1. Kemp Support
2. Knowledge Base
3. Content Delivery

How to create a Virtual Service for Load Balancing LDAP, LDAPS or RADIUS Requests

Updated: January 21, 2020 20:18

The purpose of this Knowledge Base Article is to provide a solution for Load Balancing LDAP, LDAPS and RADIUS requests using separate Virtual Service configurations on the LoadMaster.

This Knowledge Base guide primarily covers Unencrypted LDAP and Encrypted LDAPS over TCP, while RADIUS is available over UDP. On some occasions, it may be required to Load Balance LDAP/LDAPS over UDP. The LoadMaster is capable of supporting LDAP/LDAPS over UDP, but TCP is assumed by default. UDP can be selected via the Protocol drop down menu when creating the Virtual Service.

 

1. LDAP Configuration

1.1 - Create a new Virtual Service for LDAP

1. Navigate to Virtual Services > Add New.
2. Enter the Virtual Address IP Address.
3. Enter the Port (Port 389 for LDAP).
4. Give the Virtual Service a Service Name.
5. Click Add this Virtual Service.

Figure 1.1.1 - Adding a new Virtual Service on LDAP TCP Port 389

 

1.2 - Modify the Virtual Service and add the LDAP Real Server(s)

Below is a sample Virtual Service configuration for Load Balancing LDAP Requests. Please note the following defined requirements, and make all recommended changes where appropriate:

• By default, the Service Type should be set to Generic. If not, please manually set this to Generic.
• Also by default, the Server Initiating Protocols is set to Normal Protocols. Please change this to Other Server Initiating.
• By default, the Real Server Check Method is set to TCP Connection Only.

Figure 1.2.1 - The LDAP Virtual Service Configuration Overview

 

• Under Real Servers, click Add New and enter the IP Address of the LDAP Server under Real Server Address. Each LDAP Server IP Address will need to manually added here, one at a time.
• Once complete, click Back and now the Real Server IP Address(es) will be visible under the Real Servers section on the Virtual Service.

Figure 1.2.2 - Adding a new Real Server on LDAP Port 389

 

• Return to the View/Modify Services list and confirm the new LDAP Virtual Service is marked as Up.

Figure 1.2.3 - The LDAP Virtual Service Health Check being marked as Up

 

[Optional] 1.3 - Create an LDAP Endpoint for Health Checking the LDAP Virtual Service

Navigate to Certificates & Security > LDAP Configuration

1. Enter a Name for the LDAP Endpoint and click Add.
2. Enter the IP Address(es) of the LDAP Server(s), separated by a space, and click LDAP Server(s).
3. Select Unencrypted as the LDAP Protocol.
4. Leave Validation Interval, Referral Count and Server Timeout as the default values, or modify as required.
5. Enter the Active Directory's Admin User in UPN format e.g. user@domain.com, and click Set Admin User.
6. Enter the Password of the Admin User and click Set Admin User Password.

Figure 1.3.1 - [Optional] LDAP Endpoint Configuration

 

• It is now possible to change the Real Server Check Method to LDAP instead of TCP Connection Only. The Virtual Service will now be using the configured LDAP Endpoint for Health Checking.
• From the first drop down list, select LDAP as the Real Server Check Method.
• Select the same LDAP Endpoint from the second drop down list, as configured in Figure 1.3.1.

Figure 1.3.2 - [Optional] Real Server Health Check Method set to LDAP

 

 

2. LDAPS Configuration

2.1 - Create a new Virtual Service for LDAPS

1. Navigate to Virtual Services > Add New.
2. Enter the Virtual Address IP Address.
3. Enter the Port (Port 636 for LDAPS).
4. Give the Virtual Service a Service Name.
5. Click Add this Virtual Service.

Figure 2.1.1 - Adding a new Virtual Service on LDAPS TCP Port 636

 

2.2 - Modify the Virtual Service and add the LDAPS Real Server(s)

Below is a sample Virtual Service configuration for Load Balancing LDAPS Requests. Please note the following defined requirements, and make all recommended changes where appropriate:

• By default, the Service Type should be set to Generic. If not, please manually set this to Generic.
• Also by default, the Server Initiating Protocols is set to Normal Protocols. Please change this to Other Server Initiating.
• SSL Acceleration can be either enabled or disabled on the LDAPS Virtual Service, depending on the configuration requirements. For maximizing performance, it would be recommended to have SSL Acceleration disabled. This would result in the LDAPS connection not being offloaded by the LoadMaster, but it will be Passed-Through uninterrupted to the LDAPS server instead.
• By default, the Real Server Check Method is set to TCP Connection Only. 

