One question that we often get from customers is how to load balance SSO. While we do have documentation and support for setting up Apache to load balance SSO many customers already own a load balancer or do not wish to use Apache.
Over the last few weeks Justin King and myself have tested three common load balancers many customers are using, our complete guide will be published in a white paper in the coming weeks but in the meantime I wanted to get some of the information out. Below are three videos demonstrating how I configured the load balancers to support SSO and the Web Client. The three load balancers we used were VMware vCNS, F5 BIG-IP, and Citrix NetScaler. We were unable to test and document Cisco ACE since it is now end of life from Cisco.
The following should be kept in mind while viewing these videos:
- The first SSO server (sso1) was installed using the “vCenter Single Sign-On for your first vCenter Server” option.
- The second SSO server (sso2) was installed using the “vCenter Single Sign-On for an additional vCenter Server in an existing site” option.
- The IP of sso1 is 192.168.110.41.
- The IP of sso2 is 192.168.110.42.
- The FQDN for the load balanced SSO instance is sso.vmware.local.
- The FQDN for the load balanced Web Client instance is ngc.vmware.local.
- The Virtual IP (VIP) for sso.vmware.local is 192.168.110.40.
- The Virtual IP (VIP) for ngc.vmware.local is 192.168.110.43.
- SSL certificates were replaced on both servers using a common SSL certificate from a 3rd party CA Root with sso.vmware.local as the common name and each servers hostname, FQDN, sso.vmware.local and 192.168.110.40 specified as the Subject Alternate Name (SAN) for SSO.
- SSL certificates were replaced on both servers using a common SSL certificate from a 3rd party CA Root with ngc.vmware.local as the common name and each servers hostname, FQDN, ngc.vmware.local and 192.168.110.43 specified as the Subject Alternate Name (SAN) for the Web Client.
- The Group Check, Admin Service, and the Secure Token Service (STS) were re-registered on both servers using the load balanced FQDN (sso.vmware.local).
- During the installation of the Web Client on both servers the load balanced FQDN (sso.vmware.local) was used for the SSO server.
- VMware support does not support the configuration of 3rd party load balancers.
The white paper will go into detail on each of these videos plus specify how to setup the components and replace their SSL certificates.