Building a JRun or ColdFusion Cluster Behind a NAT Firewall

Frank DeRienzo, MBA
Principal Technical Support Engineer
Macromedia, Inc.

Many customers use Network Address Translation (NAT) on their firewall, either as a security precaution or as a means of conserving public IP addresses. NAT segregates internal and external resources and allows extra control and monitoring of Web traffic. If you are using NAT, have placed your ColdFusion or JRun servers on the inside of your firewall, and want to place those servers into a cluster, then read on. This article explains how to build a JRun or ColdFusion cluster behind a NAT firewall.

The following procedure is example based. Picture two Web servers, www1.company.com and www2.company.com, with a DNS round-robin name of www.company.com. Unlike the less stable technique of multi-homed servers, each server name corresponds to two IP addresses, an external one and an internal one, configured in the external and internal sources of name resolution respectively, while the round-robin name is configured externally only. The following illustration should bring this to life:

ClusterCATS and NAT setup.

Procedural Requirements
  1. You may cluster ColdFusion Enterprise or JRun 4 behind a NAT firewall. If you are running an earlier version of JRun, make certain it is the Enterprise edition and is at least version 3.01.
  2. Do not create a cluster until the source of name resolution is correctly configured both internally and externally. If a cluster is already up with improper name resolution, or a cluster has been up in any form with improper name resolution and was subsequently deleted, run the ClusterCATS Server Administrator RESET option: Start – Programs – Cfusion or JRun or ClusterCATS – ClusterCATS Server Administrator – Advanced – RESET. Run this twice on each server.
  3. Make certain that the addresses you are translating (the ones corresponding to the outside DNS, but not the round-robin entries) have both forward and reverse DNS entries corresponding to Fully Qualified Host Names (FQHNs). Modify DNS accordingly.
  4. Make certain that the internal addresses -- those addresses already translated by the firewall and corresponding to the internal servers -- have both forward and reverse DNS entries corresponding to FQHNs. Again, modify DNS accordingly. Note: If there is no internal DNS server available, you may use hosts files as the internal source of name resolution.
  5. Make sure that the internal names match the external names. The only difference between the external FQHNs and the internal FQHNs should be the IP addresses. For example, examine the DNS entries for the following two-server cluster:
  6. EXTERNAL - Two FQHNs (forward and reverse) and two round-robin entries (forward only):
    www1.company.com 205.205.205.10
    205.205.205.10 www1.company.com
    www2.company.com 205.205.205.20
    205.205.205.20 www2.company.com
    www.company.com 205.205.205.10
    www.company.com 205.205.205.20

    INTERNAL - The same two FQHNs (forward and reverse) with different IP addresses:
    www1.company.com 192.168.0.10
    192.168.0.10 www1.company.com
    www2.company.com 192.168.0.20
    192.168.0.20 www2.company.com

    Note: Do not set up an internal round-robin entry.

    Note also: Static IP addresses are recommended in lieu of dynamic IP addresses when clustering behind any load-balancing or translating hardware.

  7. Test name resolution using the diagnostic tools. Along with ClusterCATS, you have installed some additional tools that help confirm and troubleshoot your configuration. Run them on each server, against both names and addresses, and look for any error messages in the feedback.
  8. Diagnostic tools used to verify your configuration:

    Use hostinfo to verify DNS name resolution:

    C:\Program Files\ClusterCATS\program> hostinfo <IP address>
    C:\cfusion\brighttiger\program> hostinfo <hostname>

    And also btcfgchk to verify your configuration:

    C:\Program Files\ClusterCATS\program> btcfgchk <IP address>
    C:\Program Files\ClusterCATS\program> btcfgchk <hostname>

    Note: In CF 5.0, the tools are in cfusion\CFAM\Program.

    Diagnostic tools in the Microsoft TCP/IP protocol suite:

    Use ping to check the addresses and host names:
    C:\> ping <destination IP address>
    C:\> ping <hostname>

    Use nslookup two ways to verify both the forward and the reverse DNS entries:
    C:\> nslookup <IP address>
    C:\> nslookup <hostname>

    Use ipconfig to verify the status of the IP stack on both servers:
    C:\> ipconfig /all

    If name resolution is correct, then go on to check the following:

  9. Create the cluster using the Cluster Creation Wizard. Enter the FQHN for each server in the cluster, its maintenance address, and so on.
  10. Enter the external round-robin name and the external Web site IP addresses (comma-separated) in the Web site alias field in ClusterCATS Explorer: Start – Programs – Cfusion or JRun or ClusterCATS – ClusterCATS Explorer – right-click the cluster – Configure – Administration – Load Balance – Web site alias: www.company.com,205.205.205.10,205.205.205.20 (from the example above). Failure to enter these will result in slowed performance.
  11. Test failover by rebooting one server and, while it is down, requesting pages from each server name with a browser. Then request the round-robin name and confirm that the cluster still serves. Note that if you are using static IP addresses with ClusterCATS failover, the failing server will encounter an IP conflict upon recovery and reboot to reclaim its address.
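The rules in steps 3 through 6 and the alias string in step 10 are easy to get subtly wrong (a missing reverse entry, a round-robin name that leaked into the internal zone, two servers translated to the same address). The following script, added here as an illustration and not part of Macromedia's ClusterCATS tooling, applies those rules to the two views of the zone data and derives the Web site alias value. The record lines are constructed to mirror the article's tables; the function and variable names are this example's own.

```python
"""Consistency check for the split-view DNS layout that ClusterCATS expects
behind a one-to-one NAT.  Added example, not part of Macromedia's ClusterCATS
tooling; the record format and the sample data are constructed to match the
article's tables."""
import ipaddress
from collections import defaultdict

# Constructed sample data: the article's two-server example, one record per
# line in the same "name address" (forward) / "address name" (reverse) form.
EXTERNAL_RECORDS = """
www1.company.com 205.205.205.10
205.205.205.10 www1.company.com
www2.company.com 205.205.205.20
205.205.205.20 www2.company.com
www.company.com 205.205.205.10
www.company.com 205.205.205.20
"""

INTERNAL_RECORDS = """
www1.company.com 192.168.0.10
192.168.0.10 www1.company.com
www2.company.com 192.168.0.20
192.168.0.20 www2.company.com
"""

SERVERS = ["www1.company.com", "www2.company.com"]
ROUND_ROBIN = "www.company.com"


def parse_records(text):
    """Split records into forward (name -> ips) and reverse (ip -> names) maps."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for line in text.strip().splitlines():
        left, right = line.split()
        try:
            ipaddress.ip_address(left)          # "address name" => reverse entry
            reverse[left].add(right.lower())
        except ValueError:
            ipaddress.ip_address(right)         # "name address" => forward entry
            forward[left.lower()].add(right)
    return forward, reverse


def check_cluster_dns(external, internal, servers, round_robin):
    """Return a list of rule violations; an empty list means the layout is correct."""
    ext_fwd, ext_rev = parse_records(external)
    int_fwd, int_rev = parse_records(internal)
    problems = []
    ext_ips, int_ips = {}, {}

    for host in (h.lower() for h in servers):
        # Steps 3-5: each server name needs one forward entry and a matching
        # reverse entry in BOTH views, under the identical FQHN.
        for view, fwd, rev, chosen in (("external", ext_fwd, ext_rev, ext_ips),
                                       ("internal", int_fwd, int_rev, int_ips)):
            ips = fwd.get(host, set())
            if len(ips) != 1:
                problems.append(f"{view}: {host} needs exactly one forward entry, found {len(ips)}")
                continue
            ip = next(iter(ips))
            if rev.get(ip) != {host}:
                problems.append(f"{view}: reverse entry for {ip} must resolve to {host} only")
            chosen[host] = ip
        # The only difference between the views should be the address itself.
        if host in ext_ips and host in int_ips and ext_ips[host] == int_ips[host]:
            problems.append(f"{host}: internal and external addresses are identical (no translation)")

    # One-to-one NAT: no two servers may share an external or an internal address.
    for view, chosen in (("external", ext_ips), ("internal", int_ips)):
        if len(set(chosen.values())) != len(chosen):
            problems.append(f"{view}: two servers share one address; translation is not one-to-one")

    # Step 6: the round-robin name exists only externally and covers every server.
    if round_robin.lower() in int_fwd:
        problems.append(f"internal: round-robin name {round_robin} must not be defined internally")
    if ext_fwd.get(round_robin.lower(), set()) != set(ext_ips.values()):
        problems.append(f"external: {round_robin} must point at exactly the external server addresses")
    return problems


def website_alias(external, servers, round_robin):
    """Build the step-10 'Web site alias' value: round-robin name plus external IPs."""
    ext_fwd, _ = parse_records(external)
    ips = [next(iter(ext_fwd[h.lower()])) for h in servers]
    return ",".join([round_robin] + ips)


def internal_hosts_file(internal):
    """Render the internal forward entries as hosts-file lines (the step-4 note)."""
    int_fwd, _ = parse_records(internal)
    return "\n".join(f"{next(iter(ips))} {name}" for name, ips in sorted(int_fwd.items()))


if __name__ == "__main__":
    problems = check_cluster_dns(EXTERNAL_RECORDS, INTERNAL_RECORDS, SERVERS, ROUND_ROBIN)
    for p in problems or ["OK: DNS layout satisfies the NAT clustering rules"]:
        print(p)
    print("Web site alias:", website_alias(EXTERNAL_RECORDS, SERVERS, ROUND_ROBIN))
```

Feed the script the output of your nslookup checks (or the zone files themselves) for each view; every reported problem corresponds to one of the numbered rules above, so an empty list is the green light for step 9. The generated hosts-file lines are only for the case, mentioned in step 4, where no internal DNS server exists.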

Conclusion

The key to active clustering with load-balancing, failover, etc. handled by ClusterCATS behind a NAT box is one-to-one external-to-internal address translation. Another option or alternative to ClusterCATS load-balancing and failover is to use one of the many hardware load-balancing devices offered by Macromedia's vendor partners. These devices can be configured with ClusterCATS to cover multiple points of failure and to assist in providing the speed and reliability required of a world-class Web site. All of the various high-end hardware load-balancing solutions offer a NAT option behind which CFMX or JRun will run splendidly. With its probing and monitoring capabilities ClusterCATS integrates well in a passive mode delegating all load-balancing and failover to the preferred algorithm of any high-end load-balancing device.