We are planning to load balance three password registration and reset portals that will be used by network and non-network users. I haven’t found an official guide from Microsoft on how to do this so I wanted to run the scenario by the group to see if anyone could suggest best practices. I used this document for part of my design solution.
Allow end users on the internal network, as well as external remote users not on the network, to register for and reset their network passwords without calling the company help desk.
Standard Set Up:
- We already have connectivity to FIMService so all needed ports are open between portal machines, FIM Service and FIM Sync.
- There are three VMs: server1.acme.com, server2.acme.com, server3.acme.com
- These machines are available for internal users on the company network as well as external non-network users via reverse proxy
- IIS 7.5 installed on the password portal servers and SharePoint is not present
- Password and registration portal installed on each machine
- Single network adapter and IP per machine
- Single password service account (FIMPassword)
- There are three DNS entries for password registration that point to each server: passwordregistration1.acme.com, passwordregistration2.acme.com, passwordregistration3.acme.com
- There are three DNS entries for password reset that point to each server: passwordreset1.acme.com, passwordreset2.acme.com, passwordreset3.acme.com
- We will have an NLB with the main addresses passwordreset.acme.com and passwordregistration.acme.com in front of the DNS entries
- We will set SPNs on FIMPassword for passwordregistration1-3 and passwordreset1-3, along with the main passwordreset.acme.com and passwordregistration.acme.com addresses
- We plan to set up IIS to use the appPool per the document instructions
- Based on the game plan above, is this a valid approach to load balance three servers available to both internal and external users?
- Are there any other settings that we need to update to make the sites accessible to both network and non-network users?
- Any other recommendations for items we might have missed?
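As an added example (not part of the original post or of any Microsoft guide), the SPN and IIS steps listed above expressed as a PowerShell script. The domain name ACME, the app pool and site names, and the node list are assumptions; everything else follows the set-up the question describes. The duplicate-SPN check is the one thing most often skipped: a name registered on two accounts makes Kerberos fail and the browser silently fall back to NTLM, which is exactly the kind of "works on one node, not on the NLB name" symptom that is hard to diagnose later.

```powershell
# Added example, not from the original post. Run as a domain admin on a box with
# the IIS management tools. ACME, the pool/site names and the host list are assumed.

$account = 'ACME\FIMPassword'
$names   = @(
    'passwordregistration.acme.com',  'passwordreset.acme.com',   # NLB virtual names
    'passwordregistration1.acme.com', 'passwordreset1.acme.com',  # per-node names
    'passwordregistration2.acme.com', 'passwordreset2.acme.com',
    'passwordregistration3.acme.com', 'passwordreset3.acme.com'
)

# 1. Stop if any HTTP SPN for these portals is already registered on another
#    account. Duplicate SPNs break Kerberos and cause a silent NTLM fallback.
$dupes = & setspn.exe -X 2>&1 | Select-String -Pattern 'HTTP/password'
if ($dupes) {
    Write-Warning "Duplicate SPNs found, fix these before continuing:`n$($dupes -join "`n")"
    return
}

# 2. Register each name on the service account. -S checks for an existing
#    registration in the forest before adding, so re-running is harmless.
foreach ($n in $names) {
    & setspn.exe -S "HTTP/$n" $account | Out-Null
}
& setspn.exe -L $account     # list what is now registered on FIMPassword

# 3. Run the portal app pools as FIMPassword and tell IIS to use that identity
#    for Kerberos. Without useAppPoolCredentials, IIS 7.5 kernel-mode auth
#    decrypts tickets with the machine account, which has none of the SPNs above.
Import-Module WebAdministration
$cred  = Get-Credential -UserName $account -Message 'Password for FIMPassword'
$plain = $cred.GetNetworkCredential().Password

foreach ($pool in 'FIM Password Registration', 'FIM Password Reset') {      # assumed pool names
    Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
        -Value @{ identityType = 3; userName = $account; password = $plain } # 3 = SpecificUser
}
foreach ($site in 'Password Registration Portal', 'Password Reset Portal') { # assumed site names
    # windowsAuthentication is locked at server level, so write a <location> entry
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name useAppPoolCredentials -Value $true
}
```

The script registers the per-node names as well as the virtual ones because that is what the question proposes; if you later drop the per-node DNS entries, remove their SPNs with `setspn -D` so they do not linger on the account.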
I think you should be fine if you follow these steps. The only thing I might add is that it might be safe to configure your NLB for "sticky IP", meaning once a client is load balanced to a server it will stick to that server. I'm not sure the web browser or FIM client need this, but better safe than sorry. Or do thorough testing with regards to this.
Personally I'm not a fan of "registering" the serverX names. It only complexifies stuff. Your FIM will ask in various places for "the" URLs, e.g. passwordreset and passwordregistration. You might see weird effects if you use a direct URL whilst everything might be just fine.
If I want to "bypass" the load balancer I prefer modifying MY hosts file so that the "virtual URL" points to a dedicated node.
- Proposed as answer by AnthonyHo, Microsoft employee, Thursday, August 01, 2013 12:25 PM
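The hosts-file bypass from the reply above, as an added example that is not part of the original thread: it points the NLB virtual name at each node in turn, requests the portal with the current Windows credentials, and checks with `klist` that a Kerberos ticket for `HTTP/<virtual name>` was actually issued (if that line is missing, the node answered over NTLM and its SPN or app pool identity is wrong). The node IPs, the virtual name and the request path are assumptions; the hosts file is restored even if a request throws.

```powershell
# Added example, not from the original thread. Run elevated (the hosts file is
# protected) on a domain-joined client. IPs and the virtual name are assumed.

$virtualName = 'passwordregistration.acme.com'
$nodes = [ordered]@{ server1 = '10.0.0.11'; server2 = '10.0.0.12'; server3 = '10.0.0.13' }  # assumed IPs
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$backup    = Get-Content $hostsFile

try {
    foreach ($n in $nodes.GetEnumerator()) {
        # Drop any previous override for the virtual name, then add one for this node
        $kept = $backup | Where-Object { $_ -notmatch "\s$([regex]::Escape($virtualName))\s*$" }
        $kept + "$($n.Value)`t$virtualName" | Set-Content $hostsFile
        ipconfig /flushdns | Out-Null
        klist purge      | Out-Null   # force a fresh service ticket for the next request

        try {
            $r = Invoke-WebRequest -Uri "https://$virtualName/" -UseDefaultCredentials -UseBasicParsing
            # A ticket for HTTP/<virtual name> in the cache means Kerberos, not NTLM, was used
            $kerberos = [bool](klist | Select-String -SimpleMatch "HTTP/$virtualName")
            '{0,-8} {1,-12} HTTP {2}  Kerberos: {3}' -f $n.Key, $n.Value, $r.StatusCode, $kerberos
        } catch {
            '{0,-8} {1,-12} FAILED: {2}' -f $n.Key, $n.Value, $_.Exception.Message
        }
    }
} finally {
    $backup | Set-Content $hostsFile   # always put the original hosts file back
    ipconfig /flushdns | Out-Null
}
```

Because the request goes to the virtual name, the browser-side behaviour (SPN lookup, certificate name match) is exactly what production users get, which is the point of the reply's preference over the serverX names. The "sticky IP" setting the reply mentions is NLB port-rule affinity "Single"; in the NetworkLoadBalancingClusters module that is `Set-NlbClusterPortRule` with `-NewAffinity Single` on the HTTPS port rule.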