It is generally a good idea to ensure the availability of the certificate enrollment Web services (Certificate Enrollment Policy Service, CEP, and Certificate Enrollment Web Service, CES) at all times.
The following describes how this can be achieved with the Windows feature "Network Load Balancing" (NLB).
In order to be able to operate several servers with high availability behind only one DNS name, it is necessary to connect load balancers upstream, which take care of the distribution of the requests. This cannot always be done with hardware load balancers. In such a case, the software-based load balancer called Microsoft Network Load Balancing (NLB), which is supplied with the Windows Server operating system, can be a useful option.
The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".
Disadvantages compared to a hardware load balancer
- Poorer performance under high load, because the distribution is done in software.
- No health probes are possible: if only the web service fails while the server itself stays up, NLB keeps forwarding requests to that node and clients run into errors.
- In unicast mode, no management of NLB functions is possible from the cluster nodes themselves.
- May require configuration changes to the participating servers and infrastructure (e.g. when they are virtualized).
Requirements
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
For the following instructions, it is assumed that CEP and CES have already been installed and configured on the cluster nodes. See also articles "Installing a Certificate Enrollment Policy Web Service (CEP)" and "Installing a Certificate Enrollment Web Service (CES)".
In order for certificate enrollment web services to be used with a load balancer, some special considerations must be taken into account:
- Since the clients connect to a central IP address, a corresponding alias must be created in DNS for it and configured in the web services. See also articles "Configure the Certificate Enrollment Policy Web Service (CEP) for use with an alias" and "Configure the Certificate Enrollment Web Service (CES) to work with an alias".
- All servers require SSL certificates issued to the alias described above. See also article "Configuring a Secure Socket Layer (SSL) Certificate Template for Web Server".
- CEP and CES can be installed together on the same cluster node, but then they must use the same identity for the IIS application pool. See also articles "Configure the Certificate Enrollment Policy Web Service (CEP) to work with a Group Managed Service Account (gMSA)" and "Configure the Certificate Enrollment Web Service (CES) to work with a Group Managed Service Account (gMSA)" as well as "Configure the Certificate Enrollment Policy Web Service (CEP) to work with a domain account" and "Configure the Certificate Enrollment Web Service (CES) to work with a domain account".
- If CEP and CES are installed on separate clusters, the steps must be repeated accordingly for each cluster.
Establishment
The following operating modes are possible with Microsoft Network Load Balancing:
- In unicast mode, each network card has only the MAC address of the cluster network.
- In multicast mode (recommended), each network card has an additional MAC address for the cluster network.
If the cluster nodes are located on a Microsoft Hyper-V server, MAC address spoofing must be allowed in the virtual machine network card settings.

The network load balancing function must be installed on each cluster node. This can be done, for example, with the following Windows PowerShell command:
Add-WindowsFeature NLB -IncludeManagementTools

The Network Load Balancing Manager can then be started from one of the cluster nodes.
A new cluster is created there.
If CEP and CES are installed on separate servers, the following configuration must of course be performed for both clusters.

Enter the IP address or hostname of the first cluster node and connect to it.

The following dialog can be left with the default settings.

The cluster IP address is then created.

Then a name is assigned to the cluster and the operating mode is selected. The choice of mode depends on the possibilities of the infrastructure. See "Configuring network infrastructure to support the NLB operation mode" (Microsoft). In this example, multicast mode is used.

In the next dialog, the port range is restricted. For the certificate enrollment web services, it is sufficient to restrict the range to TCP port 443.
Finally, the other cluster nodes are added.
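The same setup as the Network Load Balancing Manager steps above, done with the NetworkLoadBalancingClusters PowerShell module. This is an added example and not from the original article; the node names WEB01 and WEB02, the interface name "Ethernet", the cluster address 192.0.2.10/24 and the alias enroll.corp.example are constructed placeholders.

```powershell
# Added example: NLB cluster for CEP/CES in multicast mode, limited to TCP 443.
# Run on the first node (WEB01). All names and addresses below are constructed.
Import-Module NetworkLoadBalancingClusters

$FirstNode   = 'WEB01'
$OtherNodes  = @('WEB02')
$Interface   = 'Ethernet'
$ClusterName = 'enroll.corp.example'   # must match the DNS alias and the SSL certificate subject
$ClusterIP   = '192.0.2.10'
$SubnetMask  = '255.255.255.0'

# Hyper-V only: the VM network adapter must allow MAC address spoofing, e.g. on the host:
#   Set-VMNetworkAdapter -VMName WEB01 -MacAddressSpoofing On

# 1. Install the NLB feature on every node (same command as in the article).
Invoke-Command -ComputerName (@($FirstNode) + $OtherNodes) -ScriptBlock {
    Add-WindowsFeature NLB -IncludeManagementTools
}

# 2. Create the cluster on the first node. Multicast keeps the node's own MAC,
#    so the cluster stays manageable from the nodes themselves.
$cluster = New-NlbCluster -HostName $FirstNode -InterfaceName $Interface `
    -ClusterName $ClusterName -ClusterPrimaryIP $ClusterIP -SubnetMask $SubnetMask `
    -OperationMode Multicast

# 3. Replace the default "all ports" rule with one that only balances TCP 443.
$cluster | Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
$cluster | Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol Tcp `
    -Mode Multiple -Affinity None

# 4. Add the remaining nodes.
foreach ($node in $OtherNodes) {
    $cluster | Add-NlbClusterNode -NewNodeName $node -NewNodeInterface $Interface
}

# 5. Sanity checks: all nodes should report "Converged", and the cluster IP must
#    answer on 443. NLB has no health probe, so this only proves the port is open.
Get-NlbClusterNode -HostName $FirstNode | Select-Object Name, State
Test-NetConnection -ComputerName $ClusterIP -Port 443 | Select-Object TcpTestSucceeded
```

The port check does not replace the CEP/CES functional tests in the next section, since NLB keeps forwarding to a node whose IIS application pool has stopped.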
Function test
After setting up load balancing, a functional test of the services should be performed. See also articles "Performing a functional test for the Certificate Enrollment Policy Web Service (CEP)" and "Perform functional test for Certificate Enrollment Web Service (CES)".
Related links:
External sources
- Configuring network infrastructure to support the NLB operation mode (Microsoft)
- Certificate Enrollment Web Services in Active Directory Certificate Services - Planning Load Balancing and Fault Tolerance (Microsoft)
- Network Load Balancing (Microsoft)
- Microsoft Network Load Balancing Multicast and Unicast operation modes (1006580) (VMware)
- Sample Configuration - Network Load Balancing (NLB) Multicast Mode Configuration (1006558) (VMware)