vADC Forum

Reply
New Contributor
Posts: 4
Registered: ‎12-02-2015

Health monitoring ADFS

Hello

 

We're looking to try and provide suitable health monitoring for some ADFS and ADFS Proxy services being provided by our Brocade virtual Traffic Manager (running v11.0).

 

I've seen a previous post (from 2015) that failed to suggest a solution. However in "Windows Server 2012 R2 Update rollup (KB.2975719)", Microsoft in their wisdom, provide a way of monitoring ADFS using HTTP. See the following URL for details:

 

https://blogs.technet.microsoft.com/applicationproxyblog/2014/10/17/hardware-load-balancer-health-checks-and-web-application-proxy-ad-fs-2012-r2/

 

However as ADFS uses SSL pass-through (at least in our case) on port 443, we seem unable to using the HTTP method to monitor this HTTPS service. The stock HTTP monitor sends the requests to port 443.

 

My question is therefore, is it possible, using the stock health monitors, to monitor a 443 (HTTPS) service on port 80 (HTTP).

Or must we write an external monitor, using Perl or similar?

 

The new ADFS HTTP monitor URL's are:

http://<Web Application Proxy name>/adfs/probe

http://<ADFS server name>/adfs/probe

http://<Web Application Proxy IP address>/adfs/probe

http://<ADFS IP address>/adfs/probe

 

many thanks in advance

 

Martyn Griffiths

University of South Wales

UK

 
Highlighted
Brocadian
Posts: 102
Registered: ‎04-22-2015

Re: Health monitoring ADFS

Thanks Martyn - It is possible to write a custom health monitor, but I think you should be able to use the standard HTTP monitor with the “use_ssl” flag set to True. That should give HTTPS monitoring on port 443. 

 

 

> is it possible, using the stock health monitors, to monitor a 443 (HTTPS) service on port 80 (HTTP).

 

However, your post suggests you are looking at port 80 (HTTP), is that the case?

 

 

Brocadian
Posts: 2
Registered: ‎08-02-2010

Re: Health monitoring ADFS

Hello,

 

a standard monitor always will monitor the port configured in the node config from the pool. To monitor other ports, you need a scripted health monitor.

 

Here's an example HTTP/S monitor I wrote in Python, although not performance optimized, as it runs an additional subprocess. It reads additional parameters through the health monitor to specify, what port you want to monitor and what path.

 

Upload the script to Extra Files/Monitors, then create a new program based monitor and add the parameters below...

 

#!/usr/bin/env python
# HTTPS health monitor for different port than node port
# Juergen Luksch, System Engineer vADC, Brocade Communications GmbH
# 26.09.2016   v2.2

# Running: HTTPS_port-monitor.py --ipaddr=192.168.42.111 --port=443 --node=192.168.42.111 --verbose --usessl --monitorport=8443 --timeout=1 --path=/ --failures_left=2

import argparse
import sys
import subprocess

parser = argparse.ArgumentParser(description="vTM HTTPS health monitor")

#standard VTM arguments
parser.add_argument("--ipaddr", dest="vtm_ipaddr", help="IP address to monitor")
parser.add_argument("--port", dest="vtm_port", type=int, help="node port")
parser.add_argument("--node", dest="vtm_node", help="node to monitor")
parser.add_argument("--verbose", dest="vtm_verbose", action="store_true", help="verbose output")
parser.add_argument("--usessl", dest="vtm_usessl", action="store_true", help="if SSL protocol used")
parser.add_argument("--failures_left", dest="vtm_failures_left", help="health monitor failures left")

#custom health monitor parameters
parser.add_argument("--monitorport", dest="monitorport", default="-1", help="tcp port to monitor")
parser.add_argument("--timeout", dest="timeout", type=int, default=1, help="timout for CURL health monitor")
parser.add_argument("--path", dest="path", default="", help="path to check in monitor")
args = parser.parse_args()

if args.vtm_usessl:
	protocol="https"
else:
	protocol="http"

if args.monitorport == "-1":
	monitorport=""
else:
	monitorport=":"+args.monitorport

if not args.path:
  args.path = "/"
elif args.path[0] != "/":
  args.path = "/" + args.path

devnull = open('/dev/null', 'w')
res=subprocess.call(["/usr/bin/curl", "--silent", "--fail", "--insecure", "--connect-timeout", str(args.timeout), 
  protocol + "://" + args.vtm_ipaddr + monitorport + args.path], stdout=devnull)

if args.vtm_verbose:
  print("/usr/bin/curl --silent --fail --insecure --connect-timeout %s %s://%s%s%s *** RESULT: %i" %
    (args.timeout, protocol, args.vtm_ipaddr, monitorport, args.path, res))

if res:
  sys.stderr.write("curl response code:"+str(res))
sys.exit(res)

add 3 arguments to the monitor to specify, path, port and timeout:

monitor parameters

 

Jürgen

J.Luksch
New Contributor
Posts: 4
Registered: ‎12-02-2015

Re: Health monitoring ADFS

Hi Paul

 

Yes, we're looking to monitor an HTTPS (443) VIP with a HTTP (80) monitor.

 

Basically it's Microsoft ADFS (which uses 443) and the monitor that Microsoft supplies is via a HTTP URL.

 

regards

Martyn

New Contributor
Posts: 4
Registered: ‎12-02-2015

Re: Health monitoring ADFS

Many thanks Jürgen

 

We've tested your script and it does work. However, the Microsoft documentation suggest we look for a HTTP "200" response code from the health monitor.

 

If it's okay with you, we'll take a look at the script and see if we can amend it to test for a suitable server response code.

 

We will let you know how we get on.

 

best regards

Martyn

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.