Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"

ISA 2004: CARP Exclusions (and a tip for 2000)

In ISA 2004 Enterprise Edition, one of the new features that was added based on user feedback was the ability to exclude certain sites from the CARP treatment. I’ve expounded CARP’s virtues before in CARP and NLB.

The problem with CARP – or more specifically, the interaction of CARP with certain sites – is that any given “browsing session” may appear to come from multiple IP addresses. Because the IP address is used as a “key” by some sites (or worse, some form of security token), having lots of them when trying to talk to one of these sites is not a good thing.

CARP is usually a Good Thing, because of its simplicity and scale-out capabilities – turning it off means that your three-node cluster now potentially has three sets of the same data, one in each node’s cache, rather than one set of data that’s three caches big! Most sites work fine with CARP, but there are several that don’t.

ISA 2004 allows you to define exclusions, but if you’re using ISA 2000 and aren’t planning an upgrade (gasp!?), there’s a possibility I’ll throw out there – routing rules.

If you have an upstream ISP that offers a proxy service, throw the site you want to exclude into a Destination Set, and then add a routing rule that forces any traffic to that destination through an upstream proxy. Assuming the upstream proxy only has a single forward-facing IP address (*big* assumption), it might just work around the remote site’s CARP-unfriendliness.

If it doesn’t, there are other cunning ways of dealing with it