Configuring Windows Network Load Balancing for Terminal Failover

This article describes how to configure YSoft SafeQ to use Windows Network Load Balancing (WNLB) for failover of the Terminal Server (the service that serves MFDs with embedded terminals).

A Description of the Environment (Terminal Server Failover Using WNLB):

[Figure: Terminal Server failover using WNLB (WNLB_DS_FAILOVER.png)]

Expected behavior:

A printer with an embedded terminal is able to operate if the node to which it was originally connected is not running.

Implementation:

In case of a failure or shutdown of the YSoft SafeQ Terminal Server service or the Spooler Controller (SPOC) service, the affected node is deregistered (stopped) in the WNLB cluster, so the cluster's virtual IP is served only by the remaining healthy node(s).

Environment Requirements

  • Windows Server 2008 R2 (Standard or Enterprise) or newer

  • A properly configured and functional Windows Network Load Balancing cluster

    • At least one physical IP address for each member of the WNLB cluster reachable from client workstations (for print job delivery) and from other members of the WNLB cluster (for cluster synchronization).

    • A shared virtual IP address of the WNLB cluster reachable from all MFDs on ports according to Network Communication.

    • Filtering mode (WNLB Manager > Cluster properties > Port Rules > Edit) is set to Multiple host with Affinity: Single + Timeout: 30 minutes, so that an MFD keeps talking to the same node for the duration of a session.

      If Network Card Reader (NCR) is used in the environment, filtering mode must be set to Single host and virtual IP of WNLB cluster configured in NCR.


    • In all host properties - initial host state is set to Stopped (Terminal Server will register the host to the WNLB once it is ready to accept a connection from the MFD).

Limitations

  • If the etcd quorum is lost, jobs on an MFD with pull accounting are not accounted during the downtime of the Terminal Server node that was pulling them (they are accounted after the Terminal Server node recovers).

  • Print jobs stored on the server that encountered the failure are not available for printing.

Best practices

All members of the WNLB cluster must reside on the same subnet.

NLB in unicast mode:

NLB in unicast mode is not compatible with VMware vMotion. If you need vMotion, use NLB in multicast mode instead. See https://kb.vmware.com/s/article/1573 for details.

  • Each computer has two network cards.

    • Two IP addresses per server and one additional clustered IP.

  • Make sure that the second network adapter (the adapter that is failed over via WNLB) has no gateway configured.

  • Make sure the network adapter with the gateway is at the top of the adapters and bindings list (on Windows Server versions prior to 2016, go to Control Panel > Network and Sharing Center > Change adapter settings > press F10 to show the menu bar > Advanced > Advanced Settings > tab Adapters and Bindings; on 2016 and newer, use the adapter Metric to set the priority).

  • Some network security tools (e.g., MAC spoofing prevention, port security) may block WNLB traffic because of its nature (the cluster MAC address is shared by all nodes and masks the adapters' real MAC addresses).

  • VMware: All members of the NLB cluster must be running on the same ESX host (must be connected to the single Portgroup on the virtual switch).

  • VMware: Forged Transmit on the Portgroup is set to Accept.

  • VMware: Notify Switches on the Portgroup is set to No.

  • VMware: MAC Address Changes on the Portgroup is set to Accept.

NLB in multicast mode:

  • Manual entry of static ARP records is required on routers (and L3 switches):

    • NLB multicast packets are unconventional: the IP address is unicast while its MAC address is multicast, so switches and routers may refuse to learn the mapping and drop NLB packets

    • an example of the command needed on a Cisco IOS router or L3 switch (IOS expects the MAC in dotted xxxx.xxxx.xxxx form; WNLB Manager displays the same address as 03-bf-c0-a8-01-64):

      arp [NLB virtual IP] [cluster's multicast MAC] ARPA
      arp 192.168.1.100 03bf.c0a8.0164 ARPA

      The cluster's multicast MAC address can be obtained from the Network Load Balancing Properties dialog box. In plain multicast mode it is derived from the virtual IP: 03-BF followed by the four IP octets in hex (192.168.1.100 = c0.a8.01.64).

A Basic Example of a Network Load Balancing Services Configuration

The following example serves only as a basic demonstration of the WNLB configuration. It does not serve as a guideline for an implementation in a real environment. The implementation of the WNLB is not performed by Y Soft. Due to the nature of Windows Network Load Balancing, a detailed analysis of the customer's network environment and the proper selection of the load balancing mode has to be done prior to setting up the WNLB. Incorrect configuration of the WNLB may have a severe impact on the overall performance of the local area network.

Please note that this example applies to Windows Server 2008 R2. The list of steps might differ slightly in newer versions of Windows Server.

  1. Install the NLB feature on all nodes including the management client

    1. dism /online /enable-feature /featurename:NetworkLoadBalancingFullServer
    2. dism /online /enable-feature /featurename:NetworkLoadBalancingManagementClient
  2. Open NLB manager

    1. nlbmgr.exe
  3. Create a new cluster

    1. Connect to first node and select the NIC to be clustered

      1. In unicast mode we usually use first NIC for standard network communication and its IP address shall be used during SafeQ installation

      2. The second NIC shall be used purely for NLB clustering and you shall not use it for anything else

    2. Enter clustered IP

    3. Enter cluster name and choose multicast or unicast mode (depends on your network configuration), finish the wizard

    4. Select Add host to cluster on cluster

    5. Connect to second node and select the NIC to be clustered. Finish the wizard.

    6. Both nodes should be in "converged" status

  4. In Cluster properties > Port Rules > Edit set the filtering mode to Multiple host with Affinity: Single + Timeout: 30 minutes

  5. In the properties of every host, change the initial host state to Stopped (Terminal Server starts the host itself once it is ready to accept connections from printers)

  6. For the list of ports the NLB port rules must cover, see Network Communication

  7. Example of running NLB Cluster:

    [Figure: example of a running NLB cluster in NLB Manager (example_NLB_configuration.png)]

  8. Windows Server 2008 and newer use the strong host model, which does not allow traffic received on one NIC to be answered via another NIC. For example, if a request comes in on the 2nd NIC and there is no default gateway configured on it, the NIC will not use the 1st NIC to reply (even though a default gateway is configured on that 1st NIC).

    1. To change that behavior and go back to the 2003 model (weakhost), run these commands from the command prompt:

      "Local Area Connection 2" is the name of the clustered network interface

      1. netsh interface ipv4 set interface "Local Area Connection 2" weakhostsend=enable
      2. To verify that weakhostsend is enabled on both adapters run following command:

        netsh interface ipv4 show interfaces level=verbose | findstr /R /i "interface weak.host.sends"
    2. To improve security, keep the strong host model and add static routes for outgoing traffic on the NLB adapter instead of enabling weakhost. For example, the WNLB adapter is part of the 10.0.11.xx subnet and has connectivity to the gateway 10.0.11.1, but, as mentioned above, no gateway is configured on the NLB adapter. To keep the strong host model active and still reach MFPs in a different subnet (10.20.xx.xx), add a persistent static route:

      route add -p 10.20.0.0 mask 255.255.0.0 10.0.11.1
      1. Using netsh is preferable because the route is bound explicitly to the WNLB adapter only:

        "Local Area Connection 2" is the name of the clustered network interface

        netsh interface ipv4 add route 10.20.0.0/16 "Local Area Connection 2" 10.0.11.1
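The following script, added here as an illustration and not part of the Y Soft documentation or any Y Soft tooling, performs steps 1-5 and 8.2 of the procedure above from the management node with the NetworkLoadBalancingClusters PowerShell module instead of NLB Manager. Host names, adapter name, the cluster IP, the MFD subnet and the gateway are assumed values; Install-WindowsFeature and New-NetRoute exist on Windows Server 2012 and newer (on 2008 R2 use the DISM and netsh commands shown above).

```powershell
# Added example: two-node unicast WNLB cluster for SafeQ Terminal Server failover.
# All names and addresses below are assumptions; replace them with your own.
Import-Module NetworkLoadBalancingClusters

$node1      = 'SAFEQ-TS01'               # assumed host names of the SafeQ nodes
$node2      = 'SAFEQ-TS02'
$nlbNic     = 'Local Area Connection 2'  # second NIC, dedicated to NLB, no gateway
$clusterIp  = '10.0.11.100'              # assumed virtual IP reachable from all MFDs
$subnetMask = '255.255.255.0'
$mfdSubnet  = '10.20.0.0/16'             # assumed MFD subnet behind the gateway below
$nlbGateway = '10.0.11.1'

# Step 1: NLB feature (Windows Server 2012+; on 2008 R2 run the DISM lines above).
Invoke-Command -ComputerName $node1, $node2 -ScriptBlock {
    Install-WindowsFeature -Name NLB -IncludeManagementTools | Out-Null
}

# Step 3: create the cluster on the first node's NLB adapter, then add the second node.
$cluster = New-NlbCluster -HostName $node1 -InterfaceName $nlbNic `
    -ClusterPrimaryIP $clusterIp -SubnetMask $subnetMask `
    -ClusterName 'SAFEQ-NLB' -OperationMode Unicast
$cluster | Add-NlbClusterNode -NewNodeName $node2 -NewNodeInterface $nlbNic | Out-Null

# Step 4: port rule = Multiple host, Single affinity, 30-minute timeout, so an MFD
# stays pinned to one node for the whole session.
$cluster | Get-NlbClusterPortRule |
    Set-NlbClusterPortRule -NewMode Multiple -NewAffinity Single -NewTimeout 30 | Out-Null

# Step 5: initial host state Stopped on every node. A node only joins the cluster
# when Terminal Server explicitly starts it, so a booting node never receives MFD traffic.
$cluster | Get-NlbClusterNode | ForEach-Object {
    $_ | Set-NlbClusterNode -InitialHostState Stopped | Out-Null
}

# Step 8.2: keep the strong host model. No gateway on the NLB adapter, only a
# persistent static route for the MFD subnet bound to that adapter.
Invoke-Command -ComputerName $node1, $node2 -ScriptBlock {
    param($nic, $prefix, $hop)
    $existing = Get-NetRoute -DestinationPrefix $prefix -InterfaceAlias $nic `
        -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $nic -NextHop $hop | Out-Null
    }
} -ArgumentList $nlbNic, $mfdSubnet, $nlbGateway

# Check: with the initial state Stopped, both nodes stay Stopped until the
# Terminal Server service starts them; afterwards they must show Converged.
$cluster | Get-NlbClusterNode | Format-Table Name, State, HostPriority -AutoSize
```

Run it from the management node with an account that is a local administrator on both SafeQ nodes. The script deliberately does not touch weakhostsend: keeping the strong host model plus an explicit per-adapter route is the narrower configuration, as the procedure above recommends.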

Configuring YSoft SafeQ for Correct WNLB usage

  1. Install YSoft SafeQ cluster on the IP address that is not used by WNLB (not the WNLB virtual IP, not the IP address used by WNLB adapter in case of unicast mode).

  2. In YSoft SafeQ management interface go to System > Configuration > set enableNetworkLoadBalancer and operateWnlb properties to enabled.

  3. Perform these steps on all YSoft SafeQ servers that are part of WNLB cluster:

    1. Set Terminal Server to use WNLB virtual IP address:

      1. edit file <SafeQ_dir>\SPOC\terminalserver\TerminalServer.exe.config

      2. set WNLB virtual IP address in the networkAddress parameter

      3. into the <appSettings> section of the config file add a new scanServerIp parameter and set it to the physical IP address of the local Terminal Server node (scanning must reach the specific node, not the virtual IP)

        <add key="scanServerIp" value="physical_IP_address" />


    2. Configure de-registration of the failed node from the WNLB cluster in case of a failure:

      1. Open properties of YSoft SafeQ Terminal Server service (via services.msc) > go to Recovery tab > set the following configuration:

        1. First failure: Run a Program

        2. Program: nlb.exe (located in %SystemRoot%\System32)

        3. Parameters: stop

        4. Repeat steps 1.-3. also for YSoft SafeQ Spooler Controller service

          [Figure: Recovery tab of the Spooler Controller service properties (SPOC_properties.png)]
    3. Restart YSoft SafeQ Spooler Controller and YSoft SafeQ Terminal Server services to apply the settings.

  4. Configure YSoft SafeQ regarding Configuring YSoft SafeQ for Network-level Terminal Failover.

  5. Reinstall embedded terminal on all devices that should be connected to WNLB cluster.

  6. Test of functionality

    1. Try to stop Terminal Server service > WNLB manager shows Stopped state on the node where Terminal Server was stopped (change can take up to one minute)

    2. Try to start Terminal Server service > WNLB manager shows Started state on the node where Terminal Server was started (change can take up to one minute)

    3. It must be possible to authenticate on an MFP while only one node shows the "Converged" state
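The script below is an added example, not Y Soft's own tooling, that automates steps 3.1, 3.2, 3.3 and 6 of the procedure above on one SafeQ node: it edits TerminalServer.exe.config, registers the "nlb.exe stop" recovery action for both services, restarts them, and then verifies that stopping and starting the Terminal Server service deregisters and re-registers the node in the WNLB cluster. The installation directory, the virtual and physical IP addresses, and the assumption that the two services can be resolved by the display names shown in services.msc are all illustrative; steps 2, 4 and 5 (management interface, network-level failover, terminal reinstallation) are not scriptable here and stay manual.

```powershell
# Added example: SafeQ node configuration for WNLB failover plus a failover check.
# Run elevated on each SafeQ node that is part of the WNLB cluster.
Import-Module NetworkLoadBalancingClusters

$safeqDir   = 'C:\SafeQ6'       # assumed <SafeQ_dir>
$wnlbVip    = '10.0.11.100'     # assumed WNLB virtual IP (same on every node)
$physicalIp = '10.0.11.11'      # assumed physical IP of THIS node
$config     = Join-Path $safeqDir 'SPOC\terminalserver\TerminalServer.exe.config'
$tsName     = 'YSoft SafeQ Terminal Server'       # display names as shown in services.msc
$spocName   = 'YSoft SafeQ Spooler Controller'

# Step 3.1: networkAddress = virtual IP, scanServerIp = physical IP of this node.
Copy-Item $config "$config.bak" -Force
[xml]$xml = Get-Content $config
$netAddr = $xml.SelectSingleNode("//add[@key='networkAddress']")
if (-not $netAddr) { throw "networkAddress not found in $config; edit it manually" }
$netAddr.SetAttribute('value', $wnlbVip)
$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) { throw "<appSettings> section not found in $config" }
$scan = $appSettings.SelectSingleNode("add[@key='scanServerIp']")
if (-not $scan) {
    $scan = $xml.CreateElement('add')
    $scan.SetAttribute('key', 'scanServerIp')
    [void]$appSettings.AppendChild($scan)
}
$scan.SetAttribute('value', $physicalIp)
$xml.Save($config)

# Step 3.2: first failure -> run "nlb.exe stop" (sc.exe encodes "Run a Program"
# as actions= run/<delay ms>; a single action means only the first failure runs it).
$nlbExe = Join-Path $env:SystemRoot 'System32\nlb.exe'
foreach ($display in $tsName, $spocName) {
    $svc = Get-Service -DisplayName $display -ErrorAction Stop
    & sc.exe failure $svc.Name reset= 86400 actions= run/1000 command= "$nlbExe stop"
}

# Step 3.3: restart both services so the new settings take effect.
Restart-Service -DisplayName $spocName -Force
Restart-Service -DisplayName $tsName -Force

# Step 6: poll the local node's cluster state until it reaches the expected value
# (the page says the change can take up to one minute; allow 90 s).
function Wait-NlbNodeState {
    param([string]$HostName, [string]$Expected, [int]$TimeoutSec = 90)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $state = [string](Get-NlbClusterNode -HostName $HostName).State
        if ($state -eq $Expected) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

$me = $env:COMPUTERNAME
Stop-Service -DisplayName $tsName -Force
if (-not (Wait-NlbNodeState -HostName $me -Expected 'Stopped')) {
    throw "$me did not leave the WNLB cluster after Terminal Server stopped"
}
Start-Service -DisplayName $tsName
if (-not (Wait-NlbNodeState -HostName $me -Expected 'Converged')) {
    throw "$me did not rejoin the WNLB cluster after Terminal Server started"
}
"Failover check passed on $me"
```

Keep the backup the script writes next to the config file; if the node reaches Stopped but never returns to Converged, check that networkAddress really holds the virtual IP and that the port rule timeout and initial host state match the Environment Requirements above.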
