{"id":2621,"date":"2019-11-15T10:14:19","date_gmt":"2019-11-15T09:14:19","guid":{"rendered":"https:\/\/laurentvanacker.com\/?p=2621"},"modified":"2022-12-09T09:50:14","modified_gmt":"2022-12-09T08:50:14","slug":"nlb-arr-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab","status":"publish","type":"post","link":"https:\/\/laurentvanacker.com\/index.php\/2019\/11\/15\/nlb-arr-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab\/","title":{"rendered":"NLB, ARR, IIS, DFS-R, Shared Configuration, SSL Offload, Windows Authentication, SNI, CCS in one place with AutomatedLab"},"content":{"rendered":"<p><a href=\"#en-us\" name=\"fr-fr\">Go to English version<\/a><\/p>\n<p>[Update 12\/21\/2019] Added an SNI binding on the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">ARR<\/a> nodes to reach the site without going through the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a>. 
Several tabs now open on CA01 to reach all the sites directly on the servers, without going through the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a>.<\/p>\n<p>[Update 12\/16\/2019] A simplified version of this architecture without <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">ARR<\/a> (just two <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> servers load-balanced with <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a>) is available <a href=\"https:\/\/laurentvanacker.com\/index.php\/2019\/12\/13\/nlb-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab\/\">here<\/a>.<\/p>\n<p>If you do not know <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">AutomatedLab<\/a>, I strongly encourage you to go <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> to discover this solution before reading the rest of this article. 
By the way, do not hesitate to follow <a href=\"https:\/\/www.linkedin.com\/in\/raimund-andree-69a78871\/\">Raimund Andr\u00e9e<\/a> on <a href=\"https:\/\/github.com\/raandree\">GitHub<\/a> and <a href=\"https:\/\/twitter.com\/raimundandree\">Twitter<\/a>.<\/p>\n<p>As part of a POC for a customer, I had to propose a redundant solution of two <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">Application Request Routing<\/a> (<a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a>) servers, which themselves had to distribute their applications across two <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> servers. In the end, a solution similar to the one described <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/extensions\/configuring-application-request-routing-arr\/achieving-high-availability-and-scalability-arr-and-nlb#use-of-application-request-routing-and-network-load-balancing\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> (with only 2 \u00ab\u00a0content servers\u00a0\u00bb\/<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a>):<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_2627\" aria-describedby=\"caption-attachment-2627\" style=\"width: 426px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/extensions\/configuring-application-request-routing-arr\/achieving-high-availability-and-scalability-arr-and-nlb#use-of-application-request-routing-and-network-load-balancing\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-2627 size-full\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/ARRNLB.jpg\" alt=\"Use of Application Request Routing and Network Load Balancing\" 
width=\"426\" height=\"276\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/ARRNLB.jpg 426w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/ARRNLB-300x194.jpg 300w\" sizes=\"auto, (max-width: 426px) 100vw, 426px\" \/><\/a><figcaption id=\"caption-attachment-2627\" class=\"wp-caption-text\">Use of Application Request Routing and Network Load Balancing<\/figcaption><\/figure>\n<p>Some prerequisites:<\/p>\n<ol>\n<li>No Internet connection available from the servers (which is, let us remember, a good practice in production environments). The use of <a href=\"https:\/\/www.microsoft.com\/web\/downloads\/platform.aspx\">Web Platform Installer<\/a> was therefore excluded (see the contents of the <a id=\"c32e1e00cefa5465efad4421d451eedf-c6ee08f4e2cbdbda83c00c2cc8eb25649eb0ba4d\" class=\"js-navigation-open\" title=\"Extensions.zip\" href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20ARR\/Extensions.zip\">Extensions.zip<\/a> file).<\/li>\n<li>The solution had to be automatable end to end (as part of the POC).<\/li>\n<li>The solution had to be simple (as part of the POC).<\/li>\n<\/ol>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\" target=\"_blank\" rel=\"noopener noreferrer\">Network Load Balancing<\/a> was perfect for load balancing at the <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> level and had the advantage of being native to Windows (simplicity).