load balancer, SNAT, DNAT or both?

  • Question


    In trying to help the team get an OCS 2007 deployment setup, the network team was asked the question whether the load balancer (CSS) would do SNAT or DNAT.  Source NAT or Destination NAT.  Those are kind of generic terms, and there isn't much guidance given. 


    The lack of detail seems odd because the question is asked at installation, and the documentation indicates you should not change it afterwards, so you better get it right because there will be problems if you don't.  Then they leave you hanging...  so what do they really mean by SNAT and DNAT in context of a scenario like ours (which we have to think is very common)?


    The confusion comes in because from a network perspective, the load balancer here is going to do BOTH.  The app seems to want the answer as an 'either or' and does not allow 'both'.  Nobody on the network or apps teams is junior or entry level here but we don't get it.


    In our scenario the LB has to do source (client) NAT.  So the LB is substituting its own IP in place of the client's when it forwards the packet to the Front End servers.  Just FYI why this is needed in some cases - This is necessary so the FE servers reply to the LB - the FE server sees the source IP as the LB itself and replies accordingly.  That way the FE does not reply (route) directly back to the client - if the reply bypasses the LB on the return path the client is expected to drop the packet (because the client sent the request to the LB and expects the reply to come from the LB's IP address, not somebody else's).  That is called asynchronous routing, or often "direct server return" by the LB folks.  If the FE cannot reach the client IP in any way except routing back through the LB you don't need to do it this way.  Such as when the LB is the default gateway for your FE or webserver.


    So, the usual setup I think:  PC to LB, LB to FE ... and replies go back FE to LB, LB to PC.


    PC is say subnet 1

    LB VIP is subnet 2

    FE's are subnet 3


    Between client and LB = neither source nor destination is changed, both original (from the client perspective).


    Between the LB and the FE =  the original source (client) IP is NAT'd to the LB IP.  SNAT, right? 

    Also between the LB and the FE = the original destination IP (LB VIP) was NAT'd to whichever FE server is load balanced to.  DNAT, no? 


    The client PC and the FE server never see the other's IP address.  So both source and destination IP have been changed when the packet reaches the FE server.  That is what some networking people call double NAT, or source NAT AND destination NAT.  Or is there some other perspective?  I know it's possible with some special gear for the LB VIP to be on the same subnet as the FE server (say both on subnet 2), and that might avoid DNAT... but that can't be the assumption for a normal install.


    We are guessing MS has some server-centric perspective, and we are guessing their idea of DNAT is different, but we don't get how.  I hate guessing.  I want to know.


    We have not found any articles, KBs, or whitepapers that explain this in any helpful way.  The MS Technical Reference does not get specific enough to indicate an answer; it just assumes you know what they are thinking by using generic terminology.  It alludes to "availability problems" if DNAT is used but does not give any details.


    This seems to be a KEY decision and it must be made depending on what are going to be varying customer environments. 


    Can anyone explain the difference in the context of what OCS is looking for? 


    Thursday, March 20, 2008 1:52 PM

All replies


    Hi Brown,


    I was wondering if you ever managed to get an answer to your question. We are running into the same problem: do we need SNAT or DNAT?

    Friday, July 25, 2008 6:33 AM
  • This is taken directly from the OCS 2007 Enterprise Deployment Planning Guide, in case you haven't already looked there:


    • Using a load balancer in SNAT mode is recommended for ease of deployment; however, be aware that each SNAT IP address on the load balancer limits the maximum number of simultaneous connections to 65,000. If you deploy a load balancer in SNAT mode, ensure you configure a minimum of one SNAT IP address for each group of 65,000 users. (The open number of connections generally corresponds to the number of active users.) For example, in a deployment supporting 100,000 users, you would configure two SNAT IP addresses.
    • If you use a DNAT (destination network address translation) load balancer for your Enterprise pools, the following is required:
      • Each pool must reside in a distinct IP subnet from other pools, because the Front End Servers in each pool must reside in this distinct IP subnet.
      • For a pool in the expanded configuration, only the Front End Servers must be placed in this distinct IP subnet. All other roles – the Web Conferencing, A/V Conferencing, and Web Components Servers – must reside outside the distinct IP subnet for the Front End Servers. There is no additional restriction on how these other roles can be placed on the network.
    Friday, July 25, 2008 2:59 PM
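    To make the "both" confusion from the original question concrete, and to show why the planning guide's 65,000-connections-per-SNAT-IP figure matters, here is a small Python model of the three-subnet scenario described above (client on subnet 1, VIP on subnet 2, Front Ends on subnet 3). This is an added example, not code from the thread, from OCS, or from Microsoft; the addresses, the `LoadBalancer` class and the `run_scenario` helper are constructed for illustration. It shows that the LB always rewrites the destination (VIP to real FE), that source rewriting is the optional part, and that skipping source rewriting only works when the FE's reply is forced back through the LB (the direct-server-return case the question mentions).

```python
"""Toy model of the SNAT / DNAT question in this thread.

Added example; not from the thread or from Microsoft documentation.
All addresses and the LoadBalancer class are constructed.  The port-pool
size of 65,000 per SNAT address mirrors the figure quoted from the
planning guide in the reply above.
"""
from collections import deque
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed topology: client on subnet 1, VIP on subnet 2, Front Ends on subnet 3
CLIENT_IP = "10.1.0.50"
VIP = "10.2.0.10"
FRONT_ENDS = ("10.3.0.11", "10.3.0.12")
PORTS_PER_SNAT_IP = 65000  # limit quoted from the planning guide


class LoadBalancer:
    """DNAT (VIP -> real FE) always happens; SNAT only if snat_ips is given."""

    def __init__(self, vip, front_ends, snat_ips=()):
        self.vip = vip
        self.front_ends = front_ends
        self.snat_ips = tuple(snat_ips)
        # one pool of ephemeral source ports per SNAT address
        self.free_ports = {ip: deque(range(1024, 1024 + PORTS_PER_SNAT_IP))
                           for ip in self.snat_ips}
        self.sessions = {}  # (snat ip, port) seen by the FE -> original client tuple
        self.next_fe = 0

    def remaining_capacity(self):
        """How many more SNAT'd connections fit before the pools run dry."""
        return sum(len(pool) for pool in self.free_ports.values())

    def forward(self, pkt):
        """Client -> LB packet; returns the packet as the Front End sees it."""
        fe = self.front_ends[self.next_fe % len(self.front_ends)]
        self.next_fe += 1
        if not self.snat_ips:
            # DNAT only: client IP preserved, so the FE will address its reply
            # to the client and must be routed back through the LB.
            return Packet(pkt.src_ip, pkt.src_port, fe, pkt.dst_port)
        for ip in self.snat_ips:
            if self.free_ports[ip]:
                port = self.free_ports[ip].popleft()
                self.sessions[(ip, port)] = (pkt.src_ip, pkt.src_port)
                return Packet(ip, port, fe, pkt.dst_port)  # SNAT + DNAT
        raise RuntimeError("all SNAT ports in use; another SNAT IP is needed")

    def reverse(self, reply):
        """FE -> LB reply; undo both translations so the client sees the VIP."""
        if self.snat_ips:
            client_ip, client_port = self.sessions[(reply.dst_ip, reply.dst_port)]
        else:
            client_ip, client_port = reply.dst_ip, reply.dst_port
        return Packet(self.vip, reply.src_port, client_ip, client_port)


def fe_reply(seen):
    """The Front End simply swaps the addresses of the packet it received."""
    return Packet(seen.dst_ip, seen.dst_port, seen.src_ip, seen.src_port)


def client_accepts(request, reply):
    """A client only matches a reply whose source is the peer it sent to (the VIP)."""
    return (reply.src_ip, reply.src_port, reply.dst_ip, reply.dst_port) == \
           (request.dst_ip, request.dst_port, request.src_ip, request.src_port)


def run_scenario(snat_ips=(), lb_is_fe_gateway=True):
    """Returns (client IP as logged by the FE, whether the client accepted the reply)."""
    lb = LoadBalancer(VIP, FRONT_ENDS, snat_ips)
    request = Packet(CLIENT_IP, 51000, VIP, 5061)
    at_fe = lb.forward(request)
    reply = fe_reply(at_fe)
    # The reply passes the LB if it is addressed to a SNAT IP or if the LB is the FE's router;
    # otherwise it reaches the client directly from the FE's own address (asymmetric path).
    if reply.dst_ip in lb.snat_ips or lb_is_fe_gateway:
        reply = lb.reverse(reply)
    return at_fe.src_ip, client_accepts(request, reply)


def snat_ips_needed(users):
    """Planning-guide rule of thumb: one SNAT address per 65,000 simultaneous connections."""
    return math.ceil(users / PORTS_PER_SNAT_IP)


if __name__ == "__main__":
    print("SNAT+DNAT, FE routes anywhere :", run_scenario(("10.2.0.11",), False))
    print("DNAT only, LB is FE gateway    :", run_scenario((), True))
    print("DNAT only, FE bypasses LB      :", run_scenario((), False))
    print("SNAT IPs for 100,000 users     :", snat_ips_needed(100000))
```

    The three scenarios correspond to the cases argued over in the thread: with SNAT the FE only ever sees the LB's address (hence the IIS log complaint), DNAT alone keeps the real client IP but works only when the FE's default route runs through the LB, and a DNAT-only FE with its own path to the client produces replies the client discards.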
  • Hi Jeff,

    I've seen that piece in the planning guide, but it doesn't give any technical background, which I would really love to have so I can make a solid design decision on this! (Like why does the Front End role have to be separated from the other roles and have its own IP subnet?)

    Kind regards,
    Friday, July 25, 2008 3:57 PM
    I agree that in the LB situation you are really doing SNAT and DNAT. Even more confusing, if the LB is also the router for the FEs, you don't even need to do SNAT, and that makes your IIS logs better (real client IPs in them).

    The OCS tech reference has this statement: "If a load balancer for a pool is configured to operate in DNAT mode, connections from member servers in the pool will be redirected to the local host." To me, this is the heart of the confusion ... what they are getting at with that statement.
    Thursday, January 15, 2009 12:41 AM
    I just thought of one more thing. The A/V traffic goes to the FEs directly, without translation. So, even though your chat 5061 traffic goes to the VIP, the A/V traffic goes directly to one of the FEs' actual IP addresses, not the VIP. Hence, you can't DNAT that.
    Saturday, January 17, 2009 2:49 PM
    It is funny to see that others are looking for the answer to this S/DNAT question. I got a reply from the network team also, that MS seems to think about NAT in different ways than normal network people do.

    As brownj00 wrote in his message, we and our network teams feel that we are using SNAT and DNAT at the same time. But have you read the R2 requirements... DNAT is not supported anymore! :)

    How can such a simple thing be so hard to understand?

    And about James Risto's last comment, the DNAT is not only for the A/V server, but also for Web Conferencing.


    Wednesday, January 21, 2009 10:33 PM
  • We are using SNAT.  If you run the BPA on R1 it will tell you that it is not recommended.  Yes, with R2 the BPA will want to reach out and @#$#@ smack you :)
    Monday, January 26, 2009 10:06 PM