Connect Pro server pools and hardware-based load-balancing devices with SSL acceleration

Frank S. DeRienzo, MBA, Adobe Systems

April 2009

Expertise Level: Administrator

  

The most robust means of implementing secure socket layer (SSL) with Connect Pro servers is through a hardware-based SSL accelerator; the most robust means of clustering Connect Pro servers is with a hardware-based load-balancing device (HLD). Since most enterprise-class HLDs are also SSL accelerators, this example-based article offers a best-practice configuration of a Connect Pro Server pool or cluster running the full suite of Connect Pro applications: Connect Pro Meeting, Adobe Presenter, Connect Pro Training, and Connect Pro Events securely behind a high-end, application-aware HLD and SSL acceleration device such as F5 BIG-IP. This article does not exhaust the possible configurations, but offers a general working example.

Requirements

To complete this tutorial you will need to install the following software and files:

  • Adobe Acrobat Connect Pro Server
  • Microsoft SQL Server 2000 SP4 or SQL 2005 SP1
  • A Big-IP or high-end hardware-based load-balancing device

 

Prerequisite knowledge

A basic understanding of network infrastructure, routing, bridging, and Network Address Translation (NAT).

Table of Contents

Configuring DNS and ports and assigning SSL certificates
Configuring the Connect Pro server pool
Configuring application-level health monitors on the HLD/SSL accelerator
Conclusion


Configuring DNS and ports and assigning SSL certificates

The best place to start is with a basic network diagram illustrating the desired end state of a Connect Pro server pool running behind a high-end hardware-based load-balancing device (HLD) running SSL acceleration:


Figure 1: Adobe Connect Pro server pool running Connect Pro Meeting.

Following the example in Figure 1, the virtual Internet protocol addresses (VIPs) on the HLD and the Connect Pro and Connect Pro Meeting pools correspond in the following manner:

  • HTTPS VIP: connect.adobe.com: 10.10.10.1:443 points to Connect Enterprise servers: 192.168.0.1: 8443 and 192.168.0.2: 8443
  • RTMPS VIP: meeting1.adobe.com: 10.10.10.2:443 points to Connect Professional Meeting1 192.168.0.1: 1935
  • RTMPS VIP: meeting2.adobe.com: 10.10.10.3:443 points to Connect Professional Meeting2 192.168.0.2: 1935

This configuration can be confusing; it may seem odd to have a single server in a server pool, but each Connect Pro VIP on the HLD must point to a single Connect Pro meeting server; it is a one-to-one correspondence. The HTTPS enterprise or application VIP is more conventional; it points toward a two-server Connect Pro server pool; the HTTPS application pool handles failover for the RTMPS meetings. Resist any temptation to attempt using a single VIP with multiple open ports. Each VIP also needs its own certificate and unique fully qualified domain name (FQDN); the configuration above requires three unique certificates and three FQDNs.

  • One unique certificate and FQDN for the HTTPS VIP: connect.adobe.com
  • One unique certificate and FQDN for RTMPS VIP: meeting1.adobe.com
  • One unique certificate and FQDN for RTMPS VIP: meeting2.adobe.com

The external names for each server are the VIP names: meeting1.adobe.com and meeting2.adobe.com, respectively; the host name is connect.adobe.com. The only host name suffix the end users will ever see is: connect.adobe.com. Still, three unique certificates are required on the HLD/SSL accelerator: one for each VIP pointing to each Connect Pro meeting/RTMPS server and one for both of the Connect Pro/HTTPS servers. From the perspective of the HLD/SSL accelerator, there are actually four servers in three pools: two Connect Pro/application servers (connect.adobe.com) in one pool and two Connect Pro Meeting servers (meeting1.adobe.com and meeting2.adobe.com) each in a pool of its own with its own corresponding VIP. An application-level health monitor on the HLD/SSL accelerator should be associated with the HTTPS VIP, because the Connect Pro server will handle load balancing and failover of the meetings on the Acrobat Connect Professional servers (RTMPS) while the HLD handles failover of HTTPS.

This configuration employs a single IP address on each Connect Pro server. The single IP address uses two ports: 443 for the Connect Pro server and 1935 for the Connect Pro Meeting server. Even though all traffic between the HLD/SSL accelerator and the Connect Pro servers is unencrypted, you still must point the HTTPS VIP to port 443 on each of the servers; port 80 will not work.

Note: Do not try to take shortcuts, even for a lab environment. The Connect Pro server needs genuine, unique SSL certificates; self-signed certificates will not work with Connect Pro meetings, and the meeting rooms simply will not open. To obtain trusted certificates, you must contact a Certificate Authority and supply them with SSL Certificate Signing Requests (CSR) containing organizational information and fully qualified domain names (FQDN) that must correspond with each SSL certificate.

 

Configuring the Connect Pro server pool

Even though the HLD/SSL accelerator is doing all the encryption, there are still some settings that need to be configured on each Connect Enterprise server to enable SSL traffic. To configure the Connect Pro servers to run on a single IP address as depicted in this working example, you will need to add the following entries to the custom.ini file in the Connect Pro directory:

ADMIN_PROTOCOL=https://
SSL_ONLY=yes
HTTPS_PORT=8443
RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/

After adding these entries, save the custom.ini file.
The next step is to properly edit the Connect server settings to match the settings in the custom.ini file. Select Start > Programs > Adobe Acrobat Connect Pro Server 7 > Start Connect Pro Central Application Server to go to the Connect Pro server configuration interface (see Figure 2).


Figure 2: Editing the Connect Pro server settings.


The server settings depicted in Figure 2 correspond to this working example.

After your custom.ini file and your server settings are configured, stop the Connect Pro services beginning with the Connect Enterprise Service, followed by the Flash Management Server (FMS) service on each Windows server in the pool (see Figure 3). If the HLD/SSL accelerator is properly configured, you will be able to browse the Connect server pool through the HLD/SSL accelerator after restarting the Connect Enterprise services.



Figure 3: Stopping and restarting the Adobe Connect Enterprise services.

 

Configuring application-level health monitors on the HLD/SSL accelerator

In order to make sure that the HLD/SSL accelerator performs failover in case one of the application servers should hang, you will want to make certain that the VIP that points to the application server pool is configured with an application-level health monitor. If you simply probe the health of the Connect Pro servers with a default health monitor at the level of the IP stack, then there are potential cases when the HLD/SSL accelerator might send traffic to a server with a non-responsive application that seems alive to lower-level probing mechanisms such as the packet Internet groper (PING). Always set the health monitor to probe for an actual string of content on the Connect Pro server; all high-end HLDs offer application-level health monitoring. It may not always be intuitive how to configure the monitor as each HLD has a different interface and different means of probing an application, but the following guidance will help you get an appropriate monitor in place.

Consider that you have three server pools and three VIPs. The only VIP and pool combination that needs an application-level health monitor for failover is the enterprise/application HTTPS server VIP and pool:

  • HTTPS VIP: connect.adobe.com: 10.10.10.1:443 points to Connect Enterprise servers: 192.168.0.1: 443 and 192.168.0.2: 443

The probe or health monitor should point to a string on each Connect Enterprise server in its pool to check the health of each server. If one of the servers in the pool becomes non-responsive, the monitor will mark the server down and the HLD will redirect all traffic to the remaining server.

The Acrobat Connect Professional server VIP/pool combinations do not need a health monitor because the Connect Enterprise server handles failover for the Acrobat Connect Professional meeting rooms:

  • RTMPS VIP: meeting1.adobe.com: 10.10.10.2:443 points to Connect Professional server meeting1 192.168.0.1: 1935
  • RTMPS VIP: meeting2.adobe.com: 10.10.10.3:443 points to Connect Professional server meeting2 192.168.0.2: 1935

Because there is only one server in each pool, there is no place for the HLD to redirect meeting traffic should one of the Connect Pro meeting servers fail to respond. The only reason to probe the Connect Pro meeting server VIP/pools combination might be to trigger an email message to an administrator to warn that one of the Connect Pro meeting servers is problematic.

The best target on the servers for your application-level health monitor is the testbuilder diagnostic page:

/servlet/testbuilder

The testbuilder page will send back the "status-ok" string.

It is best to point the health monitor to the testbuilder page rather than a simple HTML string, because testbuilder is actually probing the Connect Pro database to make sure there is a healthy connection. If there is any problem with the Connect Pro server application, then testbuilder will not report the "status-ok" string.

Each HLD has a different interface for configuring these monitors, and each one performs the check differently. The following example works with F5 BIG-IP against testbuilder:

/servlet/testbuilder HTTP/1.0\n
"status-ok"

If you have a problem getting a health monitor to work against testbuilder on your specific HLD, then there is another, less effective option. You can place an HTML file in the content directory on each Connect Pro server and point to that file. This option should only be used if testbuilder is problematic with your flavor of HLD. The following example shows an HTML file called healthmonitortarget.html containing the string "You are being served HTML":

common/healthmonitortarget.html HTTP/1.0\n
You are being served HTML
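
The content check described above can be reproduced from an admin host to confirm what the HLD monitor should see before it is relied on for failover. The following is an added example, not part of the original article or of Adobe's or F5's tooling: the function names (evaluate, probe, pool_status) and the requirement of an HTTP 200 status are assumptions of this sketch, and the pool member's port is passed in as a parameter.

```python
import socket

def evaluate(raw, expect="status-ok"):
    """Classify a raw HTTP reply the way a content-matching monitor would."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or not status[0].startswith(b"HTTP/"):
        return "down:no-http-reply"
    # Assumption: a healthy testbuilder answers 200; the article only names the string.
    if status[1] != b"200":
        return "down:http-" + status[1].decode("ascii", "replace")
    return "up" if expect.encode() in body else "down:content"

def probe(host, port, path="/servlet/testbuilder", expect="status-ok", timeout=3.0):
    """HTTP/1.0 GET against one pool member; plain TCP, since SSL ends at the HLD."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii"))
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except socket.timeout:
        return "down:timeout"   # port accepts connections, application never answers
    except OSError:
        return "down:connect"   # refused, reset or unreachable
    return evaluate(b"".join(chunks), expect)

def pool_status(members, **kw):
    """Probe every (host, port) member; only 'up' members should receive traffic."""
    return {f"{h}:{p}": probe(h, p, **kw) for h, p in members}

if __name__ == "__main__":
    # Constructed replies for illustration, not captured from a real server.
    ok = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nstatus-ok"
    bad = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\ndatabase unavailable"
    print(evaluate(ok), evaluate(bad), evaluate(b""))
```

The "down:timeout" result is the case a PING or TCP-level monitor misses: the server still completes the connection, but the application never returns the expected string.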

 

Conclusion

The need for security, redundancy, and scalability is often answered by clustering application servers and running SSL encryption. Although it is possible to use a software-based clustering solution as well as software-based SSL, the most robust solution is to use a high-end HLD/SSL accelerator. The configuration described in this article is robust.

Where to go from here

Now that you have successfully configured a Connect Pro server pool to run behind an HLD/SSL accelerator, you may want to begin planning to incorporate Adobe Pro Edge Servers into your enterprise infrastructure. The Connect Pro application suite is contagious; as your usage of it ramps up, you may find concentrations of users who could benefit from a local Connect Pro server. When your staff discovers how simple it is to collaborate through Connect Pro meetings and how Adobe Presenter and Connect Pro Training can convert a plethora of content into fully deployed presentations, courses, and curricula, you may find that further expansion is warranted. Watch for future tutorials describing how to integrate Connect Pro Edge servers with HLD/SSL accelerators and Connect Pro server clusters.

 

About the author

Before joining BrightTiger/Allaire/Macromedia/Adobe in June 1997, Frank S. DeRienzo had a distinguished military career with the U.S. Army Rangers and Special Forces. He is a graduate of Gordon College and holds an MBA from the University of Massachusetts. During his tenure with Adobe (and Macromedia before), he has focused on high availability and scalability through website clustering and web server integration with various hardware load-balancing and content-management platforms. Currently he is part of the Adobe Professional Services team, where his primary focus is on Connect Pro Server implementation and training.


