Posts in Category "Install"

Connect on-premise Server: Configure additional ports for RTMP traffic

Posted on March 5, 2014 by | Comments (0)

By default the meeting server (FMS) in Connect binds to port 1935.  Here’s how to add additional ports like port 80 for use with the meeting server.

This should work with all versions of Connect.  I am assuming you would like to use port 80 and 443 in addition to 1935  (all in rtmp, no encryption).
As Connect consists of two servers, the application server (Tomcat) and the meeting server (FMS) you need to configure a second IP address and FQDN in order to bind two services to port 80.  Make sure your new FQDN resolves to the new second IP address. The second IP and FQDN will be used for the meeting traffic.

I am using these values in my setup:

Application Server: connect912.adobe.com – IP 10.1.1.1
Meeting Server: connect912meeting.adobe.com – IP 10.1.1.2

So here we go:

  • Make sure you can ping both names and they resolve to the correct IP addresses.
  • Open the server console and set the new meeting server FQDN in the “external name” field and save your changes.

In my setup this is connect912meeting.adobe.com:

consoleExternalName

 

  • Configure the meeting server to listen on the new IP:Port.

In my setup I am adding port 80 and 443 in addition to the default port 1935.

Open the custom.ini (by deault  in C:\Connect\9.1.1\ if running Connect 9.1.x) and add these lines:

DEFAULT_FCS_HOSTPORT=10.1.1.2:80,443,1935
RTMP_SEQUENCE= rtmp://external-host:1935/?rtmp://localhost:8506/,rtmp://external-host:80/?rtmp://localhost:8506/,rtmp://external-host:443/?rtmp://localhost:8506/

Replace 10.1.1.2 with your meeting server IP address and also make sure the RTMP_SEQUENCE is in one line. Save the changes.

  • Restart the services, FMS and Adobe Connect service.

Once the services are back up and running you should be able to start a new meeting.  If there are no firewall restrictions a meeting should connect on the first port listed in the RTMP_SEQUENCE. In this example port 1935.
To test the connection on the other ports, block outgoing connections to port 1935 on your client firewall.  If the meeting is still open on your client it should briefly disconnect and reconnect on the next available port. In my setup this would be port 80.

You can check which port you are connected to in a meeting by holding down the shift key and clicking “About Adobe Connect” from the help menu (top right in your meeting).

AboutAdobeConnect_RTMPSequence

 

 

update (03/04/2014): 

It appears that with version 9.2 you also need to specify the IP address the application server binds to. By default it binds on 0.0.0.0:80, so on all available IPs on port 80.With Connect 9.2 I have come across an issue where the application server does not properly create a listener when port 80 is used for the meeting server as well.
The easiest way around this problem is to specify the IP in the application server config so it starts a listener on this one IP only.

In the server.xml in \appserv\conf\ find this section:

    <Connector port=”80″ protocol=”HTTP/1.1″
            executor=”httpThreadPool”    
           enableLookups=”false”
               acceptCount=”250″
               connectionTimeout=”20000″
               redirectPort=”443″
               URIEncoding=”utf-8″/>

And add your application server IP address:

    <Connector port=”80″ protocol=”HTTP/1.1″
            address=”10.1.1.1″
           executor=”httpThreadPool”    
           enableLookups=”false”
               acceptCount=”250″
               connectionTimeout=”20000″
               redirectPort=”443″
               URIEncoding=”utf-8″/>

Save the change and restart your services once again.

Adobe Connect Database Disaster Recovery Options

Posted on February 26, 2014 by | Comments (0)

Having a good recovery strategy allows for recovery of data in case of unforeseen events such as user error, hardware failure, drone strikes and fecal tsunamis. There are three recovery models:

  • Simple Recovery
  • Bulked Logged Recovery
  • Full Recovery

Simple Recovery is the most rudimentary. When the DB recovery mode is set to simple, the transaction log does not get backed up. It is auto-truncated and you can only ever recover to a full db backup; this builds-in the potential for data loss as a point-in-time recovery is not possible. Generally, the Simple Recovery option is recommended for development or test environments where data recovery is not critical. It is also a good strategy for a novice DBA as you don’t have to worry about a detailed backup and restore plan/jobs. Mission critical databases should never be in simple mode, but for non-mission critical deployments it is a low-overhead alternative.

The Bulk Logged Mode is not very commonly used. When the DB recovery mode is set to Bulk Logged, bulk operations are only minimally logged (Select Into, Create Index, etc.). This results in in reduced log space consumption. The shortfall is that if the last transaction log has bulk operations in it, then point in time recovery is not possible; if it does not have bulk operations in it, then point in time recovery is possible. While it may be prudent to switch full recovery databases temporarily into Bulk Logged Mode for the purpose of re-indexing a very large database, be sure to always switch them back as critical databases probably shouldn’t be in Bulk Logged recovery mode.

