KEMP LoadMaster Load Balancer Certificate Format Invalid

When implementing a KEMP LoadMaster load balancer, one of the first configuration tasks performed is importing root and intermediate Certification Authority (CA) certificates. When doing this, it is not uncommon to encounter the following error message.

Certificate Format Invalid.

KEMP LoadMaster Load Balancer Certificate Invalid

To resolve this issue, .CER files must first be converted to .PEM format before being imported in to the LoadMaster. Using OpenSSL, .CER files can quickly be converted to .PEM with the following command.

openssl x509 -inform der -in example.cer -out example.pem

Optionally, .CER files can be converted to .PEM online here.

If the root and/or intermediate certificates are from an internal PKI, export the certificates using the Base-64 encoded x.509 (.CER) option. Certificates exported using this format can be imported directly in to the LoadMaster without first having to be converted to .PEM.

KEMP LoadMaster Load Balancer Certificate Format Invalid

Pro tip: When entering the Certificate Name, it is not necessary to enter a file extension. The name will be appended with .PEM automatically upon import.

KEMP LoadMaster Load Balancer Certificate Format Invalid

KEMP LoadMaster Load Balancer Certificate Format Invalid

Additional Resources

DirectAccess Deployment Guide for KEMP LoadMaster Load Balancers

Maximize Your Investment in Windows 10 with KEMP LoadMaster Load Balancers

DirectAccess and the FREE KEMP LoadMaster Load Balancer

Configure KEMP LoadMaster Load Balancer for DirectAccess Network Location Server (NLS)

Planning and Implementing DirectAccess Video Training Course on Pluralsight

Implementing DirectAccess with Windows Server 2016 Book

WEBINAR: Maximize Your Investment in Windows 10 with DirectAccess and the Kemp LoadMaster

Kemp Technologies LoadMaster Load BalancerWith the recent release of Microsoft’s Windows 10 client operating system, many organizations are now planning their migration to Windows 10 from previous versions. For those organizations looking to maximize their investment in Windows 10, many are considering the deployment of DirectAccess with Windows Server 2012 R2.

DirectAccess and Windows 10 - Better TogetherDirectAccess and Windows 10 are much better together. Windows 10 includes full support for all of the important enterprise features of DirectAccess in Windows Server 2012 R2, including geographic redundancy, transparent site selection, and IP-HTTPS performance improvements. The Kemp LoadMaster load balancer can be used to extend and enhance the native high availability features of DirectAccess, and it can be used to reduce supporting infrastructure requirements.

To learn more about maximizing your investment in Windows 10 with DirectAccess and the Kemp LoadMaster load balancer, be sure to attend our upcoming webinar on Thursday, October 15 when I’ll discuss in detail and demonstrate the advantages of Windows 10 and the Kemp LoadMaster load balancer.

You can register for the Windows Server 2012 R2 DirectAccess and Kemp Technologies LoadMaster webinar here.

Kemp Technologies LoadMaster Load Balancer

Configure Kemp LoadMaster for DirectAccess NLS

In a previous post I outlined how to configure the F5 BIG-IP Local Traffic Manager (LTM) to serve as the Network Location Server (NLS) for a DirectAccess deployment. Many people then asked if it was possible to do the same with the Kemp Technologies LoadMaster load balancing solution. Until now, it was not. However, beginning with release 7.1-28b it is!

After upgrading your Kemp LoadMaster to version 7.1-28b, open the LoadMaster management console, expand Virtual Services, and then click Add New. Specify a Virtual Address, enter 443 for the Port, optionally provide a descriptive Service Name, select TCP for the Protocol, and then click Add this Virtual Service.

Configure Kemp LoadMaster for DirectAccess NLS

Expand SSL Properties and select Enabled for SSL Acceleration. If you have not yet installed the SSL certificate for the NLS, you will be prompted to use a temporary certificate.

Configure Kemp LoadMaster for DirectAccess NLS

Expand Advanced Properties and select 200 OK from the Error Code drop-down list. Optionally you can enter a description for the service in the Error Message box and click Set Message. This will be displayed if someone opens the NLS web site in a web browser.

Configure Kemp LoadMaster for DirectAccess NLS

At the top of the page click Back. If the SSL certificate for the NLS was not previously installed, add it now by clicking Add New.

Configure Kemp LoadMaster for DirectAccess NLS

Click Import Certificate and provide the certificate file as required. Once the certificate is installed successfully, assign the certificate to the NLS virtual service and click Save Changes.

Configure Kemp LoadMaster for DirectAccess NLS

Once complete, update the DNS record for NLS to point to the IP address assigned to the virtual service running on the LoadMaster.

