Configuring WNLB Server Failover

How to configure Terminal Server Failover using Windows Network Load Balancing Services (WNLB)

This article describes how to configure YSoft SafeQ to utilize Windows Network Load Balancing services for the Terminal Server (MFP with embedded terminal) failover.


Expected behavior:
A printer with an embedded terminal is able to operate even when its parent node is not running.

Implementation:
In case of a failure or shutdown of the YSoft SafeQ Terminal Server service, the NLB node is deregistered from the cluster.

Description of the environment (Terminal Server failover using WNLB):

(Figure: WNLB_DS_FAILOVER.png, Terminal Server failover using WNLB)



Environment requirements

  • MS Windows 2008 R2 servers (Standard or Enterprise) or newer

  • Properly configured and functional Windows Network Load Balancing cluster

    • At least one physical IP address for each member of WNLB cluster is reachable from client workstations (for print job delivery) and from other members of WNLB cluster (for cluster synchronization)

    • Shared virtual IP address of WNLB cluster is reachable from all MFPs and Network Card Readers on ports according to Network communication overview

    • Filtering mode (WNLB Manager > Cluster properties > Port Rules > Edit) is set to Multiple host with Affinity: Single + Timeout: 30 minutes

      If Network Card Reader (NCR) is used in the environment, filtering mode must be set to Single host and virtual IP of WNLB cluster configured in NCR.


    • In every host's properties the initial host state is set to Stopped (Terminal Server registers the host with WNLB once it is ready to accept connections from MFPs)

Limitations

  • The described failover is available for CML cluster only (not for ORS)

  • If the etcd quorum is lost, jobs on MFPs with pull accounting (e.g. older Xerox devices) are not accounted during the downtime of the parent Terminal Server (they are accounted once the Terminal Server recovers).

  • Print jobs stored on the server that encountered the failure are not available for printing. Use the cluster-readSharedFolderJob parameter and place the spooler directory on a highly available shared location to keep print jobs accessible during the failure of one node.

  • Embedded terminal: pull-print based printers (e.g. older Xerox devices) might not show the job history after printing (because the printer might not be connected to its parent Terminal Server).

  • Samsung Embedded Terminal: devices can be installed only when a single NLB node is running (i.e. Status = Converged, all other NLB nodes must be stopped) and the device must be installed on that node.

Basic example of Network Load Balancing Services configuration

WARNING

The following example serves only as a basic demonstration of the WNLB configuration. It does not serve as a guideline for implementation in a real environment. The implementation of WNLB is not performed by Y Soft. Due to the nature of Windows Network Load Balancing, a detailed analysis of the customer's network environment and the proper selection of the load balancing mode must be done prior to setting up WNLB. Incorrect configuration of WNLB may have a severe impact on the overall performance of the local area network.


Please note that this example applies to Windows Server 2008 R2. The list of steps might differ slightly in newer versions of Windows Server.

1. Install the NLB feature on all nodes, including the management client:

dism /online /enable-feature /featurename:NetworkLoadBalancingFullServer

dism /online /enable-feature /featurename:NetworkLoadBalancingManagementClient

2. Open NLB Manager:

nlbmgr.exe

3. Create a new cluster:

    1. Connect to the first node and select the NIC to be clustered (in unicast mode the first NIC is usually used for standard network communication and its IP address is the one configured in the SafeQ configuration file startup.conf; the second NIC is used purely for NLB clustering and must not be used for anything else)

    2. Enter clustered IP

    3. Enter cluster name and choose multicast or unicast mode (depends on your network configuration), finish the wizard

    4. Select "Add host to cluster" on cluster

    5. Connect to the second node and select the NIC to be clustered. Finish the wizard.
      Both nodes should be in the "Converged" status.

4. In "Cluster properties" > "Port Rules" > "Edit" set the filtering mode to "Multiple host" with Affinity: Single + Timeout: 30 minutes

NOTE: For Network Card Readers use the filtering mode "Single host" and enter the clustered IP into the NCR settings.

5. In every host's properties change the initial host state to "Stopped" (Terminal Server starts the host once it is ready to accept connections from printers)

6. List of ports used by NLB: see Network communication overview

7. Example of a running NLB cluster:

(Figure: nlb.JPG, example of a running NLB cluster)

8. Windows Server 2008 R2 introduces the strong host model, which does not allow traffic received on one NIC to be answered through another. For example, if a request comes in on the second NIC and no default gateway is configured on it, the NIC will not use the first NIC to reply to the request (even though a default gateway is configured on the first NIC). To change this behavior and return to the Windows Server 2003 (weak host) model, run the following command from the command prompt:

NOTE: "Local Area Connection 2" is the name of the clustered network interface.

netsh interface ipv4 set interface "Local Area Connection 2" weakhostsend=enable

To verify that weakhostsend is enabled on both adapters, run the following command:

netsh interface ipv4 show interfaces level=verbose | findstr /R /i "interface weak.host.sends"
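Instead of reading the findstr output by eye, the verification above can be automated. The following Python is an added example (not part of the Y Soft article): it parses the verbose listing produced by netsh interface ipv4 show interfaces level=verbose and reports every required adapter on which Weak Host Sends is not enabled; the sample listing and the interface names are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of `netsh interface ipv4 show interfaces level=verbose`
# on one node after step 8 was applied to "Local Area Connection 2" only
# (both interface names are assumptions).
SAMPLE_NETSH_OUTPUT = """\
Interface Local Area Connection Parameters
----------------------------------------------
IfIndex                            : 11
Metric                             : 10
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled

Interface Local Area Connection 2 Parameters
----------------------------------------------
IfIndex                            : 12
Metric                             : 20
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
"""

# "Interface <name> Parameters" opens each block; settings are "Key : value".
_HEADER = re.compile(r"^Interface (?P<name>.+?) Parameters\s*$")
_SETTING = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*?)\s*$")


def parse_netsh_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface name: {setting: value}} from the verbose listing."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            current = header.group("name")
            interfaces[current] = {}
            continue
        setting = _SETTING.match(line)
        if setting and current is not None:
            interfaces[current][setting.group("key")] = setting.group("value")
    return interfaces


def weak_host_send_disabled(text: str, required: Iterable[str]) -> List[str]:
    """Names from `required` that are absent or lack 'Weak Host Sends : enabled'."""
    parsed = parse_netsh_interfaces(text)
    return [name for name in required
            if parsed.get(name, {}).get("Weak Host Sends", "").lower() != "enabled"]
```

Feed the real command output to weak_host_send_disabled together with the names of both adapters; an empty list means step 8 is complete on that node.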

Configuring YSoft SafeQ for the proper WNLB usage

1. Install the YSoft SafeQ cluster on an IP address that is not used by WNLB (neither the WNLB virtual IP nor, in unicast mode, the IP address of the WNLB adapter).

2. In the YSoft SafeQ Web Interface go to System > Views > Advanced options and set the enableNetworkLoadBalancer and operateWnlb properties to enabled.

3. Perform these steps on all YSoft SafeQ servers that are part of the WNLB cluster:

3a. Set Terminal Server to use WNLB virtual IP address:

  • edit file <SafeQ_dir>\terminalserver\TerminalServer.exe.config

  • set WNLB virtual IP address in the networkAddress parameter

3b. Configure deregistration of the node from the WNLB cluster in case of a service failure:

  • Open the properties of the YSoft SafeQ Terminal Server and YSoft SafeQ CML services (via services.msc) -> go to the Recovery tab -> set the following configuration:

    • First failure: Run a Program

    • Program: nlb.exe

    • Parameters: stop

3c. Restart YSoft SafeQ Terminal Server and YSoft SafeQ CML services to apply the settings.


4. If failover/load balancing for SHARP, Fuji Xerox, Toshiba, OKI or Konica Minolta Embedded Terminals is required, enable etcd:

4a. Log in to the SafeQ Web Interface on the master node with sufficient rights to administer printers (for example, "admin")

4b. Go to System > System settings, set the enableEtcd property to enabled and save the configuration

4c. Restart YSoft SafeQ Terminal Server service on all members of the WNLB cluster

See Configuring etcd for more information if needed.

5. Reinstall the embedded terminal on all devices that should be connected to the WNLB cluster.


Please note that the usage of etcd is now the preferred option. If you do not configure etcd (enableEtcd is not enabled) but use a shared folder for failover/load balancing of SHARP, Fuji Xerox, Toshiba, OKI or Konica Minolta Embedded Terminals and want to continue using it, replace step 4 with the following:

4a. Create a network share (for example \\<server>\DeviceConfigurationData). The network share must be a highly available location. The account(s) running the Terminal Server service on all members of the WNLB cluster must have full privileges for this location.

4b. Stop the YSoft SafeQ Terminal Server service on all members of the WNLB cluster.

4c. On all members of the WNLB cluster edit TerminalServer.exe.config located in <safeq_dir>\terminalserver. In the <appSettings> section add the key SharedLocation:

  • <add key="SharedLocation" value="path" /> (for example <add key="SharedLocation" value="\\<server>\DeviceConfigurationData" />)

4d. Start the YSoft SafeQ Terminal Server service on all members of the WNLB cluster.

Test of functionality

Perform the following tests for all members of the WNLB cluster:

  • Stop the Terminal Server service -> WNLB Manager shows the Stopped state on the node where the Terminal Server was stopped (the change can take up to one minute)

  • Start the Terminal Server service -> WNLB Manager shows the Started state on the node where the Terminal Server was started (the change can take up to one minute)

  • It is possible to authenticate on an MFP when just one node shows the "Converged" state

    • NOTE: It may take up to 2 minutes for the Terminal Server to fully initialize, so authentication on a recently started Terminal Server may fail within 2 minutes of the start.

Manual rebalancing of printers in case that one YSoft SafeQ server fails

NOTE: This topic applies only to printers with pull accounting (e.g. old Xerox devices).

When one of the cluster members fails and it is not possible to quickly recover from failure, it is recommended to rebalance devices between CML nodes to restore proper pull accounting.

1. Go to Devices > Actions > Rebalance devices among CML nodes

2. Check the list of devices in the YSoft SafeQ web interface: all printers were moved to running CML nodes (you may need to display the "Terminal Server ID" column in the device list to see which server is responsible for a particular device)

3. Rebalance the devices again once the failed cluster member is back online


Best practices

  • If all members of the WNLB cluster are in the same subnet, you may use unicast mode.

  • If the members of the WNLB cluster are not in the same subnet, multicast mode must be used.

  • When planning the use of WNLB, it is advised to replace all NCRs with USB readers (otherwise "Single host" filtering is a must, which means only failover is provided, no load balancing takes place and only one CML node is utilized at a time).


NLB in unicast mode

  • Each computer has two network cards

    • Two IP addresses per server and one additional clustered IP

  • Make sure that the second network adapter (the adapter that is failed over via WNLB) has no gateway configured.

  • Make sure the network adapter with the gateway is at the top of the adapters and bindings list (on versions prior to 2016 go to Control Panel -> Network and Sharing Center -> Change adapter settings -> press F10 on the keyboard > Advanced -> Advanced Settings -> tab Adapters and Bindings; in 2016 and newer use the adapter Metric to set the priority)

  • To improve security, add static routes for outgoing data on the NLB adapter instead of using the weak host model. For example, the WNLB adapter is part of the 10.0.11.xx subnet and has network connectivity to the gateway 10.0.11.1; but, as mentioned above, no gateway is configured on the NLB adapter. To keep the strong host model active and still be able to communicate with MFPs in a different subnet 10.20.xx.xx, add a static route on the WNLB adapter: "route add -p 10.20.0.0 mask 255.255.0.0 10.0.11.1".

    • Using netsh is even better, because the static route is bound to the WNLB adapter only.

      • Example of the command to add the static route on the WNLB adapter with interface name "WNLB": netsh interface ipv4 add route 10.20.0.0/16 "WNLB" 10.0.11.1

  • Some network monitoring tools (e.g. MAC spoofing prevention) may block the WNLB communication due to its nature (MAC address is being masked)

  • VMware: All members of the NLB cluster must be running on the same ESX host (must be connected to the single portgroup on the virtual switch)

  • VMware: Forged Transmit on the Portgroup is set to Accept.

  • VMware: Notify Switches Portgroup is set to No.

  • VMware: MAC Address Changes on the Portgroup is set to Accept.

NLB in multicast mode

  • Manual entry of ARP records is required on routers:

    • since NLB packets are unconventional (the IP address is unicast while its MAC address is multicast), switches and routers might drop NLB packets

    • example of the command to add on the switch: arp 192.168.1.100 03bf.c0a8.0164 ARPA
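The ARP entry above is one instance of a fixed rule: NLB derives the cluster MAC from the cluster IP. The following Python is an added example (not part of the Y Soft article) that derives the cluster MAC for any cluster IP in unicast (02-BF-<IP>), multicast (03-BF-<IP>) and IGMP multicast (01-00-5E-7F-<last two octets>) mode and emits the Cisco IOS static ARP line in the form quoted above, so the entry can be generated and cross-checked rather than typed by hand; it generalises beyond the single multicast entry shown on the page.

```python
import ipaddress

# NLB builds the cluster MAC from the cluster IP; these are the prefixes
# used in unicast and multicast operation mode (IGMP is handled below).
_PREFIX = {"unicast": "02:bf", "multicast": "03:bf"}


def nlb_cluster_mac(cluster_ip: str, mode: str = "multicast") -> str:
    """Cluster MAC (lower-case, colon separated) that NLB uses in the given mode."""
    octets = ipaddress.IPv4Address(cluster_ip).packed   # raises on a bad address
    if mode == "igmp":
        # IGMP multicast: 01-00-5E-7F plus the last two octets of the cluster IP
        return "01:00:5e:7f:%02x:%02x" % (octets[2], octets[3])
    if mode not in _PREFIX:
        raise ValueError("mode must be unicast, multicast or igmp")
    return _PREFIX[mode] + "".join(":%02x" % b for b in octets)


def cisco_dotted(mac: str) -> str:
    """Convert aa:bb:cc:dd:ee:ff to the Cisco IOS notation aabb.ccdd.eeff."""
    digits = mac.replace(":", "")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def ios_static_arp(cluster_ip: str) -> str:
    """Static ARP line for a router in front of an NLB cluster in multicast mode."""
    mac = cisco_dotted(nlb_cluster_mac(cluster_ip, "multicast"))
    return "arp %s %s ARPA" % (cluster_ip, mac)


if __name__ == "__main__":
    print(ios_static_arp("192.168.1.100"))   # reproduces the entry quoted above
```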

Various interesting information related to WNLB