IDArchitect.NET

How to configure (Hardware) Load Balancer for Microsoft Forefront Identity Manager

Usually during a FIM Portal deployment you have to ask your networking team to configure the load balancer for you. This article briefly describes what to configure on the load balancer side (and why).

Let’s assume you are installing the FIM Portal and SSPR in a highly available way.

What you need to configure for the FIM Portal

The load-balanced FIM Portal name should be redirected on the following ports:

80 for HTTP (and/or 443 in case you use HTTPS)

The load-balanced FIM Service name (usually the same as the portal name) should be redirected on the following ports:

5725 – FIM Resource Management Service
5726 – Security Token Service (required for password reset)

The second very important setting is to keep a client session on the same server (a “sticky session”).

Why?

First, because the portal will not display properly. The likely reason is that there are two open sessions to the portal: one for the page content and a separate one for reading CSS and other formatting-related files. If these sessions don’t land on the same server, the portal may look a little unformatted :)

There are also requirements related to password reset (described later).

What you need to configure for SSPR

SSPR includes the Password Registration Portal, the Password Reset Portal and the client.

For the load-balanced password reset/registration portal names, the following ports should be redirected:

80 for HTTP (and/or 443 in case you use HTTPS, which is recommended)

Password registration and reset use the FIM Service (ports 5725 and 5726, already redirected for the FIM Portal).

For the password reset client it is also important to keep the session on the same server across ports 5725 and 5726. Why? Because when the password reset client connects to the QA gate and, after successful user identification, gets a token from the Security Token Service on port 5726, it then has to request the password reset through the Resource Management Service on the same server (but on port 5725). If that request goes to a different server, the password reset will fail.
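
As an added illustration (not from the original article, which names no load balancer product), here is the same set of rules expressed as an HAProxy configuration in layer-4 (TCP passthrough) mode with source-IP persistence. The product choice, node names, 10.0.0.x addresses and timeouts are assumptions; the point to take away is that the portal ports share one persistence table and ports 5725 and 5726 share another, so a client is pinned to one node for the whole flow.

```haproxy
# Added example: HAProxy equivalent of the load-balancer rules described in
# this article. Product choice, node names and 10.0.0.x addresses are assumptions.

defaults
    mode    tcp                 # layer-4 passthrough; TLS stays on the FIM servers
    timeout connect 5s
    timeout client  30m
    timeout server  30m

# FIM Portal: one load-balanced name on 80 and 443.
# "stick on src" pins each client IP to one node, so the page request and the
# follow-up CSS/script requests are served by the same SharePoint server.
listen fim_portal
    bind *:80
    bind *:443
    balance roundrobin
    stick-table type ip size 100k expire 30m
    stick on src
    # No port on the server lines: HAProxy forwards to the port the client used.
    server fim1 10.0.0.11 check port 80
    server fim2 10.0.0.12 check port 80

# FIM Service: 5725 (Resource Management Service) and 5726 (Security Token
# Service) in ONE section with ONE stick table. A client that obtained its
# token from node A on 5726 therefore sends the reset request on 5725 to node A.
listen fim_service
    bind *:5725
    bind *:5726
    balance roundrobin
    stick-table type ip size 100k expire 30m
    stick on src
    server fim1 10.0.0.11 check port 5725
    server fim2 10.0.0.12 check port 5725

# What NOT to do: two separate sections, each balanced independently, let the
# 5726 token request and the 5725 reset request land on different nodes, and
# the password reset fails exactly as described above.
#
# listen fim_sts
#     bind *:5726
#     balance roundrobin
#     server fim1 10.0.0.11:5726 check
#     server fim2 10.0.0.12:5726 check
#
# listen fim_rms
#     bind *:5725
#     balance roundrobin
#     server fim1 10.0.0.11:5725 check
#     server fim2 10.0.0.12:5725 check
```

Source-IP persistence is the natural choice here because the 5725/5726 traffic is passed through at layer 4 and the load balancer cannot insert an HTTP cookie; the caveat is that every client behind one NAT address sticks to the same node, so a hardware load balancer that supports it should use the same "persist across the port group" idea rather than per-port persistence profiles. Health checks above are plain TCP connects to the given port; with a stick-table expiry of 30 minutes an idle client is rebalanced after that interval.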


The information above relates only to the configuration of the load balancer (which is usually done for you by your network team). For installation instructions for a load-balanced FIM Portal from the FIM perspective, refer to the following article (by Paul Williams): Installing FIM Portal and Service with a load balanced name

It is also worth reading the Understanding Password Reset article.