<\/p>\n<p>Incidentally, the requirement as finally expressed was simpler than the final solution: anonymous authentication, no certificates (so no need for <a href=\"https:\/\/blogs.iis.net\/wonyoo\/ssl-off-loading-in-application-request-routing\">SSL Offload<\/a>, <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/get-started\/whats-new-in-iis-8\/iis-80-server-name-indication-sni-ssl-scalability\" target=\"_blank\" rel=\"noopener noreferrer\">Server Name Indication<\/a> or <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/get-started\/whats-new-in-iis-8\/iis-80-centralized-ssl-certificate-support-ssl-scalability-and-manageability\" target=\"_blank\" rel=\"noopener noreferrer\">Centralized SSL Certificate Support<\/a>), no need for <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/web-hosting\/configuring-servers-in-the-windows-web-platform\/shared-configuration_211\" target=\"_blank\" rel=\"noopener noreferrer\">shared configuration<\/a> (hence the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/storage\/dfs-replication\/dfsr-overview\" target=\"_blank\" rel=\"noopener noreferrer\">DFS-R<\/a>). My desire to go further did the rest!<\/p>\n<p>Raimund&rsquo;s recent support on a working <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">AutomatedLab<\/a> scenario for DSC with SQL Server 2016 (based on the article <a href=\"https:\/\/blogs.technet.microsoft.com\/fieldcoding\/2017\/05\/11\/using-sql-server-2016-for-a-dsc-pull-server\/\">Using SQL Server 2016 for a DSC Pull Server<\/a>) had given rise to this <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\/blob\/develop\/LabSources\/SampleScripts\/Scenarios\/DSC%20Pull%20Scenario%201%20(Pull%20Configuration%2C%20SQL%20Reporting).ps1\">script.<\/a> It was therefore an opportunity for me to go a little further with <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">AutomatedLab.<\/a><\/p>\n<p>So I developed the <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20ARR\/AutomatedLab%20-%20NLB%20%26%20ARR.ps1\">following script.<\/a> This script needs:<\/p>\n<ul>\n<li><a id=\"c32e1e00cefa5465efad4421d451eedf-c6ee08f4e2cbdbda83c00c2cc8eb25649eb0ba4d\" class=\"js-navigation-open\" title=\"Extensions.zip\" href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20ARRExtensions.zip\">Extensions.zip<\/a>: which contains the MSI installers for <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/url-rewrite\">IIS URL Rewrite Module 2<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=47333\">Microsoft Application Request Routing 3.0<\/a>, <a href=\"http:\/\/download.microsoft.com\/download\/C\/A\/5\/CA5FAD87-1E93-454A-BB74-98310A9C523C\/ExternalDiskCache_amd64.msi\">Microsoft External Cache<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=43717\">Microsoft Web Deploy 3.6<\/a> (Bonus), <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=24659\">Log Parser 2.2<\/a> (Bonus)<\/li>\n<li><a id=\"a1c12e5284a026a9c64e60982cd65099-5229870145b432fed53217e27bede5f07debcc1a\" class=\"js-navigation-open\" title=\"arr.contoso.com.zip\" href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20ARR\/arr.contoso.com.zip\">arr.contoso.com.zip<\/a>: which contains the source of our website. The images, style sheets and JavaScript are served by the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">ARR<\/a> servers. 
I also used <a href=\"https:\/\/www.donnfelker.com\/watermarking-images-in-asp-net-with-an-httphandler\/\">JpgHttpHandler.cs<\/a> to print a watermark on the images to indicate which ARR server provides them (line 59 of the <a href=\"https:\/\/www.donnfelker.com\/watermarking-images-in-asp-net-with-an-httphandler\/\">JpgHttpHandler.cs<\/a> file was modified).<\/li>\n<\/ul>\n<p>I did not implement any client affinity (neither at the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a> level nor at the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">ARR<\/a> level) so that traffic is distributed evenly at all levels.<\/p>\n<p>The environment is composed of 6 servers:<\/p>\n<ul>\n<li>ARRNODE01: First <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> server of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a> farm<\/li>\n<li>ARRNODE02: Second <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> server of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a> farm<\/li>\n<li>IISNODE01: First <a href=\"https:\/\/www.iis.net\/\">IIS<\/a> server of the <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> farm<\/li>\n<li>IISNODE02: Second <a href=\"https:\/\/www.iis.net\/\">IIS<\/a> server of the <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> farm<\/li>\n<li>CA01: Certificate authority<\/li>\n<li>DC01: Domain controller (contoso.com)<\/li>\n<\/ul>\n<p>The server names are written in the code (do a \u00ab\u00a0Global Replace\u00a0\u00bb, CTRL+H, if the names do not suit you), as are some other parameters such as:<\/p>\n<ul>\n<li>The lab name (\u00ab\u00a0NLBARRLab\u00a0\u00bb by default)<\/li>\n<li>The account to use (\u00ab\u00a0Administrator\u00a0\u00bb by default)<\/li>\n<li>The associated password (\u00ab\u00a0P@ssw0rd\u00a0\u00bb by default)<\/li>\n<li>The domain name (FQDN and NetBIOS) (\u00ab\u00a0contoso.com\u00a0\u00bb and \u00ab\u00a0CONTOSO\u00a0\u00bb by default)<\/li>\n<li>The identity of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> application pool (\u00ab\u00a0IISAppPoolUser\u00a0\u00bb by default)<\/li>\n<li>The name of the load-balanced application (\u00ab\u00a0arr.contoso.com\u00a0\u00bb by default)<\/li>\n<\/ul>\n<p>Once the script has finished (~40 min on my laptop: 8th-generation Core i7 processor with 8 cores + SSD), connect to CA01 (used as a client workstation for Windows authentication via Kerberos) and navigate to https:\/\/arr.contoso.com\/ (default page in IE). 
