
Reverse Proxy connections to Internal Adobe Connect Server



Hi,

 

We have an Adobe Connect installation on a server on our internal network and want to use the Netscaler as a Reverse Proxy / Load Balancer as shown in the first diagram on the following web page:

https://blogs.adobe.com/connectsupport/adobe-connect-10-1-switch-the-default-acts-service-protocol-from-ws-to-wss/

The Adobe Connect Server has 3 IP Addresses  

172.16.232.40 connect.domain.com

172.16.232.41 connectmeeting.domain.com

172.16.232.42 connectacts.domain.com

 

The ADC is set up with 3 Virtual Servers

172.16.252.42 connect - port 443 Protocol SSL - service binding - Name: connect Protocol http Port 8443 Profile - http-ns-default with Websockets enabled

172.16.252.43 connectmeeting port 443 Protocol SSL_TCP - service binding - Name: connectmeeting Protocol SSL_TCP Port 1935

172.16.252.44 connectacts-wss port 443 Protocol SSL - service binding - Name: connect-wss-acts Protocol http Port 9002 Profile - http-ns-default with Websockets enabled

 

I can connect to the Adobe Connect server connect.domain.com and the connectmeeting.domain.com (Runs on Adobe Connect Desktop Client on port 1935) opens fine but trying to launch a meeting in HTML5 using websockets doesn't work and the Console on Chrome shows the following:

 

Does anyone have any idea what could be missing?  HTML5 works fine on the Internal network.

 


 

Thanks

 

Frank


If I understand correctly what you are writing, do you have an SSL load balancer and then an HTTP service for websockets on it?

Does the websocket on port 9002 not work according to the Adobe article with certificate / SSL?

 

Does it all work without the NetScaler if connectacts.domain.com points directly to the server and not the load balancer?


Hi

 

Yes, we have an SSL Load balancer Virtual Server with an HTTP Service using Port 9002 bound to it and a SAN Certificate with the correct FQDN on it.

 

We have done a trial with a clone of the same server without the Netscaler running Stunnel TLS Wrapper on it and using the configuration below for the HTML5 (ACTS - Adobe Connect Transmuxing Service) and it works with no issues.

 

 

Protocol version (all, SSLv2, SSLv3, TLSv1)

sslVersion = all options = NO_SSLv2 options = NO_SSLv3 fips = no ;

Some performance tunings socket = l:

TCP_NODELAY=1 socket = r:

TCP_NODELAY=1

TIMEOUTclose=0

options = DONT_INSERT_EMPTY_FRAGMENTS

[acts] ;

accept = ACTS IP:443 accept = 10.1.1.3:443 ; When stunnel is on the same box, simply leave the below IP address as 127.0.0.1 connect = 127.0.0.1:9002 ;

Certificate information for Connect Meetings. ;

This assumes you put the cert and key in the root folder of stunnel ;

cert = CertificateNameHere.pem ;

key = CerificateKeyNameHere.

pem cert = C:\Connect\stunnel\certs\public_certificate_acts-server.

pem key = C:\Connect\stunnel\certs\private_key_meeting-server.key.pem ;

ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

ciphers = ALL:!AECDH:!ADH:!LOW:!EXP:!MD5:@STRENGTH


The config looks very malformatted? Maybe it's just a text formatting issue when you pasted here.

;Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
fips = no

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
options = DONT_INSERT_EMPTY_FRAGMENTS

[acts]
; accept = ACTS IP:443
accept = 10.1.1.3:443
; When stunnel is on the same box, simply leave the below IP address as 127.0.0.1
connect = 127.0.0.1:9002

; Certificate information for Connect Meetings.
; This assumes you put the cert and key in the root folder of stunnel
; cert = CertificateNameHere.pem
; key = CerificateKeyNameHere.pem
cert = C:\Connect\stunnel\certs\public_certificate_acts-server.pem
key = C:\Connect\stunnel\certs\private_key_meeting-server.key.pem

; ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
ciphers = ALL:!AECDH:!ADH:!LOW:!EXP:!MD5:@STRENGTH

The ACTS configuration you posted includes a certificate; why do you use HTTP services and not SSL services?

 

What did you set for ACTS_PROTOCOL and SSL_ONLY in custom.ini?

Any errors in the stunnel log?

 

 


Hi Martin,

 

We have turned off stunnel as effectively we want Netscaler to do what stunnel was doing.  Our setup with stunnel works fine but we want to have the Netscaler as a Reverse Proxy as we are not keen to put a Windows Server with SQL on our DMZ.  I have changed the Service on the Load Balancer to SSL on Port 9002 but now I get a wss handshake error.

 

Custom.ini

SSL_ONLY=yes

ACTS_PROTOCOL=wss:443  

 


 

I am trying to locate the F5 Big-IP LTM documentation for Adobe Connect as this may shed some light on what I am missing.

 

Regards

 

Frank
