Chapter 14: Terminal Server Network Load-Balancing Baseline

 

Chapter Overview:
This chapter begins with a brief overview of a Terminal Server Network Load-Balancing Baseline and then reviews Microsoft's Network Load-Balancing technology and the cluster settings that matter for Terminal Servers. The chapter concludes with an example Terminal Server Network Load-Balancing Baseline.
 
A Terminal Server Network Load-Balancing Baseline defines an organization’s approved installation and configuration standards for Microsoft’s Network Load-Balancing for Terminal Servers. It is used by employees as an approved procedure to implement Load-Balancing in a Terminal Server environment.
 
Microsoft first shipped Network Load-Balancing (NLB) with Windows 2000 Advanced Server and Datacenter Server; it is now included with every edition of Windows Server 2003. Network Load-Balancing allows a group of servers to be configured as a load-balanced cluster that shares a single Virtual IP address (VIP). Users connect to the cluster by the DNS name associated with the Virtual IP address. Every host in the cluster receives each packet sent to the Virtual IP address, and all hosts run the same filtering algorithm to decide which one of them owns the connection; only that host accepts the packet and responds, the others silently discard it. Network Load-Balancing provides high availability for a Terminal Server environment by distributing user load across a Terminal Server farm. If a server in the cluster becomes unavailable, the remaining hosts detect the failure through the cluster heartbeat, converge, and direct new user connections to an available server. Sessions that were running on the failed server are lost: NLB balances connections, it does not replicate session state.
 
In order to set up Network Load-Balancing, a minimum of two servers running Windows Server 2003 is required. Each server needs at least one network adapter with a single fixed (static) IP address. Although a single adapter will work, for optimum performance Microsoft recommends two network adapters in each server: one dedicated to the host's own IP address (management and host-to-host traffic) and one carrying the Virtual IP address (cluster traffic).
 
List 14.1 shows the prerequisites and assumptions for the following Terminal Server Network Load-Balancing Configuration Baseline:
  • An available Virtual IP address for the load-balanced cluster.
  • The load-balanced cluster cannot exceed 32 servers. (NLB limit is 32 servers)
  • All servers must be on the same subnet.
  • Each server will have a fixed IP address and at least one network adapter.
 
The next section reviews the Load-Balancing cluster properties and explains each setting used in the example baseline.
 
1.      Cluster IP Configuration. A Virtual IP address, subnet mask and the DNS cluster name (the "Full Internet Name").
2.      Cluster Operation Mode. Decide between unicast or multicast.
  • In unicast mode, Network Load-Balancing replaces the network adapter's own MAC address with the cluster MAC address. Hosts with a single adapter then cannot reach each other over the network, because every host presents the same MAC address.
  • In multicast mode, Network Load-Balancing adds the cluster's multicast MAC address to the adapter and retains the adapter's original MAC address, so each host remains individually reachable. Some switches and routers need a static ARP entry before they will accept a unicast IP address that resolves to a multicast MAC address.
Note: Use unicast mode only if the Terminal Servers have two network adapters; use multicast mode if there is only one network adapter.
3.      Remote Control. Remote Control allows a cluster to be administered from another machine with the wlbs.exe/nlb.exe command-line tools. Microsoft recommends leaving Remote Control disabled because the remote-control channel accepts cluster commands over UDP protected only by a shared password, which exposes the cluster to denial of service and configuration tampering from anyone who can reach that channel. If remote control must be enabled, it is important to firewall the cluster so that the User Datagram Protocol (UDP) ports that carry the remote-control commands are reachable only from the management network. By default, these are UDP ports 1717 and 2504 at the cluster IP address.
4.      Host Parameters. The Host Priority (unique host identifier) is a number from 1 to 32 that must be unique within the cluster; traffic not matched by any port rule is handled by the host with the lowest priority value. This window also holds the host's dedicated IP address and subnet mask.
5.      Port Rules control how traffic to the Virtual IP address is distributed within the cluster. For a Terminal Server cluster the default rule (all ports, TCP and UDP) must be changed to cover only TCP port 3389, the RDP listener.
  • The Affinity setting controls whether all TCP connections from one client IP address are sent to the same cluster host (Single) or are balanced individually (None). Applications such as Terminal Server that keep session state on the host are stateful, and stateful applications require Single affinity when the session state is maintained locally. Affinity is keyed on the client's source IP address, so a user who reconnects from a different address may land on another host; Terminal Services Session Directory exists to route such reconnections back to the host holding the disconnected session.
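The settings above are the ones an auditor checks on each host after the cluster is built. The PowerShell below is an added example, not part of the chapter or of Microsoft's tooling: Test-TsNlbBaseline takes a plain description of the cluster (mode, remote-control flag, hosts, port rules) and returns a list of findings against this baseline, so the check logic can be exercised offline with the constructed sample at the bottom. Get-TsNlbState gathers that description from the NLB WMI provider in the root\MicrosoftNLB namespace on each host; the class and property names it uses (MicrosoftNLB_ClusterSetting, MicrosoftNLB_NodeSetting, MicrosoftNLB_PortRule and their fields) are my recollection of that provider and should be confirmed with "Get-WmiObject -Namespace root\MicrosoftNLB -List" before relying on them.

```powershell
# Added example: audit an NLB cluster against the Terminal Server baseline.
# Not code from the original chapter. Host names, addresses and the WMI
# property names in Get-TsNlbState are assumptions (see lead-in).

function Get-NetworkAddress([string]$Ip, [string]$Mask) {
    # Bitwise AND of address and mask, returned as dotted quad.
    $i = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    return ((0..3 | ForEach-Object { $i[$_] -band $m[$_] }) -join '.')
}

function Test-TsNlbBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Cluster,   # IPAddress, SubnetMask, Mode, RemoteControlEnabled
        [Parameter(Mandatory)] [object[]]  $Nodes,     # each: Name, HostPriority, DedicatedIP
        [Parameter(Mandatory)] [object[]]  $PortRules  # each: StartPort, EndPort, Protocol, Mode, Affinity
    )
    $findings = @()

    if ($Cluster.Mode -ne 'MULTICAST') {
        $findings += "Cluster mode is '$($Cluster.Mode)'; baseline requires MULTICAST (single-adapter hosts)"
    }
    if ($Cluster.RemoteControlEnabled) {
        $findings += 'Remote control is enabled; baseline requires it disabled (UDP 1717/2504 exposed)'
    }
    if ($Nodes.Count -lt 2) { $findings += 'Fewer than two hosts; NLB needs at least two' }
    if ($Nodes.Count -gt 32) { $findings += "$($Nodes.Count) hosts; NLB supports at most 32" }

    # Host priorities are unique identifiers in the range 1..32.
    foreach ($g in ($Nodes | Group-Object HostPriority | Where-Object { $_.Count -gt 1 })) {
        $findings += "Host priority $($g.Name) is used by $($g.Count) hosts"
    }
    foreach ($n in ($Nodes | Where-Object { $_.HostPriority -lt 1 -or $_.HostPriority -gt 32 })) {
        $findings += "Host $($n.Name) has out-of-range priority $($n.HostPriority)"
    }

    # Every dedicated address must be on the VIP's subnet.
    $vipNet = Get-NetworkAddress $Cluster.IPAddress $Cluster.SubnetMask
    foreach ($n in $Nodes) {
        if ((Get-NetworkAddress $n.DedicatedIP $Cluster.SubnetMask) -ne $vipNet) {
            $findings += "Host $($n.Name) ($($n.DedicatedIP)) is not on the cluster subnet $vipNet"
        }
    }

    # Exactly one rule: TCP 3389, multiple-host filtering, single affinity.
    $rdp = @($PortRules | Where-Object { $_.StartPort -eq 3389 -and $_.EndPort -eq 3389 -and $_.Protocol -eq 'TCP' })
    if ($rdp.Count -ne 1) {
        $findings += "Expected one TCP 3389 port rule, found $($rdp.Count)"
    } elseif ($rdp[0].Mode -ne 'Multiple' -or $rdp[0].Affinity -ne 'Single') {
        $findings += "TCP 3389 rule is $($rdp[0].Mode)/$($rdp[0].Affinity); baseline requires Multiple/Single"
    }
    if ($PortRules.Count -gt $rdp.Count) {
        $findings += "$($PortRules.Count - $rdp.Count) port rule(s) other than TCP 3389 are present"
    }
    return $findings
}

function Get-TsNlbState([string[]]$ComputerName) {
    # Assumed WMI layout: cluster-wide settings from the first host, one
    # node setting per queried host, port rules from the first host.
    $ns = 'root\MicrosoftNLB'
    $cs = Get-WmiObject -Namespace $ns -Class MicrosoftNLB_ClusterSetting -ComputerName $ComputerName[0] | Select-Object -First 1
    $cluster = @{ IPAddress = $cs.ClusterIPAddress; SubnetMask = $cs.ClusterNetworkMask
                  Mode = $cs.ClusterMode; RemoteControlEnabled = [bool]$cs.RemoteControlEnabled }
    $nodes = foreach ($c in $ComputerName) {
        $n = Get-WmiObject -Namespace $ns -Class MicrosoftNLB_NodeSetting -ComputerName $c | Select-Object -First 1
        @{ Name = $c; HostPriority = [int]$n.HostPriority; DedicatedIP = $n.DedicatedIPAddress }
    }
    $modeByClass = @{ MicrosoftNLB_PortRuleLoadbalanced = 'Multiple'; MicrosoftNLB_PortRuleFailover = 'Single'
                      MicrosoftNLB_PortRuleDisabled = 'Disabled' }
    $rules = Get-WmiObject -Namespace $ns -Class MicrosoftNLB_PortRule -ComputerName $ComputerName[0] | ForEach-Object {
        @{ StartPort = [int]$_.StartPort; EndPort = [int]$_.EndPort; Protocol = $_.Protocol
           Mode = $modeByClass[$_.__CLASS]; Affinity = $_.Affinity }
    }
    return @{ Cluster = $cluster; Nodes = @($nodes); PortRules = @($rules) }
}

# Constructed sample (placeholder values) that violates the baseline twice:
# remote control on, and the default all-ports rule left in place.
$sample = @{
    Cluster   = @{ IPAddress = '10.10.20.100'; SubnetMask = '255.255.255.0'; Mode = 'MULTICAST'; RemoteControlEnabled = $true }
    Nodes     = @( @{ Name = 'TS01'; HostPriority = 1; DedicatedIP = '10.10.20.11' },
                   @{ Name = 'TS02'; HostPriority = 2; DedicatedIP = '10.10.20.12' } )
    PortRules = @( @{ StartPort = 0; EndPort = 65535; Protocol = 'Both'; Mode = 'Multiple'; Affinity = 'Single' } )
}
Test-TsNlbBaseline @sample
# Against a live cluster:  $state = Get-TsNlbState -ComputerName TS01,TS02; Test-TsNlbBaseline @state
```

The sample run reports that remote control is enabled and that no TCP 3389 rule exists while one other rule is present; an empty result means the cluster matches the baseline. Because NLB hosts each hold a full copy of the cluster configuration, running the audit after every host is added catches a host whose settings drifted from the first one.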
 
The following Network Load-Balancing Configuration Baseline shows the procedure to configure Network Load-Balancing on a single Terminal Server. The procedure must be executed on each Terminal Server in the Load-Balanced cluster. The example baseline starts with a Purpose and Scope statement and then proceeds with the baseline configurations. This baseline is intended for informational purposes only.
 
Terminal Server Network Load-Balancing Configuration Baseline
 
Purpose
The purpose of this baseline is to define standards for the installation and baseline configuration of Microsoft Network Load-Balancing for Terminal Servers. Before any servers are placed on the production network, standard processes will be executed to ensure that all servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use and disruptions in service.
 
Scope
This baseline is specifically for all Windows Terminal Servers in a load-balanced cluster on the internal network and will be reviewed in conjunction with the other IT infrastructure policies.
 
Configuration Baseline
Part 1. Create the Cluster
1.      Log on to the target Terminal Server as administrator. This server will be the first server in the cluster.
Note: This procedure will need to be executed on each Terminal Server in the cluster.
2.      From the Terminal Server desktop, click Start, click Run, type “nlbmgr.exe,” and then press Enter to access the Network Load-Balancing console.
3.      As shown in figure 1, in the left pane of the tree view, highlight the “Network Load Balance Clusters” node, right click it, and click the “New Cluster” menu item.
 
Figure 1
 
4.      From the Cluster Parameters window enter the "IP address" of the cluster (the Virtual IP address), the "subnet mask", the "Full Internet Name" (the DNS name associated with the Virtual IP address), and select "Multicast." Note: Do not enable remote control; leave the remote password fields empty. Click Next to proceed.
5.      From the Cluster IP Address window click Next to proceed.
6.      From the Port Rules window highlight the default port rule and click Edit to proceed.
7.      As shown in Figure 2, in the Port range section, enter "3389" in both the From and To fields. In the Protocol section, select the "TCP" radio button. In the Filtering mode section, select the "Multiple host" radio button and leave Affinity at its default of "Single" so that all connections from one client address reach the same Terminal Server. Click OK to proceed.
 
Figure 2
 
8.      From the Port Rules window, click Next to proceed.
9.      From the connect window, enter the “FQDN” of the first server in the cluster in the Host text box and click connect. Once connected, the server will appear in the “Interfaces available for configuring a new cluster” area. Highlight the interface and click Next to proceed.
10. From the Host Parameters window, confirm that the Priority is 1 and enter the dedicated "IP address" and "subnet mask" of this Terminal Server (its own static address, not the Virtual IP address). Accept the other defaults and click Finish to proceed.
11. As shown in Figure 3, the new cluster will be displayed.
 
Figure 3
 
Configuration Baseline
Part 2, Add a Host to the Cluster
1.      To add a host to the cluster, log on to the target Terminal Server as administrator. From the server desktop, click Start, click Run, type "nlbmgr.exe," and then press Enter to access the Network Load Balancing console. In the left pane of the tree view, highlight the Network Load Balancing Clusters node, right click it, and click the "Connect to Existing" menu option.
2.      From the Connect window, enter the "FQDN" of a server that is already in the cluster in the Host text box and click Connect. Once connected, the cluster configured on that server will be listed. Highlight it and click Finish to proceed.
3.      The cluster will be displayed in the Network Load Balancing Console, as shown in Figure 4.
 
Figure 4
 
4.      As shown in Figure 5, in the left pane of the tree view, highlight and right click the cluster. From the menu click the “Add Host To Cluster” menu option.
 
Figure 5
 
5.      From the Connect window, enter the “NetBIOS” or “FQDN” of the desired Terminal Server in the Host text box and click the Connect button. Once the Terminal Server is discovered, highlight it and click Next to proceed.
6.      From the Host Parameters window, enter the dedicated "IP address" and "subnet mask" of the target Terminal Server. Click Finish to proceed. Note that the Priority number should increment automatically to the next unused value.
7.      As shown in Figure 6 the additional Terminal Server has been added to the cluster and the configurations have been saved.
 
Figure 6
 
8.      Exit the Network Load Balancing Console and log off the server.
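Parts 1 and 2 above are NLB Manager click-throughs on Windows Server 2003. The script below is an added example, not the chapter's own procedure: it performs the same two parts with the NetworkLoadBalancingClusters PowerShell module, which ships with the NLB feature on Windows Server 2008 R2 and later only (a Windows Server 2003 host has NLB Manager and nlb.exe, but not these cmdlets). The host names, interface name, cluster name and addresses are placeholders.

```powershell
# Added example: script the Terminal Server NLB baseline (create cluster on the
# first host, replace the default port rule, add the remaining hosts).
# Requires the NLB feature and Windows Server 2008 R2 or later; all names and
# addresses below are placeholders for the reader's environment.

Import-Module NetworkLoadBalancingClusters

$ClusterName = 'ts.corp.example'   # DNS name associated with the VIP (placeholder)
$ClusterIP   = '10.10.20.100'      # Virtual IP address (placeholder)
$SubnetMask  = '255.255.255.0'
$Interface   = 'Ethernet'          # name of the single adapter on every host (placeholder)
$FirstHost   = 'TS01'
$OtherHosts  = @('TS02', 'TS03')

# Part 1: create the cluster on the first host. Multicast because each host
# has one adapter; remote control is left at its default, which is disabled.
# New-NlbCluster uses the adapter's existing static address as the dedicated IP.
$cluster = New-NlbCluster -HostName $FirstHost -InterfaceName $Interface `
    -ClusterName $ClusterName -ClusterPrimaryIP $ClusterIP -SubnetMask $SubnetMask `
    -OperationMode Multicast

# Replace the default rule (all ports, TCP and UDP) with the Terminal Server
# rule: TCP 3389 only, multiple-host filtering, single affinity.
$cluster | Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
$cluster | Add-NlbClusterPortRule -StartPort 3389 -EndPort 3389 `
    -Protocol TCP -Mode Multiple -Affinity Single | Out-Null

# Part 2: add the remaining hosts. The host priority is assigned automatically
# (next unused value), matching step 6 of Part 2 above.
foreach ($h in $OtherHosts) {
    $cluster | Add-NlbClusterNode -NewNodeName $h -NewNodeInterface $Interface | Out-Null
}

# Show the result: one node per Terminal Server, one TCP 3389 rule.
$cluster | Get-NlbClusterNode
$cluster | Get-NlbClusterPortRule
```

Run the script once, from any host that has the NLB cmdlets and administrative access to all Terminal Servers; unlike the NLB Manager procedure it does not need to be repeated on each host, because Add-NlbClusterNode pushes the cluster configuration to the new node. Remove-NlbClusterPortRule is run before Add-NlbClusterPortRule because NLB rejects overlapping port ranges, and the default rule covers every port.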
 
Policy Review
This policy will be reviewed annually.
 
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
 
Related Policies, Standards, and Guidelines
Change Management Policy
 
 
This chapter discussed Network Load-Balancing and the cluster settings relevant to Terminal Servers, followed by a Network Load-Balancing Configuration Baseline.
 
  • A Terminal Server Network Load-Balancing Baseline defines the installation and configuration standards for Microsoft’s Network Load-Balancing for Terminal Servers.
  • Network Load-Balancing (NLB) is included with each edition of Windows Server 2003.
  • The minimum requirement for Network Load-Balancing is two servers running Windows Server 2003. Each server needs at least one network adapter and a single fixed IP address.
  • Network Load-Balancing allows a group of servers to be configured as a load-balanced cluster accessed with a single Virtual IP address (VIP).
  • Network Load-Balancing provides high availability for a Terminal Server environment by distributing user load across a Terminal Server farm; it balances connections but does not preserve sessions running on a failed host.
  • If a server in the cluster becomes unavailable, Network Load-Balancing will detect the unavailable server and direct new user connections to an available server in the cluster.
 
The next chapter will introduce system auditing and security monitoring in a Terminal Server environment.