| Author |
Hardware Load Balanced IIS SSL Web Farm
|
|
| phil.stollery@gmail.com 2006-01-16, 7:50 am |
| I've read through all the SSL and Web Farm posts on
microsoft.public.inetserver.iis.security and none of them seem to have
the answer for me. Before I start, I have read the following articles:
http://support.microsoft.com/?id=313299 (how to set up SSL on web farms)
http://support.microsoft.com/?id=290051 (how to diagnose SSL problems)
The setup we have is two Windows 2003 servers sat under a hardware load
balancer (in a hosted environment). The SSL certificate is for
secure.lumleyjacobs.com.
I have installed it on web server 1 and exported/imported the
certificate on web server 2. Locally (i.e. browsing to the site on the
actual servers) works fine, but externally (i.e. browsing from my
desktop) doesn't.
The sites are set up to respond to any IP address under IIS, for both
HTTP and HTTPS. When I nslookup secure.lumleyjacobs.com from the
servers it resolves to the local IP address 192.something or other, but
externally it maps to 80.something or other.
Do I need to set up IIS differently, or contact our ISP about setting up
the load balancer correctly? Running SSL diagnostics on the servers
says everything is OK.
Any help is much appreciated.
| |
| Ken Schaefer 2006-01-16, 7:50 am |
| It might help if you told us what you mean by "does not work".
Thanks.
Cheers
Ken
<phil.stollery@gmail.com> wrote in message
news:1137411586.487607.225800@g47g2000cwa.googlegroups.com...
: I've read through all the SSL and Web Farm posts on
: microsoft.public.inetserver.iis.security and none of them seem to have
: the answer for me. Before I start, I have read the following articles:
:
: http://support.microsoft.com/?id=313299 (how to set up SSL on web farms)
: http://support.microsoft.com/?id=290051 (how to diagnose SSL problems)
:
: The setup we have is two Windows 2003 servers sat under a hardware load
: balancer (in a hosted environment). The SSL certificate is for
: secure.lumleyjacobs.com.
:
: I have installed it on web server 1 and exported/imported the
: certificate on web server 2. Locally (i.e. browsing to the site on the
: actual servers) works fine, but externally (i.e. browsing from my
: desktop) doesn't.
:
: The sites are set up to respond to any IP address under IIS, for both
: HTTP and HTTPS. When I nslookup secure.lumleyjacobs.com from the
: servers it resolves to the local IP address 192.something or other, but
: externally it maps to 80.something or other.
:
: Do I need to set up IIS differently, or contact our ISP about setting up
: the load balancer correctly? Running SSL diagnostics on the servers
: says everything is OK.
:
: Any help is much appreciated.
:
| |
| phil.stollery@gmail.com 2006-01-16, 6:04 pm |
| Sorry. Well, try it by going to https://secure.lumleyjacobs.com - IE
says "The page cannot be displayed".
Firefox does something altogether prettier.
| |
| Ken Schaefer 2006-01-16, 6:04 pm |
| And below "page can not be displayed" what do you see? An HTTP status code?
A "Server can not be found or DNS error"?
Have you looked at logs on the load-balancer to see what it thinks is
happening?
Please, try to be forthcoming with information...
Cheers
Ken
<phil.stollery@gmail.com> wrote in message
news:1137423992.003359.264540@g44g2000cwa.googlegroups.com...
: Sorry. Well, try it by going to https://secure.lumleyjacobs.com - IE
: says "The page cannot be displayed".
:
: Firefox does something altogether prettier.
:
| |
|
| Going out on a limb here since there's a lot that could be going on and not
enough info to work on:
> Locally (i.e. browsing to the site on the
> actual servers) works fine, but
> externally (i.e. browsing from my
> desktop) doesn't.
If you can browse locally via https: with no errors, then we can *assume*
that the cert was installed properly. I don't know where your "desktop" is
but if it's outside your local/private net (re: not in the 192.something)
then my first guess is that it's a network issue. Check your load balancer
to see if it is properly forwarding traffic to your internal servers,
particularly IP ADDRESS and PORT (192.something and port 443).
---------
Cheers,
Ed
| |
| phil.stollery@gmail.com 2006-01-17, 8:03 am |
| Sorry Ken and Ed for being vague.
I don't have access to the load balancer's logs. The farm is hosted
externally by our ISP; we're based on a completely different network.
Therefore, internally the domain secure.lumleyjacobs.com resolves to an
internal IP address. To you and me the DNS resolves to an external IP
address.
The IE error I think is:
"Cannot find server or DNS Error"
If I use http, the load balancer forwards the request correctly to one
of our farm's nodes. It only fails with the HTTPS.
Thanks for your help so far - do you need any more information?
| |
|
| Thanks for the additional info. I think you've resolved your problems since
I can get to your secure site without problems. re: it's red with a white
box/table and text "SECURE TEST SITE" and your CA is AddTrust.
Just curious - what was the problem and resolution?
Congratulations!
----------
Cheers,
Ed
<phil.stollery@gmail.com> wrote in message
news:1137491432.313658.61150@g44g2000cwa.googlegroups.com...
> Sorry Ken and Ed for being vague.
>
> I don't have access to the load balancer's logs. The farm is hosted
> externally by our ISP; we're based on a completely different network.
> Therefore, internally the domain secure.lumleyjacobs.com resolves to an
> internal IP address. To you and me the DNS resolves to an external IP
> address.
>
> The IE error I think is:
>
> "Cannot find server or DNS Error"
>
> If I use http, the load balancer forwards the request correctly to one
> of our farm's nodes. It only fails with the HTTPS.
>
> Thanks for your help so far - do you need any more information?
>
| |
| phil.stollery@gmail.com 2006-01-18, 7:51 am |
| Thanks Ed.
It wasn't me, it was the network engineers. The load balancer wasn't
listening on port 443, as soon as that puppy was opened everything
magically worked.
| |
|
| Cool. Just as I suspected (re: port 443)! Congratulations!
-----------
Cheers,
Ed
<phil.stollery@gmail.com> wrote in message
news:1137575810.104970.303200@g44g2000cwa.googlegroups.com...
> Thanks Ed.
>
> It wasn't me, it was the network engineers. The load balancer wasn't
> listening on port 443, as soon as that puppy was opened everything
> magically worked.
>
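
The triage the thread walks through (HTTPS fine on the nodes, HTTP fine through the balancer, HTTPS dead at the public address) can be written as a small probe-and-classify script. This is an added example, not code posted by anyone in the thread; the names `probe` and `classify`, the state labels and the diagnosis codes are assumptions made for illustration.

```python
import socket
import ssl

def probe(addr, port, name=None, timeout=5.0):
    """Return 'closed', 'open', 'tls_fail' or 'tls_ok' for addr:port.

    If name is given, a TLS handshake is attempted and the certificate is
    validated against that host name (the site name, even when addr is a
    node's private IP)."""
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
    except OSError:  # refused, timed out, unreachable or DNS failure
        return "closed"
    with sock:
        if name is None:
            return "open"
        try:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=name):
                return "tls_ok"
        except (ssl.SSLError, OSError):
            return "tls_fail"

def classify(vip, node):
    """vip / node: {80: state, 443: state} observed at the public address
    and directly at one farm node. Returns a short diagnosis code."""
    if node[443] != "tls_ok":
        return "node_https_broken"      # fix IIS / certificate on the node first
    if vip[443] == "tls_ok":
        return "ok"
    if vip[443] == "tls_fail":
        return "lb_tls_problem"         # 443 answers, but handshake or cert fails
    if vip[80] == "open":
        return "lb_no_443_listener"     # HTTP forwarded, HTTPS not: ask for 443
    return "vip_unreachable"            # neither port: check DNS and routing

# Constructed observations matching the thread: HTTPS fine on the node,
# HTTP fine through the balancer, HTTPS dead at the public address.
THREAD_CASE = classify(vip={80: "open", 443: "closed"},
                       node={80: "open", 443: "tls_ok"})

if __name__ == "__main__":
    print(THREAD_CASE)
```

Running `probe` from both vantage points (a farm node and an outside desktop) and feeding the results to `classify` separates a balancer forwarding gap from an IIS or certificate fault without needing the balancer's logs.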