I have 3 Windows Server 2012 servers behind the Azure load balancer running IIS. I have configured the load balancer probe for port 80 using the following powershell command:
Get-AzureVM -ServiceName 'myfarm' | Set-AzureEndpoint -Name web -LocalPort 80 -PublicPort 80 -Protocol tcp -LBSetName web -ProbePath '/health.aspx' -ProbeProtocol http -ProbePort 80 | Update-AzureVM
This works great. But I have problems getting the same for port 443 to work. What I would like to do is to create a load balanced 443 but with the probe configured to hit the same port 80 on the servers. So I've executed the following command:
Get-AzureVM -ServiceName 'myfarm' | Set-AzureEndpoint -Name ssl -LocalPort 443 -PublicPort 443 -Protocol tcp -LBSetName webssl -ProbePath '/health.aspx' -ProbeProtocol http -ProbePort 80 | Update-AzureVM
But this doesn't work. Instead I get the following error on Update-AzureVM:
Update-AzureVM : Failed: Property 'LoadBalancerProbe.Port' for entity type 'ExternalEndpoint' with name 'ssl' has invalid value '443'. At line:1 char:196+ ... ProbePort 80 | Update-AzureVM+ ~~~~~~~~~~~~~~+ CategoryInfo : CloseError: (:) [Update-AzureVM], Exception+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Management.ServiceManagement.IaaS.UpdateAzureVMCommand
If I change the probe port to 443, the command executes without errors.(Sometimes the invalid port reported in the error is 80). So is it required that the probe port matches the endpoint's (local)port?
Even though I can get the command to execute when I set the probe port to 443, I can't reach my web servers with https (http works). I've validated that they work from localhost. I suspect this is because I don't have a signed certificate configured for the default web site, instead I'm using self-signed certificate which I've shared between all the servers.
I must admit that I don't have any idea on how to get a signed certificate for my default web site, because I don't set any host to the default web site. So should I get a certificate for my cloud service "myfarm.cloudapp.net"?
I'm lost and greatly appreciate any help.
Update: I found the following statement:
It is important to understand that the URL configured for the custom probe receives a GET request from the load balancerwithout passing host headers or any authentication of any kind.
Doesn't this mean that it's impossible to get load balanced 443 with probe to work? The request from LB to IIS comes without host header so it will hit the "default" IIS site (no host headers set in the bindings). And it's impossible(?) to create a trusted&signed certificate for that. This wouldn't be a problem if I could configure the load balancer to probe the port 80 instead of 443, but as mentioned above, this throws errors.