9.1.1 Prerequisites

  • An L4 server is installed. The load-balancing algorithm can be anything (hash/sticky bit); it is defined at the real server level.

  • Persistence (sticky) sessions enabled on the L4 server. You usually define this at the virtual server level.

NOTE: If Access Manager Appliance is configured with public and private interfaces, the back channel communication uses the private interface. To allow this back channel communication on the private interface, modify the NAM-RP configuration to listen on both the private and public interfaces. For more information, see Section 3.8.3, Managing Reverse Proxies and Authentication.

Configuration Notes

A Note about Layer 4 Switch: A cluster of Access Manager Appliance must reside behind a Layer 4 (L4) switch. Clients access the virtual IP address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by balancing the traffic across the cluster.

Whenever a user accesses the virtual IP address assigned to the L4 switch, the system routes the user to an Access Manager Appliance in the cluster, as traffic necessitates.

IMPORTANT: You must not use a DNS round robin setup instead of an L4 switch for load balancing. The DNS solution works only as long as all members of the cluster are working and in a good state. If one of them goes down and traffic is still sent to that member, the entire cluster is compromised and all devices using the cluster start generating errors.

Services of the Real Server: A user’s authentication remains on the real (authentication) server, that is, the cluster member that originally handled the user’s authentication. If this server malfunctions, all users whose authentication data resides on this cluster member must re-authenticate unless you have enabled session failover. For more information about this feature, see Configuring Session Failover.

Requests that require user authentication information are processed on this server. When the system identifies that the server receiving a request is not the user's real server, the HTTP request is forwarded to the appropriate cluster member, which processes the request and returns the result to the requesting server.

A Note about Service Configuration: If your L4 switch can perform both SSL and non-SSL health checks, you must configure the L4 switch only for the services that you are actually using in your Access Manager configuration. For example, if you configure both the SSL service and the non-SSL service on the L4 switch, but the base URL of your Identity Server configuration uses HTTP rather than HTTPS, the health check for the SSL service fails. The L4 switch then assumes that all the Identity Servers in the cluster are down. Therefore, ensure that you enable only the services that are also enabled on the Identity Server.
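As an added illustration (not from this guide or the product) of the health-check mismatch described above, the following Python models which cluster members an L4 switch keeps in rotation when every enabled health check must pass; the base URL, member names and served services are constructed sample data.

```python
"""Check L4 health-check services against the Identity Server base URL scheme.

Added example, not part of the Access Manager documentation. It models the
pitfall above: a health check enabled on the L4 switch for a service the
Identity Servers do not expose never succeeds, so the switch marks every
cluster member down and the whole cluster appears unavailable.
"""
from urllib.parse import urlsplit

# Constructed sample: a hypothetical HTTP base URL and three members serving only HTTP.
IDS_BASE_URL = "http://idp.example.com:8080/nidp/"
CLUSTER_MEMBERS = {
    "ids1": {"http"},
    "ids2": {"http"},
    "ids3": {"http"},
}


def required_services(base_url):
    """Return the set of L4 health-check services that match the base URL scheme."""
    scheme = urlsplit(base_url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in base URL: {scheme!r}")
    return {scheme}


def validate_l4_health_checks(base_url, l4_health_checks):
    """Return the checks enabled on the L4 that the Identity Server configuration does not use."""
    return sorted(set(l4_health_checks) - required_services(base_url))


def members_considered_up(members, l4_health_checks):
    """Members the L4 switch keeps in rotation: every enabled check must pass on that member."""
    checks = set(l4_health_checks)
    return sorted(name for name, served in members.items() if checks <= served)


if __name__ == "__main__":
    wrong = {"http", "https"}            # both services enabled, as in the text's example
    right = required_services(IDS_BASE_URL)
    print("checks to disable:", validate_l4_health_checks(IDS_BASE_URL, wrong))
    print("up with both checks:", members_considered_up(CLUSTER_MEMBERS, wrong))
    print("up with matching check:", members_considered_up(CLUSTER_MEMBERS, right))
```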

A Note about Alteon Switches: When you configure an Alteon switch for clustering, direct communication between real servers must be enabled. If direct access mode is not enabled and one of the real servers tries to proxy another real server, the connection fails and times out.

To enable direct communication on the Alteon, perform the following steps:

  1. Go to cfg > slb > adv > direct.

  2. Specify e to enable direct access mode.

Installing Secondary Access Manager Appliance

  1. Insert the CD containing the software.

    The installation process is almost the same for a secondary appliance as for a primary. If this is a second or third appliance, Administration Console is configured for fault tolerance. Ensure that you perform the following actions while installing a secondary appliance:

    • Deselect Primary.

    • Specify the IP address of the primary Access Manager Appliance.

    • Specify the user name and password of the primary Access Manager Appliance.

    Installation of the secondary appliance becomes interactive after the installation of the operating system in the following scenarios:

    • (Conditional) When this is the fourth appliance: The number of Administration Consoles in a cluster is restricted to three. If more appliances are added to the cluster, the system asks whether you want to proceed with the installation of the rest of the components other than Administration Console.

    • (Conditional) When the time is not synchronized between the primary and secondary appliances: The system displays a message asking you to retry the time synchronization or to proceed without synchronization.

    Configure the details on the Administration Console Configuration page as specified in step 9 in Installing Access Manager Appliance in the NetIQ Access Manager Appliance 4.4 Installation and Upgrade Guide.

  2. Continue with the installation process.

    Identity Server and Access Gateway from the secondary appliance are automatically clustered with the primary appliance. If this is the second or third secondary appliance, the configuration store is configured for fault tolerance. Install at least one secondary appliance.

    After successful installation, the appliance points to the Access Manager Appliance's IP address for the web server, and Identity Server points to the local user store. If a cluster is configured for Access Manager Appliance and the primary appliance is down, users cannot authenticate because the user store is on the primary appliance, and they cannot access resources because the master proxy service points to the web server on the primary appliance. Therefore, change the IP address of the web server configured in the master proxy service to point to your test or production web server, and change the Identity Server’s configuration to point to an external user store.