Setting Up Secure Load Balancing

To use Secure Sockets Layer (SSL) with Microsoft Speech Server (MSS), each Speech Engine Services (SES) computer must have a server certificate with its own name, and another with the cluster name.

Internet Information Services (IIS) allows only one server certificate to be attached to a Web site. Therefore, to make SSL work for SES, the "Default Web Site" on the SES computer must be duplicated to another Web site. One Web site must be configured to listen on the SES computer's dedicated IP, and another must be configured to listen on the cluster IP. A certificate can then be attached to each Web site, ensuring secure communication.

Secure load balancing can be implemented by:

  • Creating a Web site

  • Assigning a certificate to the Web site

  • Setting the advanced configuration options

  • Verifying the setup

  • Configuring Telephony Application Services (TAS) to use SES

The following procedures assume an MSS configuration of one TAS computer and two SES computers. A Network Load Balancing (NLB) cluster is created which includes both SES computers with the following example names and IP values:

| Computer Name | Dedicated IP Address |
|---|---|
| MY-SES (cluster) | 192.168.0.10 |
| MY-SES1 | 192.168.0.11 |
| MY-SES2 | 192.168.0.12 |

Important: All procedures in this topic must be completed individually for each SES computer. After completing the procedures for MY-SES1, return to this point and complete the procedures for MY-SES2.

To create the Web site

  1. On the SES computer, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

  2. In the left panel, expand Services and Applications, expand Internet Information Services, and then expand Web Sites.

  3. Right-click Default Web Site, point to All Tasks, and then click Save Configuration to a File.

  4. Enter a file name (for example, DefaultWebSite), select a path, and then click OK.

  5. Right-click Web Sites, point to New, click Web Site (from file), click Browse, locate the file that was saved in the previous step, and then click Read File.

  6. Click Default Web Site, and then click OK.

  7. When "This site already exists" appears, select Create a new site, and then click OK. The new Web site is labeled "Default Web Site (Stopped)".

  8. Right-click the new Web site, click Rename, and then type NLB Web Site.

  9. Keep the window open and go to the next procedure: To assign a certificate to the Web site.

To assign a certificate to the Web site

  1. Right-click Default Web Site, click Properties, select the Directory Security tab, and then click Server Certificate. When the Web Server Certificate wizard starts, click Next.

  2. On the Server Certificate page, select a method for assigning a certificate to this Web site. For example, if a certificate is already installed on this computer, select Assign an existing certificate, click Next, and then select the certificate from the list.

  3. Click Next until you reach the last page of the wizard, and then click Finish to close the wizard.

  4. Repeat steps 1–2 to attach a certificate with the NLB cluster name MY-SES to NLB Web Site.

  5. Keep the window open and go to the next procedure: To set the advanced configuration options.

To set the advanced configuration options

  1. Right-click Default Web Site, select Properties, and then click the Web Site tab.

  2. In the SSL Port field, type 443, and then click Advanced to open the Advanced Multiple Web Site Configuration window.

  3. In the top list, labeled "Multiple Identities for This Web Site," select the IP address. This is typically displayed as (All Unassigned).

  4. Click Edit, select the computer's dedicated IP (for example, 192.168.0.11) from the list, and then click OK.

    Note: If you need to access a resource from https://localhost (such as a preloaded resource manifest file for SES), 127.0.0.1:80 must be added to the top list.

  5. In the bottom list, labeled "Multiple SSL identities for this Web Site," select the IP address. This is typically displayed as (All Unassigned).

  6. Click Edit, select the computer's dedicated IP (for example, 192.168.0.11) from the list, and then click OK.

  7. Click OK to close the Advanced Multiple Web Site Configuration window.

  8. Repeat steps 1–7 to make "NLB Web Site" listen on the NLB cluster IP (for example, 192.168.0.10) for both port 80 (HTTP) and port 443 (SSL/HTTPS).

  9. Go to the next procedure: To verify the setup.

To verify the setup

  1. Start both Web sites.

  2. Verify that you can access the following Web sites from TAS using Internet Explorer:

    https://MY-SES/SES/Lobby.asmx

    https://MY-SES1/SES/Lobby.asmx

    Security Alert: Not a Trusted CA – If Internet Explorer displays a Security Alert which states that the certificate is not from a trusted certification authority (CA), install the root certificate of the CA (or the two certificates used on MY-SES1) on the TAS computer. Be sure to install the certificate on the local computer—not for the current user—since TAS runs as the NetworkService account.

    Security Alert: Mismatched Names – If Internet Explorer displays a Security Alert which states that the name on the certificate does not match the name of the site, TAS will not be able to connect to https://MY-SES/SES/Lobby.asmx. To solve this, either use a certificate named MY-SES1 or use https://MY-SES1.mycompany.com/SES/Lobby.asmx to access SES instead. The same is true for the cluster name certificate.

  3. Once you have verified the setup for MY-SES1, repeat all procedures to set up MY-SES2.
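The two Security Alerts above can be checked against the planned bindings before the sites are started. The following is an added example, not part of the original topic: it models each SES computer's two Web sites and reports which alert TAS would hit for the cluster URL and the node URL. The name table, the issuer "Example Root CA", the MY-SES2.mycompany.com certificate and the single-name exact match are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    name: str       # IIS Web site label
    ssl_ip: str     # IP in "Multiple SSL identities for this Web Site"
    cert_name: str  # name the server certificate was issued to
    issuer: str     # root CA that issued it (hypothetical name)

# Constructed sample data using the page's example names and addresses.
DNS = {"my-ses": "192.168.0.10", "my-ses1": "192.168.0.11", "my-ses2": "192.168.0.12"}
SITES = {
    "MY-SES1": [Site("Default Web Site", "192.168.0.11", "MY-SES1", "Example Root CA"),
                Site("NLB Web Site", "192.168.0.10", "MY-SES", "Example Root CA")],
    # MY-SES2's own certificate was issued to the FQDN, not the short name.
    "MY-SES2": [Site("Default Web Site", "192.168.0.12", "MY-SES2.mycompany.com", "Example Root CA"),
                Site("NLB Web Site", "192.168.0.10", "MY-SES", "Example Root CA")],
}

def check_url(host, node, machine_roots, user_roots=frozenset()):
    """Return the alerts TAS would hit requesting https://<host>/ served by <node>."""
    ip = DNS.get(host.lower())
    site = next((s for s in SITES[node] if s.ssl_ip == ip), None)
    if site is None:
        return ["no SSL identity on %s for %s" % (node, ip)]
    alerts = []
    # Simplification: one name per certificate, compared case-insensitively.
    if site.cert_name.lower() != host.lower():
        alerts.append("mismatched name: certificate is for %s" % site.cert_name)
    # TAS runs as NetworkService, so only the local computer store counts.
    if site.issuer not in machine_roots:
        where = "current user only" if site.issuer in user_roots else "not installed"
        alerts.append("not a trusted CA for NetworkService (%s)" % where)
    return alerts

def audit(machine_roots, user_roots=frozenset()):
    """Check the cluster URL and the node's own URL on every SES computer."""
    report = {}
    for node in SITES:
        for host in ("MY-SES", node):
            report[(node, host)] = check_url(host, node, machine_roots, user_roots)
    return report
```

A root installed only for the current user is reported separately because Internet Explorer, run by the logged-on administrator, would show no alert in that case while TAS would still fail.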

To configure TAS

  1. Configure TAS to use the SES URL with cluster name https://MY-SES/SES/Lobby.asmx.

  2. Restart TAS.

See Also

Load Balancing and Availability