Using multiple network cards and IP addresses in one machine

  • Thread starter: Marvin Miller

Marvin Miller

Hi Folks;

I'm having an issue with one of my servers and I think I'm doing something
incorrectly.
The server has 2 NICs, one with a single IP address and the second with
multiple IP addresses - all in the same subnet. Client for Microsoft
Networks is installed on both NICs as well as File & Printer Sharing.

Both NICs have the same default gateway defined and the error I'm seeing is
that browsing from that machine is slow and the event log has errors like
this;

Event ID 4319:
A duplicate name has been detected on the TCP network. The IP address of the
machine that sent the message is in the data. Use nbtstat -n in a command
window to see which name is in the Conflict state.
Event ID: 8022
The browser was unable to retrieve a list of domains from the browser master
\\MAIL on the network
\Device\NetBT_Tcpip_{0DC04389-2D90-45FA-A3A2-29CE1F05524D}. The data is the
error code.

The rest of my network is working well and I suspect all the issues on this
machine are caused by my using both NICs. Does anything obviously wrong come
to mind?

Thanks!
Marvin
 
The big question is Why do you have multiple IP addresses in the same subnet?
This is a definite no-no in the Windows world. Your computer will claim that
multiple addresses belong to the same computer, hence the duplicate name
error. And your routing table will be a mess with local addresses heading
out multiple virtual interfaces. TCP connections will have trouble because
the DNS name will resolve to one IP address, but your computer will be
attempting the connection on another. One IP address per computer per
subnet. If you need more bandwidth look into teaming NICs.

....kurt
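
The layout described in the post above (one subnet spread over two adapters, with a default gateway on each) can be checked mechanically. The following Python script is an added example, not part of the original thread: it parses `ipconfig /all`-style text and reports both conditions. The sample output, adapter names and addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of `ipconfig /all`; adapter names and
# addresses are made up for illustration, not taken from the thread.
SAMPLE_BEFORE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 2:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.1.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(\S*)")


def parse_ipconfig(text):
    """Return {adapter name: {"nets": [IPv4Interface], "gateways": [str]}}."""
    adapters, current, pending_ip = {}, None, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = adapters.setdefault(
                header.group(1), {"nets": [], "gateways": []})
            pending_ip = None
            continue
        field = FIELD_RE.match(line)
        if not field or current is None:
            continue
        key = field.group(1).strip()
        value = field.group(2).split("(")[0]  # drop "(Preferred)" suffix
        if key in ("IP Address", "IPv4 Address"):
            pending_ip = value
        elif key == "Subnet Mask" and pending_ip:
            # Each address is followed by its own mask line.
            current["nets"].append(
                ipaddress.ip_interface(f"{pending_ip}/{value}"))
            pending_ip = None
        elif key == "Default Gateway" and value:
            current["gateways"].append(value)
    return adapters


def audit(adapters):
    """Flag a subnet on several adapters and gateways on several adapters."""
    findings = []
    owners = defaultdict(set)
    for name, cfg in adapters.items():
        for iface in cfg["nets"]:
            owners[iface.network].add(name)
    for net in sorted(owners, key=str):
        if len(owners[net]) > 1:
            findings.append(f"subnet {net} is configured on "
                            f"{len(owners[net])} adapters: "
                            + ", ".join(sorted(owners[net])))
    with_gw = sorted(n for n, c in adapters.items() if c["gateways"])
    if len(with_gw) > 1:
        findings.append(f"default gateway set on {len(with_gw)} adapters: "
                        + ", ".join(with_gw))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipconfig(SAMPLE_BEFORE)):
        print("WARNING:", finding)
```

Several addresses from one subnet on a single adapter are not flagged, since that is the layout the thread ends up recommending for the multiple sites.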
 
Hi Kurt;

Thanks for the reply :-)

What I've got is a web server behind ISA 2004 and that server has two NICs
and multiple sites on it. That's the reason for different IP addresses in
the same subnet - each is for a different site.

Your description of the problems caused by this is exactly what I'm seeing
:-) In a case like this how would you do it - put the other NIC on a
different subnet?

Thanks;
Marvin
 
Personally, I would remove all the network cards but one and use either DNS
aliases or IIS virtual web sites to handle the multiple site issues.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Marvin Miller said:
What I've got is a web server behind ISA 2004 and that server has two NICs
and multiple sites on it. That's the reason for different IP addresses in
the same subnet - each is for a different site.

Your description of the problems caused by this is exactly what I'm seeing
:-) In a case like this how would you do it - put the other NIC on a
different subnet?

You don't put it on a different subnet in this case.
You don't use two nics to start with.
You assign all the IP#s from the same subnet on the same Nic.

With ISA you can publish all those sites using one IP# and one port. Sites
are distinguished by the URL that is used.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
 
Hi Phillip;

Understood. The problem is that I need two FTP sites running on that
machine. That's what originally prompted me to enable both NICs. The web
publishing side seems less problematic than the FTP side - no doubt due to
the limitations of the protocol.

At any rate, that's the actual reason for activating both NIC's in the
server. What to do now?

Thanks everyone ~ I'm learning a lot in this thread :-)



 
Marvin Miller said:
Understood. The problem is that I need two FTP sites running on that
machine. That's what originally prompted me to enable both NICs. The web
publishing side seems less problematic than the FTP side - no doubt due to
the limitations of the protocol.

Ok. HTTP is done with "Web Publishing",...FTP is done with "Server
Publishing". They are two different types of Publishing and,...well,..they
just work differently.

At any rate, that's the actual reason for activating both NIC's in the
server. What to do now?

1. Remove the IP#s from the "second".
2. Add them to the original Nic. They should all be on one nic now.
3. Disable the nic that has no numbers.
4. Move the active Nic to the Top of the priority list in:
   Properties of Net'Places -->
   "Advanced" from the Top Menu -->
   "Advanced Settings" from the Dropdown Menu -->
   Use the side arrow in the upper box to move the Nic to the top
5. Bind the FTP sites to the particular IP# they are supposed to use.
6. Now perform your "Publishing" on the ISA.

Don't under-estimate what a single Nic can do on a fully Switched and
properly segmented network. You would have to try really really really
really hard to overwhelm it.

The reason for two nics in a machine would be under one of these conditions:
1. The machine is being used as a LAN Router
2. The machine is being built as a Firewall or Proxy
3. The Nics are being merged together using a feature called "Nic
Teaming"
4. A dead-end "stub" segment is created for running tape backups.
None of these fit your situation.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Hi Phillip;

Thank you again for an excellent thread - I'm learning some important things
here and I like it :-)
I haven't had a chance to implement these changes yet but I know that this
is the pattern I've been looking for.

If you could, I'd appreciate it if you would keep an eye on this thread as
I'll be implementing some of these changes over the next few days :-)

Thanks!
Marvin


 
Thank you!
I'll keep an eye on it. But if it goes too many days I may forget
things,...I'm getting older by the second :-)

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 
Hi Phillip;

I thought I'd better make hay while the sun is shining - or before you get
any older :-0)

I moved the IP's from the second NIC to the first and re-configured all the
sites and everything on the http side is perfect :-) I also disabled the
second NIC and ensured that the first one was listed first in the binding
order - so that side of things is all done :-)

I'm now looking at the FTP side of things. Correct me if I'm wrong but don't
you have to have one external IP address for every internal ftp site?

My thoughts on this were that you have to server publish FTP which means
that you need a valid external IP for each internal ftp site.

What are your thoughts on the best way to publish several FTP sites behind
ISA?

Thanks a million - things are flying and I'm almost there.....

Best!
Marvin

 
Marvin Miller said:
I'm now looking at the FTP side of things. Correct me if I'm wrong but don't
you have to have one external IP address for every internal ftp site?

My thoughts on this were that you have to server publish FTP which means
that you need a valid external IP for each internal ftp site.

Yes. With FTP that is the cleanest way to do it. There are methods of
monkeying with ports, but having distinct IP#s is the best. On the LAN side
that is why you were to move all those LAN IP#s to the one Nic. You then
go to the Properties of each FTP Site and set the IP# it is bound to to be
the IP# you want. You said you did that with HTTP, ...but you need to do it
with the FTP Sites too.

Then you need multiple Public IP#s to match at least the number of Sites you
need to publish and bind these to the external Nic of The ISA. Then use
"Server Publishing" in ISA to Publish the FTP sites from the selected Public
IP# to the selected LAN IP# using the predefined Protocol in ISA referred to
as "FTP Server" (not the regular FTP). The ISA's own built in help should
give all the information you need to perform the Publishing.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Thanks Phillip !!

We seem to have gotten most everything straightened out :-)

There's zero errors on the webserver's event viewer :-)
The mail server (Exchange 2000) only has the standard errors in the event
viewer on startup (the ones that can't be gotten rid of)
My workstation has zero errors in the event viewer :-)
The network, both internally and externally is working pretty much perfect
:-)

I learned a lot from the posts in this thread so thanks to everyone for
helping! I'm miles ahead of where I was :-)

I do still have a couple of small straggler issues left that I'm wondering
if you might be able to help with (while I've got yer ear).

On the ISA 2004 Server (with all updates and a very recent clean install)
I'm still seeing one error on startup in the Event Viewer. It seems to be
related to Performance Counters and in fact not all of the ISA-specific
performance counters seem to work.

The error is;

Event ID 35 - WinMgmt

WMI ADAP was unable to load the W3Proxy performance library because it
returned invalid data: 0x0

It only occurs once on startup but as I mentioned, not all of the
performance counters for ISA seem to work.

I tried running;

winmgmt /clearadap
as well as;
winmgmt /resyncperf -p XXX (Where XXX is the PID of the WIM process)

but still no joy :-(

Have you run into that one before?

As always, Thanks!
Marvin



 
Marvin Miller said:
On the ISA 2004 Server (with all updates and a very recent clean install)
I'm still seeing one error on startup in the Event Viewer. It seems to be
related to Performance Counters and in fact not all of the ISA-specific
performance counters seem to work.

The error is;

Event ID 35 - WinMgmt

WMI ADAP was unable to load the W3Proxy performance library because it
returned invalid data: 0x0

I can't help with that one. Maybe one of the other guys will know about
that. With some of that stuff you almost have to call MS Support.
 
Marvin Miller said:
The error is;

Event ID 35 - WinMgmt

WMI ADAP was unable to load the W3Proxy performance library because it
returned invalid data: 0x0

You might try going to www.isaserver.org and go into the web forums on the
site and ask about it there. My buddy Tom Shinder that wrote the ISA books
hangs out there and may have an answer. There are several other real
knowledgeable guys in there too and they all know each other pretty well both
"in person" and on the web. If Tom responds, tell him I sent you.
 
Thanks Phillip - been there and done that :-) To date no response and it's
been a while so I guess it's a problem I'll have to live with.

Best & Thanks for all your help - it made my network pretty tidy :-)
Marvin
 