Full Recovery Mode is the default recovery model and is the most granular. When the database recovery mode is set to full, everything get’s logged to the Transaction Log resulting in greater log space consumption. Point in time recovery is possible in full recovery mode. This is the recovery model most users should choose for production data. By using this recovery model with regularly scheduled full backups, differential backups and transaction log backups, it allows for quicker point in time recovery.

Choosing a backup and recovery plan is relevant to the following criteria:

  • How important is the Data? The more important the data, the more likely you will choose full recovery and schedule regular full backups, differential backups and log backups.
  • How often does the data change? How busy is the Connect server?
    If the data only changes frequently during normal business hours, scheduling log backups closer together during these times and further apart during non business hours might work out.
  • How much space do you have available for backups? This could determine how many backups will you store and how often will you back up.
  • How quickly do you need to recover data? If recovery speed is not important, but point in time is, you might choose not to do any differential backups and just do Full nightly backups and regular transaction log backups.

Based on the answers to the previous questions, you should be able to determine a backup plan that fits your needs. Remember to test the recovery of your backups regularly.  Backing up is useless if backups are corrupt or not working correctly.

Another important consideration is with the timing of backups. Keep in mind that performing backups is resource intensive.  To help determine an appropriate schedule of your backups, consider the ongoing activities on the Connect servers.

If  you want to focus on recovering data in case of fire or natural disaster then you you should consider storing the backups offsite.  Many savvy DBA’s they keep a predetermined number of current backups on site and also ship the backups offsite (tape or network).  They might choose to keep five current backups onsite and as many as 30 offsite.

SQL 2008 has backup compression allowing you to save on disk space, but it comes with a cost of speed. Choose the compression level that suits your speed of backup. Third-party products offer backup compression as well.

Consider also the various high availability options:

  • SQL clustering relies on Windows clustering. It clusters the entire server not just the database. The fail-over is slower than mirroring and doesn’t provide a fail-over against disk failure.
  • Mirroring (http://msdn.microsoft.com/en-us/library/ms189852.aspx) is a faster fail-over solution. The Connect SQL driver has the ability to choose a fail-over server. This can be done at the DB level.
  • Log Shipping ships completed transactions to the log shipped database; this can be done on the database level and requires manual intervention to fail-over as the log-shipped db is considered a warm DB

Note: Replication is not a recommended option.

Adobe’s Hosted infrastructure uses a hybrid high-availability strategy. We use database mirroring as the primary fail-over solution.It provides faster fail-over and does not have a single point of failure as does clustering which relies on the single disk. We also use log shipping as a secondary fail-over solution. In the extreme case that all mirrored databases go down, the log shipped database can be used with some user intervention: Break the log shipping, take the database out of standby mode and point the Connect server to it.

Adobe Connect Database Performance and Monitoring

Posted on February 26, 2014 by | Comments (0)

Following SQL database performance best practices and monitoring the health of you Connect database will help to insure a responsive Connect server providing excellent end user experience.

It is best to always place the operating system, data and log directories on separate disk drives; this will result in improved performance. If you must put Connect on the same server as the DB (never a best practice but sometimes a practical necessity), you should ensure that the Connect installation and content directories are on a different disk drive than is the database data. The Temp DB should also be on a separate disk drive. Putting the SQL data on striped disks,  provides a tuning benefit as well.

Be sure to aggressively re-index and update statistics. De-fragment the operating system data and log files on a regular schedule. Ensure that there is minimal latency between the Connect server and the SQL Server. Be wary of  network maintenance and backups that can produce latency between the Connect server and the SQL server and be sure to avoid heavy Connect use during any such maintenance.

Make sure that the SQL server has plenty of RAM; the more RAM the better.  Everything works much faster in memory.  The more of the database that you can keep in memory the better off you will be. Only virtualize the DB server if absolutely required.While Connect runs fine on supported VMWare servers, the SQL database server is best run on a dedicated platform

With reference to the use of separate disks, here is a prioritized list of what should have its own disk:

  1. Operating System
  2. Adobe Connect (Separate Server if possible)
  3. SQL database
  4. Data
  5. Log
  6. TempDB
  7. Transaction logs

For best performance, set the initial size of the transaction log file based on estimated use.  This avoids unnecessary fragmentation. The transaction log should be on a different drive than is your data file, temp database and operating system. Manually shrink the transaction log files based on monitoring.  If you try to do this as a nightly or weekly job, you will end up with unnecessary fragmentation. De-fragment the transaction log file as necessary and consider putting transaction logs on striped disks. Ensure regular backups as transaction log backups empty the space inside the log file and prevent it from continuing to grow.

