Hello 49885604,
While Network Load Balancing (NLB) is a common approach for load balancing and HA in many scenarios, using NLB for OCSP in a Windows Server environment may not be necessary and, in some cases, may not provide the desired benefits. Before proceeding you should consider:
OCSP Array: Setting up an OCSP Array with two or more OCSP Responder servers is a common and effective way to achieve high availability for the OCSP service. This array can be configured within the PKI environment, and OCSP requests are distributed among the responders in the array. You can configure the array to be aware of each OCSP Responder's health status and automatically distribute requests accordingly.
Network Load Balancing (NLB): NLB is typically used for load balancing services that handle a large number of client connections, such as web servers. OCSP, on the other hand, tends to have a lower request rate compared to web services. NLB may introduce unnecessary complexity for OCSP services and may not significantly improve the service's availability or performance.
Round Robin DNS: For distributing OCSP requests among multiple OCSP Responders, you can use Round Robin DNS. By configuring multiple DNS records (A or CNAME records) pointing to the IP addresses of your OCSP Responders, DNS servers will rotate between these addresses when resolving the OCSP service's hostname. This can distribute requests among the responders without the need for NLB.
Firewall and Load Balancer: Since you mentioned that the servers will be behind a Balancer/Firewall (which can include Layer 7 load balancers), you can configure the firewall or load balancer to distribute OCSP requests to the OCSP Responder servers based on specific rules or policies. This approach provides flexibility and control over how requests are distributed.
In summary, while NLB is a valid option for load balancing and HA, it may not be necessary or the most straightforward choice for OCSP services. Configuring an OCSP Array, using Round Robin DNS, or leveraging the capabilities of your firewall or load balancer can often provide a more suitable solution for distributing OCSP requests among multiple OCSP Responder servers in a high availability setup. Choose the approach that best fits your specific requirements and infrastructure.
I can additionally recommend the next Microsoft official article that describes the operation and provides more details in related links:
--If the reply is helpful, please Upvote and Accept as answer--
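Added example (not from the original answer) of the health check that Round Robin DNS on its own does not give you: it builds a minimal OCSP request and posts it to each responder address behind the shared name, so a responder that has failed but is still handed out by DNS shows up. It assumes the Online Responder's default `/ocsp` path, a hostname `ocsp.example.test`, that the caller resolves the A records (for example with `Resolve-DnsName`) and passes the addresses in, and that the CertID hash values are supplied by the caller.

```python
"""Probe each OCSP responder behind a round-robin DNS name individually.
Round-robin DNS spreads load but never notices a dead responder, so send the same
OCSP request to every address the name resolves to, one responder at a time.
Added example (not from the original answer); host, path and sample hashes are assumed."""
import urllib.request

SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")  # AlgorithmIdentifier { id-sha1, NULL }
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def der_tlv(tag, payload):
    """Minimal DER TLV with a definite short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial):
    """DER OCSPRequest (RFC 6960 4.1.1) with one SHA-1 CertID, unsigned, no extensions.
    The hashes are SHA-1 over the issuer's DER Name and over its subjectPublicKey bits."""
    serial_der = der_tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    cert_id = der_tlv(0x30, SHA1_ALGID + der_tlv(0x04, issuer_name_hash)
                      + der_tlv(0x04, issuer_key_hash) + serial_der)
    request_list = der_tlv(0x30, der_tlv(0x30, cert_id))  # SEQUENCE OF Request { reqCert CertID }
    return der_tlv(0x30, der_tlv(0x30, request_list))     # OCSPRequest { TBSRequest { requestList } }

def parse_response_status(der):
    """Read OCSPResponse.responseStatus; the signed ResponseBytes are not examined."""
    offset = 2 + ((der[1] & 0x7F) if len(der) > 1 and der[1] & 0x80 else 0)  # skip outer length
    if len(der) < offset + 3 or der[0] != 0x30 or der[offset:offset + 2] != b"\x0a\x01":
        raise ValueError("not an OCSPResponse with a responseStatus ENUMERATED")
    return RESPONSE_STATUS.get(der[offset + 2], f"unknown({der[offset + 2]})")

def http_post(address, hostname, path, body):
    """POST to one responder by IP address while keeping the shared Host header."""
    req = urllib.request.Request(f"http://{address}{path}", data=body, method="POST",
        headers={"Host": hostname, "Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def probe_responders(addresses, hostname, request_der, sender=http_post, path="/ocsp"):
    """Map each responder address to its responseStatus, or 'unreachable' on any failure."""
    results = {}
    for address in addresses:
        try:
            results[address] = parse_response_status(sender(address, hostname, path, request_der))
        except Exception as exc:  # connection refused, timeout, malformed reply
            results[address] = f"unreachable ({type(exc).__name__})"
    return results
```

Call `probe_responders(addresses, "ocsp.example.test", build_ocsp_request(name_hash, key_hash, serial))` with the addresses from the A record set; any entry other than `successful` is a responder that round-robin DNS is still sending clients to.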