Health monitoring ADFS

Martyn Griffiths
New Contributor

Health monitoring ADFS

Hello

 

We're looking to try and provide suitable health monitoring for some ADFS and ADFS Proxy services being provided by our Brocade virtual Traffic Manager (running v11.0).

 

I've seen a previous post (from 2015) that failed to suggest a solution. However in "Windows Server 2012 R2 Update rollup (KB.2975719)", Microsoft in their wisdom, provide a way of monitoring ADFS using HTTP. See the following URL for details:

 

https://blogs.technet.microsoft.com/applicationproxyblog/2014/10/17/hardware-load-balancer-health-ch...

 

However, as ADFS uses SSL pass-through (at least in our case) on port 443, we seem unable to use the HTTP method to monitor this HTTPS service. The stock HTTP monitor sends the requests to port 443.

 

My question is therefore: is it possible, using the stock health monitors, to monitor a 443 (HTTPS) service on port 80 (HTTP)?

Or must we write an external monitor, using Perl or similar?

 

The new ADFS HTTP monitor URLs are:

http://<Web Application Proxy name>/adfs/probe

http://<ADFS server name>/adfs/probe

http://<Web Application Proxy IP address>/adfs/probe

http://<ADFS IP address>/adfs/probe

 

many thanks in advance

 

Martyn Griffiths

University of South Wales

UK

 
4 REPLIES
PaulWallace
Contributor

Re: Health monitoring ADFS

Thanks Martyn - It is possible to write a custom health monitor, but I think you should be able to use the standard HTTP monitor with the “use_ssl” flag set to True. That should give HTTPS monitoring on port 443. 

 

 

> is it possible, using the stock health monitors, to monitor a 443 (HTTPS) service on port 80 (HTTP).

 

However, your post suggests you are looking at port 80 (HTTP), is that the case?

 

 

jluksch
New Contributor

Re: Health monitoring ADFS

Hello,

 

A standard monitor will always monitor the port configured for the node in the pool. To monitor other ports, you need a scripted health monitor.

 

Here's an example HTTP/S monitor I wrote in Python, although it is not performance optimized, as it runs an additional subprocess. It reads additional parameters through the health monitor to specify what port and what path you want to monitor.

 

Upload the script to Extra Files/Monitors, then create a new program-based monitor and add the parameters below...

 

#!/usr/bin/env python
# HTTPS health monitor for different port than node port
# Juergen Luksch, System Engineer vADC, Brocade Communications GmbH
# 26.09.2016   v2.2

# Running: HTTPS_port-monitor.py --ipaddr=192.168.42.111 --port=443 --node=192.168.42.111 --verbose --usessl --monitorport=8443 --timeout=1 --path=/ --failures_left=2

import argparse
import os
import subprocess
import sys

parser = argparse.ArgumentParser(description="vTM HTTPS health monitor")

# standard arguments vTM passes to every program-based monitor
parser.add_argument("--ipaddr", dest="vtm_ipaddr", help="IP address to monitor")
parser.add_argument("--port", dest="vtm_port", type=int, help="node port")
parser.add_argument("--node", dest="vtm_node", help="node to monitor")
parser.add_argument("--verbose", dest="vtm_verbose", action="store_true", help="verbose output")
parser.add_argument("--usessl", dest="vtm_usessl", action="store_true", help="if SSL protocol used")
parser.add_argument("--failures_left", dest="vtm_failures_left", help="health monitor failures left")

# custom health monitor parameters (configured on the monitor in the vTM UI)
parser.add_argument("--monitorport", dest="monitorport", default="-1", help="tcp port to monitor (-1 = scheme default)")
parser.add_argument("--timeout", dest="timeout", type=int, default=1, help="connect timeout in seconds for the curl request")
parser.add_argument("--path", dest="path", default="", help="path to check in monitor")
args = parser.parse_args()

# --usessl is set by vTM when the pool node is an SSL node; it selects the scheme of the probe
protocol = "https" if args.vtm_usessl else "http"

# -1 means "no explicit port": curl then uses the scheme default (80 or 443)
monitorport = "" if args.monitorport == "-1" else ":" + args.monitorport

# normalise the path so the URL is always well formed
if not args.path:
    args.path = "/"
elif args.path[0] != "/":
    args.path = "/" + args.path

url = protocol + "://" + args.vtm_ipaddr + monitorport + args.path
cmd = ["/usr/bin/curl", "--silent", "--fail", "--insecure",
       "--connect-timeout", str(args.timeout), url]

# --fail makes curl exit non-zero (22) on an HTTP 4xx/5xx; 2xx and 3xx count as success.
# --insecure skips certificate validation, so this checks liveness, not the certificate.
with open(os.devnull, "w") as devnull:
    res = subprocess.call(cmd, stdout=devnull)

if args.vtm_verbose:
    print("%s *** RESULT: %i" % (" ".join(cmd), res))

# vTM treats any non-zero exit status as a failed health check
if res:
    sys.stderr.write("curl exit code: " + str(res) + "\n")
sys.exit(res)

Add 3 arguments to the monitor to specify path, port and timeout:

monitor parameters

 

Jürgen

Martyn Griffiths
New Contributor

Re: Health monitoring ADFS

Hi Paul

 

Yes, we're looking to monitor an HTTPS (443) VIP with a HTTP (80) monitor.

 

Basically it's Microsoft ADFS (which uses 443) and the monitor that Microsoft supplies is via a HTTP URL.

 

regards

Martyn

Martyn Griffiths
New Contributor

Re: Health monitoring ADFS

Many thanks Jürgen

 

We've tested your script and it does work. However, the Microsoft documentation suggests we look for a HTTP "200" response code from the health monitor.

 

If it's okay with you, we'll take a look at the script and see if we can amend it to test for a suitable server response code.

 

We will let you know how we get on.

 

best regards

Martyn
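The amendment Martyn describes in his last reply, written out as an added example (this is not code from any post in the thread, nor from Brocade or Microsoft): a program-based monitor in the same vTM argument convention as Jürgen's script, which sends a plain-HTTP GET to /adfs/probe on a separate probe port (the Microsoft probe is HTTP on port 80 even though the node itself is SSL on 443) and passes only on an exact HTTP 200. It uses Python's http.client instead of curl so the status code is available directly rather than inferred from curl's exit status, which means a 3xx no longer counts as healthy. The custom --monitorport, --timeout and --path parameters are assumed to be configured on the monitor as in Jürgen's post; the vTM-supplied --usessl and --failures_left flags are accepted but not used for the probe. The small in-process "fake ADFS" server at the bottom is constructed purely so the monitor can be exercised on a workstation with no ADFS node in reach.

```python
#!/usr/bin/env python3
# Added example (not code from any post in this thread): a vTM program-based
# monitor that probes the ADFS HTTP endpoint on a port other than the node port
# and passes ONLY on HTTP 200, as the Microsoft guidance for /adfs/probe asks.
# Assumed: the custom --monitorport/--timeout/--path parameters are configured
# on the monitor exactly as in the curl-based script above.
import argparse
import http.client
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_PATH = "/adfs/probe"   # ADFS / WAP probe path from the Microsoft article


def probe_status(host, port, path=PROBE_PATH, timeout=2.0, use_ssl=False):
    """GET path on host:port and return the HTTP status code, or None if the
    connection fails or times out. Plain HTTP by default, because the ADFS
    probe is served on port 80 even though the service itself is on 443."""
    conn_cls = http.client.HTTPSConnection if use_ssl else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)   # the HTTPS path verifies the certificate
    try:
        conn.request("GET", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        resp.read()          # drain the body so the socket closes cleanly
        return resp.status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def is_healthy(status):
    """Only an exact 200 counts as up: a 3xx (e.g. a redirect to a sign-in page)
    or a 5xx from a half-started ADFS service must fail the node."""
    return status == 200


def parse_args(argv):
    p = argparse.ArgumentParser(description="vTM ADFS probe monitor")
    # arguments vTM passes to every program-based monitor
    p.add_argument("--ipaddr", required=True, help="node IP address")
    p.add_argument("--port", type=int, help="node port (443 for ADFS)")
    p.add_argument("--node", help="node name")
    p.add_argument("--verbose", action="store_true")
    p.add_argument("--usessl", action="store_true", help="node is SSL (not used: probe is HTTP)")
    p.add_argument("--failures_left")
    # custom parameters configured on the monitor (assumed names)
    p.add_argument("--monitorport", type=int, default=80, help="port for the probe")
    p.add_argument("--timeout", type=float, default=2.0, help="seconds")
    p.add_argument("--path", default=PROBE_PATH)
    return p.parse_args(argv)


def main(argv=None):
    """Returns the process exit status: 0 = healthy, 1 = failed (vTM semantics)."""
    args = parse_args(sys.argv[1:] if argv is None else argv)
    status = probe_status(args.ipaddr, args.monitorport, args.path, args.timeout)
    if args.verbose:
        print("GET http://%s:%d%s -> %s" % (args.ipaddr, args.monitorport, args.path, status))
    if is_healthy(status):
        return 0
    sys.stderr.write("ADFS probe on %s:%d returned %s, expected 200\n"
                     % (args.ipaddr, args.monitorport, status))
    return 1


# --- constructed stand-in for an ADFS node, used only to exercise the monitor locally ---
class _FakeAdfs(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200 if self.path == PROBE_PATH else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep request logging out of the monitor's output
        pass


def start_fake_adfs():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeAdfs)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    sys.exit(main())
```

On the vTM it would be uploaded to Extra Files/Monitors and run as a program-based monitor with --monitorport=80 and --path=/adfs/probe; the node port stays 443 so the pool itself is unchanged. Note that curl's --fail in the script above exits 0 for a 3xx, so a WAP node that answers the probe with a redirect would look healthy there but fails here.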