Manage the memory by setting the minimum server memory for SQL server.  Remember to leave enough for the operating system and any other applications running on the server:

db3.fw

SQL Server uses the tempdb database as a working area for temporary tables, sorting, sub-queries etc.; the tempdb should be stored on its own drive away from other DBs whenever possible.  The default location is on the SQL install disk. Increase the size of the tempdb database based on expected usage and available space. SQL Server automatically adjusts the size over time, but each change causes a performance hit and causes fragmentation. By increasing the size, you avoid constant growth. SQL 2008 uses the tempdb more than prior versions of SQL. Never try to backup the tempdb.

Monitor the disk space of the data files and log files. Disk space is inexpensive when compared with the benefits it provides when available in abundance.  You should aim to keep at least 30% free disk space in case you need to expand the data/log files, or if they are set to autogrow.  Sudden increases in size should  be cause for investigation.

Monitor the fragmentation levels. If the database and log were set to autogrow at small intervals, there is a high likelihood that they are fragmented. If you regularly shrink the DB data files or log files, that could also lead to fragmentation

Monitor for slow queries; you can see slow queries in the Connect debug log.  Just search for Slow Query. Query times are returned in msec. Also look for lock timeouts in the debug log.  Generally this is a sign of database problems. A lock timeout is a query that attempts to get a lock on a database resource.  It times out because something else is already holding a lock. A lock is usually held until the transaction has completed, so if there is a long running query it could cause lock timeouts. You can also run traces against the database to gather information on long running queries.  In SQL 2008 you can query dynamic management views to get this information.

Monitor indexes liberally keeping in mind that re-indexing regularly should decrease the need to monitor indexes. Sometimes re-indexing may start taking too long to complete and you will want to be more selective about what to target. Knowing which tables or indices are most fragmented allows you to only re-index them. You can query dynamic management views in SQL Server to get this information (see SQL Server books online). Many 3rd party products offer monitoring of SQL server and you might consider these products if you want a more automated GUI interface to monitoring indexes. Some of the products offer monitoring for other areas of SQL Server as well.

Windows performance monitor or perfmon is useful; you can use perfmon to monitor SQL counters.  Here are 3 common counters which, if they reveal something will warrant further scrutiny.

  • Pages/sec  -  How much your SQL server is paging in and out of memory
  • Disk Queues -  If the write or read disk queues are too high, you will need more RAM
  • CPU Queue length -  If the CPU queue is consistently over 2 per CPU for an extended period of time, you might have a CPU bottleneck.

Be aware of  load and activity when monitoring with perfmon as database backups and other maintenance activities can cause spikes in these numbers. It is best to connect to the server from a different PC if you intend to monitor it with perfmon.

A good maintenance plan will include scheduled re indexing during off hours. Fragmented indices can cause Connect to become sluggish and might even cause fast-fails in a Connect cluster. If you start to see a lot of slow queries in the debug log, you should ensure that the Connect DB is being re-indexed regularly: Index maintenance is one of the easiest ways to keep your DB healthy and SQL Server provides wizards that help make index maintenance easy.

Open SQL Server Management Studio and open the management folder.

  • Right Click on the Maintenance Folder
  • Choose Maintenance Wizard

Give the Maintenance plan a name:

db4.fw

Choose the desired maintenance tasks: Rebuild Index & Update Statistics

db5.fw

Choose the Database you want to re-index:

db6.fw

Reorganize with the default amount of free space; the default amount is what it was initially created with.

db7.fw

Choose the same database to update statistics after you re-index.

db8.fw

Schedule a job to run the maintenance plan; provide a name and choose a schedule that suits your infrastructure:

db9.fw

Database performance and monitoring best practices will insure a responsive Connect server providing excellent end user experience.

FAQs on Adobe Connect SQL Database Installation, Startup, Connection and Pooling

Posted on February 26, 2014 by | Comments (0)

The following is a summary of Adobe Connect 9 database installation tips

1. What do I need to start?

Always check the updated system requirements page prior to installing: http://www.adobe.com/products/adobeconnect/tech-specs.html
As of the writing of this article it reads: Microsoft SQL Server 2008 SP3, 2008 R2

While it is best to have sa permissions, you are required to use a username and password with dbcreator privileges.  We highly recommend recommend using an sa account. After the install you may use a dbo account for normal use, but during any upgrade or updater application, you must switch back to sa.

