MOSS Forum


SSL, MOSS and Load Balancing

  Asked By: Charmaine    Date: Aug 02    Category: MOSS    Views: 8479

We need to 'turn on' SSL for our MOSS farm.

For load balancing, we're using a netscaler device. Alas, this gets to
be out of my hands and is in the hands of our networking operations

Our MOSS web app's URL resolves to an IP address that points to the
netscaler device, which then handles the load balancing and requesting
data from the MOSS farm.

This has been working fine.

They then purchased a certificate, set it up on the netscaler device,
and now we can't access our site. Netscaler is handling the SSL
traffic between the browser and the netscaler device, and then the
netscaler is communicating via HTTP with the MOSS farm internally.

If we enter https://ourdomain.com we *do* get prompted for our MOSS
login, but are then denied access.

If we swap and go back to http, it works fine.

Neither myself nor our networking folks have any idea what to look for
here as the possible problem. We're not noticing any weird access
errors in the logs on the farm. Any theories/ideas?



13 Answers Found

Answer #1    Answered By: Cheyenne Jacobson     Answered On: Aug 02

Have you created the correct Alternate Access Mappings for the https URL
you added?

Answer #2    Answered By: Makayla Lewis     Answered On: Aug 02

Well, this is where my lack of networking skills will start to show.

We had thought that from Netscaler to MOSS it was just using http, and
that as far as the MOSS farm knows, it's getting a request for the
HTTP site.

But it sounds like perhaps that's not the case and that, indeed, a
request is being sent to the server for HTTPS.

Answer #3    Answered By: Miranda Scott     Answered On: Aug 02

Follow-up question.

I'm not going through the information found here:


They talk about using Internet Security and Acceleration Server 2006
and setting up rules to forward https traffic to your MOSS farm. In
our case, we're using NetScaler, so will have our operations folks
handle that part of the task.

If you scroll down, though, it shows you what needs to be done in Central Admin.

The example shows extending a web application to a web app
at port 80, and then putting the public HTTPS URL in the 'URL' field.

Here's the catch...we already have the site set up on port 80. I just
want to now change the URL listed so it looks for https. Can I change
that or is that option only available when extending a web

If the latter, what's the option? Do I extend it to say, port :81, use
a different URL for the host header, and then have the proxy/load
balance server point at THAT specific URL?

Answer #4    Answered By: Deirdre Macias     Answered On: Aug 02

I should probably give more specifics:

What we currently have:

public --> Netscaler load balancer --> 3-server MOSS farm

Right now people request http://sharepoint.ourdomain.com and that's
what is set up in MOSS.

We now want https://sharepoint.ourdomain.com requests to go to the
Netscaler device, which will then request the
http://sharepoint.ourdomain.com site on the MOSS farm.

According to this link:
...what has to be done in central admin is to set up the site as-is
(port 80) but make sure to put https in the URL field of the web

However, it does not appear that one can MODIFY the URL setting once
the web application is created.

In this case, I assume I need to extend the web application. It looks
like I could do that, choosing 'Use an existing IIS web site', leave
that to the default (port 80) site, and then give it a new URL (using
the https)

Is that the solution? What I'm a bit confused about is that if I did
that, I'd have extended the web application twice to the same URL on
the MOSS farm. That seems wrong (but maybe it isn't?)

Answer #5    Answered By: Kala Solomon     Answered On: Aug 02

You may find this-
I've used these steps to set up my CA and SSP to use
SSL and will be using them to do my web app as well
(once I get back to working on my farm setup). If you
are not using kerberos you can of course skip those

Answer #6    Answered By: Madison Clark     Answered On: Aug 02

The new AAM Public URL should have the HTTPS URL and the Internal URL
should have the HTTP URL. You'll need another AAM with the HTTP address
as both the Internal and Public URLs if you want people to be able to
use that too.

Answer #7    Answered By: Dhanraj Saxsena     Answered On: Aug 02

In our case, our NetScaler device is going to have the SSL certificate.

Maybe a different way to word that, if the NetScaler device has the
SSL certificate, and it, in turn, is going to request the data/pages
via standard HTTP, what, if anything, do I need to set up on the MOSS
Farm's IIS site settings and/or Central Admin?

Answer #8    Answered By: Kacie Calhoun     Answered On: Aug 02

Your cert should be on the WFE servers not on your
load balancer. The load balancer needs to be set up to
forward port 80 (if you are allowing non ssl) and port
443 (the standard ssl port).
The certs need to be installed via the IIS MMC to each
WFE. That is why you need the PFX file for your cert.

Answer #9    Answered By: Duane Walton     Answered On: Aug 02

I disagree. The certificate SHOULD NOT be installed on the WFE, it
should be installed on the NetScaler. The NetScaler will take incoming
HTTPS packets, use the ssl cert to decrypt the packets and will pass the
decrypted, http packets off to the WFE. This removes the burden of the
SSL decryption and encryption from the WFEs and frees up CPU cycles to
serve content.

The image I linked shows you how to set up your AAMs for what
you're doing, there's nothing to it. Public URL is HTTPS, Internal URL
is HTTP. There's nothing else to do.

Check it out for more

Answer #10    Answered By: Cassandra Cooper     Answered On: Aug 02

Just be aware that the traffic between the NetScaler
box and the WFE's will be unencrypted. Which,
depending on your security requirements and network
setup could be a problem.

Answer #11    Answered By: Elaina Suarez     Answered On: Aug 02

Yes, indeed, I think you're right that this is simpler than it actually is.

What we ended up doing was extending the web application to a new port
number, and then gave it the public URL of https.

Here's the new problem: In extending the web app, we can have it make
an IIS site at the same time, which we did.

Alas, it only made this on one of the 3 servers on our farm. What did
I do wrong there? Was I supposed to make the IIS sites first on each
server, then extend via central admin?

Also, Patrick: Yes, good point on traffic between the load balancer
and MOSS farm not being encrypted. We're OK with that in this case.

Answer #12    Answered By: Kacey Russo     Answered On: Aug 02

Unless you're using different authentication providers I don't think you
need a second web application. Did you try just putting the HTTPS
address in the AAM for the existing web application like I suggested?

Answer #13    Answered By: Rebecca Lewis     Answered On: Aug 02

Could you explain what, exactly, I'm supposed to do in the AAM area?
The picture doesn't really give me a clear idea of what I should have
in the AAM.

I go to AAM, select the Collection for our web app, and see this:

internal URL: http://oursite.com
zone: default
Public URL for Zone: http://oursite.com


I go to EDIT PUBLIC URL and I change that to HTTPS, but upon
returning, I see this:

internal URL: https://oursite.com
zone: default
Public URL for Zone: https://oursite.com

Note that it changes BOTH the public and internal URL.

Is that correct?
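
Added example, not part of any post in this thread: a simplified lint check over an Alternate Access Mapping table for the SSL-offloading layout discussed above, run against the "before" and "after" tables from Answer #13 and the Public-HTTPS/Internal-HTTP layout described in Answers #6 and #9. The function names, row format and sample tables are assumptions; the check only compares scheme, host and port and does not query SharePoint.

```python
from urllib.parse import urlsplit

HOST = "sharepoint.ourdomain.com"   # hostname used in the thread
# Rows are (internal URL, zone, public URL). All three tables are constructed.
ORIGINAL = [(f"http://{HOST}", "Default", f"http://{HOST}")]
EDITED = [(f"https://{HOST}", "Default", f"https://{HOST}")]
OFFLOAD = EDITED + [(f"http://{HOST}", "Default", f"https://{HOST}")]

def origin(url):
    """Reduce a URL to scheme://host:port so default ports and case compare equal."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    return f"{parts.scheme}://{parts.hostname}:{port}"

def lint_aam(mappings, backend_url, user_url):
    """Return findings for an AAM table behind an SSL-terminating load balancer.

    backend_url: what the load balancer requests from the farm after decrypting.
    user_url:    what users type into the browser.
    An empty list means the request maps to a zone that publishes user_url.
    """
    findings = []
    internals = [origin(row[0]) for row in mappings]
    if len(set(internals)) != len(internals):
        findings.append("an internal URL appears more than once")
    matches = [row for row in mappings if origin(row[0]) == origin(backend_url)]
    if not matches:
        findings.append(f"no internal URL matches {backend_url}")
        return findings
    _, zone, public = matches[0]
    if origin(public) != origin(user_url):
        findings.append(f"zone {zone} publishes {public}, not {user_url}")
    return findings

if __name__ == "__main__":
    for name, table in [("original", ORIGINAL), ("edited", EDITED), ("offload", OFFLOAD)]:
        print(name, lint_aam(table, f"http://{HOST}", f"https://{HOST}") or "ok")
```
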
