FIM Service&Portal&PasswordReset in NLB (hardware) using SSL


  • I'm deploying the following scenario

    I would like to know what are the specific steps in order to install FIMService&Portal&PasswordReset in NLB(hardware) using SSL at the portal. Actually SSL Certificate (CertificateSSL) has been issued pointing to the Name "Server3

    Actually i have installed the two servers (Server1, Server2) with WSS; and the NLB-HW has created the NLB cluster with "ClusterName" and "IPcluster".

    This is the first time i'll do it (and precisely in production environment) and want to be sure about how to do it, so my main doubts here are:

    • Install FIM Service&Portal&PasswordReset components in every two servers?
    • Should i use the "CertificateSSL" at section " Configure Common Services - Configure service certificate" ?
    • What would be the value "Configure FIM Service and Portal – Configure connection to the FIM Service" at each server? (own hostname or NLB "Clustername" or "Server3" name) ?
    • What would be the value "Enter the URL to the SharePoint" at each server ? should i specify HTTPS ?
    • At IIS bindings for each server, "CertificateSSL" should point to the NLB "IPcluster" ?
    • Should be "ClusterName" the same that "Server3" name ?
    • What DNS registry is necessary for "Server3" name ? (CNAME, A)
    • Is it required configure SPN's ?

    Sorry for so much detailed doubts but please if somebody here has worked with this scenario i would appreciate a lot his clarification.

    Thanks in advance.

    Thursday, February 16, 2012 12:58 AM

All replies

  • Hi-

    Not sure I completely follow, but, you're going to need a new SSL cert for sure.

    You need to pick a name for the NLB VIP. Let's call it

    You'll need to get an SSL cert for and install it on the FIM Service/Portal servers. If you don't have a specific technical need to bind the cert to the FIM Service during setup, don't. It will make patching alot more difficult.

    IIS will need to have the cert bound and listening on 443. You'll want to configure SPNs on the FIM Service service account for FIMService/, and on the Sharepoint account for http/

    My Book - Active Directory, 4th Edition
    My Blog -

    Thursday, February 16, 2012 1:20 AM
  • Thanks Brian,

    actually i would want to know if every FIM Portal installation would point to it's own URL(name), or to the final URL fimaddress name that users will access, and that the actual certificate points to.

    Friday, February 17, 2012 1:04 AM