
Load Balancing Microsoft IIS

Deployment Guide
v1.4.1
Copyright 2014 Loadbalancer.org, Inc.


Table of Contents
About this Guide
    Appliances Supported
    Microsoft IIS Software Versions Supported
    Loadbalancer.org Software Versions Supported
Microsoft Internet Information Services (IIS)
Load Balancing IIS
    The Basics
        Sharing the Load
        Providing Resilience
        IIS Server Health-checks
        Ports & Protocols
        SSL & Certificates
        Persistence (aka Server Affinity)
Deployment Architecture
Load Balancer Deployment Methods
    Layer 4
        DR Mode (aka Direct Server Return)
        Network Address Translation (NAT Mode)
    Layer 7
        Source Network Address Translation (HAProxy)
    Loadbalancer.org Recommended Method
Loadbalancer.org Appliance – the Basics
    Network Configuration
    Accessing the Web User Interface (WUI)
    Clustered Pair Configuration
Implementing IIS using Layer 4 DR Mode
    Overview
    Load Balancer Configuration
        Configure the Network Interface
        Configure the Virtual Service (VIP)
        Configure the Real Servers (RIPs)
    IIS Server Configuration
        Solve the 'ARP Problem'
        Configure IIS Bindings
    DR Mode – Key Points
Implementing IIS using Layer 4 NAT Mode
    Overview
    Load Balancer Configuration
        Configure the Network Interfaces
        Configure the Virtual Service (VIP)
        Configure the Real Servers (RIPs)
    IIS Server Configuration
        Default Gateway
    NAT Mode – Key Points
Implementing IIS using Layer 7 SNAT (HAProxy) Mode
    Overview
    Load Balancer Configuration (single-arm example)
        Configure the Network Interface
        Configure the Virtual Service (VIP)
        Configure the Real Servers (RIPs)
    IIS Server Configuration
    HAProxy – Key Points
Additional Configuration Options & Settings
    SSL Certificates
        1 – Installed on the IIS Servers
        2 – Installed on the Load balancer (aka SSL off-loading)
    Grouping Multiple Ports on a Single Virtual Service (VIP)
        Layer 4 – Using Firewall Marks
        Layer 7 – By Defining Multiple Ports
    Real Server (IIS) Health Checks
        Layer 4
        Layer 7
    Using Server Feedback Agents
        Windows Agent
    Load Balancer Transparency
        Layer 4 – DR & NAT Mode
        Layer 7 – TProxy
        Layer 7 – X-Forwarded-For Headers
Testing & Validation
    Monitoring
        Layer 4
        Layer 7
Technical Support
Conclusion
Appendix
    1 – Clustered Pair Configuration – Adding a Slave Unit
    2 – Company Contact Information

About this Guide
This guide details the configuration of Loadbalancer.org appliances for deployment with Microsoft Internet Information Services (IIS).
For an introduction on setting up the appliance as well as more technical information, please also refer to our quick-start guides and full administration manuals which are available at the following links:
Quickstart guide: http://www.loadbalancer.org/pdf/quickstartguideLBv7.pdf
Administration manual: http://www.loadbalancer.org/pdf/loadbalanceradministrationv7.pdf

Appliances Supported
All our products can be used with IIS. The complete list of models is shown below:
• Enterprise R16
• Enterprise
• Enterprise MAX
• Enterprise 10G
• Enterprise R320
• Enterprise VA
• Enterprise VA R16
For a full specification comparison of these models please refer to: http://www.loadbalancer.org/matrix.php

Microsoft IIS Software Versions Supported
• Microsoft IIS – all versions

Loadbalancer.org Software Versions Supported
• v7.3.2 and later
N.B. this guide includes configuration steps for v7.6 & later. For older versions of the appliance please contact loadbalancer.org sales or support

Microsoft Internet Information Services (IIS)
IIS is one of the components of Microsoft Windows and is Microsoft's implementation of a web server. The protocols supported include HTTP, HTTPS, FTP, FTPS, SMTP & NNTP. The latest release is v8.0 which is part of Windows 2012. IIS 8.0 is built on an open and modular architecture that allows users to customize and add new features through various IIS Extensions. It's estimated that around 25% of all websites utilize IIS.

Load Balancing IIS

The Basics

Sharing the Load
The primary function of the load balancer is to distribute inbound requests across multiple IIS servers. This allows administrators to configure multiple servers and easily share the load between them.
A Virtual Service (VIP) is configured on the load balancer and the related IIS servers are then defined. Clients then connect to the VIP rather than individual IIS servers. Incoming requests are then distributed to the IIS servers based on the algorithm selected (e.g. round robin, least connection).
Adding additional capacity as demand grows then becomes straightforward and can be achieved by simply associating additional IIS servers to the Virtual Service.

Providing Resilience
Typically, two appliances are deployed. This ensures that a single point of failure is not introduced. A heartbeat signal between the pair is used to ensure that should the active unit fail, the passive unit takes over.

IIS Server Health-checks
Regular IIS server monitoring ensures that failed servers are marked as down and client requests are only directed to functional servers.

Ports & Protocols
The following table shows the ports that are normally used with IIS for web based applications using HTTP and HTTPS:
80     HTTP Protocol
443    HTTPS Protocol

SSL & Certificates
For secure websites & web pages, SSL is used. This ensures that data is encrypted between client and server. SSL certificates can be installed on the load balancer (aka SSL off-loading) or on the IIS servers. When terminating SSL on the load balancer, it's important to consider that data is not secured between the load balancer and the back-end IIS servers and is transmitted unencrypted. For more details see p 30-37.
NOTE: SSL termination on the load balancer can be very CPU intensive. In most cases, for a scalable solution, terminating SSL on the IIS servers is the best option.

Persistence (aka Server Affinity)
Ideally, persistence should be considered at the start of any IIS project. A database is typically used to maintain session information. This information is then available to all IIS servers so that whenever a user connects, any previous session details can be accessed. If this structure is not in place, persistence can be implemented on the load balancer. For HTTP, this can be either based on source IP address or cookies, both methods ensure that repeated connections from a particular client within a session are always sent to the same back-end IIS server.

Deployment Architecture
The following diagram provides a simple illustration to indicate how the load balancer is deployed with multiple IIS servers.
[Diagram: client requests reach the VIP on the Load Balancer (single unit or clustered pair), which distributes them to IIS 1 and IIS 2]
The load balancer can be deployed as a single unit, although Loadbalancer.org strongly recommends a clustered pair for resilience & high availability.

Load Balancer Deployment Methods
Various deployment methods are supported. Each method is explained in the following sections.

Layer 4

DR Mode (aka Direct Server Return)
The one-arm direct routing (DR) mode offers the highest performance.
• Direct routing works by changing the destination MAC address of the incoming packet on the fly which is very fast
• When packets reach the IIS servers, their destination address is the VIP (i.e. the Virtual Service). This means that each IIS server must be configured to respond to both its own IP address and the VIP address. Additionally, each IIS server must also be configured so it does not respond to ARP requests for the VIP (the load balancer must respond to these requests). This is known as 'solving the ARP problem'. This requires a loopback adapter to be installed and configured on each IIS server and additionally for Windows 2008 & 2012, the strong/weak host behavior must also be configured using a series of netsh commands
• Load balanced services can be configured directly on the interface (normally eth0) with no additional IP address. However, when using a clustered pair all load balanced virtual services must be configured on a floating IP to enable failover & failback between master & slave
• The Virtual Service and IIS servers must be in the same switch fabric / logical network. They can be on different subnets, provided there are no router hops between them. If multiple subnets are used, an IP address in each subnet must be defined on the load balancer
• Port translation is not possible in DR mode i.e. having a different IIS server port to the Virtual Service port
• DR mode is transparent, i.e. the IIS servers will log the source IP address of the client
• Administration of the load balancer is via any active IP address (on port 9080)

Network Address Translation (NAT Mode)
Sometimes it's not possible to use DR mode. The two most common reasons being: if the application cannot bind to the RIP & VIP at the same time; or if the host operating system cannot be modified to handle the ARP problem. The second choice is Network Address Translation (NAT) mode. This is also a high performance solution but it requires the implementation of a two arm infrastructure with an internal and external subnet to carry out the translation (the same way a firewall works).
• In two-arm NAT mode the load balancer translates all requests from the external Virtual Service to the internal IIS servers
• Normally eth0 is used for the internal network and eth1 is used for the external network although this is not mandatory. If the IIS Servers require Internet access, Autonat should be enabled using the WUI option: Edit Configuration > Layer 4 – Advanced Configuration (prior to v7.5 the option is: Edit Configuration > Layer 4 – Advanced Configuration), select the external interface
• When the wizard is used, the IIS Servers are automatically given access to the Internet through the load balancer (via Auto-NAT)
• The IIS servers must have their default gateway configured to point at the load balancer. When master & slave units are used, a floating IP must be used to enable failover
• Load balanced services can be configured directly on the interface (normally eth0) with no additional IP address. However, when using a clustered pair all load balanced virtual services must be configured on a floating IP to enable failover & failback between master & slave
• Normally the Virtual Service and IIS servers should be located on different subnets within the same logical network (i.e. no router hops) and the load balancer should have an IP address in each subnet. N.B. It is possible to have IIS servers and Virtual Services in the same subnet – please search for 'One-Arm (Single Subnet) NAT Mode' in the administration manual. N.B. It is possible to have the IIS servers located on routed subnets, but this would require a customized routing configuration on the IIS servers and is not recommended
• If you want the IIS servers to be accessible on their own IP address for non-load balanced services, e.g. SMTP or RDP, you will need to setup individual SNAT and DNAT firewall script rules for each IIS server. Please search for 'Enabling Access to non Load-Balanced Services' in the administration manual for more details
• NAT mode is transparent, i.e. the IIS servers will see the source IP address of the client
• Port translation is possible in NAT mode, i.e. VIP:80 → RIP:8080 is allowed

Layer 7

Source Network Address Translation (HAProxy)
This mode supports both one-arm and two-arm configurations and has the advantage that no changes are required to the IIS servers. However, as the load balancer is acting as a full proxy it doesn't have the same raw throughput as the layer 4 routing based methods.
The network diagram for the Layer 7 HAProxy SNAT mode is very similar to the Direct Routing example except that no re-configuration of the IIS servers is required. The load balancer proxies the application traffic to the servers so that the source of all traffic is the load balancer.
• As with other modes a single unit does not require a Floating IP, although it is recommended to make adding a slave unit easier
• SNAT is a full proxy and therefore load balanced IIS servers do not need to be changed in any way
• Because SNAT is a full proxy any server in the cluster can be on any accessible subnet including across the Internet or WAN
• SNAT is not transparent by default, i.e. the IIS servers will not see the source IP address of the client, they will see the load balancer's IP address. If required, this can be solved by either enabling TProxy on the load balancer, or for HTTP, using X-Forwarded-For headers. Details of both can be found on page 51.
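
When X-Forwarded-For is used to recover the client address behind a Layer 7 SNAT service, the header is only as trustworthy as the hop that wrote it, because whatever the client put in that header arrives at the back end as well. The PowerShell function below is an added example, not part of the original guide: it accepts the header only when the TCP peer is the load balancer and then reads it from right to left. It assumes the load balancer appends the connecting client's address as the last entry; the function name and the sample addresses are constructed for illustration.

```powershell
# Added example; the function name and all sample addresses are constructed.
function Resolve-ClientAddress {
    param(
        [Parameter(Mandatory = $true)][string]   $PeerAddress,    # TCP peer as seen by IIS
        [string]                                 $ForwardedFor = '', # raw X-Forwarded-For value
        [Parameter(Mandatory = $true)][string[]] $TrustedProxies  # load balancer address(es)
    )

    # A request that did not arrive from the load balancer may carry any header
    # the sender likes, so the header is ignored and the peer address is used.
    if ($TrustedProxies -notcontains $PeerAddress) {
        return $PeerAddress
    }

    # Split the header into its hops, dropping empty entries.
    $hops = @($ForwardedFor -split ',' |
              ForEach-Object { $_.Trim() } |
              Where-Object { $_ })

    # Walk from the right: entries on the right were appended by our own
    # proxies, entries further left were supplied by the client and are
    # never consulted once an untrusted address has been found.
    for ($i = $hops.Count - 1; $i -ge 0; $i--) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($hops[$i], [ref]$parsed)) {
            break    # malformed entry: stop and fall back to the peer address
        }
        $candidate = $parsed.ToString()
        if ($TrustedProxies -notcontains $candidate) {
            return $candidate
        }
    }

    # Header missing, malformed, or made up of trusted proxies only.
    return $PeerAddress
}

# Constructed sample calls; 192.168.2.21 stands in for the load balancer.
$lb = @('192.168.2.21')

# Normal case: the load balancer appended the real client address.
Resolve-ClientAddress -PeerAddress '192.168.2.21' -ForwardedFor '203.0.113.7' -TrustedProxies $lb

# The client sent its own header value first; only the appended entry counts.
Resolve-ClientAddress -PeerAddress '192.168.2.21' -ForwardedFor '10.0.0.1, 203.0.113.7' -TrustedProxies $lb

# Request that reached IIS directly, bypassing the load balancer.
Resolve-ClientAddress -PeerAddress '198.51.100.9' -ForwardedFor '10.0.0.1' -TrustedProxies $lb
```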

Loadbalancer.org Recommended Method
Where possible, Loadbalancer.org recommends that Layer 4 Direct Routing (DR) mode is used. DR mode provides the best possible performance with minimal change to your existing infrastructure. Ultimately, the final choice will depend on your specific requirements and infrastructure.

Loadbalancer.org Appliance – the Basics

Network Configuration
The IP address, default gateway and DNS settings can be configured in several ways depending on the version as detailed below.

Configure the IP address, Default Gateway & DNS Settings

Using the Network Setup Wizard at the console:
After boot, follow the console instructions to configure the IP address, gateway and DNS settings.

Using the WUI:
Using a browser, connect to the WUI on the default IP address/port: http://192.168.2.21:9080
to set the IP address use: Local Configuration > Network Interface Configuration
to set the default gateway use: Local Configuration > Routing
to configure DNS settings use: Local Configuration > Hostname & DNS

Using Linux commands:
At the console, set the initial IP address using the following command:
ip addr add <IP address>/<mask> dev eth0
e.g. ip addr add 192.168.2.10/24 dev eth0
At the console, set the initial default gateway using the following command:
route add default gw <IP address> <interface>
e.g. route add default gw 192.168.2.254 eth0
At the console, set the DNS server using the following command:
echo nameserver <IP address> >> /etc/resolv.conf
e.g. echo nameserver 192.168.64.1 >> /etc/resolv.conf
N.B. If this method is used, you must also configure these settings using the WUI, otherwise settings will be lost after a reboot

Accessing the Web User Interface (WUI)
The WUI can be accessed from a browser at: http://192.168.2.21:9080/lbadmin
* Note the port number: 9080
(replace 192.168.2.21 with the IP address of your load balancer if changed from the default)
Username: loadbalancer
Password: loadbalancer
Once you have entered the logon credentials the Loadbalancer.org Web User Interface will be displayed as shown below:
The screen shot below shows the V7.6 WUI once logged in:

Clustered Pair Configuration
Loadbalancer.org recommend that load balancer appliances are deployed in pairs for high availability. In this guide a single unit is deployed first, adding a secondary slave unit is covered in the Appendix.
NOTE: It's highly recommended that you have a working IIS environment first before implementing the load balancer.
N.B. The steps presented in this section cover versions v7.6 & later of the Appliance. For older versions of the appliance please contact loadbalancer.org sales or support.

Implementing IIS using Layer 4 DR Mode

Overview
• Configure the Network Interface – A single Interface is needed, eth0 is normally used
• Configure the Virtual Service (VIP) – All IIS servers are accessed via this IP address
• Configure the Real Servers (RIPs) – Define the servers that make up the IIS cluster
• Configure the IIS Servers – In DR mode, the 'ARP Problem' must be solved on each IIS server

Load Balancer Configuration

Configure the Network Interface
• One interface is required. Pages 11 & 12 of this guide cover the various methods available to configure network settings.

Configure the Virtual Service (VIP)
• Using the WUI, go to Cluster Configuration > Layer 4 – Virtual Services and click [Add a New Virtual Service]
• Enter the following details:
    • Enter an appropriate name (Label) for the VIP, e.g. IIS-Cluster
    • Set the Virtual Service IP address field to the required IP address, e.g. 192.168.2.180
    • Set the Virtual Service Ports field to 80
    • Leave Protocol set to TCP
    • Ensure that Forwarding Method is set to Direct Routing
• Click Update
• Now click [Modify] next to the newly created Virtual Service
• Set Balance Mode (the load balancing algorithm) according to your needs
• Click Update

Configure the Real Servers (RIPs)
• Using the WUI, go to Cluster Configuration > Layer 4 – Real Servers and click [Add a New Real Server] next to the newly created Virtual Service
• Enter the following details:
    • Enter an appropriate name (Label) for the first IIS server, e.g. IIS1
    • Change the Real Server IP Address field to the required IP address (e.g. 192.168.2.190)
    • Leave other settings at their default values
• Click Update
• Repeat the above steps for your other IIS server(s)

IIS Server Configuration

Solve the 'ARP Problem'
As mentioned previously, DR mode works by changing the MAC address of the incoming packet. Therefore the load balancer and the IIS servers must both be configured to accept traffic for the same IP address. However, only the load balancer should respond to ARP requests. To achieve this, a loopback adapter is added to the IIS servers. The IP address is then set to be the same as the Virtual Service and is also configured so that it does not respond to ARP requests. For specific configuration steps for Windows 2000/2003 and Windows 2008/2012, please refer to the appropriate full admin manual referenced at the start of this guide and search for 'ARP Problem' and follow the steps for your particular version of Windows.
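
For Windows 2008 and 2012, the strong/weak host behavior that DR mode depends on can be set and checked with netsh as in the added example below, which is not taken from the original guide or the administration manual. The interface names net (the main NIC) and loopback (the loopback adapter holding the VIP) are assumptions; use the names reported by netsh interface ipv4 show interfaces on your server.

```powershell
# Added example: run from an elevated PowerShell prompt on each IIS server.
# Assumed interface names: "net" is the main NIC (RIP), "loopback" is the
# loopback adapter that holds the VIP. Replace them with your own names.
$MainNic  = 'net'
$Loopback = 'loopback'

# Windows 2008 and later default to the strong host model, so a packet that
# arrives on the main NIC addressed to the VIP (bound to the loopback adapter)
# is dropped, and replies sourced from the VIP cannot leave via the main NIC.
$changes = @(
    @($MainNic,  'weakhostreceive=enabled'),  # accept VIP traffic arriving on the NIC
    @($Loopback, 'weakhostreceive=enabled'),
    @($Loopback, 'weakhostsend=enabled')      # let VIP-sourced replies leave via the NIC
)

foreach ($change in $changes) {
    $name, $option = $change
    & netsh interface ipv4 set interface $name $option | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh could not apply $option to interface '$name'"
    }
}

# Confirm the result: show only the weak host lines for each interface.
foreach ($name in @($MainNic, $Loopback)) {
    "Interface: $name"
    & netsh interface ipv4 show interface $name | Select-String -Pattern 'Weak Host'
}
```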

Configure IIS Bindings
By default, IIS listens on all configured IP addresses as shown below:
If the default configuration is left, no further IIS configuration is required. If you do change the IP address in the bindings from "All Unassigned" to a specific IP address, then you need to make sure that you also add a binding for the Virtual Service IP address (VIP) as shown below:
In this example, 192.168.2.180 is the main NIC interface for the IIS server and 192.168.2.190 is the Virtual Service's IP address (assigned to the loopback Interface). This ensures that IIS responds to both the RIP and the VIP.

DR Mode – Key Points
• You must solve the 'ARP Problem' on all IIS servers in the cluster (please refer to the administration manual for more details)
• Virtual Services & Real Servers (i.e. the IIS servers) must be within the same switch fabric. They can be on different subnets but this cannot be across a router – this is due to the way DR mode works, i.e. by changing MAC addresses to match the destination server
• Port translation is not possible, e.g. VIP:80 → IIS:82 is not allowed. The port used for the VIP & RIP must be the same
• IIS bindings must include the Virtual Service IP (VIP) address – this is the default for IIS when 'All Unassigned' is selected

Implementing IIS using Layer 4 NAT Mode

Overview
• Configure the Network Interfaces – Two interfaces must be used located on different subnets. This can either be two physical interfaces such as eth0 and eth1, or one physical interface such as eth0 and an additional alias/secondary interface
• Configure the Virtual Service (VIP) – All IIS servers are accessed via this IP address
• Configure the Real Servers (RIPs) – Define the servers that make up the IIS cluster
• Configure the IIS Servers – In NAT mode, the IIS servers' default gateway must be configured to be an IP address on the load balancer

Load Balancer Configuration

Configure the Network Interfaces
• Set the first IP address using one of the methods listed on pages 11 & 12 of this guide
• Using the WUI, define an additional IP address in a different subnet – either by using 2 separate interfaces or a single interface with an additional alias (secondary) address as shown below:
Using Separate Interfaces
Using a Single Interface with Multiple IPs

Configure the Virtual Service (VIP)
• Using the WUI, go to Cluster Configuration > Layer 4 – Virtual Services and click [Add a New Virtual Service]
• Enter the following details:
    • Enter an appropriate name (Label) for the VIP, e.g. IIS-Cluster
    • Set the Virtual Service IP address field to the required IP address, e.g. 192.168.2.180
    • Set the Virtual Service Ports field to 80
    • Leave Protocol set to TCP
    • Set the Forwarding Method to NAT
• Click Update
• Now click [Modify] next to the newly created Virtual Service
• Set Balance Mode (the load balancing algorithm) according to your needs
• Click Update

Configure the Real Servers (RIPs)
• Using the WUI, go to Cluster Configuration > Layer 4 – Real Servers and click [Add a New Real Server] next to the newly created Virtual Service
• Enter the following details:
    • Enter an appropriate name (Label) for the first IIS server, e.g. IIS-1
    • Change the Real Server IP Address field to the required IP address, e.g. 192.168.23.190
    • Set the Real Server Port field to 80
    • Leave other settings at their default values
• Click Update
• Repeat the above steps for your other IIS server(s)

IIS Server Configuration

Default Gateway
The default gateway on each IIS server must be configured to be an IP address on the load balancer. It's possible to use the internal IP address on eth0 for the default gateway, although it's recommended that an additional floating IP is created for this purpose. This is required if two load balancers (our recommended configuration) are used. In this scenario if the master unit fails, the floating IP will be brought up on the slave and failover will be seamless. To create a floating IP address on the load balancer:
• Go to Cluster Configuration > Floating IP(s)
• Enter the required IP address to be used for the default gateway and click Update. Once added, there will be two floating IPs, one for the Virtual Service (192.168.2.180) and one for the default gateway (e.g. 192.168.23.254) as shown below:

NAT Mode – Key Points
• Virtual Services & Real Servers (i.e. the IIS servers) must be on different subnets
• The default gateway on the IIS servers should be an IP address on the load balancer
• Port translation is possible, e.g. VIP:80 → RIP:8080 is allowed
Implementing IIS using Layer 7 SNAT (HAProxy) Mode

Overview
• Configure the Network Interface(s) - HAProxy can be deployed in single-arm or two-arm mode. As with layer 4 NAT mode, with a two-arm Layer 7 configuration, this can be either two physical interfaces such as eth0 and eth1, or one physical interface such as eth0 and an alias/secondary interface such as eth0:0
• Configure the Virtual Service (VIP) - All IIS servers are accessed via this IP address
• Configure the Real Servers (RIPs) - Define the IIS servers that make up the IIS cluster
• Configure the IIS Servers - No Real Server changes are required

Load Balancer Configuration (single-arm example)

Configure the Network Interface
• One interface is required. Pages 11 & 12 of this guide cover the various methods available to configure network settings.

Configure the Virtual Service (VIP)
• Using the WUI, go to Cluster Configuration > Layer 7 - Virtual Services and click [Add a New Virtual Service]
• Enter the following details:
  • Enter an appropriate name (Label) for the Virtual Service, e.g. IIS-Cluster
  • Set the Virtual Service IP address field to the required IP address, e.g. 192.168.2.180
  • Set the Virtual Service Ports field to 80
  • Leave Layer 7 Protocol set to HTTP Mode
  • Click Update
• Now click [Modify] next to the newly created Virtual Service
• Set Balance Mode (the load balancing algorithm) according to your needs
• Click Update

Configure the Real Servers (RIPs)
• Using the WUI, go to Cluster Configuration > Layer 7 - Real Servers and click [Add a New Real Server] next to the newly created Virtual Service
• Enter the following details:
  • Enter an appropriate name (Label) for the first IIS server, e.g. IIS-1
  • Change the Real Server IP Address field to the required IP address (e.g. 192.168.2.190)
  • Set the Real Server Port field to 80
  • Click Update
• Repeat the above steps for your other IIS server(s)
IIS Server Configuration
In SNAT (HAProxy) mode, no IIS server configuration changes are required.

HAProxy - Key Points
• Virtual Services & Real Servers (the IIS servers) can be on the same or different subnets
• Port translation is possible, e.g. VIP:80 → RIP:8080 is allowed
• No configuration changes are required to the IIS servers
• Not as fast as Layer 4 DR mode or NAT mode
Additional Configuration Options & Settings

SSL Certificates

1 - Installed on the IIS Servers
When certificates are installed on the IIS servers:
• It's not possible to use HTTP cookie persistence since packets are encrypted and therefore the cookie cannot be read. If persistence via the load balancer is required, IP persistence must be used
• Data is encrypted from client to server. This provides full end-to-end data encryption as shown in the diagram below:

Creating a CSR (Steps shown are for Windows 2008 R2)
To generate a certificate for IIS the first step is to create a Certificate Signing Request (CSR)
1. Select the IIS server in IIS Manager then double-click Server Certificates
2. In the actions section on the right hand side of the screen, select Create Certificate Request, fill in the relevant details as per the example below, then click Next
3. Leave the default settings and click Next
4. When prompted on the following screen enter a suitable filename, e.g. c:\csr.txt and click Finish
5. Use this saved CSR with your chosen Certificate Authority to obtain your certificate
6. Once you've received your certificate from the CA, save it as a text file
7. To install the certificate on the IIS server select Complete Certificate Request in the action section of Server Certificates in IIS Manager, then specify the filename and a friendly name and click OK
8. At this point depending on your specific version of Windows, you may receive the message shown below. This is a known issue that occurs because the friendly certificate name entered in step 7 above is not being read correctly
For more details please refer to http://support.microsoft.com/kb/959216. Note that the certificate has been installed and can be seen in IIS Manager under Server Certificates
9. Now amend the site bindings to include HTTPS and the newly installed certificate
2 - Installed on the Load balancer (aka SSL off-loading)
When certificates are installed on the load balancer:
• It's possible to use HTTP cookie based persistence
• Since SSL is terminated on the load balancer, data from the load balancer to the IIS servers is not encrypted as shown in the diagram below. This may or may not be an issue depending on the network structure between the load balancer and IIS servers and your security requirements
• A Pound or STunnel SSL VIP can be used to terminate SSL (N.B. STunnel is only available in 7.5 and later). The backend for this VIP can be either a Layer 4 NAT mode Virtual Service or a Layer 7 HAProxy Virtual Service. The following diagram shows this:
N.B. It's not possible to use a layer 4 DR mode Virtual Service in this scenario
NOTE: SSL termination on the load balancer can be very CPU intensive. In most cases, for a scalable solution, terminating SSL on the IIS servers is the best option.

Exporting Certificates from Windows / Importing to the load balancer (Steps shown for Windows 2008 R2)
It's often easiest to get the certificate working on the IIS server first, then export the certificate and import this to the load balancer. The steps for Windows 2008 R2 for this process are as follows:
1. Once the certificate is working correctly on your Windows server, run mmc, and add the certificates snap-in. Expand the Personal folder and click on Certificates - your certificate should be here. Right-click the certificate and select All Tasks > Export. This will start the Certificate Export Wizard as shown below:
2. Click Yes to export the private key and click Next
3. Check Include all Certificates in the certification path if possible and click Next
4. Enter a password to secure the private key and click Next
5. Enter a folder & filename for the exported certificate and click Next
6. Now click Finish to complete the wizard, the following confirmation should be shown:
7. Now create either a Pound or STunnel (v7.5 and later) VIP on the load balancer. For the VIP you can use the same IP address as your HAProxy or NAT VIP created earlier with port 443 for HTTPS. The IP address & port for the Backend Cluster should be set the same as your HAProxy or NAT mode VIP as detailed below:
V7.5 and later supports STunnel for SSL termination. This is the default, but Pound can also be selected if required using the SSL Terminator radio button.
  • Using the WUI, go to Cluster Configuration > SSL Termination and click [Add a New Virtual Service]
  • Enter the following details (shows STunnel example which is the default terminator from v7.5):
  • Enter an appropriate name (Label) for the VIP, e.g. IIS-SSL
  • Change the Virtual Service IP address field to the required value, e.g. 192.168.2.180
  • Change the Virtual Service Port field to the required value, e.g. 443
  • Change the Backend Virtual Service IP Address field to the required value, e.g. 192.168.2.180
  • Change the Backend Virtual Service Port field to the required value, e.g. 80
  • The remaining options can be left at their default values
  • Click Update
8. Now upload the PFX format certificate to the newly created SSL VIP:
  • Using the WUI, go to Cluster Configuration > SSL Termination and click [Certificate] next to the relevant VIP
  • Using the browse option, select the .pfx file created earlier
  • Click Upload PEM/PFX file
  • A message will be displayed confirming the upload
  • The Certificate State field will change to Signed Certificate Installed as shown below:
9. Now restart STunnel (v7.5 & later only) or Pound:
  • Go to: Maintenance > Restart Services and click Restart STunnel or Restart Pound
Once restarted your secure website should be accessible at: https://<Virtual IP Address>
Grouping Multiple Ports on a Single Virtual Service (VIP)
In certain circumstances it may be desirable to combine multiple ports in a single Virtual Service. For example, if your IIS server has both HTTP and HTTPS content, you may want clients to connect to the same IIS server for both. This is especially useful if you need persistence as clients move from HTTP to HTTPS, e.g. an e-commerce web site without a proper back end database for session state.

Layer 4 - Using Firewall Marks
The concept is to create a firewall rule that matches incoming packets to a particular IP and port, and mark them with an arbitrary integer. A Virtual Service is then configured or modified, specifying the firewall mark instead of an IP and port.
Firewall Marks are configured automatically when multiple ports are defined for a Layer 4 VIP. For example, to configure an HTTP/HTTPS Virtual Service, simply specify port 80 & 443 separated by a comma in the 'Virtual Service Ports' field as shown below:
N.B. Firewall marks can also be configured manually if needed, for details on this please refer to the administration manual and search for the section 'Firewall Marks - Manual Configuration'

Layer 7 - By Defining Multiple Ports
For Layer 7 VIPs, multiple ports can be defined. Simply specify all the required ports in the Virtual Service Ports field separated by commas as shown below:
N.B. Make sure you leave the Real Server port field blank if using multiple ports at the VIP level.
Real Server (IIS) Health Checks
The load balancer performs regular health checks to ensure that each server in the cluster is healthy and able to accept client connections. The health check options depend on whether the VIP is defined at layer 4 or layer 7 as outlined below.

Layer 4
At layer 4, IIS server health checking is provided by ldirectord. This allows a full range of options to check that the IIS servers are operational, and if not what steps to take. The default check-type for new VIPs is a TCP connect to the port defined for the VIP.
For full details on the options available, please refer to the administration manual referenced at the start of this guide and search for the section 'Health Monitoring'.

Layer 7
By default layer 7 (HAProxy) VIPs also use a connect type health check on the same port specified in the Virtual Service.
For full details on the options available, please refer to the administration manual referenced at the start of this guide and search for the section 'Health Monitoring'.
Using Server Feedback Agents
The load balancer can modify the weight (amount of traffic) of each server by gathering data from either a custom agent or an HTTP server. For layer 4 VIPs the feedback method can be set to either agent or HTTP, for Layer 7 VIPs, only the agent method is supported.
A telnet to port 3333 on a Real Server with the agent installed will return the current idle stats as an integer value in the range 0 - 100. The figure returned can be related to CPU utilization, RAM usage or a combination of both. This can be configured using the XML configuration file located in the agents installation folder (by default C:\ProgramData\LoadBalancer.org\LoadBalancer).
The load balancer typically expects a 0-99 integer response from the agent which by default relates to the current CPU idle state, e.g. a response of 92 would imply that the Real Servers CPU is 92% idle. The load balancer will then use the formula (92/100*requested_weight) to find the new optimized weight. Using this method an idle Real Server will get 10 times as many new connections as an overloaded server.
N.B. The 'Requested Weight' is the weight set in the WUI for each Real Server.
For more information please also refer to the following blog article:
http://blog.loadbalancer.org/open-source-windows-service-for-reporting-server-load-back-to-haproxy-load-balancer-feedback-agent/
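The agent exchange and weight formula described above can be checked from an admin workstation before feedback is enabled on a VIP. The following is an added example, not code from the guide or from Loadbalancer.org: the function names are hypothetical, rounding the result down to an integer is an assumption, and `fake_agent` is a constructed stand-in so the block runs without a real agent.

```python
import socket
import threading

AGENT_PORT = 3333  # feedback agent port given in the guide

def parse_idle(raw):
    """Validate an agent reply: an integer idle figure in the range 0-100."""
    text = raw.decode("ascii", errors="replace").strip()
    if not text.isdigit() or not 0 <= int(text) <= 100:
        raise ValueError(f"unexpected agent reply: {text!r}")
    return int(text)

def read_idle(host, port=AGENT_PORT, timeout=2.0):
    """Do what 'telnet host 3333' does: connect, read the reply, validate it."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.settimeout(timeout)
        return parse_idle(conn.recv(16))

def new_weight(idle, requested_weight):
    """Guide formula: idle / 100 * requested_weight.
    Rounding down to an integer is an assumption made for this example."""
    return idle * requested_weight // 100

def check_agent(host, requested_weight, port=AGENT_PORT):
    """Return (status, weight); a dead or misbehaving agent is reported as such."""
    try:
        idle = read_idle(host, port)
    except (OSError, ValueError) as exc:
        return (f"agent check failed: {exc}", None)
    return (f"{idle}% idle", new_weight(idle, requested_weight))

def fake_agent(reply):
    """Constructed stand-in for the agent: serves one reply on a free local port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # One sane reply and one out-of-range reply (both constructed).
    for reply in (b"92\n", b"250\n"):
        print(check_agent("127.0.0.1", 100, port=fake_agent(reply)))
```

Against a real server, call `check_agent("<Real Server IP>", <requested weight>)` and leave the port at its default.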

Windows Agent
The latest Windows feedback agent can be downloaded from:
http://downloads.loadbalancer.org/agent/loadbalanceragent.msi
To install the agent, run loadbalanceragent.msi on each server
Click Next
N.B. The agent should be installed on all Real Servers in the cluster
Select the installation folder and click Next
Click Next to start the installation
N.B. .NET Framework 3.5 is required by the agent and .NET Framework 4.0 is required by the Monitor

Starting the Agent
Once the installation has completed, you'll need to start the service on the Real Servers. The service is controlled by the Feedback Agent Monitor program that is also installed along with the Agent. The monitor can be accessed on the Windows server using: All Programs > Loadbalancer.org > Monitor. It's also possible to start the service using the services snap-in - the service is called 'Loadbalancer CPU monitor'.
• To start the service, click Start
• To stop the service, click Stop
N.B. The agent should be installed on all IIS servers in the cluster

To Configure the Virtual Service to use the Agent
As mentioned, from v7.6 both layer 4 and layer 7 VIPs are supported. To configure Virtual Services to use Agent / HTTP Feedback follow the steps below:
• Go to Cluster Configuration > Layer 4 - Virtual Services or Layer 7 - Virtual Services
• Click [Modify] next to the Virtual Service
• Change the Feedback Method to either Agent or HTTP for layer 4 VIPs
• Change the Feedback Method to Agent for layer 7 VIPs
• Click Update
Load Balancer Transparency

Layer 4 - DR & NAT Mode
By default both Layer 4 modes are transparent. This means that IIS will log the actual IP address of the client rather than the IP address of the load balancer.

Layer 7 - TProxy
When using HAProxy, the load balancer is not transparent by default. This means that the IP address of the load balancer will be captured and stored in the IIS logs. To get around this, TProxy can be enabled. TProxy enables the IIS servers behind a layer 7 HAProxy configuration to see the client source IP address. For this to work, the load balancer must be in a NAT configuration (i.e. both internal and external subnets) and the IIS servers must be configured to use the load balancer as their default gateway.
To Enable TProxy:
• Using the WUI, go to Cluster Configuration > Layer 7 - Advanced Configuration
• Change Transparent Proxy to On
• Click Update
N.B. For more details on TProxy, please search for 'Using TProxy' in the administration manual available at the following link: http://www.loadbalancer.org/pdf/loadbalanceradministrationv7.pdf

Layer 7 - X-Forwarded-For Headers
Since the load balancer must be in a NAT configuration (i.e. the Virtual Service and the IIS servers in different subnets) to utilize TProxy, it's not always an appropriate solution. In situations such as this, it's possible to use the X-Forwarded-For header that is included by default in all layer 7 VIPs.
How IIS is enabled to support XFF headers depends on the version of Windows being used. For IIS7 and later, IIS Advanced Logging can be installed and used. For IIS6, a 3rd party application must be installed.
Several options are available - some free and some that must be paid for. One free solution that works very well is F5's X-Forwarded-For ISAPI Filter.
Both options are covered in the following blog: http://blog.loadbalancer.org/iis-and-x-forwarded-for-header/
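Once X-Forwarded-For is being logged, anything that consumes the value has to decide which element to believe, because the header is client-supplied unless it arrives from the load balancer. The following is an added example, not part of the guide or of any Loadbalancer.org or IIS component: the load balancer address 192.168.2.21, the function names and the sample requests are assumptions, and it assumes the load balancer appends the connecting client's address as the last element of the header.

```python
import ipaddress

# Assumption: the load balancer's own address as seen by the IIS servers.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.2.21/32")]

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def _parse(token):
    """Return an address object for one header element, or None if malformed."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None

def client_ip(peer, xff):
    """Pick the address to record for a request.

    peer -- TCP source address of the connection IIS received
    xff  -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A header from anything other than the load balancer is client-controlled.
    if not _trusted(peer_addr) or not xff:
        return str(peer_addr)
    # Walk right to left: the rightmost element was added by the proxy nearest
    # to IIS; elements further left may have been sent by the client itself.
    for token in reversed(xff.split(",")):
        addr = _parse(token)
        if addr is None:
            break  # malformed element: stop trusting the rest of the chain
        if not _trusted(addr):
            return str(addr)
    return str(peer_addr)

# Constructed sample requests: (TCP peer, X-Forwarded-For value).
SAMPLES = [
    ("192.168.2.21", "203.0.113.7"),            # normal request via the VIP
    ("192.168.2.21", "10.0.0.1, 203.0.113.7"),  # client sent its own header
    ("198.51.100.4", "127.0.0.1"),              # did not come via the load balancer
    ("192.168.2.21", "not-an-ip"),              # malformed header
]

def resolve_samples():
    return [client_ip(peer, xff) for peer, xff in SAMPLES]

if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLES, resolve_samples()):
        print(f"peer={peer:<14} xff={xff!r:<26} -> record {ip}")
```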
Testing & Validation

Monitoring

Layer 4
For Layer 4 Virtual Services, the following monitoring options are useful:
• System Overview (shows the total active and inactive connections for each VIP)
  ◦ System Overview
• Status (shows similar details to system overview)
  ◦ Reports > Layer 4 Status
• Current Connections (shows a detailed breakdown of all current connections)
  ◦ Reports > Layer 4 Current Connections
• Graphs (shows various graphical reports for each VIP & RIP)
  ◦ Reports > Graphing
Logs are also available to help when diagnosing issues. Use the Logs menu option to view these.

Layer 7
For Layer 7 Virtual Services, the following monitoring options are useful:
• System Overview (shows the total connections for each VIP)
  ◦ System Overview
• Status (HAProxy) (displays a detailed real-time statistics page for all Layer 7 VIPs - requires a username & password - use the default credentials)
  ◦ Reports > Layer 7 Status
• Graphs (shows various graphical reports for each VIP & RIP)
  ◦ Reports > Graphing
Logs are also available to help when diagnosing issues. Use the Logs menu option to view these.
Technical Support
For more details or assistance with your deployment please don't hesitate to contact the support team: support@loadbalancer.org

Conclusion
Loadbalancer.org appliances provide a very cost effective and flexible solution for highly available load balanced Microsoft IIS environments.
Appendix

1 - Clustered Pair Configuration - Adding a Slave Unit
If you initially configured just the master unit and now need to add a slave, please refer to the section 'Adding a slave unit after the master has been configured' in the administration manual which is available at the following link: http://www.loadbalancer.org/pdf/loadbalanceradministrationv7.pdf
Don't hesitate to contact our support team if you need further assistance: support@loadbalancer.org
2 - Company Contact Information

Website URL: www.loadbalancer.org

North America (US)
Loadbalancer.org, Inc.
270 Presidential Drive
Wilmington, DE 19807
USA
Tel: +1 888.867.9504 (24x7)
Fax: +1 302.213.0122
Email (sales): sales@loadbalancer.org
Email (support): support@loadbalancer.org

North America (Canada)
Loadbalancer.org Ltd.
300-422 Richards Street
Vancouver, BC V6B 2Z4
Canada
Tel: +1 855.681.6017 (24x7)
Fax: +1 302.213.0122
Email (sales): sales@loadbalancer.org
Email (support): support@loadbalancer.org

Europe (UK)
Loadbalancer.org Ltd.
Portsmouth Technopole
Kingston Crescent
Portsmouth PO2 8FA
England, UK
Tel: +44 (0)330 3801064 (24x7)
Fax: +44 (0)870 4327672
Email (sales): sales@loadbalancer.org
Email (support): support@loadbalancer.org

Europe (Germany)
Loadbalancer.org GmbH
Alt Pempelfort 2
40211 Düsseldorf
Germany
Tel: +49 (0)30 920 383 6494
Fax: +49 (0)30 920 383 6495
Email (sales): vertrieb@loadbalancer.org
Email (support): support@loadbalancer.org