First published on TechNet on August 20, 2009
Chris here again. In the previous four parts of this series, we covered the basics of OCSP, as well as the steps required to prepare the CA and implement the OCSP responder. In this post I want to cover how to implement OCSP in a highly available configuration.
Implementing a high availability setup consists of two main parts. The first is to add the OCSP responders to what is called an array. When OCSP responders are configured in an array, their configuration is kept consistent: the settings of the array controller are used as the base configuration, and they are applied to every other member of the array.
The second part is to load balance the OCSP responders. The load balancing is what actually provides the fault tolerance, because clients address the load balancer rather than an individual responder, and the load balancer stops sending requests to a responder that is down. I will demonstrate how to use the Network Load Balancing (NLB) feature built into Windows Server 2008. Of course, you can also use a third-party hardware load balancer if you prefer. In this example, we are implementing two OCSP responders in a high availability configuration.
In Windows Server 2008, Windows Firewall is enabled by default. Depending on your business needs, you can use the firewall in its default state, disable it, or make custom settings.
If you are unfamiliar with Windows Firewall with Advanced Security, you may want to review Windows Firewall with Advanced Security and IPsec, which provides links to a variety of information sources for configuring and implementing Windows Firewall with Advanced Security. That document also contains a link on implementing firewall configurations with Group Policy.
There are three types of profiles in Windows Firewall with Advanced Security:
- Domain. Windows automatically places a network in this category when it can authenticate to a domain controller for the domain the computer belongs to over that network. No other networks can be classified in this category.
- Public. With the exception of domain networks, all networks are initially classified as public. Networks that are direct connections to the Internet, or that are in public places like airports and coffee shops, should remain public.
- Private. A network is classified as private only if a user or application identifies it as private. Only networks behind a NAT device (preferably a hardware firewall) should be identified as private. Users may want to mark home networks or small office networks as private.
In a more security-conscious environment, you can scope each rule to a specific profile. For example, in a company you might want to enable the management rules only for the Domain profile.
In this example, we configure the rules for Any profile, which allows the responder to be managed regardless of which profile is applied to it.
When the Online Responder role service is installed, the following Inbound Rules are configured in Windows Firewall:
- World Wide Web Services (HTTP Traffic-In)
- World Wide Web Services (HTTPS Traffic-In)
The following Outbound Rule is also enabled:
- Online Responder Service (TCP-Out)
These rules allow the OCSP responder to receive OCSP requests from clients and to respond to them. Note that OCSP responses are signed, so the OCSP URI published in the AIA extension is normally plain HTTP; the HTTPS rule is there because the responder is hosted in IIS, not because OCSP itself needs TLS.
You must also enable the following Inbound Rules to manage the OCSP responders remotely and to allow each OCSP responder to synchronize its configuration with the array controller:
- Online Responder Service (DCOM-In)
- Online Responder Service (RPC-In)
To enable a rule, open the Windows Firewall with Advanced Security MMC (wf.msc) and click Inbound Rules. Locate the rule, right-click it and select Enable Rule from the context menu.
You must do this on each OCSP responder that will be a member of the array. A more scalable solution is to place all OCSP responders in a common organizational unit and use Group Policy to deliver a consistent firewall configuration.
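The same rules can be enabled and checked from a script instead of the MMC, which is easier to repeat on every array member. The following PowerShell is an added example, not code from the original post: it uses netsh advfirewall (present on Windows Server 2008) with the rule display names listed above, and assumes an English netsh output ("Enabled: Yes") when it parses the verification result.

```powershell
# Added example (not from the original post): enable and verify the Windows Firewall rules
# the Online Responder needs. Run on each array member. Assumes English netsh output.

$ocspRules = @(
    'World Wide Web Services (HTTP Traffic-In)',   # OCSP requests from clients
    'World Wide Web Services (HTTPS Traffic-In)',
    'Online Responder Service (TCP-Out)',          # responder retrieving revocation data
    'Online Responder Service (DCOM-In)',          # MMC management and array synchronization
    'Online Responder Service (RPC-In)'
)

function Enable-OcspFirewallRule {
    param([string[]]$RuleNames)
    foreach ($name in $RuleNames) {
        # netsh matches on the rule's display name; a non-zero exit code means no such rule exists
        $out = & netsh advfirewall firewall set rule name="$name" new enable=yes
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not enable '$name': $out" }
    }
}

function Test-OcspFirewallRule {
    param([string[]]$RuleNames)
    # Returns one object per rule. A rule scoped to the Any profile shows a single "Enabled:" line;
    # per-profile copies show several, and every one of them must read Yes.
    foreach ($name in $RuleNames) {
        $out   = & netsh advfirewall firewall show rule name="$name"
        $flags = @($out | ForEach-Object { if ($_ -match '^Enabled:\s+(\S+)') { $Matches[1] } })
        New-Object PSObject -Property @{
            Rule    = $name
            Found   = ($flags.Count -gt 0)
            Enabled = ($flags.Count -gt 0) -and (@($flags | Where-Object { $_ -ne 'Yes' }).Count -eq 0)
        }
    }
}

Enable-OcspFirewallRule $ocspRules
Test-OcspFirewallRule   $ocspRules | Format-Table Rule, Found, Enabled -AutoSize
```

Any rule reported with Found = False was not created by the role installation on that server and needs to be added (or delivered by Group Policy) before the responder can join the array.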
In Part II of this series we discussed preparing CAs for use with the OCSP responder. One of the configuration steps was to configure the Authority Information Access (AIA) extension with an OCSP entry containing the URL that points to the OCSP responder. When the OCSP responders are behind a load balancer, that URL must carry the name of the load balancer, not the name of an individual responder. Below is a diagram of the OCSP infrastructure I will show you how to implement in this post. Note that the names of the two OCSP responders are FCOCSP01.FourthCoffee.Com and FCOCSP02.FourthCoffee.Com, and that I have named the NLB cluster FCOCSP.FourthCoffee.Com. Since I want clients to contact the load balancer and let it decide which OCSP responder handles each request, I need to specify FCOCSP.FourthCoffee.Com in the OCSP URI.
As mentioned above, you want OCSP clients to send their requests to the load balancer. This lets the load balancer distribute the requests, and it is what keeps revocation checking working when one of the OCSP responders is offline. To ensure that clients can resolve the cluster's DNS name, you must register that name in DNS.
Follow these steps to register the A record for the NLB cluster in DNS:
1. Open the DNS Manager MMC (dnsmgmt.msc).
2. Right-click the appropriate zone and select New Host (A or AAAA)... from the context menu.
3. In the New Host dialog box, enter the host name to use for the NLB cluster and the cluster IP address (the virtual IP you will assign to the NLB cluster, not the address of either node). You can make additional settings, such as Create associated pointer (PTR) record, if appropriate for your environment.
Configuring the OCSP Responder Array
In the next section, we'll configure two OCSP responders in an array. The purpose of an array is to keep the same configuration on all OCSP responders. It is important to consider which revocation configurations the array will support. For revocation configurations that support enterprise CAs and are set to enroll automatically for an OCSP signing certificate, the process is fairly transparent, because a responder added to the array automatically requests its own OCSP signing certificate. For revocation configurations that support standalone CAs, you must manually request, install, and configure an OCSP signing certificate on each responder. And of course a single responder can support both types of revocation configuration at the same time.
Prerequisites: Windows Firewall has been configured as described in the firewall section above.
1. The OCSP Response Signing certificate template must be available from the enterprise CA for which the array provides revocation information, and all OCSP responders that will be members of the array must have Read and Enroll permissions on that template. Alternatively, if the array supports a standalone CA revocation configuration, the OCSP signing certificate must be installed manually on each responder. Remember to grant the Network Service account Read permission on the private key of every manually installed OCSP signing certificate. If you are unfamiliar with this process, see Part I of this series for instructions on granting the Network Service permission to read the private key of the OCSP signing certificate.
2. Configure the OCSP responder that will become the array controller. For instructions on implementing an OCSP responder, see Part III and Part IV of this series.
3. Set the first OCSP responder as the array controller.
4. Add the remaining OCSP responders to the array.
Note: If you are running the OCSP responders as Hyper-V guests, see the additional steps linked here for configuring NLB on virtual guests.
I'll cover the last two steps here, since the other steps are covered elsewhere in this series.
1. In the Online Responder Management console, expand Array Configuration. Right-click the responder you want to make the array controller and select Set as Array Controller from the context menu.
2. To add an OCSP responder to the array, right-click Array Configuration and select Add Array Member from the context menu.
3. The Select Computer dialog box appears. Click the Browse... button.
4. Enter the name of the OCSP responder you want to add and click the Check Names button.
5. Once the computer name of the OCSP responder is resolved, click OK.
6. The Select Computer dialog box is now populated with the FQDN of the computer hosting the Online Responder. Click OK.
7. You will be asked to confirm that you want to add the array member. This dialog gives you a last chance to cancel before the array controller's configuration overwrites the configuration of the responder being added. Click Yes to continue.
8. To verify the configuration, expand Array Configuration in the Online Responder MMC and select the name of the responder you just added. The revocation configuration status should look like the following image.
Note: If you are using a manually installed signing certificate, for example one issued by a standalone CA, you will see the error shown in the image below.
To work around this, you must assign the certificate manually after installing it in the computer's local store. Expand Array Configuration, click the name of the OCSP server that was just added to the array, right-click the revocation configuration that uses a manually assigned signing certificate, and select Assign Signing Certificate from the context menu.
Select the appropriate certificate and click OK.
You will then see the following error. It simply indicates that the OCSP responder has not yet retrieved revocation information and therefore cannot yet verify that the configuration is correct.
To clear it, right-click Array Configuration and select Refresh Revocation Data.
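Clicking through each member in the MMC does not scale, and a member that silently fell out of sync with the controller is exactly the failure mode an array is meant to prevent. The following PowerShell is an added example, not code from the original post or from the Online Responder itself. It uses the Online Responder's IOCSPAdmin COM interface (ProgID CertAdm.OCSPAdmin) to read the array settings and revocation configurations from each responder and report anything that differs from the controller. The responder names are assumptions, and the property names (ArrayController, ArrayMembers, Identifier, SigningCertificate, ErrorCode) are taken from the IOCSPAdmin documentation rather than from this post, so treat them as assumed. Note that with autoenrolled signing certificates each member legitimately has its own certificate, so the check is that every member has one, not that the thumbprints match.

```powershell
# Added example (not from the original post). Audits an Online Responder array through the
# IOCSPAdmin COM interface. Responder names and COM property names are assumptions.

function Get-OcspArrayState([string]$Responder) {
    $admin = New-Object -ComObject CertAdm.OCSPAdmin
    $admin.GetConfiguration($Responder, $true)        # $true: read the live configuration from that server
    $svc = $admin.OCSPServiceProperties
    $configs = @()
    foreach ($ca in $admin.OCSPCAConfigurationCollection) {
        $thumb = $null; $notAfter = $null
        if ($ca.SigningCertificate) {
            # SigningCertificate is the DER-encoded certificate assigned on this member
            $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$ca.SigningCertificate)
            $thumb = $x.Thumbprint; $notAfter = $x.NotAfter
        }
        $configs += New-Object PSObject -Property @{
            Name       = $ca.Identifier
            Thumbprint = $thumb
            NotAfter   = $notAfter
            LastError  = ('0x{0:X8}' -f [int]$ca.ErrorCode)   # last error for this revocation configuration
        }
    }
    New-Object PSObject -Property @{
        Responder  = $Responder
        Controller = [string]$svc.ItemByName('ArrayController').Value
        Members    = @($svc.ItemByName('ArrayMembers').Value)
        Configs    = $configs
    }
}

function Test-OcspArray([string[]]$Responders) {
    # First name in the list is treated as the array controller and used as the reference.
    $states = @($Responders | ForEach-Object { Get-OcspArrayState $_ })
    $ref = $states[0]
    foreach ($s in $states) {
        $problems = @()
        if ($s.Controller -ne $ref.Controller) {
            $problems += "array controller is '$($s.Controller)', expected '$($ref.Controller)'"
        }
        foreach ($rc in $ref.Configs) {
            $m = $s.Configs | Where-Object { $_.Name -eq $rc.Name }
            if (-not $m) { $problems += "missing revocation configuration '$($rc.Name)'"; continue }
            if (-not $m.Thumbprint) { $problems += "'$($rc.Name)' has no signing certificate assigned" }
            elseif ($m.NotAfter -lt (Get-Date).AddDays(7)) { $problems += "'$($rc.Name)' signing certificate expires $($m.NotAfter)" }
            if ($m.LastError -ne '0x00000000') { $problems += "'$($rc.Name)' last error $($m.LastError)" }
        }
        New-Object PSObject -Property @{
            Responder = $s.Responder
            Healthy   = ($problems.Count -eq 0)
            Problems  = ($problems -join '; ')
        }
    }
}

Test-OcspArray 'FCOCSP01.FourthCoffee.Com', 'FCOCSP02.FourthCoffee.Com' |
    Format-Table Responder, Healthy, Problems -AutoSize
```

Run it from a workstation with the Online Responder management tools installed, as a user with the Manage Online Responder role; it needs the DCOM-In and RPC-In rules from the firewall section to be enabled on every responder. A non-zero LastError right after a member is added is the same "revocation information not yet obtained" condition described above and should clear after Refresh Revocation Data.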
Installing the Network Load Balancing feature
Before installing and configuring your NLB cluster, there are a few important things you need to know in advance:
- What IP address will you assign to the NLB cluster?
- What DNS name will you associate with this cluster?
Before configuring the NLB cluster, you must first install the Network Load Balancing feature on all OCSP responders that will be members of the NLB cluster.
To install the NLB feature, open a command prompt and type ServerManagerCmd -Install NLB, as shown below. (On Windows Server 2008 R2 and later, ServerManagerCmd is deprecated; use Import-Module ServerManager followed by Add-WindowsFeature NLB in PowerShell instead.)
1. After installing the Network Load Balancing feature, open Network Load Balancing Manager.
2. Select Cluster from the menu bar, then New. This starts the New Cluster wizard.
3. Enter the host name of the first node, click Connect, and then click Next.
4. This opens the Host Parameters page of the New Cluster wizard. Accept the default settings and click Next.
5. On the Cluster IP Addresses page of the wizard, click Add...
6. Here you add the IP address and subnet mask of the load balancer; this is the cluster IP you registered in DNS above. After entering the network information, click OK.
7. Click Next.
8. On the Cluster Parameters page, enter the cluster's FQDN in the Full Internet name text box. Set the cluster operation mode according to your environment; in this example I selected Unicast. Keep in mind that in unicast mode each node's network adapter takes on the cluster MAC address, so nodes with a single adapter cannot communicate with each other over that adapter.
9. On the Port Rules page, click Finish. The default port rule balances all ports with Single affinity; because OCSP is stateless HTTP, you can instead restrict the rule to TCP port 80 and set affinity to None so that requests are spread evenly across the responders.
Add nodes to the cluster
For each node that you want to add to the NLB cluster, you must complete the following steps.
1. Expand Network Load Balancing Clusters in Network Load Balancing Manager. Right-click the cluster name and select Add Host To Cluster from the context menu. This starts the Add Host to Cluster wizard.
2. On the Connect page of the wizard, enter the host name of the node you want to add to the cluster and click Connect.
3. On the Host Parameters page, click Next.
4. On the Port Rules page of the wizard, click Finish.
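Once both nodes are in the cluster, the thing worth proving is that each responder answers on its own name and that the cluster name (the one in the AIA OCSP URI) answers too, since that is the only name clients will ever use. The following PowerShell is an added example, not code from the original post. It builds a minimal unsigned OCSP request (RFC 2560) for one certificate and POSTs it to each node and to the NLB name, reporting the OCSP responseStatus from each. The certificate file paths, the /ocsp virtual directory and the host names are assumptions for the example; the SHA-1 CertID hashes match what Windows clients send. It checks only the response status, so a responder that answers but reports the certificate as unknown still needs certutil -verify -urlfetch for the full picture.

```powershell
# Added example (not from the original post): probe each Online Responder node and the NLB
# cluster name with a real OCSP request. Paths, host names and the /ocsp path are assumptions.

function New-DerTlv([byte]$Tag, [byte[]]$Content = @()) {
    # Tag + DER length (short form, or long form 0x81/0x82) + content
    $len = $Content.Length
    if     ($len -lt 0x80)  { $hdr = @($Tag, $len) }
    elseif ($len -lt 0x100) { $hdr = @($Tag, 0x81, $len) }
    else                    { $hdr = @($Tag, 0x82, ($len -shr 8), ($len -band 0xFF)) }
    return ,[byte[]]($hdr + $Content)
}

function New-OcspRequest([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
                         [System.Security.Cryptography.X509Certificates.X509Certificate2]$Issuer) {
    $sha1 = New-Object System.Security.Cryptography.SHA1Managed
    $nameHash = $sha1.ComputeHash($Cert.IssuerName.RawData)                 # SHA-1 of the DER issuer Name
    $keyHash  = $sha1.ComputeHash($Issuer.PublicKey.EncodedKeyValue.RawData) # SHA-1 of subjectPublicKey bits
    $serial = $Cert.GetSerialNumber(); [array]::Reverse($serial)            # .NET returns little-endian
    if ($serial[0] -band 0x80) { $serial = [byte[]](@(0) + $serial) }       # keep the INTEGER positive
    $sha1Oid = New-DerTlv 0x06 ([byte[]](0x2B,0x0E,0x03,0x02,0x1A))         # 1.3.14.3.2.26 (SHA-1)
    $algId   = New-DerTlv 0x30 ($sha1Oid + (New-DerTlv 0x05))               # AlgorithmIdentifier with NULL params
    $certId  = New-DerTlv 0x30 ($algId + (New-DerTlv 0x04 $nameHash) + (New-DerTlv 0x04 $keyHash) + (New-DerTlv 0x02 $serial))
    $request = New-DerTlv 0x30 $certId                                      # Request ::= SEQUENCE { reqCert CertID }
    $tbs     = New-DerTlv 0x30 (New-DerTlv 0x30 $request)                   # TBSRequest { requestList SEQUENCE OF Request }
    return New-DerTlv 0x30 $tbs                                             # OCSPRequest { tbsRequest }
}

function Get-OcspResponseStatus([string]$Url, [byte[]]$Request) {
    $wc = New-Object System.Net.WebClient
    $wc.Headers['Content-Type'] = 'application/ocsp-request'
    try { $resp = $wc.UploadData($Url, 'POST', $Request) }
    catch { return "unreachable: $($_.Exception.Message)" }
    # OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }
    $i = 1
    if ($resp[$i] -band 0x80) { $i += 1 + ($resp[$i] -band 0x7F) } else { $i++ }   # skip outer length
    if ($resp[$i] -ne 0x0A -or $resp[$i+1] -ne 1) { return 'malformed response' }
    switch ($resp[$i+2]) {
        0 { 'successful' } 1 { 'malformedRequest' } 2 { 'internalError' }
        3 { 'tryLater' }   5 { 'sigRequired' }      6 { 'unauthorized' }
        default { "unknown($_)" }
    }
}

# Constructed input: a certificate issued by the CA the array serves, and that CA's certificate.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\ocsp-test\client.cer'
$issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\ocsp-test\issuingca.cer'
$req = New-OcspRequest $cert $issuer
foreach ($name in 'FCOCSP.FourthCoffee.Com', 'FCOCSP01.FourthCoffee.Com', 'FCOCSP02.FourthCoffee.Com') {
    '{0,-28} {1}' -f $name, (Get-OcspResponseStatus "http://$name/ocsp" $req)
}
```

A node returning unauthorized (status 6) has no revocation configuration for that issuing CA, which is what you see on a member that has not synchronized with the controller or has no signing certificate assigned; tryLater means the responder has not yet retrieved revocation data. Repeat the probe with one node stopped: the cluster name should keep returning successful while the stopped node shows as unreachable.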
In this post we covered implementing a highly available OCSP responder. In the next part of this series, I'll cover how to configure clients to retrieve revocation information from an OCSP responder that isn't listed in the certificate's OCSP URI.
Implementing an OCSP Responder: Part I Introduction to OCSP
Implementing an OCSP Responder: Part II Preparing Certificate Authorities
Implementing an OCSP Responder: Part III Configuring OCSP for Use with Enterprise Certificate Authorities
Implementing an OCSP Responder: Part IV Configuring OCSP for Use with Autonomous Certificate Authorities
Implementing an OCSP Responder: Part V High Availability
Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy
-Chris 'Tickle Fight' Delay