As part of installing Squared Up you’re asked to specify a management server. A recent shutdown of one of our two data centres highlighted this as an issue – although SCOM and Squared Up are resilient and kept running they weren’t able to communicate with each other because the management server that was specified during setup happened to be the one that was shut down!
Is it possible to use a load balancer (we’ve got F5 Big IPs handy) to create a pool of management servers and use the vIP of that pool as the management server address? Any advice or info gratefully received.
Yes, it is possible to connect Squared Up to a load balancer in front of your management servers.
However, to enable Squared Up to authenticate to the management server properly, you do need to set up Kerberos Constrained Delegation correctly.
Firstly, you need to create a new SPN in Active Directory.
The SPN must have the address of the load balancer:
And this SPN must be registered against the AD account that is running the “Data Access Service” on the SCOM management server.
Second, if you are using Windows Authentication with Squared Up, you need to modify the Kerberos Constrained Delegation settings for the Squared Up AD account to allow delegation to the load balancer address.
Fortunately, Tao Yang blogged about this (in the context of the SCOM web console – the process for setting up Kerberos for Squared Up is the same):
And his blog has screenshots 🙂
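A read-only check of the two settings described in the answer above, added here as an example and not part of the original thread or of Squared Up's documentation. It assumes the ActiveDirectory PowerShell module and the `MSOMSdkSvc` service class that the SCOM Data Access Service normally registers; the load balancer name and both account names are hypothetical placeholders.

```powershell
# Added example: verifies SPN ownership and constrained delegation for a
# load-balanced SCOM management server address. Makes no changes to AD.
Import-Module ActiveDirectory

$LbShort     = 'scom-vip'                  # placeholder: load balancer short name
$LbFqdn      = 'scom-vip.contoso.example'  # placeholder: load balancer FQDN
$DasAccount  = 'svc-scom-das'              # placeholder: account running the Data Access Service
$SqupAccount = 'svc-squaredup'             # placeholder: account Squared Up runs as

# Assumption: MSOMSdkSvc is the service class used by the Data Access Service.
$wanted = "MSOMSdkSvc/$LbShort", "MSOMSdkSvc/$LbFqdn"

# 1. Each SPN must be held by exactly one object in the domain, and that
#    object must be the Data Access Service account. A duplicate SPN makes
#    the KDC unable to issue a ticket, so it is reported separately.
foreach ($spn in $wanted) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    $names  = $owners | ForEach-Object { $_.sAMAccountName }
    $result = if     ($owners.Count -eq 0)     { 'MISSING' }
              elseif ($owners.Count -gt 1)     { 'DUPLICATE' }
              elseif ($names -eq $DasAccount)  { 'OK' }
              else                             { 'WRONG ACCOUNT' }
    [pscustomobject]@{ Check = 'SPN registration'; Target = $spn
                       HeldBy = ($names -join ', '); Result = $result }
}

# 2. With Windows Authentication, the Squared Up account must be allowed to
#    delegate to the load balancer SPNs (msDS-AllowedToDelegateTo).
$sq = Get-ADObject -LDAPFilter "(sAMAccountName=$SqupAccount)" -Properties 'msDS-AllowedToDelegateTo'
if (-not $sq) {
    [pscustomobject]@{ Check = 'Delegation'; Target = $SqupAccount
                       HeldBy = ''; Result = 'ACCOUNT NOT FOUND' }
} else {
    $allowed = @($sq.'msDS-AllowedToDelegateTo')
    foreach ($spn in $wanted) {
        $result = if ($allowed -contains $spn) { 'OK' } else { 'NOT DELEGATED' }
        [pscustomobject]@{ Check = 'Delegation'; Target = $spn
                           HeldBy = $SqupAccount; Result = $result }
    }
}

# To register a missing SPN, setspn -S refuses to create a duplicate:
#   setspn -S MSOMSdkSvc/scom-vip.contoso.example CONTOSO\svc-scom-das
```

If Squared Up runs under a built-in identity such as Network Service, set `$SqupAccount` to the web server's computer account name (ending in `$`).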
If I’ve read this right, it sounds like you have two Squared Up instances which you can point at different management servers.
i.e. SQUP1 points to MS1 and SQUP2 points to MS2
This gives you the resiliency if one goes down. As far as I’m aware, you can’t use a VIP to connect SQUP to SCOM as there’s all sorts of Kerberos issues that become apparent when this is used.
From what I understand F5s are pretty intelligent though and you can tell them to redirect if there’s target text on the page that loads? (I’m not a network guy and haven’t any experience with F5s!). If this is the case then you can tell it to redirect to the secondary if an error or certain text is found on the page. However, not being able to connect to SCOM will not present an HTTP status error code in SQUP, though there’s a couple of links for errors I’m aware of:
Hope this helps!