Figure 2.2.1 - The LDAPS Virtual Service Configuration Overview

 

• Under Real Servers, click Add New and enter the IP Address of the LDAPS Server under Real Server Address. Each LDAPS Server IP Address will need to manually added here, one at a time.
• Once complete, click Back and the Real Server IP Address(es) will now be visible under the Real Servers section on the Virtual Service.

Figure 2.2.2 - Adding a new Real Server on LDAPS Port 636

 

• Return to the View/Modify Services list and confirm the new LDAPS Virtual Service is marked as Up.

Figure 2.2.3 - The LDAPS Virtual Service Health Check being marked as Up

 

[Optional] 2.3 - Create an LDAP Endpoint for Health Checking the LDAPS Virtual Service

Navigate to Certificates & Security > LDAP Configuration

1. Enter a Name for the LDAP Endpoint and click Add.
2. Enter the IP Address(es) of the LDAPS Server(s), separated by a space, and click LDAP Server(s).
3. Select LDAPS as the LDAP Protocol.
4. Leave Validation Interval, Referral Count and Server Timeout as the default values, or modify as required.
5. Enter the Active Directory's Admin User in UPN format e.g. user@domain.com, and click Set Admin User.
6. Enter the Password of the Admin User and click Set Admin User Password.

Figure 2.3.1 - [Optional] LDAP Endpoint Configuration using the LDAPS Protocol

 

• It is also possible to change the Real Server Check Method to LDAP instead of TCP Connection Only.
• From the first drop down list, select LDAP as the Real Server Check Method.
• Select the same LDAP Endpoint from the second drop down list, as configured in Figure 2.3.1.

 Figure 2.3.2 - [Optional] Real Server Health Check Method set to LDAP

 

 

3. RADIUS Configuration

3.1 - Create a new Virtual Service for RADIUS

1. Navigate to Virtual Services > Add New.
2. Enter the Virtual Address IP Address.
3. Enter the Port (Port 1812 for RADIUS).
4. Give the Virtual Service a Service Name.
5. Select UDP as the Protocol.
6. Click Add this Virtual Service.

Figure 3.1.1 - Adding a new Virtual Service on RADIUS UDP Port 1812

 

3.2 - Modify the Virtual Service and add the RADIUS Real Server(s)

Below is a sample Virtual Service configuration that works for Load Balancing RADIUS Requests. Please note the following defined requirements, and make all recommended changes where appropriate:

• By default, the Virtual Service may be set as Layer 4. This would enforce Transparency, which may not be suited for your environment. To switch to Layer 7, disable the Force L4 option under Standard Options. Please see this Knowledge Base guide for more information on Transparency.
• By default, the Real Server Check Method is set to ICMP Ping. This is the only suitable Real Server Health Check Method for this configuration.
• Whether to enable Subnet Origininating Requests (SOR) or not, would depend on which IP address has been configured for the RADIUS Client configuration on the NPS server side. If the RADIUS client is expecting to see connections coming from the Virtual Service IP, then leave SOR disabled. If the RADIUS Client expects to see connections coming from the LoadMaster's Interface Address, then SOR will need to be enabled. If the original true Client IP is expected by the RADIUS Client NPS configuration, then Transparency is required on the Virtual Service.

Figure 3.2.1 - The RADIUS Virtual Service Configuration Overview

 

• Under Real Servers, click Add New and enter the IP Address of the RADIUS Server under Real Server Address. Each RADIUS Server IP Address will need to manually added here, one at a time.
• Once complete, click Back and the Real Server IP Address(es) will now be visible under the Real Servers section on the Virtual Service.

Figure 3.2.2 - Adding a new Real Server on RADIUS Port 1812

 

• Return to the View/Modify Services list and confirm the new RADIUS Virtual Service is marked as Up.

Figure 3.2.3 - The RADIUS Virtual Service Health Check being marked as Up

---

Comments