How to Configure Apache Tomcat Connector as ISAPI redirector for Microsoft IIS to Load Balance Requests to Identity Manager Nodes

Article ID: 136177


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

This article explains how to use Microsoft IIS with the Apache Tomcat Connector (JK connector) as an ISAPI redirector to load balance requests to Identity Manager nodes.

Environment

Windows 2012 R2 (64bit)

IIS 8.5

tomcat-connectors-1.2.46-windows-x86_64-iis

2 nodes of vApp 14.2, each with IM (Identity Manager) component


Also tested in Windows 2016 with IIS 10

Resolution

The following is a step-by-step guide to configuring a basic setup of IIS + JK connector to load balance requests to 2 Identity Manager nodes.

 

1. Install IIS with the ISAPI Extensions and ISAPI Filters components if it is not already installed. To do this, launch Server Manager > Manage > Add Roles and Features and follow the wizard to install the required components.

2. Create an isapi directory. In this example it is created under the C:\inetpub directory.

3. Run the following 'icacls' command at the DOS prompt to grant the "IIS APPPOOL\DefaultAppPool" SID (Security Identifier) the modify privilege on the isapi directory:

 

icacls "C:\inetpub\isapi" /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)M

 

 

4. Download tomcat-connectors-1.2.46-windows-x86_64-iis.zip, e.g. from http://mirrors.advancedhosters.com/apache/tomcat/tomcat-connectors/jk/binaries/windows/, unzip it, and store the isapi_redirect.dll file under the isapi directory.


5. Create an isapi_redirect.properties file under the isapi directory with the following contents:

extension_uri=/jakarta/isapi_redirect.dll
log_file=C:\inetpub\isapi\isapi_redirect.log
log_level=info
worker_file=C:\inetpub\isapi\workers.properties
worker_mount_file=C:\inetpub\isapi\uriworkermap.properties

 

6. Create a workers.properties file under the isapi directory with the following contents:

 

worker.list=lb, node1, node2

worker.lb.type=lb
worker.lb.balance_workers=node1,node2
worker.lb.sticky_session=1
worker.lb.set_session_cookie=1
worker.lb.session_cookie=jakartalb

worker.node1.host=192.168.0.11
worker.node1.port=8009
worker.node1.type=ajp13

worker.node2.host=192.168.0.12
worker.node2.port=8009
worker.node2.type=ajp13

 

Note:
 The above configuration does the following:
   -  Defines 3 workers: 2 real workers using ajp13 (the "node1" and "node2" workers) and one load balancing worker (the "lb" worker)
   -  Sets sticky session to true
   -  Chooses a non-standard cookie name using the "session_cookie" attribute
   -  Uses 192.168.0.11 as the vApp node 1 IP address and 192.168.0.12 as the vApp node 2 IP address

 

7. Create a uriworkermap.properties file under the isapi directory with the following contents:

 

# iam
/iam/im/*=lb
/iam/im/=lb
/iam/im*=lb

# castyles
/castylesr5.1.1/*=lb
/castylesr5.1.1/=lb
/castylesr5.1.1*=lb
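
Added example, not part of the original article: a PowerShell lint that cross-checks the step 6 and step 7 files and shows which request paths the /iam rules forward to the "lb" worker. Wildcard matching is approximated with PowerShell's case-sensitive -clike operator, which is a simplified model of the connector's matching and not its code; the request paths are constructed.

```powershell
# Added example: the file contents are copied from steps 6 and 7 of this page;
# the request paths in check 3 are constructed for illustration.
$workersText = @'
worker.list=lb, node1, node2
worker.lb.type=lb
worker.lb.balance_workers=node1,node2
worker.node1.host=192.168.0.11
worker.node1.port=8009
worker.node1.type=ajp13
worker.node2.host=192.168.0.12
worker.node2.port=8009
worker.node2.type=ajp13
'@
$mapText = @'
# iam
/iam/im/*=lb
/iam/im/=lb
/iam/im*=lb
'@

function ConvertFrom-Properties([string]$Text) {
    $h = [ordered]@{}
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line -notmatch '=') { continue }
        $k, $v = $line -split '=', 2
        $h[$k.Trim()] = $v.Trim()
    }
    $h
}
$w = ConvertFrom-Properties $workersText
$m = ConvertFrom-Properties $mapText

# 1. Every member of the balancer needs type, host and port.
foreach ($n in ($w['worker.lb.balance_workers'] -split '\s*,\s*')) {
    foreach ($attr in 'type', 'host', 'port') {
        if (-not $w.Contains("worker.$n.$attr")) { "MISSING worker.$n.$attr" }
    }
}
# 2. Every mapping must point at a worker named in worker.list.
$listed = $w['worker.list'] -split '\s*,\s*'
foreach ($uri in $m.Keys) {
    if ($listed -notcontains $m[$uri]) { "UNKNOWN worker '$($m[$uri])' in rule $uri" }
}
# 3. Which rules forward which paths; '*' is modelled as "any run of characters".
foreach ($path in '/iam/im/identityEnv', '/iam/im', '/iam/im-constructed/x', '/iam/other') {
    $hits = @($m.Keys | Where-Object { $path -clike $_ })
    '{0,-22} -> {1}' -f $path, $(if ($hits) { $hits -join ', ' } else { 'not forwarded' })
}
```

The third check shows that /iam/im*=lb on its own covers the other two /iam rules and also forwards any sibling path that merely begins with /iam/im. Dropping that rule limits forwarding to /iam/im/ and below.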

 

8. Launch IIS management console, add a new virtual directory to your IIS web site. In a clean install, this will be the Default Web Site. The name of the virtual directory must be jakarta. Its physical path should be the directory where you placed isapi_redirect.dll


9. Select the newly created virtual directory in the management console and then double-click Handler Mappings. Select the (currently disabled) ISAPI-dll entry and then click Edit Feature Permissions in the action pane. In the dialog box that opens, select Execute so that all three permissions are selected. Click OK and ISAPI-dll should now be in the enabled state.

10. Again using the IIS management console, add the ISAPI redirector as a filter to your web site. Select your web site and then double-click ISAPI Filters. From the action pane, click Add.... For the filter name use tomcat and the executable should be the full path to isapi_redirect.dll. Once configured, click OK.

11. Still using the IIS management console, configure the ISAPI redirector as allowed. Select your server (not the web site) and then double-click on ISAPI and CGI Restrictions. From the action pane, click Add.... Select the isapi_redirect.dll, add a description (e.g. tomcat) and select the Allow extension path to execute and then click OK.

12. Restart IIS (stop and start the IIS service from the Windows Services panel).

13. You can then try to access the Identity Manager User Console using the following URL:
             http://<IIS Server FQHN>/iam/im/identityEnv
      Notes:
        - <IIS Server FQHN> is the IIS server's Fully Qualified Hostname or IP address. No port is specified because IIS is assumed to be running on the default TCP/80.
        - identityEnv is the default Identity Manager Environment (IME) name
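
A post-setup review of the step 3 grant, as an added example that is not part of the original article: Modify on C:\inetpub\isapi lets the application pool identity change every file in that directory, including isapi_redirect.dll and the .properties files, while log_file is the only output path this configuration names. The script lists write-capable grants held by anyone outside a short list of built-in principals; that list is an assumption to adjust per environment.

```powershell
# Added example (not from the original article): list identities that hold
# write-capable rights on the ISAPI directory and the files inside it.
$IsapiDir = 'C:\inetpub\isapi'          # directory created in step 2
# Rights that allow changing or replacing a file; Modify includes Write and Delete.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
# Assumption: only these built-in principals are expected to hold write access.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

function Get-WriteGrant([string]$Item) {
    (Get-Acl -LiteralPath $Item).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $writeBits) -ne 0 -and
            $expected -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            [pscustomobject]@{
                Item      = $Item
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

if (Test-Path -LiteralPath $IsapiDir) {
    # Check the directory itself and every file in it (DLL, .properties, log).
    $items = @($IsapiDir) + @(Get-ChildItem -LiteralPath $IsapiDir -File | ForEach-Object FullName)
    $items | ForEach-Object { Get-WriteGrant $_ } | Format-Table -AutoSize
} else {
    Write-Warning "$IsapiDir not found; run this on the IIS server after step 3."
}
```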

Additional Information

For more advanced settings, please refer to:

https://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

 

The exact config will vary depending on your IIS version and app server, etc.

This is provided as a sample and does not cover every possible use case of these 3rd party tools. You should perform your research on how to configure them specifically for your environment and use case.