2. When does the installer create the database for Connect?

All current Connect versions (after 7.5SP1) create the database during installation. Typically the DB creation process takes about 50 seconds. First the schema get created and then the seed data are inserted. After the DB is created, Connect is still not fully functional until you download and apply the license.txt file. The license file will insert additional seed data into the Connect database including templates and folders.

3. How should I troubleshooting database login failures during installation?

db1.fw

This error can mean several things:

  • The username incorrect
  • The password could be incorrect
  • SQL Server Authentication might not be on.

Entries in the debug.log will provide some answers:

db2.fw

  • java.sql.SQLException… Login failed for user ‘sa’ usually means it is a mistype in the username or password
  • java.sql.SQLException… Login failed for user ‘sa’. The user is not associated with a trusted SQL Server connection usually indicates SQL Authentication is disabled
  • java.sql.SQLException…Cannot open database “dbname” requested by the login,  usually indicates that the login exists, but does not have permission to open the DB
  • java.sql.SQLException…CREATE TABLE permission denied in database ‘dbname, this usually indicates the login has permission to login to the DB, but does not have permission to create schema objects.

Note: During install and upgrade and during minor updates of point releases, the DB user must have permissions create, alter or drop schema objects.

Note also that log errors are discussed on page 83 of the Adobe Connect Installation Guide: http://help.adobe.com/en_US/connect/9.0/installconfigure/connect_9_install.pdf

If you encounter any of these errors, stop all of the Connect services, correct the user privileges in SQL and start the services again.

4. What happens during a successful startup?

During startup, Connect tries to login to the SQL database, if it can’t connect, the service stays running but enters into a dormant state. You will be able to gain access to local port 8510 to configure the Connect server through its wizard, but  not the application front end. If it the connection is successful then Connect
makes multiple connections to the SQL database (connection pool). The initial connection pool and max connection pool is configurable. Connect checks the DB Version and determines if it needs to apply updates and then the Connect Host updates a row in the DB (PPS_ENUM_DATA_HOSTS) and sets itself active.

5. How does Connect monitor the health of the SQL database? What is the HealthCheck function for?

Connect relies heavily on the SQL databse. it is safe to call the SQL database the heart of any Adobe Connect installation. Connect contsnatly checks to see if there is a valid connection to the SQL database. Loss of connection can lead to data corruption. To avoid this, Connect runs a haelthcheck on the SQL database; it pings the SQL Server and checks to see if it has been more than 40 seconds since the Connect Server has updated the PPS_ENUM_DATA_HOSTS table. If it is greater than 40 seconds, the Connect Pro Host is marked inactive and the services for that Connect server will restart and then reattempt  to connect to the SQL database.

If you are running the Connect SQL database in a SQL cluster rather than in a mirrored environment, you will want to make sure that Connect makes multiple database connection attempts during SQL fail-over. If Connect loses its SQL database, the entire Connect cluster will go down and it will wait for an administrator to manually reconnect to the database through launching the Connect configuration console on port 8510. Add the following to the custom.ini file to support any delays in clustered SQL fail-over:

DB_URL_CONNECTION_RETRY_COUNT = 15
DB_URL_CONNECTION_RETRY_DELAY= 30

The actual JDBC string is in the config.ini file so you do not need to put it into the custom.ini; double check the config.ini if you are running into any problems with the JDBC reconnection string:

DB_URL=jdbc:macromedia:sqlserver://{DB_HOST}:{DB_PORT};databaseName={DB_NAME};user={DB_USER};password={DB_PASSWORD};ConnectionRetryCount={DB_URL_CONNECTION_RETRY_COUNT};ConnectionRetryDelay={DB_URL_CONNECTION_RETRY_DELAY}

6. What is the purpose of the Connection Pool and why do it the way we do?

Adobe Connect makes use of a connection pool. Every time the Application needs to communicate with the SQL database, it checks for the next available idle connection and uses it. If there isn’t one available, it will create a new connection unless it has reached the connection pool max. Once the application has finished it’s transaction, it releases the connection back into the pool.

  • Default initial DB_POOL_INITIAL_SIZE=20
  • Default Max DB_POOL_MAX_SIZE=40

This prevents the overhead of creating new connections each time a call to the SQL database is required. The connections are made at start-up. Since Connect relies heavily on the DB, having available connections is essential.

Using a Named Instance of SQL Server with Adobe Connect

Posted on February 19, 2014 by | Comments (0)

Issue: When using  a named instance of SQL server with Adobe Connect, if you enter the name of the instance during installation, the connection to the database will fail.