For more information about the Kemp Technologies LoadMaster load balancer and to download a free fully-functional trial, click here. You can also download a completely free and fully-functional version of the Kemp LoadMaster here.

To learn more about the DirectAccess NLS, please refer to the following posts:

DirectAccess Network Location Server Guidance

DirectAccess NLS Deployment Considerations for Large Enterprises

DirectAccess Single NIC Load Balancing with Kemp LoadMaster

Kemp Technologies Load BalancersEarlier this year I authored the Windows Server 2012 R2 DirectAccess Deployment Guide for Kemp LoadMaster load balancers. The documentation described in detail how to configure the Kemp LoadMaster to provide load balancing for DirectAccess when configured with two network adapters. It also assumed that the DirectAccess server is configured to use the LoadMaster as its default gateway.

There are many scenarios in which the DirectAccess server does not use the LoadMaster as its default gateway, most commonly deployments where the DirectAccess server is configured with a single NIC. To support load balancing for DirectAccess configured with a single NIC, it will be necessary to make some changes to the LoadMaster configuration to enable load balancing support for this scenario.

To configure the Kemp LoadMaster for load balancing DirectAccess single NIC deployments, follow the guidance to create the virtual service as documented. After creating the virtual service for DirectAccess, expand Standard Options, deselect Transparency, and then select Subnet Originating Requests.

DirectAccess Single NIC Load Balancing with Kemp LoadMaster

This will configure the LoadMaster to forward traffic to the DirectAccess server using the internal IP address of the LoadMaster as the source IP address for the connection instead of the original public address of the client. This allows the DirectAccess server to return DirectAccess traffic to the LoadMaster without having to use it as its default gateway.

DirectAccess and the Free Kemp Technologies LoadMaster

Kemp Technologies Load BalancersBeginning with Windows Server 2012, DirectAccess includes native support for external load balancers. Where high availability is required (which is most deployments!) the use of an external load balancer (physical or virtual) has many advantages over Windows Network Load Balancing (NLB).

While NLB is easy to configure, it is not without serious drawbacks. NLB relies on network broadcasts, which limits its effectiveness in some environments. In addition, NLB supports only a single load distribution mode, which is round robin. NLB also lacks a convenient monitoring interface.

A dedicated load balancing solution provides more robust load balancing and better, more granular traffic control than NLB. Along with this greater control comes increased traffic visibility, with most solutions providing details and insight in to node health, status, and performance. Many solutions also offer Global Server Load Balancing (GSLB) support, which enhances geographic redundancy and offers improvements when performing automatic site selection in multisite deployments.

Often the barrier to adoption for a dedicated external load balancer is cost. Many of the leading solutions are incredibly powerful and feature-rich, but come with a substantial price tag. The Kemp Technologies LoadMaster Load Balancers solution is an excellent, cost-effective alternative and works quite well providing load balancing support for DirectAccess. And to make things even more interesting, they recently announced a completely FREE version of their commercial load balancing product.

The Free Kemp Technologies LoadMaster Load Balancer is fully functional and supported for use in production environments. It provides full layer 4-7 support and includes reverse proxy, edge security, web application firewall (WAF) functionality, and GSLB. It can be installed on most major virtualization platforms including Microsoft Hyper-V, VMware, and more. The free LoadMaster is also available in Kemp Technologies LoadMaster Load Balancer on the Microsoft Azure Public Cloud Platform, as well as the VMware and Amazon public cloud platforms.

The free LoadMaster does have some restrictions, however. For example, you cannot create high availability clusters of LoadMasters. Also, the free LoadMaster is limited in terms of network throughput (20Mbps) and SSL/TLS transaction per second (50, using 2048 bit keys). There is also a limit on the number of virtual servers you can create (1000). The free LoadMaster must also have access to the Internet as it must be able to call home to validate its license every 30 days. You can find a complete model comparison matrix between the free and commercial Kemp LoadMasters Kemp LoadMaster Comparison Chart.

As the free version of the Kemp LoadMaster does not support clustering, technically you still have a single point of failure. However, it can still deliver a net improvement in stability and uptime, as the LoadMaster is a purpose-built platform that requires much less servicing and maintenance than a typical Windows server.

DirectAccess Deployment Guide for Kemp LoadMaster Load BalancersFor detailed information about configuring the Kemp LoadMaster to provide load balancing services for DirectAccess, be sure to download the DirectAccess Deployment Guide for Kemp LoadMaster Load Balancers. And if you end up liking the free Kemp LoadMaster load balancer (and I’m confident you will!) you can always upgrade to the full commercial release at any time.

For more information about the free Kemp LoadMaster load balancer, click Free Kemp LoadMaster Load Balancer.

%d bloggers like this: