How To Configure F5 BIG-IP LTM To Load Balance Azure RMS Connectors

We’re in the process of updating our load balancing platforms and are migrating several test/dev and backoffice applications from Kemp Virtual LoadMaster (VLM) load balancers to F5 BIG-IP Local Traffic Manager (LTM) virtual edition (VE). Wow…three abbreviations in the first sentence. Buckle up :).

One of the services that we migrated this week was the Azure Rights Management Server (RMS) Connector. If you’re here, you probably know what the Azure RMS connector is, but just in case, here’s the short definition from Microsoft:

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management services.

This seemed like it would be a simple migration when I started, but I couldn’t get the health monitor to report the servers up. It was all green on Kemp, but not on F5, with all the same check parameters. I tried it in a browser (IE, Chrome and Firefox) and that puzzled me more. The only way to load the check page (https://<azurermsconnector_fqdn/_wmcs/certification/servercertification.asmx) was to authenticate with domain user credentials. Strange. It seems that the VLM, at least in v7.1-20b, was accepting a 401 as a healthy response. But that didn’t help with BIG-IP…

BIG-IP (F5) has a great CLI utility that helped verify that authentication was indeed the hold up on its health monitor. Using openssl s_client, I checked using the monitor parameters and received a 401 unauthorized error:

 <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
 <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>

I tried putting some domain credentials into the username and password fields on the BIG-IP health monitor, but that only succeeded in locking out the account. Then my colleague came across something that pointed us to use the account UPN ([email protected]) and that did the trick. Here’s the step-by-step from start to finish:

 1. Create HTTPS Health Monitor (Local Traffic > Monitors > Create…)

Fields below are required or otherwise different from default values

  • Name: rms_conn_https (feel free to name it according to your format)
  • Description: HTTPS monitor for Rights Management Server Connector
  • Type: HTTPS
  • Parent Monitor: https
  • Send String: GET /_wmcs/certification/servercertification.asmx HTTP/1.1\nHost: rmsconnector.domain.com\n
    (make sure you change the “Host:” to the FQDN of your RMS connector)
  • Receive String: ServerCertificationWebService
  • User Name: [email protected] (replace with your domain user service account)
  • Password: <password of above account>

f5_rms_monitor

2. Create Nodes (Local Traffic > Nodes > Create…)

  • Name: <RMS connector server name>
  • Description: RMS connector server
  • Address: 192.168.1.101 (replace with the RMS connector server IP, or use the FQDN, but make sure the LTM is configured for DNS properly)
  • Health Monitors: Node Default
  • Repeat for second (and other) RMS connector servers

f5_rms_node

3. Create Pool (Local Traffic > Pools > Create…)

  • Name: RMS_Connector
  • Description: Rights Management Server Connectors
  • Health Monitors: rms_conn_https
  • Load Balancing Method: Round Robin
  • New Members from Node List:
    • Address: rmsConn01 (192.168.1.101), Service Port: 443
    • Address: rmsConn02 (192.168.1.102), Service Port: 443

f5_rms_pool

4. Create Virtual Server (Local Traffic > Virtual Servers > Create…)

Fields below are required or otherwise different from default values

  • Name: RMS_Conn_VS_https_443
  • Description: RMS Connector Virtual Server HTTPS
  • Destination Address: 192.168.1.100
  • Service Port: 443 (HTTPS)
  • Source Address Translation: Auto Map
  • Default Pool: RMS_Connector

f5_rms_vs_1

f5_rms_vs_2

5. Verify Pool & Virtual Server Status (Statistics > Module Statistics > Local Traffic)

  • Statistics Type: Pools (verify RMS_Connector and its members)
  • Statistics Type: Virtual Servers (verify RMS_Conn_VS_https_443)

Hopefully yours is all green!

All of the above screenshots and data are derives from BIG-IP version 11.6. Other versions may vary.

2 Comments

Leave a Reply