Workaround: Instead of using the name of the instance, you may enable TCPIP on the instance and use the IP address and then enter the port number for which the named instance is configured on the separate line as appropriate; if the named instance is listening on port 1833 (instead of 1433), then you would use the IPAddress (192.168.1.1)  and then the port number (1833) in the appropriate fields.

Using the instance name during installation after Connect version 8 will not work. The best approach is to use the port number of the instance and the IP Address of the database server.

To troubleshoot this, use SQL Server Configuration Manager:

Screen Shot 2014-02-21 at 7.59.05 AM

  • Make sure the instance has TCP/IP enabled.
  • Check to see what port the instance is listening on for that IP.
  • Use the IP address as server name (no instance name).  Put the port number in the port number field.
  • Make sure the named instance is listening on the port entered in Connect

Screen Shot 2014-02-21 at 7.59.41 AM

Screen Shot 2014-02-21 at 8.00.24 AM

Beginning with Connect version 8, the installer changed; in previous earlier versions, you would need to enter the the server instance and port on the same line.  The  newer installer has the port on a separate line:

HOST: INSTANCE-IP-ADDRESS
PORT: INSTANCE PORT-NUMBER
DATABASE NAME: SAMPLE-NAME
USER: SAMPLE-USER
PASSWORD: ****************
CONFIRM PASSWORD: ****************

The changes in the installer (beginning with Connect version 8) caused some confusion with named instances.

A named instance will work on an initial installation.  Sometimes, in an effort to troubleshoot you may initially point to a conventional instance of SQL in order to establish the installation and then point the established Connect installation to a named instance. The DB connection from an established Connect installation is more robust and forgiving than that of an initial installation.  After the installation is complete, you can modify custom.ini to include the instance name.

Note: You could use the server name, but you would need to ensure that the named instance has NAMED PIPES enabled.

Content Availability & Replication among Clustered Connect Servers

Posted on February 11, 2014 by | Comments (0)

This article addresses how to make sure every URL int a Connect cluster pops up like your grandmother’s trustworthy old pop-up-toaster.  If some published content will not play or display properly from your Connect cluster, do the following:

  • Make sure that the load balancing device in front the Connect cluster is not using sticky sessions or session awareness.
  • If you are using a Big-IP LTM, make sure that Nagle’s Algorithm is turned off .
  • Make sure that Clustered servers communicate with each other on ports 8506 and 8507. A simple netstat -an from the command prompt on each server will make certain each server is listening on 8507.
  • Don’t try to cheat on the number of documented VIPs required on the load-balancing device or SSL accelerator. Only one VIP is not the right answer.
  • When the servers cannot communicate, trouble ensues.Clustered servers need to be able to communicate with each other on port 8507. When they cannot communicate, the links to content will be broken and end users may experience hanging videos or unavailable content.
  • Search in your debug log for “cluster-”
    • [01-31 18:20:23,729] cluster-8507-696969 (INFO) MirrorHandler: waiting for commands”    2014-02-10T16:30:23.739-0600….
    • If you do  not see cluster-8507 then there is a replication communication problem on 8507
  • To help facilitate troubleshooting, during setup and during upgrades, if possible, allow the servers to have external access – at least allow the monitored and screened ability to toggle external access on and off by special request if needed. This will allow you access to Adobe’s license server and also to troubleshooting tools.
  • Install telnet on each server. Telnet is a great test tool. Placing telnet on each server and actually testing connectivity to each and from each server on ports 8506 and 8507 is prudent.
  • It is also prudent to have a useful browser on each server. I often install FireFox on each server along with the latest available Flashplayer. You may want to install Flashplayer on IE as well even though enhanced security will render it a challenge to use for any useful troubleshooting purposes. Useful flash-enabled browsers will facilitate direct tests on any problematic content on the servers from the servers thereby eliminating network and load-balancing variables when isolating issues.

How to Solve Port 80 Problems when running Adobe Connect on windows server and logs shows port 80 is already in use.

Posted on January 31, 2014 by | Comments (0)

Mostly in such situation the homepage wouldn’t show up however the console page works just fine.

There are a number of well-known Windows programs which use port 80:

IIS
The most likely culprit is Microsoft Internet Information Server.

SQL Server Reporting Services
SSRS can remain active even if you uninstall SQL Server. To stop the service:

  1. Open SQL Server Configuration Manager.
  2. Select “SQL Server Services” in the left-hand pane.
  3. Double-click “SQL Server Reporting Services”.
  4. Hit Stop.
  5. Switch to the Service tab and set the Start Mode to “Manual”.

