NLB cluster Port Rules

Creating Port Rules
When an NLB cluster is created, one general port rule is also created for the cluster. The
NLB cluster port rule or rules define what type of network traffic the cluster will loadbalance across the cluster nodes and how the connections will be managed. The Port Rules Filtering option defines how the traffic will be balanced across each individual node. As a best practice, limiting the allowed ports for the clustered IP addresses to only those needed by the cluster load-balanced applications can improve overall cluster performance and security. In an NLB cluster, because each node can answer for the clustered IP address, all inbound traffic is received and processed by each node. When a node receives the request, it either handles the request or drops the packet if another node has already established a session or responded to the initial request.

When an administrator discards the default NLB cluster port rule and creates a rule that only allows specific ports to the clustered IP address or addresses, plus an additional rule to block all other traffic destined for the cluster IP address, each cluster node can quickly eliminate and drop packets that do not meet the allow port rule and in effect improve network performance of the cluster. The security benefit of this configuration also removes any risk of attacks on any other port using the cluster IP address.



Port Rules Filtering Mode and Affinity
Within an NLB cluster port rule, the NLB administrator must configure the appropriate filtering mode. This allows the administrator to specify whether only one node or multiple nodes in the cluster can respond to requests from a single client throughout a session. There are three filtering modes: Single Host, Disable This Port Range, and Multiple Host.

Single Host Filtering Mode
The Single Host filtering mode ensures that all traffic sent to the cluster IP address that matches a port rule with this filtering mode enabled is handled exclusively in the cluster by one particular cluster node.

Disable This Port Range Filtering Mode
The Disable This Port Range filtering mode tells the cluster which ports are not active on the cluster IP address. Any traffic requests received on the cluster IP address that match a port rule with this filtering mode result in the network packets getting automatically discarded or dropped. Administrators should configure specific port rules and use this filter mode for ports and port ranges that do not need to be load-balanced across the cluster nodes.

Multiple Hosts Filtering Mode
The Multiple Host filtering mode is probably the most commonly used filtering mode and is also the default. This mode allows traffic to be handled by all the nodes in the cluster. When traffic is balanced across multiple nodes, the application requirements define how the Affinity mode should be set. There are three types of multiple host affinities:

» None—This affinity type can send unique clients’ requests to all the servers in the cluster during the entire span of the session. This can speed up server response times but is well suited only for serving static data to clients. This affinity type works well for general web browsing, read-only file data, and FTP servers.

» Network—This affinity type routes traffic from a particular class C address space to a single NLB cluster node. This mode is not used too often but can accommodate client sessions that use stateful applications and when different client requests are serviced by down-level proxy servers. This is a useful affinity type for companies that direct traffic from several remote offices, through proxies before connecting to the services, and/or applications managed by the port rules in the NLB cluster.

» Single—This affinity type is the most widely used. After the initial request is received by the cluster nodes from a particular client, that node will handle every request from that client until the session is completed. This affinity type can accommodate sessions that require stateful data such as an encrypted SSL web application or a Remote Desktop session. This is the default filtering mode on a port rule and is well suited to handle almost any NLB clustered service or application.

Source of Information : Sams - Windows Server 2008 R2 Unleashed (2010)