Windows SharePoint Services Network and Load Balancing Design


Microsoft Windows SharePoint Services Network and Load Balancing Design

Microsoft Corporation

Published: August 2003

Authors: Microsoft Office Internet Platform and Operations Windows SharePoint Services Team

Abstract

This case study describes how the Microsoft Office Internet Platform and Operations group set up networking and load balancing to deploy Windows SharePoint Services (Beta) to host 15,000 external customer sites over an eight-month period of 99 percent availability, an excellent result for beta code. Here they present their experience to help enterprise companies and Internet service providers (ISPs) design hosting solutions. It is the third of four technical white papers describing this deployment.

Microsoft Windows Server 2003 White Paper

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, SharePoint, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction  1
Server Farm Basics  2
Network Segmentation  4
Internet Space Network  5
Front End Network  6
Back End Network  6
Load Balancing Design  8
Choosing Solutions  8
F5 BIG-IP Load Balancer Design and Implementation  8
BIG-IP NAT/SNAT Configuration  9
F5 BIG-IP Device Administration and Configuration  9
Opened Ports for Inbound and Outbound Traffic  9
Load Balancing Virtual Servers, Pools, and Nodes  9
BIG-IP Monitoring of Front-End Web Servers and Server Health  10
Summary  11
Related Links  12


Introduction

This white paper describes the way the Internet Platform and Operations group at Microsoft® Office configured the network and load balancing for a deployment of Microsoft Windows® SharePoint® Services (Beta) to host customer sites. This is the third of four papers that describe the Windows SharePoint Services (Beta) hosting experience.

This white paper will briefly present the network structure and load balancing solution chosen for this Windows SharePoint Services deployment. The goals of this solution were to ensure high security, reliability, and availability, provide fault tolerance, and allocate enough network bandwidth for Microsoft SQL Server™ operations. Over an eight-month period of hosting time, these goals were accomplished with 99 percent availability, an excellent result for beta code.

The configuration and best practices outlined in this paper may be of use to anyone deploying Windows SharePoint Services in a hosting scenario, for example, Internet service providers (ISPs) and enterprise companies.

    Microsoft Windows SharePoint Services Network and Load Balancing Design 1


Server Farm Basics

Figure 1 shows the diagram of the server farm and network set up by the Internet Platform and Operations group. The following sections will discuss the implementation of this Windows SharePoint Services server farm in more detail.

Notes

All Internet Protocol (IP) addresses in this paper are fictitious and are listed as examples only. The public IP address of the Internet Space network used in this paper is not the IP address of the actual deployment described. For the purpose of this paper, the IP address of the Internet Space network will be 200.100.1.0, the IP address of the Front End network will be 172.16.1.0, and the IP address of the Back End network will be 10.1.1.0.

The storage area network (SAN) is one physical unit, but is partitioned so that each of the two Microsoft SQL Server clusters uses distinct SAN partitions.

For details about the hardware and software used in this server farm, see the first white paper in this series, Microsoft Windows SharePoint Services Hosting Configuration and Experience, at http://go.microsoft.com/fwlink/?linkid=18323&clcid=0x409.

The following terms are used in this paper and may be unfamiliar to some users:

• Edge network: A network that connects an Internet data center and a corporate network.
• NAT (Network Address Translation): An alias IP address that identifies a specific node managed by the BIG-IP controller to the external network.
• Predictive mode: A dynamic load balancing mode that bases connection distribution on a combination of two factors: number of connections and response time. Servers that currently host the fewest connections and also have the fastest response times will be assigned more connections. Predictive mode also ranks server performance over time, and passes connections to servers that exhibit an improvement rather than a decline.
• SNAT (Secure Network Address Translation): A routable alias IP address that one or more nodes can use as a source IP address when making connections to hosts on the external network.


Figure 1: Server Farm Configuration (diagram not reproduced here; the legend follows)

1 Public DNS servers
2 Internet
3 Router (Cisco Systems)
4 Load balancer (F5 Networks BIG-IP)
5 Load balancer (F5 Networks BIG-IP)
6 Front-end Web server farm (six servers)
7 SMTP and DNS server
8 Terminal services, debugging, and administration server
9 SQL Server server 1
10 SQL Server server 2
11 SQL Server server 3
12 SQL Server server 4
13 SAN unit (Hewlett Packard)
14 Active Directory domain controller 1
15 Active Directory domain controller 2
16 MOM server
17 Backup server (Veritas software)
18 Backup tape device
19 HTML transformation server
20 Imaging and installation server (Altiris deployment server)
21 Router (Cisco Systems)
22 Edge network


Network Segmentation

As shown in Figure 1, the network of this deployment consists of three segments:

• Internet Space network
• Front End network
• Back End network

    The Internet Space network provides Internet access and uses registered domain names and public network addresses. A Cisco Systems router and a pair of fail-over F5 BIG-IP controllers connect this network segment to the rest of the network.

    The BIG-IP controllers are also members of the Front End network, where front-end Web servers running Windows SharePoint Services, the Simple Mail Transfer Protocol (SMTP) and Domain Name System (DNS) server, and the terminal services, debugging, and administration server reside. All servers in the Front End segment have Internet access. Because F5 BIG-IP controllers have Network Address Translation (NAT) functionality, the Front End network servers are configured to use private Internet addresses and to use NAT to access the Internet.

    Two 100 megabits per second (Mbps) network interface cards (NICs) are used for each server connected to the Front End network. It is recommended that you switch to the 100 Mbps/duplex NIC setting to ensure that each server uses 100 Mbps.

The SQL Server clusters, domain controllers, Microsoft Operations Manager (MOM) server, backup server, and imaging and installation server reside on the Back End network and are connected to a Cisco switch. Each server running SQL Server has a 1 gigabit per second (Gbps) NIC connected to the Back End network to ensure that SQL Server operations have enough bandwidth. The front-end Web servers and the SMTP and DNS server are dual-homed to both the Front End and Back End networks. The Back End network carries authentication and data storage traffic. To help maintain a high level of security, the domain controllers and servers running SQL Server do not have Internet access, and the Back End network uses private IP addresses. With additional routing control, the Back End network can be connected to an edge network for managing servers.

    The Cisco Systems router is configured with an IP access list to allow only pre-defined incoming Hypertext Transfer Protocol (HTTP) and Secure Sockets Layer (SSL) requests. To be more secure, you can connect the Front End and Back End network by using a router or firewall, instead of using dual-homed servers across the two networks. If you use a router or firewall, the following ports should be open between the Front End and Back End networks:

• Microsoft Directory Service traffic (Transmission Control Protocol (TCP) Port 445, User Datagram Protocol (UDP) Port 445)
• Kerberos authentication protocol (TCP Port 88, UDP Port 88)
• Lightweight Directory Access Protocol (LDAP) PING (UDP Port 389)
• Domain Name System (DNS) (TCP Port 53, UDP Port 53)
• SQL Server (TCP Port 1433; open on the Back End network only)


    For more information about controlling ports, refer to the documentation for your router or firewall hardware and software.

    For more security, install a firewall in front of the Internet Space network to granularly control the traffic to your site. Ports 80 and 443 must be open on that firewall.

For the allocation of private network addresses, see RFC 1918.

    Internet Space Network

To conserve Internet IP addresses, the Internet Platform and Operations group used a subnet of a class C network with a 28-bit netmask, which provides four host address bits and 14 (2^4 - 2) usable public registered addresses.

    All IP addresses in this paper are fictitious and are listed as examples only; they are not the actual addresses used in this deployment. For the purposes of this paper, the following are IP addresses in the Internet Space network:

• Network: 200.100.1.0
• Subnet mask: 255.255.255.240
• Subnet number: 200.100.1.16
• Subnet broadcast address: 200.100.1.31
• Available network addresses: 200.100.1.17 to 200.100.1.30

The network address assignment is as follows:

• Cisco Router Internal Interface: 200.100.1.17
• NAT Public IP: 200.100.1.18
• BIG-IP External Virtual IP (VIP): 200.100.1.19
• BIG-IP External Dedicated IP (DIP) 1: 200.100.1.20
• BIG-IP External DIP 2: 200.100.1.21
• HTTP VIP: 200.100.1.22

    The pair of F5 BIG-IP controllers forms a fail-over cluster, so they need a VIP in addition to the DIPs on each of their NICs.

A VIP is created for the HTTP traffic, for load balancing Web traffic to the front-end Web servers in the Front End network. The Internet Platform and Operations group registered a wildcard DNS entry with the public DNS server for the iponet.net zone so that all sites resolve to the same IP address: *.stsbeta.iponet.net resolves to 200.100.1.22.

    The NAT solution saves public IP addresses and provides an extra level of protection because the servers running Windows SharePoint Services are not exposed to the Internet directly. To further secure the network, the Internet Platform and Operations group applied an outbound IP access list on the Fast Ethernet Interface of the Cisco Systems router to allow only incoming HTTP and SSL (HTTPS) traffic.


Note: The traffic coming from the Internet to the network goes through the router before it gets to the network, so this access control list must be applied to outbound traffic.

The following is an example of an IP access list that allows only HTTP and SSL traffic into the network.

Example IP access list

    ip access-list extended EXAMPLE
     permit tcp any any gt 1023 established
     permit tcp any host 200.100.1.22 eq 80
     permit tcp any host 200.100.1.22 eq 443
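As an added illustration that is not part of the white paper, the following Python models the access list above and evaluates constructed packets against it, making visible what the established keyword (TCP segments carrying ACK or RST) and the implicit deny at the end of every Cisco access list do; as written the list admits no UDP at all, which the last sample shows. The Packet class, the helper names and the sample packets are assumptions made here; the two addresses are the paper's fictitious NAT public IP and HTTP VIP.

```python
from dataclasses import dataclass

HTTP_VIP = "200.100.1.22"  # the paper's fictitious HTTP VIP
NAT_IP = "200.100.1.18"    # the paper's fictitious NAT public IP

@dataclass(frozen=True)
class Packet:  # assumed minimal packet model, constructed for this example
    proto: str          # "tcp" or "udp"
    dst: str            # destination address
    dport: int          # destination port
    ack: bool = False   # TCP ACK flag set
    rst: bool = False   # TCP RST flag set

def established(pkt):
    # IOS "established" matches TCP segments with ACK or RST set, i.e.
    # replies to connections opened from inside, never a bare SYN.
    return pkt.proto == "tcp" and (pkt.ack or pkt.rst)

def gt(n):
    return lambda port: port > n

def eq(n):
    return lambda port: port == n

# One tuple per line of the access list above: (protocol, destination host
# or None for "any", destination-port test, whether "established" is required).
EXAMPLE_ACL = [
    ("tcp", None, gt(1023), True),      # permit tcp any any gt 1023 established
    ("tcp", HTTP_VIP, eq(80), False),   # permit tcp any host 200.100.1.22 eq 80
    ("tcp", HTTP_VIP, eq(443), False),  # permit tcp any host 200.100.1.22 eq 443
]

def acl_permits(pkt, acl=EXAMPLE_ACL):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for proto, host, port_ok, need_established in acl:
        if pkt.proto != proto or (host is not None and pkt.dst != host):
            continue
        if not port_ok(pkt.dport):
            continue
        if need_established and not established(pkt):
            continue
        return True
    return False

# Constructed sample packets, all arriving from the Internet side of the router.
SAMPLE = {
    "http_to_vip": Packet("tcp", HTTP_VIP, 80),             # new HTTP connection
    "https_to_vip": Packet("tcp", HTTP_VIP, 443),           # new HTTPS connection
    "ssh_to_vip": Packet("tcp", HTTP_VIP, 22),              # anything else to the VIP
    "http_to_nat": Packet("tcp", NAT_IP, 80),               # HTTP to a non-VIP address
    "reply_to_nat": Packet("tcp", NAT_IP, 40000, ack=True), # reply to an outbound NAT flow
    "syn_to_high": Packet("tcp", NAT_IP, 40000),            # unsolicited SYN to a high port
    "dns_reply_udp": Packet("udp", NAT_IP, 40000),          # UDP reply: no line matches
}

def evaluate(samples=SAMPLE, acl=EXAMPLE_ACL):
    """Map each sample name to True (permit) or False (implicit deny)."""
    return {name: acl_permits(pkt, acl) for name, pkt in samples.items()}
```

Running evaluate() shows that only ports 80 and 443 are admitted on the VIP, that high-port TCP is admitted only when it carries ACK or RST, and that the UDP reply falls through to the implicit deny.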

    Front End Network

    The six front-end Web servers, SMTP and DNS server, and an administration tools server make up the Front End network. The BIG-IP controllers also belong to the Front End network as well as to the Internet Space network.

    The Internet Platform and Operations group used a private Class C network 172.16.1.0/24 on the Front End network. Because it was private, it was not divided into subnets.

• Network: 172.16.1.0
• Subnet mask: 255.255.255.0
• Subnet broadcast address: 172.16.1.255
• Available network addresses: 172.16.1.1 to 172.16.1.254

The network address assignment is as follows:

• BIG-IP Internal VIP: 172.16.1.2
• BIG-IP Internal DIP 1: 172.16.1.3
• BIG-IP Internal DIP 2: 172.16.1.4
• SMTP and DNS server Front End IP: 172.16.1.5
• Front-end Web servers Front End IPs: 172.16.1.101 to 172.16.1.106
• Terminal services, debugging, and administration tools server Front End IP: 172.16.1.107

Again, because the pair of BIG-IP controllers forms a fail-over cluster, they require an internal VIP. A NAT internal IP, defined as part of the NAT configuration on the BIG-IP, is used as the default gateway in the IP configuration of the other servers.

All servers are configured to use the domain controllers on the Back End network as DNS servers. However, the Back End servers have no Internet access, and so cannot resolve Internet DNS names. To resolve this problem, the Internet Platform and Operations group set up DNS service in the Front End network and configured the Back End domain controllers to forward Internet DNS resolution requests to this DNS server in the Front End network.

Back End Network

The back end servers include SQL Server clusters (four servers in two clusters), two Microsoft Windows 2000 Active Directory domain controllers, a MOM monitoring server, an imaging and installation server, a backup server, and an HTML transformation server. These servers form a private network and do not have direct Internet access, so the Back End network is private. All Front End servers are also dual-homed on the Back End network. To be more secure, you can use a router or firewall to connect the Front End and Back End networks. The Back End network uses the following IP addresses:

• Network: 10.1.1.0
• Subnet mask: 255.255.255.0
• Subnet broadcast address: 10.1.1.255
• Available network addresses: 10.1.1.1 to 10.1.1.254

The network address assignment is as follows:

• Domain controller 1: 10.1.1.1
• Domain controller 2: 10.1.1.2
• MOM server: 10.1.1.3
• HTML transformation server: 10.1.1.4
• Imaging and installation server: 10.1.1.5
• Servers running SQL Server: 10.1.1.6 to 10.1.1.9
• SQL Server cluster 1: 10.1.1.10
• SQL Server cluster 2: 10.1.1.11
• SQL Server virtual server 1: 10.1.1.12
• SQL Server virtual server 2: 10.1.1.13
• SAN controller 1: 10.1.1.14
• SAN controller 2: 10.1.1.15
• SMTP and DNS server Back End IP: 10.1.1.16
• Backup server IP: 10.1.1.17
• Front-end Web server Back End IPs: 10.1.1.101 to 10.1.1.106
• DHCP Scope: 10.1.1.120 to 10.1.1.150

All IP addresses in this paper are fictitious.
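Pulling the three address plans together, this added Python (not from the paper) reproduces the /28 derivation from the Internet Space section with the ipaddress module and checks each assignment: inside its subnet, not the subnet or broadcast address, not duplicated, clear of the Back End DHCP scope, with the Front End and Back End networks confirmed as RFC 1918 space and the three networks non-overlapping. The PLAN dictionary, DHCP_SCOPE and the helper names are constructed here from the lists above; the Back End entries are a subset.

```python
import ipaddress

INTERNET_SPACE = ipaddress.ip_network("200.100.1.16/28")  # mask 255.255.255.240
FRONT_END = ipaddress.ip_network("172.16.1.0/24")
BACK_END = ipaddress.ip_network("10.1.1.0/24")

def numbered(prefix, base, count):  # "<prefix> i" at <base>.10i, the paper's 101-106 ranges
    return {f"{prefix} {i}": f"{base}.{100 + i}" for i in range(1, count + 1)}

PLAN = {  # constructed from the paper's address lists; Back End entries are a subset
    INTERNET_SPACE: {
        "Cisco router internal interface": "200.100.1.17",
        "NAT public IP": "200.100.1.18",
        "BIG-IP external VIP": "200.100.1.19",
        "BIG-IP external DIP 1": "200.100.1.20",
        "BIG-IP external DIP 2": "200.100.1.21",
        "HTTP VIP": "200.100.1.22",
    },
    FRONT_END: {
        "BIG-IP internal VIP": "172.16.1.2",
        "BIG-IP internal DIP 1": "172.16.1.3",
        "BIG-IP internal DIP 2": "172.16.1.4",
        "SMTP and DNS server": "172.16.1.5",
        "Administration tools server": "172.16.1.107",
        **numbered("Front-end Web server", "172.16.1", 6),
    },
    BACK_END: {
        "Domain controller 1": "10.1.1.1",
        "Domain controller 2": "10.1.1.2",
        "SQL Server cluster 1": "10.1.1.10",
        "SMTP and DNS server": "10.1.1.16",
        **numbered("Front-end Web server", "10.1.1", 6),
    },
}
DHCP_SCOPE = ("10.1.1.120", "10.1.1.150")  # Back End DHCP scope from the paper

def subnet_facts(net):
    """Subnet number, broadcast, usable host count/range and RFC 1918 status."""
    usable = 2 ** (net.max_prefixlen - net.prefixlen) - 2
    return {"subnet": str(net.network_address), "broadcast": str(net.broadcast_address),
            "usable": usable, "first": str(net.network_address + 1),
            "last": str(net.broadcast_address - 1), "private": net.is_private}

def check_plan(plan=PLAN, dhcp=DHCP_SCOPE):
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems, owner = [], {}
    lo, hi = (ipaddress.ip_address(a) for a in dhcp)
    for net, hosts in plan.items():
        for name, addr in hosts.items():
            ip = ipaddress.ip_address(addr)
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                problems.append(f"{name} {addr} is not a host address in {net}")
            if lo <= ip <= hi:
                problems.append(f"{name} {addr} collides with the DHCP scope")
            if addr in owner:
                problems.append(f"{addr} is assigned to both {owner[addr]} and {name}")
            owner.setdefault(addr, name)
    problems += [f"{a} overlaps {b}" for a in plan for b in plan if a < b and a.overlaps(b)]
    return problems
```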