Or

You can also stop the services from services.msc

Whats Using Port 80?

Further detective work is necessary if IIS and SSRS are not to blame. Enter the following on the command line:

netstat -aon

The active TCP addresses and ports will be listed — locate the line with local address “0.0.0.0:80″ and note the PID value.

Now right-click the task bar and select Start Task Manager. Navigate to the Processes tab and, if necessary, click View > Select Columns… to ensure “PID (Process Identifier)” is checked. You can now locate the PID you noted above. The description and properties should help you determine which application is using the port.

The Task Manager allows you to kill the process, but be a little wary about doing that — especially if it’s “NT Kernel & System”.

I Hope this would be helpful at some instances

Thanks

Configuring Adobe Connect to take Advantage of Database Mirroring

Posted on January 20, 2014 by | Comments (0)

Full redundancy requires that the Connect database be either mirrored or clustered; Adobe uses mirroring as the preferred solution.

The following example settings in the custom.ini file are needed to configure Connect to take advantage of SQL Mirroring:

DB_NAME=ConnectDBName

DB_HOST=ConnectDBPrimaryHostName

DB_BACKUP_HOST=ConnectDBSecondaryHostName

DB_URL=jdbc:macromedia:sqlserver://{DB_HOST}:{DB_PORT};databaseName={DB_NAME};user={DB_USER};password={DB_PASSWORD};AlternateServers=({DB_BACKUP_HOST}:{DB_PORT};DatabaseName={DB_NAME});ConnectionRetryCount=12;ConnectionRetryDelay=10;FailoverMode=extended;FailoverPreconnect=false;FailoverGranularity=atomic

Note: Change the first three variables as appropriate, but do not make any changes to the DB_URL.  It is all one line and it pulls the values from the other three entries in custom.ini:

The follwoing setting is always pudent whether using mirroring or clustering, but it is particularly important if you are clustering SQL. If you are running the Connect SQL database in a SQL cluster rather than in a mirrored environment, you will want to make sure that Connect makes multiple database connection attempts during SQL fail-over. If Connect loses its SQL database, the entire Connect cluster will go down and it will wait for an administrator to manually reconnect to the database through launching the Connect configuration console on port 8510. Add the following to the custom.ini file to support any delays in clustered SQL fail-over:

DB_URL_CONNECTION_RETRY_COUNT = 15
DB_URL_CONNECTION_RETRY_DELAY= 30

The actual JDBC string That invokes these variables is in the config.ini file:

DB_URL=jdbc:macromedia:sqlserver://{DB_HOST}:{DB_PORT};databaseName={DB_NAME};user={DB_USER};password={DB_PASSWORD};ConnectionRetryCount={DB_URL_CONNECTION_RETRY_COUNT};ConnectionRetryDelay={DB_URL_CONNECTION_RETRY_DELAY}

Save the custom.ini and cycle the services.

 

 

Improving the Performance of Connect Meeting Clustered Fail-over

Posted on January 6, 2014 by | Comments (0)

To improve the performance of Connect Meeting fail-over in a cluster, make the following changes to the custom.ini file and cycle the FMS and Connect services or reboot the connect servers:

The installation documentation for clustering originally prescribed setting the MEETING_TIMEOUT variable to 0 as shown:

#For Connect 8&9 Cluster fail-over add the following
MEETING_TIMEOUT=0
MEETING_CONNECT_BACK_TIME=1

We have discovered that setting the MEETING_TIMEOUT variable to 1 insures that a meeting will only have one active session while setting the MEETING_TIMEOUT variable to 0 opens the possibility (although rare) of a meeting having more than one active session. The result is a bit odd. Everyone could be happily in an ongoing Connect meeting while one attendee is alone in what appears to be the same meeting. This is usually triggered by an some form interruption in the isolated users meeting session such as from a brief outage in the network connection of the isolated user.

The new recommended custom.ini setting looks follows:

#For Connect 9 Cluster fail-over add the following
MEETING_TIMEOUT=1
MEETING_CONNECT_BACK_TIME=1

Save the custom.ini after making the change and cycle the Flash Management Sever and Adobe Connect Server services.

In Connect version 9.2, the meeting timeout session may be set back to 0 as we have made the appropriate code changes to insure the functionality works as originally intended even if a user experiences network interruptions and must reconnect to the meeting.

SSL Configuration Checklist for Connect with AEM-based Events

Posted on January 4, 2014 by | Comments (1)

This supplemental checklist alongside the  Adobe Connect installation guide and the SSL Configuration guide, will help expedite your SSL implementation of Connect with AEM-Events:

1. Always begin with a fully functional installation of Connect and AEM-based Events before adding SSL; Do not attempt to secure a server that is not fully tested to run all features without SSL: A server running all features in the clear with no problems manifested is the only place to begin.

2. Decide whether to use hardware-based or software-based SSL and obtain appropriate public certificates and FQDN’s. If needed, see Mohit’s excellent instructions to generate CSRs. If you are using software-based SSL, stunnel can either be installed locally or on a separate server. If you are using hardware-based SSL you will want to refer to the relevant third-party documentation along with that provided by Adobe. For F5 BIG-IP LTM, the following articles along with this blog article and the resources aforementioned will help:

For information about stunnel installation options with Connect 9, see Jim’s blog post on Adobe Connect 9.0.0.1 and 9.1 stunnel installation options. Within the 9.0.0.1 installation folder, under  \Adobe Connect 9.0.0.1\Adobe Connect\Merge_Modules, we provide the installer for  stunnel-4.53.  From there, you can install Stunnel 4.53 for your SSL deployment. Adobe QE has tested stunnel version 4.56 collocated with Connect – installed within the Connect installation directory. These days it is arguably prudent to use the latest security option tested. Depending on the version of Connect you are running, if you wish to use stunnel locally, then you would create and/or populate the stunnel directory under the root install directory: Connect\9.1.2\stunnel.

Click on this thumbnail diagram below to see what it would look like with a hardware-based SSL accelerator:

C9SSLAEMSingle

Click on this thumbnail diagram below to see what it would look like with stunnel collocated with Connect:

C9SSLAEMStunnel

The rest of this checklist & summary will assume stunnel is being used collocated with Connect, but the configuration variables will apply to hardware-based external SSL acceleration options as well and even a casual glance back at these diagrams will help you infer the differences.

The sample file editing offered herein will be based on the single server stunnel example depicted in the diagram above.

3. Four FQDN’s are required: This is how our working example FQDN list would appear in a host file.

  • 192.167.21.176  connectmtg.domain.com
  • 192.167.21.175 connect.domain.com
  • 192.167.21.174:443  cqauthor.domain.com
  • 192.167.21.173:443  cqpublisher.domain.com

4. Four certificates (or a wildcard certificate) is needed; here is the list of certificates for SSL following our example:

  • connectmtg.domain.com
  • connect.domain.com
  • cqauthor.domain.com
  • cqpublisher.domain.com

Note: These are depicted in our working example as a wildcard certificate: domain.com. If the certificates are not trusted public certificates, then meeting rooms will not open; self-signed certificates will not work with meeting unless they are installed on all clients. Place the certificates into the stunnel installation directory: \Connect\9.1.2\stunnel\

5. Backup and edit the stunnel.conf file: in the \Connect\9.1.2\stunnel\ directory to set up the four VIPs and pools:

stunnel.conf for four servers on one
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
options = DONT_INSERT_EMPTY_FRAGMENTS
; Service-level configuration
[https-vip]
; incoming vip for https (to secure Connect Application Traffic)
; ip address of the server with stunnel on it
; listens on port 443
accept =192.167.21.175:443
; ip of the connect server
; send the unecrypted request to port 8443
connect =127.0.0.1:8443
; Certificate info for Connect cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[rtmps-vip]
; incoming vip for fms (to secure Connect Meeting Traffic)
accept = 192.167.21.176:443
; ip of the fms server
; Send unencrypted request to 1935
connect = 127.0.0.1:1935
; Certificate info for Connect meeting cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[CQ_Author-vip]
; incoming vip for CQ-Author (to secure AEM-based Events Authoring)
accept = 192.167.21.174:443
; ip of the CQ Author server
; Send unencrypted request to 4502
connect = 127.0.0.1:4502
; Certificate info for CQ Author cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[CQ_Publisher-vip]
; incoming vip for CQ-Publisher (to secure AEM-based Events Publishing)
accept = 192.167.21.173:443
; ip of the CQ Publisher server
; Send unencrypted request to 4503
connect = 127.0.0.1:4503
; Certificate info for CQ Publisher cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem

6. Next backup and edit the custom.ini file: By default, the custom.ini will point to 4502 and 4502 for CQ Author and Publisher respectively; you must change the links to reflect https rather than http and also change the  names to the correct FQDNs and also enable SSL for Connect with these following entries:

CQ_AUTHOR_SERVER=https://author.adobeconnect.com
CQ_PUBLISH_SERVER=https://publisher.adobeconnect.com
DOMAIN_COOKIE=adobeconnect.com
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/