You will then get:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2631 aligncenter\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/arr.contoso.com.jpg\" alt=\"\" width=\"966\" height=\"531\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/arr.contoso.com.jpg 966w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/arr.contoso.com-300x165.jpg 300w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/arr.contoso.com-768x422.jpg 768w\" sizes=\"auto, (max-width: 966px) 100vw, 966px\" \/><\/p>\n<p>You will then notice the following:<\/p>\n<ul>\n<li>The dynamic content is served by the IIS servers (IISNODE01 here).<\/li>\n<li>The images (as well as other static resources) are served by the <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> servers (ARRNODE01 and ARRNODE02 alternately).<\/li>\n<li>Windows authentication via Kerberos is operational and you are authenticated on an IIS server (IISNODE01 here).<\/li>\n<\/ul>\n<p>A number of articles were useful to me in setting up this solution:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/extensions\/configuring-application-request-routing-arr\/achieving-high-availability-and-scalability-arr-and-nlb#use-of-application-request-routing-and-network-load-balancing\">https:\/\/docs.microsoft.com\/en-us\/iis\/extensions\/configuring-application-request-routing-arr\/achieving-high-availability-and-scalability-arr-and-nlb#use-of-application-request-routing-and-network-load-balancing<\/a><\/li>\n<li><a 
href=\"https:\/\/www.thebestcsharpprogrammerintheworld.com\/2015\/05\/22\/configure-application-request-routing-with-windows-authentication-kerberos\/\">https:\/\/www.thebestcsharpprogrammerintheworld.com\/2015\/05\/22\/configure-application-request-routing-with-windows-authentication-kerberos\/<\/a><\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/laurentvanacker.com\/wp-content\/uploads\/2017\/01\/012717_1333_Fusionnerde1.png\" alt=\"\" \/><\/p>\n<p><a href=\"#fr-FR\" name=\"en-us\">Go to the French version<\/a><\/p>\n<p>[Update 12\/21\/2019] Added an SNI binding on the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">ARR<\/a> nodes to reach the site without going through the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a>. Several tabs now open on CA01 to reach all the sites directly on the servers, without going through the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a>.<\/p>\n<p>[Update 12\/16\/2019] A simplified version of this architecture without <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">ARR<\/a> (just two <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> servers load-balanced with <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a>) exists <a href=\"https:\/\/laurentvanacker.com\/index.php\/2019\/12\/13\/nlb-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab\/\">here<\/a>.<\/p>\n<p>If you do not know <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">AutomatedLab<\/a>, I strongly urge you to go <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> to discover this solution before reading the rest of this article. By the way, do not hesitate to follow <a href=\"https:\/\/www.linkedin.com\/in\/raimund-andree-69a78871\/\">Raimund Andr\u00e9e<\/a> on <a href=\"https:\/\/github.com\/raandree\">GitHub<\/a> and <a href=\"https:\/\/twitter.com\/raimundandree\">Twitter<\/a>.<\/p>\n<p>In the context of a POC for a customer, I had to propose a redundant solution of two <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">Application Request Routing<\/a> (<a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a>) servers, which themselves had to distribute their applications across two <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> servers. In the end, a solution similar to the one described <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/extensions\/configuring-application-request-routing-arr\/achieving-high-availability-and-scalability-arr-and-nlb#use-of-application-request-routing-and-network-load-balancing\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> (with only 2 \u00ab\u00a0content servers\u00a0\u00bb \/ <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a>):<\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/extensions\/configuring-application-request-routing-arr\/achieving-high-availability-and-scalability-arr-and-nlb#use-of-application-request-routing-and-network-load-balancing\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-2627 size-full aligncenter\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/ARRNLB.jpg\" alt=\"Use of Application Request Routing and Network Load Balancing\" width=\"426\" height=\"276\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/ARRNLB.jpg 426w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/ARRNLB-300x194.jpg 300w\" sizes=\"auto, (max-width: 426px) 100vw, 426px\" \/><\/a><\/p>\n<p>Some prerequisites:<\/p>\n<ul>\n<li>No internet connection available from the servers. (Which is, let&rsquo;s remember, a good practice on production environments.) 
