Sunday, September 18, 2016

SSL on 2 Node Storefront 3.6 Load Balancing Servers

Good day All,

Welcome back!!!

We recently got a request to apply SSL to our StoreFront servers, even for internal users, and also to add 1 more server for load balancing. The setup we had at the time was a 1-node StoreFront server running version 2.x.

Below are the steps we followed to fulfill the request

Step 1. We added a new StoreFront server with the same 2.x version and added the server to the load balancer. The steps are pretty straightforward.

a. Installed StoreFront on the new node.
b. Go to the primary node, click Add Server under Server Group in the Citrix StoreFront MMC, and it will show an authorization code.
c. Log in to the new secondary StoreFront server, click join to StoreFront farm on the welcome screen when you open the Citrix StoreFront MMC, and then type in the primary node server name and the authorization code. Voilà, the server is added to the load balancer.
d. Requested a new virtual IP (VIP) from the F5 load balancer team, and it was configured to load balance traffic on port 80 between both StoreFront servers.
e. The last step was to update the DNS record, as earlier there was 1 node and the record was pointing to the primary StoreFront server IP. So we changed the DNS record to point to the F5 load balancer VIP.


Step 2: We wanted to upgrade the StoreFront servers from 2.x to 3.6 before applying SSL. If you have a huge user base and can't afford user downtime for a very long time, then you will probably have to make sure you involve the load balancer team during the upgrade process:

a. Request the load balancing team to remove the primary server from load balancing.
b. Download the setup and run the upgrade; it is a simple, straightforward upgrade.
c. After testing the upgrade, add the upgraded server to load balancing and remove the old server from it.
d. Upgrade the secondary node.
e. Request the load balancing team to add the other server.

As we had the required downtime, we didn't involve the load balancer team, and the servers were upgraded 1 node at a time.

Step 3: The final step was to apply SSL on both StoreFront servers.
As our requirement was to apply SSL for internal users, we wanted the SSL traffic to be terminated at the StoreFront servers and not at the F5 load balancer. We also wanted any user who types in the URL to be automatically redirected to port 443 and sent to the StoreFront servers.

a. A certificate was requested. Generating a certificate is a pretty straightforward process and there are many articles out there, so we will not be covering it.
b. Requested the F5 load balancer team to reconfigure the virtual IP (VIP) so that HTTP to HTTPS redirection works and HTTPS traffic is sent to both StoreFront servers.
c. The certificate was uploaded to the Certificates MMC store, and the root and intermediate certificates were also added to both StoreFront servers.
d. On both Citrix StoreFront servers, in IIS, a new binding was added for 443 under Default Web Site, and under the SSL certificate option, the certificate we processed earlier was selected and applied.
e. The same steps as above need to be done on the other node as well.
f. The last step was on the primary Citrix StoreFront server's MMC: right-click Server Group, click Change Base URL, and change the record from HTTP to HTTPS.
g. During testing, we started to see an error when we browsed the URL.

Troubleshooting Steps performed:

1. We knew that StoreFront was working fine before we applied SSL, so to identify whether this error was on both nodes or a single node, I went ahead and shut down the secondary server.
2. When tested, StoreFront was working fine and we were able to browse the apps.
3. So this time I powered off the primary and brought the secondary online, and now we started to see the same error. Now I knew the issue was with the secondary node. As we had the load balancer sending traffic to both StoreFront servers, we were seeing that error when we were hitting the secondary node.
4. To fix the issue, I brought the primary node online, went to Server Group and started to check around.
5. Any guesses as to what the fix would be? Well, guess what: when I checked the Last Synchronization time, it was showing a couple of days ago, so I clicked under Actions to propagate changes to all the other nodes, and voilà, the issue got fixed.



To make sure we did thorough testing, the following things were tested:

1. The primary node was shut down and the secondary node was tested with the node IP, the load balancer IP and HTTPS, and the application was tested.
2. Vice versa was tested.
3. The last step was that both servers were brought online and both servers were tested with IP, VIP and HTTPS.
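
The test matrix above can be scripted so it is repeatable after every certificate or configuration change. The following is an added example, not part of the original procedure; the host name and IP addresses are placeholders, and it assumes the same certificate was installed on both nodes (as in Step 3) and that the machine running it trusts the issuing CA.

```python
import hashlib, http.client, socket, ssl
from urllib.parse import urlsplit

# Placeholders (assumptions): replace with your base URL host, node IPs and VIP.
BASE_HOST = "storefront.example.internal"
ENDPOINTS = {"primary": "192.0.2.11", "secondary": "192.0.2.12", "vip": "192.0.2.10"}

def probe_tls(ip, host=BASE_HOST, timeout=5):
    """Handshake with one endpoint by IP, using the base URL host for SNI and
    name checks. Returns the leaf certificate's SHA-256, or None on failure."""
    ctx = ssl.create_default_context()  # validates chain and host name
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    except OSError:  # covers timeouts, refused connections and ssl.SSLError
        return None

def probe_redirect(ip, host=BASE_HOST, timeout=5):
    """Plain HTTP GET on port 80; returns (status, Location header)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    except (OSError, http.client.HTTPException):
        return 0, ""
    finally:
        conn.close()

def redirect_ok(status, location, host=BASE_HOST):
    """True only for a redirect whose target is HTTPS on the base URL host."""
    target = urlsplit(location)
    return (status in (301, 302, 307, 308) and target.scheme == "https"
            and target.hostname == host.lower())

def evaluate(fingerprints, vip_redirect, host=BASE_HOST):
    """fingerprints: {endpoint: sha256 hex or None}; vip_redirect: (status, Location)."""
    findings = [f"{name}: TLS handshake or certificate validation failed"
                for name, fp in fingerprints.items() if fp is None]
    if len({fp for fp in fingerprints.values() if fp}) > 1:
        findings.append("endpoints present different certificates")
    if not redirect_ok(*vip_redirect, host=host):
        findings.append("VIP does not redirect HTTP to HTTPS on the base URL host")
    return findings

if __name__ == "__main__":
    fps = {name: probe_tls(ip) for name, ip in ENDPOINTS.items()}
    for line in evaluate(fps, probe_redirect(ENDPOINTS["vip"])) or ["all checks passed"]:
        print(line)
```

This covers only the certificate and redirect parts of the matrix; launching an application through each node still has to be tested by hand.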

So this is how we completed this request; hopefully this helps someone.

Until the next one, you all have a great day!
