

Installing and Configuring Microsoft iSCSI Initiator

Applies To: Windows Server 2008 R2, Windows Server 2012

Microsoft iSCSI Initiator is installed natively on Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista. On these operating systems, no installation steps are required.

Note

Booting a computer by using the Microsoft iSCSI Boot Initiator is supported in Windows Server operating systems only.

For information about how to install Microsoft iSCSI Initiator on Windows Server 2003 or Windows XP, see Microsoft iSCSI Initiator Version 2.08 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=44352).

Security

Microsoft iSCSI Initiator supports using and configuring Challenge Handshake Authentication Protocol (CHAP) and Internet Protocol security (IPsec). All supported iSCSI HBAs also support CHAP; however, some may not support IPsec.

CHAP

CHAP is a protocol that is used to authenticate the peer of a connection. It is based on the peer sharing a password or secret. Microsoft iSCSI Initiator supports one-way and mutual CHAP. The usage model that is assumed by Microsoft iSCSI Initiator is that each target can have its own unique CHAP secret for one-way CHAP, and the initiator has a single secret for mutual CHAP with all targets. Microsoft iSCSI Initiator can persist the target CHAP secret for each target by using the iscsicli command AddTarget.

The secret is encrypted before it is persisted, so that only the Microsoft iSCSI Initiator service can read it back. If the target secret is persisted, it does not need to be passed on every logon attempt. Alternatively, a management application such as the graphical user interface in Microsoft iSCSI Initiator can pass the target CHAP secret at each logon attempt. For persistent targets, the target CHAP secret is persisted together with the other information that is used to log on to the target. The target CHAP secret for each persistent target that is handed to the kernel-mode driver in Microsoft iSCSI Initiator is likewise encrypted before it is persisted.

CHAP requires that Microsoft iSCSI Initiator has a user name and secret to operate. The CHAP user name is passed to the target, which looks up the secret for that user name in its private table. By default, Microsoft iSCSI Initiator uses its iSCSI qualified name (IQN) as the CHAP user name; this can be overridden by passing a CHAP user name in the logon request. Note that the kernel-mode driver in Microsoft iSCSI Initiator limits the CHAP user name to 223 characters. Because CHAP authenticates only the logon, and a captured challenge/response exchange can be attacked offline by guessing the secret, use long random secrets and, where the storage network is not physically isolated, combine CHAP with IPsec.

For more information about CHAP, see the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=159074.
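The following is an added example, not code from the original article, showing the one-way and mutual CHAP model described above configured with the iSCSI PowerShell module on Windows Server 2012. The portal address, target IQN and CHAP user name are hypothetical; the secrets are read at the prompt so they do not end up in the script or the command history.

```powershell
# Added example (not from the original article): one-way plus mutual CHAP with
# the iSCSI module on Windows Server 2012. Portal, IQN and user name are hypothetical.
$portal    = '10.10.20.5'
$targetIqn = 'iqn.2012-01.com.example:storage.array01'
$chapUser  = 'fileserver01'   # sent to the target; defaults to the initiator IQN if omitted

# Read a secret without echoing it. The initiator accepts target secrets of
# 12 to 16 characters when IPsec is not protecting the connection.
function Read-ChapSecret([string]$Prompt) {
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    if ($plain.Length -lt 12 -or $plain.Length -gt 16) {
        throw "CHAP secret must be 12 to 16 characters (got $($plain.Length))."
    }
    return $plain
}

# The kernel-mode driver limits the CHAP user name to 223 characters.
if ($chapUser.Length -gt 223) { throw 'CHAP user name exceeds the 223-character limit.' }

$targetSecret    = Read-ChapSecret 'Target CHAP secret (target authenticates this host)'
$initiatorSecret = Read-ChapSecret 'Initiator CHAP secret (this host authenticates targets)'
if ($initiatorSecret -eq $targetSecret) { throw 'Use a different secret for each direction.' }

# Mutual CHAP: the initiator keeps one secret that every target uses to
# authenticate back to it, so it is set once, not per target.
Set-IscsiChapSecret -ChapSecret $initiatorSecret

# One-way CHAP secret is per target and is supplied at logon. -IsPersistent stores
# it (encrypted) with the target so the logon is repeated automatically after a reboot.
New-IscsiTargetPortal -TargetPortalAddress $portal | Out-Null
Connect-IscsiTarget -NodeAddress $targetIqn `
                    -AuthenticationType MUTUALCHAP `
                    -ChapUsername $chapUser -ChapSecret $targetSecret `
                    -IsPersistent $true | Out-Null

# Check that the session really negotiated mutual CHAP rather than falling back.
$session = Get-IscsiSession | Where-Object TargetNodeAddress -eq $targetIqn
if ($session.AuthenticationType -ne 'MUTUALCHAP') {
    throw "Session to $targetIqn negotiated $($session.AuthenticationType), not MUTUALCHAP."
}
$session | Format-List TargetNodeAddress, AuthenticationType, IsPersistent, IsConnected
```

The length check mirrors the constraint the initiator enforces for non-IPsec secrets; the final check matters because a target that has CHAP disabled would otherwise accept the logon silently with no authentication at all.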

IPsec

IPsec is a protocol that provides authentication and data encryption at the IP packet layer. The Internet Key Exchange (IKE) protocol is used between peers to allow the peers to authenticate each other and negotiate the packet encryption and authentication mechanisms to be used for the connection.

Because Microsoft iSCSI Initiator uses the Windows TCP/IP stack, it can use all of the IPsec functionality that the Windows TCP/IP stack provides. For authentication, this includes preshared keys, the Kerberos protocol, and certificates. IPsec policies and filters can be distributed to computers running Microsoft iSCSI Initiator through Active Directory Group Policy. 3DES and HMAC-SHA1 are supported, in addition to tunnel and transport modes.

Because an iSCSI HBA has its own TCP/IP stack embedded in the adapter, the HBA implements IPsec and IKE itself, so the functionality that is available varies from one HBA to another. At a minimum, an HBA that supports IPsec offers preshared keys, 3DES, and HMAC-SHA1. Microsoft iSCSI Initiator exposes a common API that is used to configure IPsec for both the software initiator and iSCSI HBAs.

For more information about IPsec, see the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=159075.
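The following is an added example, not code from the original article, that requires IPsec transport mode for iSCSI traffic (TCP port 3260, the standard iSCSI port) using the Windows Firewall with Advanced Security cmdlets on Windows Server 2012. The storage subnet, interface alias and CA name are hypothetical, and the certificate variant assumes machine certificates from that CA are already deployed to the initiators and targets. The preshared-key/3DES variant the page mentions as the HBA minimum is shown commented out beside the preferred configuration.

```powershell
# Added example (not from the original article): require ESP transport mode
# for iSCSI on the dedicated SAN adapter. Subnet, alias and CA name are hypothetical.
$storageSubnet = '10.10.20.0/24'
$iscsiNic      = 'iSCSI-A'          # adapter dedicated to SAN traffic

# Weak variant: one preshared key shared by every host, 3DES with HMAC-SHA1.
# Keep this only for an HBA that supports nothing stronger.
#   $auth   = New-NetIPsecPhase1AuthSet -DisplayName 'iSCSI PSK' `
#               -Proposal (New-NetIPsecAuthProposal -Machine -PreSharedKey 'long-random-key')
#   $crypto = New-NetIPsecQuickModeCryptoSet -DisplayName 'iSCSI ESP 3DES' `
#               -Proposal (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption DES3 -ESPHash SHA1)

# Preferred variant: machine certificates from the storage CA, ESP with AES-256 and SHA-256.
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'iSCSI machine cert' `
          -Proposal (New-NetIPsecAuthProposal -Machine -Cert -Authority 'CN=Contoso Storage CA' -AuthorityType Root)
$crypto = New-NetIPsecQuickModeCryptoSet -DisplayName 'iSCSI ESP AES256' `
            -Proposal (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256)

# Require protection in both directions. "Request" would fall back to cleartext
# if the target does not negotiate; "Require" makes an unprotected logon fail instead.
New-NetIPsecRule -DisplayName 'iSCSI to storage array (ESP required)' `
    -InterfaceAlias $iscsiNic -Protocol TCP -RemotePort 3260 -RemoteAddress $storageSubnet `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $auth.Name -QuickModeCryptoSet $crypto.Name

# Check after the next iSCSI logon: a quick-mode SA should exist toward each target,
# and a capture on the SAN adapter should show ESP rather than plain TCP 3260.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

The rule is scoped to the SAN adapter and storage subnet so that it cannot interfere with LAN traffic, and the target side needs a matching connection security rule (or equivalent HBA/array setting) or the logon will fail, which is the intended outcome when the peer cannot prove its identity.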

Microsoft iSCSI Initiator best practices

The following best practices are recommended for your Microsoft iSCSI Initiator configuration:

  • Deploy on a fast network (a GigE or faster network).

  • Ensure physical security.

  • Use strong passwords for all accounts.

  • Use CHAP authentication because it ensures that each host has its own password. Mutual CHAP authentication is also recommended.

  • Use iSNS to discover and manage access to iSCSI targets.

Note

Use Microsoft MultiPath IO (MPIO) to manage multiple paths to iSCSI storage. Microsoft does not support teaming on network adapters that are used to connect to iSCSI-based storage devices. This is because the teaming software that is used in these types of configurations is not owned by Microsoft, and it is considered to be a non-Microsoft product. If you have an issue with network adapter teaming, contact your network adapter vendor for support. If you have contacted Microsoft Support, and they determine that teaming is the source of your problem, you might be required to remove the teaming from the configuration and/or contact the provider of the teaming software.

Storage array performance best practices

You should ensure that your storage array is optimized for the best performance for your workload. We recommend that you choose iSCSI arrays that include RAID functionality and cache. When you are configuring versions of Microsoft Exchange Server with other I/O applications that are sensitive to latency, it is especially important to keep the Microsoft Exchange Server disks in a separate pool on the array. For more information and best practices for using Exchange Server with iSCSI, see the Microsoft Exchange Solution Reviewed Program (https://go.microsoft.com/fwlink/?LinkId=154595).

For applications that do not have low latency or high IOPS requirements, storage networks for Microsoft iSCSI Initiator can be implemented over SAN or WAN links, which allow global distribution. Microsoft iSCSI Initiator eliminates the conventional boundaries of storage networking, enabling businesses to access data world-wide, and helps ensure the most robust disaster protection possible. To maximize performance, we recommend that you use iSCSI on a network that is dedicated for iSCSI traffic.

Follow the vendors’ best practice guidelines for storage arrays to configure Microsoft iSCSI Initiator timeouts.

Security best practices

The protocol in Microsoft iSCSI Initiator was implemented with security in mind. In addition to segregating iSCSI SANs from LAN traffic, the following security methods are available by using Microsoft iSCSI Initiator:

  • One-way and mutual CHAP

  • IPsec

  • Access Control

Access control to a specific LUN, also referred to as LUN masking, is configured on the iSCSI target before the Windows host logs on. Targets typically key it on the initiator's IQN, so a host sees only the LUNs that have been assigned to it.

Microsoft iSCSI Initiator supports one-way and mutual CHAP, in addition to IPsec. In accordance with the iSCSI standards, IPsec provides encryption and CHAP provides authentication. Key exchange for the encrypted connection is handled by the Windows Internet Key Exchange (IKE) implementation. Microsoft iSCSI Initiator has a common API that can be used to configure both the software initiator and iSCSI HBAs.

Networking best practices

The following best practices are recommended for networking when you use Microsoft iSCSI Initiator:

  • Use nonblocking switches, and set Configure Network Port Speed to a specific value rather than allowing speed negotiation.

  • Disable the unicast storm control. Most switches have unicast storm control disabled by default. If your switch has unicast storm control enabled, you should disable it on the ports that are connected to Microsoft iSCSI Initiator hosts and targets to avoid packet loss.

  • Use MPIO to manage multiple network connections to the storage in Microsoft iSCSI Initiator. This provides additional redundancy and fault tolerance on Windows Server operating systems.

Note

Microsoft does not support the use of both MPIO and MCS connections to the same device. Use either MPIO or MCS to manage paths to storage and load balance policies.

  • Enable flow control on network switches and adapters. Flow control ensures that a receiver can pace the sender’s speed, and it is important in avoiding data loss.

  • Turn off the spanning tree algorithm for detecting loops on the switch ports that face iSCSI hosts and targets. Loop detection delays the point at which a port becomes usable for data transfer after a link comes up, which can lead to application timeouts. Apply this only to those edge ports (for example, by configuring them as edge or PortFast ports); disabling spanning tree on links between switches can create a forwarding loop.

  • Segregate SAN and LAN traffic. SAN interfaces in Microsoft iSCSI Initiator should be separated from other corporate network traffic (LAN). Servers should use dedicated network adapters for SAN traffic. Deploying traffic for Microsoft iSCSI Initiator on a separate network or networks helps minimize network congestion and latency. Additionally, traffic for Microsoft iSCSI Initiator is more secure when SAN and LAN traffic can be separated by using port-based virtual local area networks (VLANs) or physically separate networks.

  • Configure additional paths for high availability. Use MPIO or multiple connections per session (MCS) with additional network adapters in the server. This creates additional connections to the storage array in Microsoft iSCSI Initiator through redundant Ethernet switch fabrics.

  • Unbind File and Print Sharing from the Microsoft iSCSI Initiator network adapters that connect only to the Microsoft iSCSI Initiator SAN.

  • Use an Ethernet connection that is a gigabit or faster for high-speed access to storage. Congested or lower-speed networks can cause latency issues that disrupt access between Microsoft iSCSI Initiator and applications for devices that are connected through Microsoft iSCSI Initiator. In many cases, a properly designed IP SAN can deliver better performance than internal hard disk drives. Microsoft iSCSI Initiator is suitable for WAN and lower-speed implementations, including replication where latency and bandwidth are not a concern.

  • Use server-class network adapters. We recommend that you use network adapters that are designed for enterprise networking and storage applications.

  • Use CAT-6-rated cables for gigabit network infrastructures. For 10-gigabit implementations, CAT-6a or CAT-7 cable is usually required for use with distances over 55 meters.

  • Use Jumbo Frames if your network infrastructure supports them. Jumbo Frames can be used to allow more data to be transferred with each Ethernet transaction and reduce the number of frames. This larger frame size reduces the overhead on your servers and iSCSI targets. For end-to-end support, each device in the network needs to support Jumbo Frames, including the network adapter and Ethernet switches.

Networking hardware best practices

In a server environment where uptime and redundancy are required, we recommend that you configure multiple network adapters so that no single adapter or port is a single point of failure. This section discusses the network connections that typically have differing management requirements:

iSCSI network connection   The iSCSI data network is typically connected to a different network segment than the network that is used for client access. To provide redundancy for this connection, we recommend two or more ports on two network adapters. These connections should be managed by MPIO to provide redundancy of the connections, and depending on the configuration, increased throughput.

Client access network   The client access network is a network port that uses a network segment that is dedicated for client access to the server. For example, clients use this network to connect to a file server, Exchange Server, or SQL Server. For network adapter port redundancy, network adapter teaming can be employed to provide redundancy across two or more network ports, and in some configurations, increased throughput.

Management network   A management network is typically an isolated network segment that is used for server management. In some configurations, this can also be used for backup jobs to avoid impacting the data or client access networks.

In addition to the three network types that are described in the previous paragraphs, in the case of a Windows Server Failover Cluster (WSFC) configuration, an additional network is needed for cluster heartbeat traffic. This network is dedicated for cluster heartbeat traffic, and it is not used for any of the other types of traffic defined previously.

An example configuration is shown in the following table:

Server configuration   Recommendation

Stand-alone server (non-clustered)   Six network ports across a minimum of two cards. Configure two ports for client access (by using network teaming) and two ports for iSCSI connectivity to storage (by using MPIO for redundancy). Configure one network interface for system management and one for system backups.

Windows Server Failover Cluster   Six network ports across a minimum of three network adapters. Configure the same as above, plus add at least one port that is dedicated for cluster heartbeat traffic.

Where possible, network adapter ports should be connected to different network switches to allow for redundancy if there are issues with a network switch, as shown in the following figure:

Figure 3   Network switch redundancy

The previous figure depicts a network hardware configuration with a basic level of redundancy. In scenarios where greater levels of fault tolerance are required, additional connections can be configured, as shown in the following figure. The green and blue lines represent additional levels of network fault tolerance.

Figure 4   Hardware configuration with additional connections

Enabling iSNS traffic through the firewall

Allowing an Internet Storage Name Service (iSNS) server through the firewall can be done directly from the iSCSICLI command-line utility. However, you can still control the resulting rule through Windows Firewall with Advanced Security, if desired.

To enable iSNS traffic for use with Microsoft iSCSI Initiator

Use the following command to enable iSNS traffic through the firewall. This allows you to use an iSNS server with the local Microsoft iSCSI Initiator:

iscsicli FirewallExemptiSNSServer
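The following is an added example, not from the original article, of registering an iSNS server with the initiator and allowing its traffic through Windows Firewall with Advanced Security with a rule scoped to that server and to the initiator service, instead of a blanket exemption. The iSNS server address is hypothetical, and TCP is assumed for the server's notifications back to the client.

```powershell
# Added example (not from the original article): scoped firewall rule for iSNS.
# 10.10.20.9 is a hypothetical iSNS server; TCP is assumed for its notifications.
$isnsServer = '10.10.20.9'
$ruleName   = 'iSNS server to iSCSI initiator'

# Register the iSNS server with the initiator. Targets registered there then
# appear in the initiator's target list without a manual portal entry.
iscsicli AddiSNSServer $isnsServer
iscsicli ListiSNSServers

# Allow inbound traffic only from that server, only to the iSCSI initiator
# service (service name MSiSCSI), and only on the domain profile.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -Service MSiSCSI -RemoteAddress $isnsServer

# Check that the scope stuck: RemoteAddress must list the server, not "Any".
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

If the iSNS server is later moved, update the address filter with Set-NetFirewallAddressFilter rather than widening the rule to any remote address.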

Connecting to an iSCSI target device

Complete the following procedure to establish a connection from the client computer that is using Microsoft iSCSI Initiator to an iSCSI target device by using the Quick Connect feature.

Note

The Quick Connect feature does not support advanced connection types, such as MPIO connections, CHAP, IPsec, or MCS. This feature is used to quickly create a connection to a target device when advanced settings (such as support for MPIO and MCS or for security features) are not needed. For information about these types of connections, see Connecting to an iSCSI target by using advanced settings later in this document.

To connect to an iSCSI target device by using Quick Connect

  1. Click Start, type iSCSI in Start Search, and then under Programs, click iSCSI Initiator.

  2. On the User Account Control page, click Continue.

  3. If this is the first time that you have launched Microsoft iSCSI Initiator, you receive a prompt that says the Microsoft iSCSI service is not running. You must start the service for Microsoft iSCSI Initiator to run correctly. Click Yes to start the service. The Microsoft iSCSI Initiator Properties dialog box opens, and the Targets tab is displayed.

  4. On the Targets tab, type the name or the IP address of the target device in the Quick Connect text box, and then click Quick Connect. The Quick Connect dialog box is displayed.

  5. If multiple targets are available at the target portal that is specified, a list is displayed. Click the desired target, and then click Connect.

Note

If only one target is available, it is automatically connected.

  6. Click Done.

Note

If the hard disk drive was previously formatted, it is now accessible and ready to use. If it was not previously formatted, you must format it and assign a drive letter before using the device.

To format the hard disk drive

  1. Click Start, type diskmgmt.msc in Start Search, and then under Programs, click diskmgmt.

  2. On the User Account Control page, click Continue. The Disk Management console is displayed.

  3. If the hard disk drive has not been previously used, you are prompted to initialize it. Click MBR (Master Boot Record), or GPT if the disk is larger than 2 TB, and then click OK. In the Disk Management console, the connected disk for Microsoft iSCSI Initiator is displayed.

  4. Right-click the hard disk drive, and then click New Simple Volume. The New Simple Volume Wizard is displayed.

  5. On the Welcome page, click Next.

  6. On the Specify Volume Size page, enter the simple volume size, and then click Next.

  7. On the Assign Drive Letter or Path page, click the drive (for example, drive D) that you want to use, and then click Next.

  8. On the Format Partition page, select the file system and type the volume label that you want, and then click Next.

  9. On the Completing the New Simple Volume page, review the summary details for the new partition, and then click Finish.

  10. To access the new partition when the formatting process completes, in the Disk Management console, right-click the partition, and then click Open. Or you can use My computer to access the new partition that is connected through Microsoft iSCSI Initiator.
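The following is an added example, not from the original article, that performs the Quick Connect and disk-preparation steps above from PowerShell with the iSCSI and Storage modules on Windows Server 2012. The portal address and volume label are hypothetical. Like Quick Connect, it configures no CHAP or IPsec, so it is only appropriate on an isolated storage network.

```powershell
# Added example (not from the original article): Quick Connect plus disk
# preparation from PowerShell. Portal address and volume label are hypothetical.
$portal = '10.10.20.5'
$label  = 'iSCSI-Data'

# Step 3 equivalent: the initiator service must be running, and should start at boot.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Step 4 equivalent: discover the portal (TCP 3260 by default) and list its targets.
New-IscsiTargetPortal -TargetPortalAddress $portal | Out-Null
$targets = @(Get-IscsiTarget | Where-Object { -not $_.IsConnected })
if ($targets.Count -eq 0) { throw "No unconnected targets discovered at $portal." }

# Step 5 equivalent: connect automatically when there is one target, otherwise ask.
$target = if ($targets.Count -eq 1) { $targets[0] } else {
    $targets | Format-Table NodeAddress | Out-Host
    $choice = Read-Host 'Target IQN to connect'
    $targets | Where-Object NodeAddress -eq $choice
}
if (-not $target) { throw 'No such target.' }
Connect-IscsiTarget -NodeAddress $target.NodeAddress -IsPersistent $true | Out-Null

# Disk preparation: the LUN appears as a disk with BusType iSCSI. The server SAN
# policy may leave new shared disks offline and read-only, so fix that first.
$disk = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' } |
        Select-Object -First 1
if (-not $disk) { throw 'No uninitialized iSCSI disk found; a formatted disk is already usable.' }
Set-Disk -Number $disk.Number -IsOffline $false
Set-Disk -Number $disk.Number -IsReadOnly $false

# GPT rather than the MBR chosen in the GUI walkthrough: MBR cannot address more than 2 TB.
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $label -Confirm:$false
Get-Volume -FileSystemLabel $label
```

Filtering on PartitionStyle RAW is what keeps the script from reinitializing a disk that already carries data; a disk that was formatted elsewhere shows up with MBR or GPT and is left alone.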

Connecting to an iSCSI target by using advanced settings

Quick Connect cannot be used for connections to iSCSI target devices that require any of the following features:

  • MPIO

  • Multiple connections per session (MCS)

  • CHAP, IPsec, or RADIUS security

  • Connections that require specific TCP ports, or those that require selecting a specific network adapter

To make an advanced connection

  1. Click Start, type iSCSI in Start Search, and then under Programs, click iSCSI Initiator.

  2. On the User Account Control page, click Continue.

  3. If this is the first time that you have launched Microsoft iSCSI Initiator, you receive a prompt that says the Microsoft iSCSI service is not running. You must start the service for Microsoft iSCSI Initiator to run correctly. Click Yes to start the service. The Microsoft iSCSI Initiator Properties dialog box opens, and the Targets tab is displayed.

  4. Click the Discovery tab.

  5. To add the target portal, click Discover Portal, and then in the Discover Portal dialog box, type the IP address or name of the target portal to connect to. If desired, you can also type an alternate TCP port to be used for the connection.

Note

To enter additional settings, such as the outbound IP address (when you are using multiple network adapters), and security settings (such as CHAP and RADIUS), click Advanced.

  6. Click OK.
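The procedure above is cut off on this page. The following is an added example, not from the original article, of the advanced connection done from PowerShell on Windows Server 2012: one-way CHAP, a specific initiator adapter and target port for each path, and MPIO (rather than network adapter teaming) managing the two paths. The addresses, target IQN and CHAP user name are hypothetical; the secret is read at the prompt.

```powershell
# Added example (not from the original article): multipath iSCSI logon with CHAP,
# pinned to a dedicated adapter per path. Addresses, IQN and user name are hypothetical.
$targetIqn = 'iqn.2012-01.com.example:storage.array01'
$chapUser  = 'fileserver01'
$paths = @(
    @{ Initiator = '10.10.20.11'; Portal = '10.10.20.5'; Port = 3260 },   # switch fabric A
    @{ Initiator = '10.10.21.11'; Portal = '10.10.21.5'; Port = 3260 }    # switch fabric B
)

# MPIO is the supported way to use several adapters for iSCSI. Installing the
# feature needs a restart before the Microsoft DSM can claim iSCSI devices.
if (-not (Get-WindowsFeature -Name Multipath-IO).Installed) {
    Install-WindowsFeature -Name Multipath-IO
    throw 'Multipath-IO installed; restart the server, then run this script again.'
}
Enable-MSDSMAutomaticClaim -BusType iSCSI
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR   # round robin across both fabrics

$targetSecret = Read-Host 'Target CHAP secret'
foreach ($p in $paths) {
    # Pin discovery and logon to one initiator address and target port so the
    # session can never drift onto the LAN adapter.
    New-IscsiTargetPortal -TargetPortalAddress $p.Portal -TargetPortalPortNumber $p.Port `
        -InitiatorPortalAddress $p.Initiator | Out-Null
    Connect-IscsiTarget -NodeAddress $targetIqn `
        -TargetPortalAddress $p.Portal -TargetPortalPortNumber $p.Port `
        -InitiatorPortalAddress $p.Initiator `
        -AuthenticationType ONEWAYCHAP -ChapUsername $chapUser -ChapSecret $targetSecret `
        -IsMultipathEnabled $true -IsPersistent $true | Out-Null
}

# Check: one session per path, each bound to the intended initiator address.
$sessions = @(Get-IscsiSession | Where-Object TargetNodeAddress -eq $targetIqn)
if ($sessions.Count -ne $paths.Count) {
    throw "Expected $($paths.Count) sessions to $targetIqn, found $($sessions.Count)."
}
$sessions | Get-IscsiConnection | Format-Table InitiatorAddress, TargetAddress, TargetPortNumber
mpclaim -s -d   # MPIO's view: the disk should list one path per session
```

Use either MPIO (as here) or MCS for a given device, never both, and keep the two paths on physically separate switches so that a single switch failure leaves one path up.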