So the use of <a href=\"https:\/\/www.microsoft.com\/web\/downloads\/platform.aspx\">Web Platform Installer<\/a> was excluded (see the contents of the <a id=\"c32e1e00cefa5465efad4421d451eedf-c6ee08f4e2cbdbda83c00c2cc8eb25649eb0ba4d\" class=\"js-navigation-open\" title=\"Extensions.zip\" href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20ARR\/Extensions.zip\">Extensions.zip<\/a> file).<\/li>\n<li>The solution had to be fully automatable (as part of the POC).<\/li>\n<li>The solution had to be simple (as part of the POC).<\/li>\n<\/ul>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\" target=\"_blank\" rel=\"noopener noreferrer\">Network Load Balancing<\/a> was perfect for load balancing at the ARR level and had the advantage of being built into Windows (simplicity).<\/p>\n<p>The requirement as expressed was simpler than the final solution: anonymous authentication, no certificates (so no need for <a href=\"https:\/\/blogs.iis.net\/wonyoo\/ssl-off-loading-in-application-request-routing\">SSL Offload<\/a>, <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/get-started\/whats-new-in-iis-8\/iis-80-server-name-indication-sni-ssl-scalability\" target=\"_blank\" rel=\"noopener noreferrer\">Server Name Indication<\/a> or <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/get-started\/whats-new-in-iis-8\/iis-80-centralized-ssl-certificate-support-ssl-scalability-and-manageability\" target=\"_blank\" rel=\"noopener noreferrer\">Centralized SSL Certificate Support<\/a>), no need for <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/web-hosting\/configuring-servers-in-the-windows-web-platform\/shared-configuration_211\">shared configuration<\/a> (hence the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/storage\/dfs-replication\/dfsr-overview\" target=\"_blank\" rel=\"noopener noreferrer\">DFS-R<\/a>). My desire to go further did the rest!<\/p>\n<p>Raimund&rsquo;s recent support for a working <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">AutomatedLab<\/a> scenario on DSC with SQL Server 2016 (based on the article <a href=\"https:\/\/blogs.technet.microsoft.com\/fieldcoding\/2017\/05\/11\/using-sql-server-2016-for-a-dsc-pull-server\/\">Using SQL Server 2016 for a DSC Pull Server<\/a>) gave birth to this <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\/blob\/develop\/LabSources\/SampleScripts\/Scenarios\/DSC%20Pull%20Scenario%201%20(Pull%20Configuration%2C%20SQL%20Reporting).ps1\">script<\/a>. It was an opportunity for me to go a step further with <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">AutomatedLab<\/a>.<\/p>\n<p>So I developed the following <a 
href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/PowerShell\/IIS\/AutomatedLab\/NLB%20%26%20ARR\/AutomatedLab%20-%20NLB%20%26%20ARR.ps1\">script<\/a>. This script needs:<\/p>\n<ul>\n<li><a id=\"c32e1e00cefa5465efad4421d451eedf-c6ee08f4e2cbdbda83c00c2cc8eb25649eb0ba4d\" class=\"js-navigation-open\" title=\"Extensions.zip\" href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20ARR\/Extensions.zip\">Extensions.zip<\/a>: which contains the setup files for <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/url-rewrite\">IIS URL Rewrite Module 2<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=47333\">Microsoft Application Request Routing 3.0<\/a>, <a href=\"http:\/\/download.microsoft.com\/download\/C\/A\/5\/CA5FAD87-1E93-454A-BB74-98310A9C523C\/ExternalDiskCache_amd64.msi\">Microsoft External Cache<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=43717\">Microsoft Web Deploy 3.6<\/a> (Bonus), <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=24659\">Log Parser 2.2<\/a> (Bonus)<\/li>\n<li><a id=\"a1c12e5284a026a9c64e60982cd65099-5229870145b432fed53217e27bede5f07debcc1a\" class=\"js-navigation-open\" title=\"arr.contoso.com.zip\" href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20ARR\/arr.contoso.com.zip\">arr.contoso.com.zip<\/a>: which contains the source of our website. The images, stylesheets and JavaScript are served by the ARR servers. 
