dialog box

  • Multiple hosts. This parameter specifies that multiple hosts in the cluster handle network traffic for the associated port rule. This filtering mode provides scaled performance in addition to fault tolerance by distributing the network load among multiple hosts. You can specify that the load be equally distributed among the hosts or that each host handle a specified load weight.

  • Single host. This parameter specifies that network traffic for the associated port rule be handled by a single host in the cluster according to the specified handling priority. This filtering mode provides port specific fault tolerance for the handling of network traffic.

  • Disable this port range. This parameter specifies that all network traffic for the associated port rule be blocked. In this case, the Network Load Balancing driver filters all corresponding network packets or datagrams. This filtering mode lets you block network traffic addressed to a specific range of ports.

Affinity on the Add/Edit Port Rules dialog box

This parameter is applicable only for Multiple hosts filtering mode.

  • The None option specifies that multiple connections from the same client IP address can be handled by different cluster hosts (no client affinity). In order to allow Network Load Balancing to properly handle IP fragments, you should avoid using None when selecting UDP or Both for your protocol setting.

  • The Single option specifies that Network Load Balancing should direct multiple requests from the same client IP address to the same cluster host. This is the default setting for affinity.

    You can optionally modify Network Load Balancing client affinity to direct all client requests from a TCP/IP Class C address range (instead of a single IP address) to a single cluster host by enabling the Class C option instead of the Single option. This feature ensures that clients that use multiple proxy servers to access the cluster can have their TCP connections directed to the same cluster host. The use of multiple proxy servers at the client's site causes requests from a single client to appear to originate from different computers. Assuming that all of the client's proxy servers are located within the same Class C address range, enabling the Class C option ensures that client sessions are properly handled. If you do not need this capability, use the Single option instead to maximize scaled performance when using client affinity.

  • Class C affinity specifies that Network Load Balancing direct multiple requests from the same TCP/IP Class C address range to the same cluster host.

    Enabling Class C affinity instead of Single affinity ensures that clients that use multiple proxy servers to access the cluster have their TCP connections directed to the same cluster host. The use of multiple proxy servers at the client's site causes requests from a single client to appear to originate from different computers. Assuming that all of the client's proxy servers are located within the same Class C address range, Class C affinity ensures that client sessions are properly handled. If you do not need this capability, use Single affinity instead to maximize scaled performance.

    Enabling either Single or Class C affinity ensures that only one cluster host handles all connections that are part of the same client session. This is important if the server application running on the cluster host maintains session state (such as "server cookies") between connections.

    At the same time, it is important to realize that this does not preserve session state with back-end databases in which many different transactions are occurring involving many different computers. Once the connection is ended, session state also ends.

    Disabling affinity allows for improved load balancing because it allows multiple connections from the same client to be handled concurrently by different cluster hosts. To maximize scaled performance, disable client affinity (using the None option) when it is not needed. However, in order to allow Network Load Balancing to properly handle IP fragments, you should avoid using None when selecting UDP or Both for your protocol setting.

    Important

    • When using Network Load Balancing to load balance VPN traffic such as PPTP/GRE and IPSEC/L2TP, you must configure the port rules that govern the ports handling the VPN traffic (TCP port 1723 for PPTP and UDP port 500 for IPSEC) to use either Single or Class C affinity.

Load Weight on the Add/Edit Port Rules dialog box

This parameter is applicable only for Multiple hosts filtering mode. You can configure this parameter only when you open the port rules dialog box through Host Properties. This parameter is not configurable when you open the port rules dialog box through Cluster Properties.

When using Multiple hosts filtering mode, this parameter specifies the relative amount of load-balanced network traffic that this host should handle for the associated port rule. Allowed values range from 0 (zero) to 100. To prevent a host from handling any network traffic, set the load weight to 0 (zero).

The actual fraction of traffic handled by each host is computed as the local load weight divided by the sum of all load weights across the cluster.

You can specify different load weights for each host in the cluster by using the Load weight parameter. You can specify that all hosts distribute the network load equally by using the Equal load distribution parameter instead of the Load weight parameter.

Handling priority on the Add/Edit Port Rules dialog box

This parameter is applicable only for Single host filtering mode. You can configure this parameter only when you open the port rules dialog box through Host Properties. This parameter is not available when you open the port rules dialog box through Cluster Properties.

When Single host filtering mode is being used, this parameter specifies the local host's priority for handling the networking traffic for the associated port rule. The host with the highest handling priority (lowest numerical value) for this rule among the current members of the cluster will handle all of the traffic for this rule. The allowed values range from 1, the highest priority, to the maximum number of hosts allowed (32). This value must be unique for all hosts in the cluster.

Although this parameter is displayed in the Defined port rules list, you configure this parameter on the Host Parameters tab.
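The rule-selection statements on this page (a rule for a specific cluster IP address overrides a global rule, the lowest numerical value wins, and load share is the local weight over the sum of weights) are combined below into one resolver that also shows what changes when a host leaves the cluster. This is an added example, not Microsoft code: the dictionary layout, host names and addresses are constructed, and it assumes the sum of load weights is taken over the hosts that are currently cluster members.

```python
from fractions import Fraction

# Constructed sample data. Host name -> Priority (unique host ID).
HOSTS = {"web1": 1, "web2": 2, "web3": 3}

# "vip" is a cluster IP address or "All" for a global rule. "per_host" holds the
# host-specific setting: load weight (Multiple) or handling priority (Single).
RULES = [
    {"vip": "All", "start": 80, "end": 80, "protocol": "TCP",
     "mode": "Multiple", "per_host": {"web1": 50, "web2": 30, "web3": 20}},
    {"vip": "192.0.2.10", "start": 80, "end": 80, "protocol": "TCP",
     "mode": "Single", "per_host": {"web1": 3, "web2": 1, "web3": 2}},
    {"vip": "All", "start": 3389, "end": 3389, "protocol": "Both",
     "mode": "Disabled", "per_host": {}},
]

def find_rule(rules, vip, protocol, port):
    """Select the rule for a packet; a specific cluster IP rule beats a global one."""
    matches = [r for r in rules
               if r["vip"] in (vip, "All")
               and r["protocol"] in (protocol, "Both")
               and r["start"] <= port <= r["end"]]
    return min(matches, key=lambda r: r["vip"] == "All", default=None)

def resolve(hosts, rules, vip, protocol, port, online=None):
    """Return (outcome, {host: share of matching traffic}) for the current members."""
    members = {h: p for h, p in hosts.items() if online is None or h in online}
    if not members:
        return ("no members", {})
    rule = find_rule(rules, vip, protocol, port)
    if rule is None:
        # Not covered by any port rule: the lowest numerical host priority wins.
        return ("default host", {min(members, key=members.get): Fraction(1)})
    if rule["mode"] == "Disabled":
        return ("blocked", {})
    if rule["mode"] == "Single":
        # Handling priority: 1 is the highest priority.
        prio = {h: rule["per_host"][h] for h in members}
        return ("single host", {min(prio, key=prio.get): Fraction(1)})
    # Multiple hosts: local load weight / sum of load weights; weight 0 takes nothing.
    weights = {h: rule["per_host"][h] for h in members}
    total = sum(weights.values())
    shares = {h: Fraction(w, total) for h, w in weights.items() if w} if total else {}
    return ("multiple hosts", shares)

if __name__ == "__main__":
    print(resolve(HOSTS, RULES, "192.0.2.20", "TCP", 80))
    print(resolve(HOSTS, RULES, "192.0.2.10", "TCP", 80, online={"web1", "web3"}))
    print(resolve(HOSTS, RULES, "192.0.2.10", "UDP", 53))
```
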

Notes

  • The parameters set in the Network Load Balancing Properties dialog box are recorded in the registry.

  • Changes to Network Load Balancing parameters are applied when you click OK in the Network Load Balancing Properties dialog box. Clicking OK stops Network Load Balancing (if it is running), reloads the parameters, and then restarts cluster operations.

  • WLBS stands for Windows NT Load Balancing Service, the former name of Network Load Balancing in Windows NT 4.0. For reasons of backward compatibility, WLBS continues to be used in certain instances.