{"id":2709,"date":"2019-12-13T14:05:15","date_gmt":"2019-12-13T13:05:15","guid":{"rendered":"https:\/\/laurentvanacker.com\/?p=2709"},"modified":"2022-12-09T09:50:13","modified_gmt":"2022-12-09T08:50:13","slug":"nlb-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab","status":"publish","type":"post","link":"https:\/\/laurentvanacker.com\/index.php\/2019\/12\/13\/nlb-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab\/","title":{"rendered":"NLB, IIS, DFS-R, Shared Configuration, SSL Offload, Windows Authentication, SNI, CCS in one place with AutomatedLab"},"content":{"rendered":"<p>This article is a simplified version of the following <a href=\"https:\/\/laurentvanacker.com\/index.php\/2019\/11\/15\/nlb-arr-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab\/\">article<\/a>. The architecture presented here does not include any <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> server(s).<\/p>\n<p>Some prerequisites:<\/p>\n<ul>\n<li>No internet connection available from the servers. 
(Which is, let&rsquo;s remember, a good practice in production environments.)<\/li>\n<li>The solution had to be fully automatable (as part of the POC).<\/li>\n<li>The solution had to be simple (as part of the POC).<\/li>\n<\/ul>\n<p>So I developed the following <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20IIS\/AutomatedLab%20-%20NLB%20%26%20IIS.ps1\">script<\/a>. This <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20IIS\/AutomatedLab%20-%20NLB%20%26%20IIS.ps1\">script<\/a> needs:<\/p>\n<ul>\n<li><a id=\"a1c12e5284a026a9c64e60982cd65099-5229870145b432fed53217e27bede5f07debcc1a\" class=\"js-navigation-open\" title=\"arr.contoso.com.zip\" href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/NLB%20%26%20IIS\/nlb.contoso.com.zip\">nlb.contoso.com.zip<\/a>, which contains the source of our website.<\/li>\n<\/ul>\n<p>I did not implement any client affinity at the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">NLB<\/a> level, so that traffic is distributed evenly across the <a href=\"https:\/\/www.iis.net\/\">IIS<\/a> nodes.<\/p>\n<p>The environment is composed of 4 servers:<\/p>\n<ul>\n<li>IISNODE01: First <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> server of the <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> webfarm<\/li>\n<li>IISNODE02: Second <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> server of the <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/application-request-routing\">ARR<\/a> webfarm<\/li>\n<li>CA01: Certificate Authority<\/li>\n<li>DC01: Domain Controller 
(contoso.com)<\/li>\n<\/ul>\n<p>The server names are hard-coded in the script (do a \u00ab\u00a0Global Replace\u00a0\u00bb with CTRL+H if the names do not suit you), as are certain other parameters such as:<\/p>\n<ul>\n<li>The lab name (\u00ab\u00a0NLBIISLab\u00a0\u00bb by default)<\/li>\n<li>The account to use (\u00ab\u00a0Administrator\u00a0\u00bb by default)<\/li>\n<li>The associated password (\u00ab\u00a0P@ssw0rd\u00a0\u00bb by default)<\/li>\n<li>The domain name (FQDN and NetBIOS) (\u00ab\u00a0contoso.com\u00a0\u00bb and \u00ab\u00a0CONTOSO\u00a0\u00bb by default)<\/li>\n<li>The <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> application pool identity (\u00ab\u00a0IISAppPoolUser\u00a0\u00bb by default)<\/li>\n<li>The name of the load balanced application (\u00ab\u00a0nlb.contoso.com\u00a0\u00bb by default)<\/li>\n<\/ul>\n<p>Once the script is done (~40 min on my laptop: 8th Gen Core i7 processor with 8 cores + SSD), connect to CA01 (used as a client workstation for Windows authentication via Kerberos) and navigate to https:\/\/nlb.contoso.com\/ (default page in IE). You will then get:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2713 aligncenter\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/12\/nlb.contoso.com.jpg\" alt=\"\" width=\"1044\" height=\"610\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/12\/nlb.contoso.com.jpg 1044w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/12\/nlb.contoso.com-300x175.jpg 300w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/12\/nlb.contoso.com-1024x598.jpg 1024w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2019\/12\/nlb.contoso.com-768x449.jpg 768w\" sizes=\"auto, (max-width: 1044px) 100vw, 1044px\" \/><\/p>\n<p>Laurent.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article is a simplified version of the following article. The architecture presented here does not include any ARR server(s). The prerequisites [&#8230;]<\/p>\n","protected":false},"author":2,"featured_media":2465,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,19,12],"tags":[20,54,48,25,39],"class_list":["post-2709","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iis","category-powershell","category-securite-security","tag-net","tag-automatedlab","tag-github","tag-iis","tag-powershell"],"_links":{"self":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2709","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/comments?post=2709"}],"version-history":[{"count":10,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2709\/revisions"}],"predecessor-version":[{"id":3023,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2709\/revisions\/3023"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media\/2465"}],"wp:attachment":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media?parent=2709"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/categories?post=2709"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/tags?post=2709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}