More than 1 IP on a Server

IT MAY NOT WORK THE WAY YOU THINK IT SHOULD

So for years with Windows 2003 it was very common to add additional IPs to a NIC. This was especially common on web servers: if you wanted to host multiple SSL sites, each with its own certificate, each one needed its own IP. Without SSL you can usually just use host headers to run multiple websites on one IP, but in those cases where SSL was required, multiple IPs were used on the same NIC.

We did it with OCS on the Edge server, and on many other servers. With Exchange 2010 there is now the option of deploying OWA as a second IIS website so that forms-based authentication (FBA) stays internal when TMG is in front of it. That requires a second IP on the NIC for the second website to bind to.

However, we have found some new information. It is not really new: it has been this way since Windows 2008 was released. Both Joe Dix and Shawn Kirkpatrick have run into this, and I want to thank them for providing the information for this post.

Here is the article that explains the behavior:

http://blogs.technet.com/b/networking/archive/2009/04/24/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx

In Windows 2003, if you added a second IP, the first one in the list was always treated as the primary IP: if an application asked for "any" IP as the source, Windows always used the primary, the first one in the list.

In Windows 2008 this all changed. Windows now runs the source address selection algorithm from RFC 3484 (with one Microsoft addition, Rule 8a) to pick the source IP for any socket that does not bind an explicit local address. This means you may see strange behavior where traffic comes from the wrong IP, or at least from what you think is the wrong IP. The rules, and whether each applies to IPv4:

Rule 1: Prefer same address (applies)
Rule 2: Prefer appropriate scope (applies)
Rule 3: Avoid deprecated addresses (applies)
Rule 4: Prefer home addresses (does not apply to IPv4)
Rule 5: Prefer outgoing interface (applies)
Rule 6: Prefer matching label (does not apply to IPv4)
Rule 7: Prefer public addresses (does not apply to IPv4)
Rule 8a: Use longest matching prefix with the next-hop IP address (Windows addition, not in the RFC)
"If CommonPrefixLen(SA, D) > CommonPrefixLen(SB, D), then prefer SA. Similarly, if CommonPrefixLen(SB, D) > CommonPrefixLen(SA, D), then prefer SB."
This says that the candidate source IP with the most high-order bits in common with the next-hop address will be used.
Note: Rule 8 (Use longest matching prefix) is the same as Rule 8a except that the comparison is against the destination IP address rather than the next-hop IP address.

For two addresses in the same subnet on the same NIC, rules 1 through 7 cannot tell the candidates apart (same scope, same interface, neither deprecated), so Rule 8a is the first rule that actually decides anything.

So let me give you an example.

One CAS/HT server with a second website added, because TMG is in place, the customer wants FBA, wants all internal OWA traffic to stay internal, and is not willing to use the inside interface on TMG for internal OWA traffic.

CAS 1 NIC

192.168.12.5

192.168.12.6

Gateway 192.168.12.1

In this case all seems to work just fine: HT sends email out from the .5 address, and web traffic uses whatever IP is bound in IIS. (Source selection only applies to connections that do not bind a specific local address, such as HT's outbound SMTP connections; an IIS site bound to .6 answers from .6 regardless.)

So what happens if my config is this?

CAS 1 NIC

192.168.12.5

192.168.12.6

Gateway 192.168.12.254

In this configuration the HT used 192.168.12.6 as the sending IP for SMTP, which is not what most people would expect. Note that for these two addresses Rule 8a by itself does not separate them: both .5 and .6 share 24 bits with .254, just as both share 29 bits with .1, so which one wins comes down to a tie-breaker that is not documented, which is why the result looks arbitrary. There are more variables that can affect this: if there is a spam filter on the same subnet as the servers, it becomes the next hop instead of the gateway, and depending on its IP the outcome can be different again.
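The following PowerShell is an added example, not code from the original post or from the TechNet article, that applies Rule 8a to the CAS above. It uses the post's addresses (192.168.12.5 and .6) and next hops (.1 and .254) and adds one assumed next hop, 192.168.12.7, standing in for the spam-filter-on-the-same-subnet case mentioned in the paragraph above. Windows' tie-breaker for equal prefix lengths is not documented here, so the function simply keeps the first candidate and flags the tie.

```powershell
# Added example (not from the original post or the TechNet article): Rule 8a,
# longest common prefix with the next hop, applied to the post's two-address CAS.
# The next hops .1 and .254 are the post's; .7 is an assumed next hop.

function ConvertTo-BitString {
    # IPv4 dotted quad -> 32-character string of 0/1, most significant bit first
    param([Parameter(Mandatory=$true)][string]$Address)
    $n = [int64]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = $n * 256 + $octet      # GetAddressBytes() is already network byte order
    }
    return [Convert]::ToString($n, 2).PadLeft(32, '0')
}

function Get-CommonPrefixLength {
    # CommonPrefixLen(A, B): number of leading bits the two addresses share
    param([string]$A, [string]$B)
    $bitsA = ConvertTo-BitString $A
    $bitsB = ConvertTo-BitString $B
    $len = 0
    while ($len -lt 32 -and $bitsA[$len] -eq $bitsB[$len]) { $len++ }
    return $len
}

function Select-SourceByRule8a {
    # Among candidates that tied on rules 1-7 (same NIC, same subnet), prefer the
    # one with the longest common prefix with the next hop. On a tie this keeps
    # the earlier candidate and reports Tie = $true; Windows' own tie-break is
    # not documented in the post, which is exactly why the result looks arbitrary.
    param([string[]]$Candidates, [string]$NextHop)
    $best = $null
    $bestLen = -1
    foreach ($c in $Candidates) {
        $len = Get-CommonPrefixLength $c $NextHop
        if ($len -gt $bestLen) { $best = $c; $bestLen = $len }
    }
    $winners = @($Candidates | Where-Object { (Get-CommonPrefixLength $_ $NextHop) -eq $bestLen })
    New-Object PSObject -Property @{
        NextHop    = $NextHop
        Source     = $best
        CommonBits = $bestLen
        Tie        = ($winners.Count -gt 1)
    }
}

# The CAS from the post: one NIC, two addresses, .5 listed first.
$cas = @('192.168.12.5', '192.168.12.6')
foreach ($hop in '192.168.12.1', '192.168.12.254', '192.168.12.7') {
    foreach ($c in $cas) {
        '{0} -> next hop {1}: {2} common bits' -f $c, $hop, (Get-CommonPrefixLength $c $hop)
    }
    Select-SourceByRule8a -Candidates $cas -NextHop $hop |
        Format-Table NextHop, Source, CommonBits, Tie -AutoSize
}
```

Running it shows why the post's two configurations look inconsistent: against 192.168.12.1 both candidates share 29 bits and against 192.168.12.254 both share 24 bits, so in both cases Rule 8a reports a tie and the winner depends on the undocumented tie-break. Against the assumed 192.168.12.7 the rule does decide: .6 shares 31 bits with it and .5 only 30, so .6 is the source, regardless of which address was added first. That is the situation where a spam filter or other next hop on the same subnet silently changes which IP your mail leaves from.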

 

So how do you stop this behavior? SkipAsSource.

You have to apply one of the hotfixes listed below, depending on which version of 2008 you are working with.

Then you have to add the second IP with NETSH with the skipassource flag set. The flag can only be set when the address is added, so if the address is already there you have to remove it and re-add it with NETSH with the flag set. See below.

SkipAsSource

There is a new twist in the source IP selection process.

Note: There are two variants of the hotfix, one for Windows Vista / Windows Server 2008 and one for Windows 7 / Windows Server 2008 R2:

975808 All IP addresses are registered on the DNS servers when the IP addresses are assigned to one network adapter on a computer that is running Windows Server 2008 SP2 or Windows Vista SP2

2386184 IP addresses are still registered on the DNS servers even if the IP addresses are not used for outgoing traffic on a computer that is running Windows 7 or Windows Server 2008 R2

After you install the matching hotfix, you can create IPv4 or IPv6 addresses with the netsh command together with the new "skipassource" flag. Addresses added with this flag are not used as the source for outgoing packets unless an application explicitly binds to them.

Note: The flag only works when adding an address; you can't apply it to an address that is already on the machine. You would need to remove the address and add it again with the flag.
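The script below is an added example, not from the original post or from Microsoft, that carries out the remove-and-re-add procedure described above for the CAS in the example and then verifies the result. It assumes the NIC is named "Local Area Connection", that 192.168.12.5 is the primary address (and the one your remote session rides on), that 192.168.12.6 is the secondary to flag, a /24 mask, PowerShell 2.0 or later, and an elevated prompt. The KB numbers are the two hotfixes listed above. On Windows Server 2012 and later the NetTCPIP cmdlets can change the flag on an existing address (Set-NetIPAddress -SkipAsSource), so the script uses that path when the cmdlet exists and only falls back to delete/add on 2008 and 2008 R2.

```powershell
# Added example, not from the original post or from Microsoft: re-create the
# secondary address from the post with SkipAsSource set, then verify it.
# Assumptions: NIC "Local Area Connection", primary 192.168.12.5 (the address
# your session uses), secondary 192.168.12.6 to be flagged, mask 255.255.255.0.
$Interface = 'Local Area Connection'
$Secondary = '192.168.12.6'
$Mask      = '255.255.255.0'

# 1. On Windows Server 2008 / 2008 R2 netsh only accepts skipassource once the
#    hotfix from the post is installed; fail early rather than half-way through.
$os = [Environment]::OSVersion.Version
$kb = $null
if ($os.Major -eq 6 -and $os.Minor -eq 0) { $kb = 'KB975808' }    # Vista / Server 2008
if ($os.Major -eq 6 -and $os.Minor -eq 1) { $kb = 'KB2386184' }   # Win7 / Server 2008 R2
if ($kb -and -not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
    throw "$kb is not installed; netsh would reject skipassource=true"
}

# 2. Set the flag. Server 2012+ can change it on the existing address; on
#    2008 / 2008 R2 the flag is only accepted on add, so delete and re-add.
#    Deleting .6 drops every connection bound to it (the IIS site on .6 is
#    unreachable until the add completes), so do this in a maintenance window
#    and never over a session that rides on .6 itself.
if (Get-Command Set-NetIPAddress -ErrorAction SilentlyContinue) {
    Set-NetIPAddress -IPAddress $Secondary -SkipAsSource $true
} else {
    netsh interface ipv4 delete address "$Interface" $Secondary
    if ($LASTEXITCODE -ne 0) { throw "delete of $Secondary failed" }
    netsh interface ipv4 add address "$Interface" $Secondary $Mask skipassource=true
    if ($LASTEXITCODE -ne 0) { throw "add of $Secondary with skipassource failed" }
}

# 3. Verify: the verbose listing prints a "Skip as Source" line for each
#    address; it must read true for .6 and false for .5.
netsh interface ipv4 show ipaddresses level=verbose
```

Two things to check afterwards. The IIS website bound to 192.168.12.6 keeps working, because an explicit bind is not subject to source selection; only unbound outbound connections such as the HT's SMTP sessions change, and those now leave from .5. The titles of the two KB articles above also make clear that the same flag keeps the address out of dynamic DNS registration, so if anything relied on an A record for .6 being registered automatically, create that record by hand.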

 


About Mitch Roberson

Having worked as a consultant at multiple VARs as well as at Microsoft, Mitch has seen a multitude of environments and has worked with network, systems and security teams alike. This broad experience has driven him to an almost fanatical desire for visibility into his environments, so that he can understand what is happening within them. He is still responsible for the day-to-day operations of Active Directory, Exchange and much more, but his passion is learning how applications communicate so he can decrease mean time to resolution.

1 Response to More than 1 IP on a Server

  1. Charles McGill says:

    Great post, thank you! Here I found a post with a very detailed example of how to define the primary outbound IP: https://www.sysadmit.com/2018/12/windows-configurar-ip-primaria-salida.html
