How to Load Balance Secure Web Traffic Between Two IIS Servers and Still Use Certificates (298559)


The information in this article applies to:

  • Microsoft Internet Information Server 4.0
This article was previously published under Q298559
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SUMMARY

This article describes how to set up certificates for secure communication between servers and Web clients when the servers are load balanced.

MORE INFORMATION

To install certificates on load balanced Web servers, install the same key on all the servers that are being load balanced. To do this, follow these steps:
  1. Install the certificate on the first Web site. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    228991 How to Create and Install an SSL Certificate in IIS 4.0

  2. Export the key to the other server in the load balance. To do this, follow these steps:
    1. Open the Microsoft Management Console (MMC) for IIS and expand the Internet Information Server folder.
    2. Click the plus sign (+) sign next to the computer name.
    3. The default Web site is available now. Right-click the Default Web Site icon, click Properties, and then click the Directory Security tab.
    4. In Secure Communications, click the Edit button.

      NOTE: If the button reads Key Manager instead of Edit, you do not have an encryption certificate for the WWW service installed.
    5. In the second Secure Communications window, click Key Manager.
    6. In Key Manager, under Local Computer, select WWW.
    7. On the Key menu, click Export Key.
    8. Click Backup File and note the location where the file is stored. Copy the backup file to the other server that is being load balanced and note the location where it is copied.
  3. Import the key onto the other Web servers that are being load balanced. To do this, follow these steps:
    1. Open the Microsoft Management Console (MMC) for IIS and expand the Internet Information Server folder.
    2. Click the plus sign (+) sign next to the computer name.
    3. The default Web site is available now. Right-click the Default Web Site icon, click Properties, and then click the Directory Security tab.
    4. In Secure Communications, click the Key Manager button.

      NOTE: If the button reads Edit instead of Key Manager, you already have an encryption certificate for the WWW service installed. You must delete this key before you proceed.
    5. In Key Manager, select WWW.
    6. On the Key menu, click Import Key.
    7. Click Backup File and browse to the location where the file was copied.
    8. Commit the changes and ensure that port 443 is entered in the SSL field on the Web Site tab within the default Web site.
You can now load balance SSL Web traffic between the server on which the certificate was originally installed along with the server where the certificate was imported to.

REFERENCES

For more information, see the following article in the Microsoft Knowledge Base:

219277 Load Balancing HTTP with WLBS

Modification Type:MinorLast Reviewed:6/23/2005
Keywords:kbinfo KB298559
©2004 Microsoft Corporation. All rights reserved.