PKI: OCSP service in HA

49885604 170 Reputation points
2023-09-27T21:24:34.1966667+00:00

Hi all,

I need some advice from you. I'm configuring the second node to set up HA for the PKI's OCSP service; I'll add the second node to the array as a member, with revocation settings, etc. The two servers will probably be behind a load balancer/firewall, likely in round robin.

Is it necessary to configure the NLB Manager tool on the Windows Server 2019 nodes, adding another layer of high availability?

Thanks in advance,

Alessio.


Accepted answer
  1. Limitless Technology 44,336 Reputation points
    2023-09-28T11:15:17.7166667+00:00

    Hello 49885604,

    While Network Load Balancing (NLB) is a common approach for load balancing and HA in many scenarios, using NLB for OCSP in a Windows Server environment may not be necessary and, in some cases, may not provide the desired benefits. Before proceeding you should consider:

    OCSP Array: Setting up an OCSP Array with two or more OCSP Responder servers is a common and effective way to achieve high availability for the OCSP service. This array can be configured within the PKI environment, and OCSP requests are distributed among the responders in the array. You can configure the array to be aware of each OCSP Responder's health status and automatically distribute requests accordingly.

    Network Load Balancing (NLB): NLB is typically used for load balancing services that handle a large number of client connections, such as web servers. OCSP, on the other hand, tends to have a lower request rate compared to web services. NLB may introduce unnecessary complexity for OCSP services and may not significantly improve the service's availability or performance.

    Round Robin DNS: For distributing OCSP requests among multiple OCSP Responders, you can use Round Robin DNS. By configuring multiple DNS records (A or CNAME records) pointing to the IP addresses of your OCSP Responders, DNS servers will rotate between these addresses when resolving the OCSP service's hostname. This can distribute requests among the responders without the need for NLB.

    Firewall and Load Balancer: Since you mentioned that the servers will be behind a Balancer/Firewall (which can include Layer 7 load balancers), you can configure the firewall or load balancer to distribute OCSP requests to the OCSP Responder servers based on specific rules or policies. This approach provides flexibility and control over how requests are distributed.

    In summary, while NLB is a valid option for load balancing and HA, it may not be necessary or the most straightforward choice for OCSP services. Configuring an OCSP Array, using Round Robin DNS, or leveraging the capabilities of your firewall or load balancer can often provide a more suitable solution for distributing OCSP requests among multiple OCSP Responder servers in a high availability setup. Choose the approach that best fits your specific requirements and infrastructure.

    I can additionally recommend the following official Microsoft article, which describes the operation and provides more details in related links:

    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/implementing-an-ocsp-responder-part-v-high-availability/ba-p/396882

    --If the reply is helpful, please Upvote and Accept as answer--

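As an added example (not from this thread or from Microsoft's tooling), the following Python monitor sends one OCSP request to every address behind a round-robin name individually, so an array member that has stopped answering is detected even though DNS keeps handing its address to clients. The service name, the `/ocsp` path and the injectable `resolve`/`fetch` hooks are assumptions; the caller supplies a DER-encoded OCSP request captured from a real client.

```python
import socket
from http.client import HTTPConnection

# OCSPResponseStatus values from RFC 6960, section 4.2.1 (value 4 is unused).
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value; returns (tag, value bytes, next offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def ocsp_response_status(der):
    """Return the responseStatus of a DER OCSPResponse without a full ASN.1 parser."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:                        # OCSPResponse is a SEQUENCE
        raise ValueError("not an OCSPResponse SEQUENCE")
    tag, value, _ = _read_tlv(body)
    if tag != 0x0A or len(value) != 1:     # responseStatus is an ENUMERATED
        raise ValueError("missing responseStatus ENUMERATED")
    return OCSP_STATUS.get(value[0], f"unknown({value[0]})")

def resolve_all(hostname):
    """Every IPv4 address behind the round-robin name, not just the first one returned."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 80, socket.AF_INET)})

def fetch_ocsp(ip, hostname, request_der, path="/ocsp", timeout=5):
    """POST the OCSP request to one specific member while keeping the service Host header."""
    conn = HTTPConnection(ip, 80, timeout=timeout)
    conn.request("POST", path, body=request_der,
                 headers={"Host": hostname, "Content-Type": "application/ocsp-request"})
    return conn.getresponse().read()

def probe_members(hostname, request_der, resolve=resolve_all, fetch=fetch_ocsp):
    """Map each member address to its OCSP responseStatus (or the transport error)."""
    results = {}
    for ip in resolve(hostname):           # assumed service name, e.g. ocsp.example.com
        try:
            results[ip] = ocsp_response_status(fetch(ip, hostname, request_der))
        except Exception as exc:           # unreachable member or non-OCSP reply
            results[ip] = f"error: {exc}"
    return results

def unhealthy_members(results):
    """Members that a plain DNS round robin would still hand to clients despite failing."""
    return sorted(ip for ip, status in results.items() if status != "successful")
```

Run `probe_members` from a scheduled task on each node and alert on a non-empty `unhealthy_members` list; a load balancer health check that only resolves the shared name would not see the failing member.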