I also used <a href=\"https:\/\/www.donnfelker.com\/watermarking-images-in-asp-net-with-an-httphandler\/\">JpgHttpHandler.cs<\/a> to print a watermark on the images to indicate which <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> server provided them (line 59 of <a href=\"https:\/\/www.donnfelker.com\/watermarking-images-in-asp-net-with-an-httphandler\/\">JpgHttpHandler.cs<\/a> was modified).<\/li>\n<\/ul>\n<p>I did not implement any client affinity (neither at the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a> level nor at the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">ARR<\/a> level) so that traffic is distributed evenly at all levels.<\/p>\n<p>The environment is composed of 6 servers:<\/p>\n<ul>\n<li>ARRNODE01: First <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> server of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a> web farm<\/li>\n<li>ARRNODE02: Second <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> server of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a> web farm<\/li>\n<li>IISNODE01: First <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> server of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">ARR<\/a> web farm<\/li>\n<li>IISNODE02: Second <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> server of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">ARR<\/a> web farm<\/li>\n<li>CA01: Certificate Authority<\/li>\n<li>DC01: Domain Controller (contoso.com)<\/li>\n<\/ul>\n<p>The server names are written in the code (do a \u00ab\u00a0Global Replace\u00a0\u00bb, CTRL+H, if the names do not suit you), as are certain other parameters such as:<\/p>\n<ul>\n<li>The lab name (\u00ab\u00a0NLBARRLab\u00a0\u00bb by default)<\/li>\n<li>The account to use (\u00ab\u00a0Administrator\u00a0\u00bb by default)<\/li>\n<li>The associated password (\u00ab\u00a0P@ssw0rd\u00a0\u00bb by default)<\/li>\n<li>The domain name (FQDN and NetBIOS) (\u00ab\u00a0contoso.com\u00a0\u00bb and \u00ab\u00a0CONTOSO\u00a0\u00bb by default)<\/li>\n<li>The <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> application pool identity (\u00ab\u00a0IISAppPoolUser\u00a0\u00bb by default)<\/li>\n<li>The name of the load-balanced application (\u00ab\u00a0arr.contoso.com\u00a0\u00bb by default)<\/li>\n<\/ul>\n<p>Once the script is done (~40 min on my laptop: 8th Gen Core i7 processor with 8 cores + SSD), connect to CA01 (used as a client workstation for Windows authentication via Kerberos) and navigate to https:\/\/arr.contoso.com\/ (default page in IE). You will then get:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2631 aligncenter\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/arr.contoso.com.jpg\" alt=\"\" width=\"966\" height=\"531\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/arr.contoso.com.jpg 966w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/arr.contoso.com-300x165.jpg 300w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/11\/arr.contoso.com-768x422.jpg 768w\" sizes=\"auto, (max-width: 966px) 100vw, 966px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>You will notice the following:<\/p>\n<ul>\n<li>Dynamic content is served by the IIS servers (IISNODE01 here).<\/li>\n<li>The images (as well as other static resources) are served by the ARR servers (ARRNODE01 and ARRNODE02 alternately).<\/li>\n<li>Windows authentication via Kerberos is operational and you are authenticated on an IIS server (IISNODE01 here).<\/li>\n<\/ul>\n<p>Here are some other links I found helpful during my personal configuration:<\/p>\n<ul>\n<li><a 
href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/extensions\/configuring-application-request-routing-arr\/achieving-high-availability-and-scalability-arr-and-nlb#use-of-application-request-routing-and-network-load-balancing\">https:\/\/docs.microsoft.com\/en-us\/iis\/extensions\/configuring-application-request-routing-arr\/achieving-high-availability-and-scalability-arr-and-nlb#use-of-application-request-routing-and-network-load-balancing<\/a><\/li>\n<li><a href=\"https:\/\/www.thebestcsharpprogrammerintheworld.com\/2015\/05\/22\/configure-application-request-routing-with-windows-authentication-kerberos\/\">https:\/\/www.thebestcsharpprogrammerintheworld.com\/2015\/05\/22\/configure-application-request-routing-with-windows-authentication-kerberos\/<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>Laurent.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Go to English version [Update 12\/21\/2019] Added an SNI binding on the ARR nodes to reach the site without going through the NLB. Several tabs 
[&#8230;]<\/p>\n","protected":false},"author":2,"featured_media":2465,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,19,12],"tags":[20,54,48,25,39],"class_list":["post-2621","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iis","category-powershell","category-securite-security","tag-net","tag-automatedlab","tag-github","tag-iis","tag-powershell"],"_links":{"self":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/comments?post=2621"}],"version-history":[{"count":29,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2621\/revisions"}],"predecessor-version":[{"id":3034,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2621\/revisions\/3034"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media\/2465"}],"wp:attachment":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media?parent=2621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/categories?post=2621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/tags?post=2621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}