The most robust means of implementing Secure Sockets Layer (SSL) with Adobe Connect Enterprise servers is through a hardware-based SSL accelerator; the most robust means of clustering Connect Enterprise servers is with a hardware-based load-balancing device (HLD). Since most enterprise-class HLDs are also SSL accelerators, this example-based article offers a best-practice configuration of a Connect Server pool or cluster running the full suite of Connect Enterprise server applications (Adobe Connect Professional, Adobe Presenter, Adobe Connect Training, and Adobe Connect Events) securely behind a high-end, application-aware HLD and SSL acceleration device such as F5 BIG-IP. This article does not exhaust the possible configurations, but offers a general working example.
To complete this tutorial you will need to install the following software and files:
- Adobe Connect Enterprise Server 6.x
- Microsoft SQL Server 2000 SP4 or SQL 2005 SP1
- Adobe Connect Enterprise Server platform
- A Big-IP or high-end hardware-based load-balancing device
You will also need a basic understanding of network infrastructure, routing, bridging, and Network Address Translation (NAT).
Before joining BrightTiger/Allaire/Macromedia/Adobe in June 1997, Frank S. DeRienzo had a distinguished military career with the U.S. Army Rangers and Special Forces. He is a graduate of Gordon College and holds an MBA from the University of Massachusetts. During his tenure with Adobe (and Macromedia before), he has focused on high availability and scalability through website clustering and web server integration with various hardware load-balancing and content-management platforms. Currently he is part of the Adobe Enablement Services team, where his primary focus is on Adobe Connect Enterprise Server implementation and training.
The best place to start is with a basic network diagram illustrating the desired end state of a Connect Enterprise server pool running behind a high end hardware-based load-balancing device (HLD) running SSL acceleration:
Figure 1: Adobe Connect Enterprise server pool running Adobe Acrobat Connect Professional.
Following the example in Figure 1, the virtual Internet protocol addresses (VIPs) on the HLD and the Connect Enterprise and Acrobat Connect Professional pools correspond in the following manner:
- HTTPS VIP: connect.adobe.com (10.10.10.1:443) points to Connect Enterprise servers 192.168.0.1:8443 and 192.168.0.2:8443
- RTMPS VIP: meeting1.adobe.com (10.10.10.2:443) points to Acrobat Connect Professional server meeting1, 192.168.0.1:1935
- RTMPS VIP: meeting2.adobe.com (10.10.10.3:443) points to Acrobat Connect Professional server meeting2, 192.168.0.2:1935
This configuration can be confusing; it may seem odd to have a single server in a server pool, but each Acrobat Connect Professional VIP on the HLD must point to a single Acrobat Connect Professional meeting server; it is a one-to-one correspondence. The HTTPS enterprise or application VIP is more conventional; it points toward a two-server Connect Enterprise pool; the HTTPS application pool handles failover for the RTMPS meetings. Resist any temptation to attempt using a single VIP with multiple open ports. Each VIP also needs its own certificate and unique fully qualified domain name (FQDN); the configuration above requires three unique certificates and three FQDNs.
- One unique certificate and FQDN for the HTTPS VIP: connect.adobe.com
- One unique certificate and FQDN for RTMPS VIP: meeting1.adobe.com
- One unique certificate and FQDN for RTMPS VIP: meeting2.adobe.com
The external names for each server are the VIP names: meeting1.adobe.com and meeting2.adobe.com, respectively; the host name is connect.adobe.com. The only host name suffix the end users will ever see is: connect.adobe.com. Still, three unique certificates are required on the HLD/SSL accelerator: one for each VIP pointing to each Acrobat Connect Professional meeting/RTMPS server and one for both of the Enterprise/HTTPS servers. From the perspective of the HLD/SSL accelerator, there are actually four servers in three pools: two Connect Enterprise/application servers (connect.adobe.com) in one pool and two Connect Professional Meeting servers (meeting1.adobe.com and meeting2.adobe.com) each in a pool of its own with its own corresponding VIP. An application-level health monitor on the HLD/SSL accelerator should be associated with the HTTPS VIP, because the Connect Enterprise server will handle load balancing and failover of the meetings on the Acrobat Connect Professional servers (RTMPS) while the HLD handles failover of HTTPS.
This configuration employs a single IP address on each Connect Enterprise server. The single IP address uses two ports: 443 for the Connect Enterprise server and 1935 for the Acrobat Connect Professional server. Even though all traffic between the HLD/SSL accelerator and the Connect Enterprise servers is unencrypted, you still must point the HTTPS VIP to port 443 on each of the Communication servers; port 80 will not work.
Note: Do not try to take shortcuts, even for a lab environment. The Acrobat Connect Professional server needs genuine, unique SSL certificates; self-signed certificates will not work with Acrobat Connect Professional meetings, and the meeting rooms simply will not open. To obtain trusted certificates, you must contact a Certificate Authority and supply them with SSL Certificate Signing Requests (CSRs) containing organizational information and fully qualified domain names (FQDNs) that must correspond with each SSL certificate.
Even though the HLD/SSL accelerator is doing all the encryption, there are still some settings that need to be configured on each Connect Enterprise server to enable SSL traffic. To configure the Connect Enterprise servers to run on a single IP address as depicted in this working example, you will need to add the following entries to the custom.ini file in the Connect directory:
After adding these entries, save the custom.ini file.
The next step is to properly edit the Connect server settings to match the settings in the custom.ini file. Select Start > All Programs > Adobe Connect Enterprise Server > Configure Adobe Connect Enterprise Server > Server Settings to go to the Connect Enterprise server configuration interface (see Figure 2).
Figure 2: Editing the Connect server settings.
The server settings depicted in Figure 2 correspond to this working example.
After your custom.ini file and your server settings are configured, stop the Connect services beginning with the Adobe Connect Enterprise Service, followed by the Flash Management Server (FMS) service on each Windows server in the pool (see Figure 3). If the HLD/SSL accelerator is properly configured, you will be able to browse the Connect server pool through the HLD/SSL accelerator after restarting the Connect Enterprise services.
Figure 3: Stopping and restarting the Adobe Connect Enterprise services.
In order to make sure that the HLD/SSL accelerator performs failover in case one of the application servers should hang, you will want to make certain that the VIP that points to the application server pool is configured with an application-level health monitor. If you simply probe the health of the Connect Enterprise servers with a default health monitor at the level of the IP stack, then there are potential cases when the HLD/SSL accelerator might send traffic to a server with a non-responsive application that seems alive to lower-level probing mechanisms such as the packet Internet groper (PING). Always set the health monitor to probe for an actual string of content on the Connect Enterprise server; all high-end HLDs offer application-level health monitoring. It may not always be intuitive how to configure the monitor as each HLD has a different interface and different means of probing an application, but the following guidance will help you get an appropriate monitor in place.
Consider that you have three server pools and three VIPs. The only VIP and pool combination that needs an application-level health monitor for failover is the enterprise/application HTTPS server VIP and pool:
- HTTPS VIP: connect.adobe.com (10.10.10.1:443) points to Connect Enterprise servers 192.168.0.1:443 and 192.168.0.2:443
The probe or health monitor should point to a string on each Connect Enterprise server in its pool to check the health of each server. If one of the servers in the pool becomes non-responsive, the monitor will mark the server down and the HLD will redirect all traffic to the remaining server.
The Acrobat Connect Professional server VIP/pool combinations do not need a health monitor because the Connect Enterprise server handles failover for the Acrobat Connect Professional meeting rooms:
- RTMPS VIP: meeting1.adobe.com (10.10.10.2:443) points to Connect Professional server meeting1, 192.168.0.1:1935
- RTMPS VIP: meeting2.adobe.com (10.10.10.3:443) points to Connect Professional server meeting2, 192.168.0.2:1935
Because there is only one server in each pool, there is no place for the HLD to redirect meeting traffic should one of the Acrobat Connect Professional meeting servers fail to respond. The only reason to probe the Acrobat Connect Professional meeting server VIP/pool combinations might be to trigger an email message to an administrator warning that one of the Acrobat Connect Professional meeting servers is problematic.
The best target on the servers for your application-level health monitor is the testbuilder diagnostic page:
The testbuilder page will send back the "status-ok" string,
It is best to point the health monitor to the testbuilder page rather than a simple HTML string, because testbuilder is actually probing the Connect Enterprise database to make sure there is a healthy connection. If there is any problem with the Connect Enterprise server application, then testbuilder will not report the "status-ok" string.
Each HLD has a different interface for configuring these monitors, and each one performs the check differently; the following example works with F5 BIG-IP against testbuilder:
If you have a problem getting a health monitor to work against testbuilder on your specific HLD, then there is another, less effective option. You can place an HTML file in the content directory on each Connect Enterprise server and point to that file. This option should only be used if testbuilder is problematic with your flavor of HLD. The following example shows an HTML file called healthmonitortarget.html containing the string "You are being served HTML":
Send string: common/healthmonitortarget.html HTTP/1.0\n
Receive string: You are being served HTML
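As an added example that is not from the article or from F5, the check below implements the distinction the text draws: a TCP-level probe that reports a pool member alive beside an application-level probe that insists on the "status-ok" string (or, for the fallback, the static HTML string). The testbuilder path and the two local stand-in servers are assumed placeholders, not real Connect servers.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
EXPECTED = "status-ok"              # string the article says testbuilder returns
TESTBUILDER_PATH = "/testbuilder"   # assumed placeholder, not the real Connect path

def tcp_alive(host, port, timeout=2.0):
    """IP-stack-level probe: only proves the port accepts connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def app_alive(host, port, path=TESTBUILDER_PATH, expected=EXPECTED, timeout=2.0):
    """Application-level probe: HTTP 200 plus the expected body string.
    Timeout, refusal, error status or missing string all count as DOWN."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
        return resp.status == 200 and expected in body
    except (OSError, http.client.HTTPException):
        return False

def pool_state(members, check):
    """Mark each (host, port) member up (True) or down (False)."""
    return {m: check(*m) for m in members}
# Constructed stand-ins for two pool members so the example runs offline:
# one healthy, one whose application is broken but still answers on TCP.
class _Member(BaseHTTPRequestHandler):
    body = b"status-ok"
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(self.body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_member(body):
    srv = HTTPServer(("127.0.0.1", 0), type("M", (_Member,), {"body": body}))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return ("127.0.0.1", srv.server_port)

def demo():
    healthy, broken = start_member(b"status-ok"), start_member(b"Database connection failed")
    members = [healthy, broken]
    return members, pool_state(members, tcp_alive), pool_state(members, app_alive)
```

Running demo() shows the TCP probe passing both members while the content probe marks only the healthy one up, which is why the text insists on a content string rather than a ping for the HTTPS pool.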
The need for security, redundancy, and scalability is often answered by clustering application servers and running SSL encryption. Although it is possible to use a software-based clustering solution as well as software-based SSL, the most robust solution is to use a high-end HLD/SSL accelerator. The configuration described in this article is robust.
Now that you have successfully configured a Connect Enterprise server pool to run behind an HLD/SSL accelerator, you may want to begin planning to incorporate Adobe Connect Edge Servers into your enterprise infrastructure. The Adobe Connect application suite is contagious: as your usage of it ramps up, you may find concentrations of users who could benefit from a local Connect Edge server. When your staff discovers how simple it is to collaborate through Acrobat Connect Professional meetings and how Adobe Presenter and Connect Training can convert a plethora of content into fully deployed presentations, courses, and curricula, you may find that further expansion is warranted. Watch for future Adobe Connect resource center articles describing how to integrate Connect Edge servers with HLD/SSL accelerators and Connect Enterprise server clusters.