7. Next backup and edit the server.xml file; in the \appserv\conf\ directory; uncomment two sections depicted here to enable SSL:

<Executor name=”httpsThreadPool”
namePrefix=”https-8443-”
maxThreads=”350″
minSpareThreads=”25″/>

<Connector port=”8443″ protocol=”HTTP/1.1″
executor=”httpsThreadPool”
enableLookups=”false”
acceptCount=”250″
connectionTimeout=”20000″
SSLEnabled=”false”
scheme=”https”
secure=”true”
proxyPort=”443″
URIEncoding=”utf-8″/>

Note: Be sure to test the server.xml file for correct editing by opening it in a browser and viewing any syntax errors.

8. After configuring the stunnel.conf, the custom.ini and the server.xml file for all four server instances, stop all five the services in the following order:

  • Adobe Connect CQ Author
  • Adobe Connect CQ Publisher
  • Adobe Connect Server
  • Adobe Flash Media Server
  • stunnel

9. After all services are completely stopped, start all five services in reverse order; do not cheat and just restart each one successively.

  • stunnel
  • Adobe Flash Media Server
  • Adobe Connect Server
  • Adobe Connect CQ Publisher
  • Adobe Connect CQ Author

10. Open a browser on the Connect server; go to localhost:4502 and log into CQ5 Author as an administrator and edit the URL

  • Select CRXDE Lite on the menu list on the right side of the screen
  • Go to: content>connect>c1>jcr:content
  • Scroll to the serverURL line
    • Edit the URL for https
    • https://cqauthor.domain.com

11. Open a browser on the Connect server and go to localhost:4503 and log into CQ5 Publisher as an administrator and edit the URL

  • Select CRXDE Lite on the right menu list
  • Go to content>connect>c1>jcr content
  • Scroll to the serverURL line
    • Edit the URL for https
    • https://cqpublisher.domain.com

12. Open a browser on the Connect server and go to localhost:4502/system/console/configmgr and log in as an administrator and edit the author externalizer name and statistics URL

  • Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Author server
  • cqauthor.domain.com
  • Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4502 URL to reflect the FQDN of the Author server and HTTPS
  • https://cqauthor.domain.com/libs/wcm/stats/tracker

13. Open a browser on the Connect server and go to localhost:4503/system/console/configmgr and log in as an administrator and edit the publisher externalizer name and statistics URL

  • Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Publisher server
  • cqpublisher.domain.com
  • Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4503 URL to reflect the FQDN of the Author server and HTTPS
  • https://cqpublisher.domain.com/libs/wcm/stats/tracker

14. Stop all services and and restart as shown in steps 8 & 9 or reboot the server

15. Log into Connect and test all features including the Events module.

Troubleshooting appendix:

  • Check to make sure all five  services are running and start any that are not running.
  • Once all the services are up, click on the stunnel.exe icon in the stunnel directory and insure that stunnel runs without errors
    • If stunnel.exe throws an error then examine the stunnel.conf for syntax problems
    • If stunnel.exe starts successfully then look elsewhere for problems
  • If  Firefox browsers Fail to Connect when stunnel is used to secure Adobe Connect, then double check to be sure that the
    • sslVersion = all
    • fips = no
  • To make certain the help files are served via SSL, follow the instructions in Jim’s blog article: Changing the Help Links to use HTTPS://
  • Make sure there is not a passphrase on stunnel: see Jim’s blog article Adobe Connect Stunnel prompting for passphrase when server/services restarts
  • If stunnel does not start with Connect upon reboot, this technique will help: Stunnel does not Startup with Connect
  • Depending on the version of Connect you are running, you may need to add the certificate to the java CA certificates in Connect in order to allow images in the AEM-based Events module to appear in Connect. Ignore this step unless you are running Connect 9.0.0.1 and even then, if at all possible, simply use a later version of Connect instead as this issue has been fixed and this workaround is made superfluous for later versions:
    • For 9.0.0.1, export and then import the SSL certificate: Log into Connect and click on the lock in the URL line to the left of HTTPS and click the button in the pop-up: More Information>View Certificates>Details>Export to export the SSL certificate. Save the certificate in the jre\bin directory in the root install directory for Connect: Connect\9.1.2\jre\bin
    • Use the command prompt to complete the importation: F:\Connect\9.1.2\jre\bin> keytool -import -trustcacerts -alias connect -file certificate-name -keystore cacerts
      • The default password is changeit.
      • Overwrite any existing certificate.
      • The italicized alias connect is a variable
      • The italicized certificate-name must match the name of the certificate