Our infrastructure is team is doing a bunch of upgrades to our PKI infrastructure. They are setting it up to have redundancy with different hosting sites. They are exploring putting Multiple the NDES severs behind a VIP but we are not sure if we will run into any issues. My thought is as long as the various NDES servers provide valid certs it should be accepted by our NAC ClearPass.
Has anyone tried this or have experience with it?
Hello,
Configuring multiple NDES (Network Device Enrollment Service) servers behind a VIP (Virtual IP) for redundancy and load balancing is a common approach in environments with high availability (HA) requirements. Your thought that ClearPass should accept valid certificates provided by any of the NDES servers is generally correct, assuming the following conditions are met:
Key Considerations for NDES with VIP
Certificate Consistency Across NDES Servers:
Ensure all NDES servers are configured identically, including templates, RA (Registration Authority) certificates, and permissions.
If the servers are configured inconsistently, certificate issuance might fail or certificates may not meet the required standards.
Load Balancer Configuration:
Use a load balancer that supports sticky sessions (persistence) if your setup involves workflows requiring a single server for a complete transaction.
Health checks should be properly configured to ensure requests are sent only to healthy NDES servers.
Network Access Control (NAC) System:
ClearPass should be agnostic to which NDES server issued the certificate, provided the certificate chain is trusted.
Ensure the certificates issued by NDES servers are signed by the same issuing CA or within a trusted PKI hierarchy that ClearPass recognizes.
NDES-Specific Requirements:
NDES uses SCEP (Simple Certificate Enrollment Protocol), which may cache certain stateful data on the server. If the request handling is interrupted mid-transaction (e.g., routed to another server), it may cause issues unless the backend session state is synchronized.
Synchronization of Templates and Policies:
The Certificate Templates and configuration (e.g., registry settings and IIS configuration for NDES) must be consistent across all servers.
Automate the deployment and configuration management of these servers using tools like PowerShell, Ansible, or other configuration management tools.
Failover Testing:
Test failover scenarios with the VIP and multiple servers to ensure uninterrupted operation.
Simulate real-world loads to ensure the setup meets performance requirements.
Best Regards
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.