9.2.3 Health Checks

L4 switches use health checks to determine which cluster members are ready to receive requests and which cluster members are unhealthy and must not receive requests. You need to configure the L4 switch to monitor the heartbeat URL of Identity Servers and Access Gateways, so that the L4 switch can use this information to update the health status of each cluster member.

The procedure is slightly different for Identity Servers and Access Gateways:

Health Checks for Identity Server

Administration Console uses the heartbeat URL to display the health status of Identity Servers. The Identity Server heartbeat URL is the DNS name of the Identity Server plus the following path:

/nidp/app/heartbeat

L4 switches require you to use an IP address rather than the DNS name. If the IP address of the Identity Server is 10.10.16.50, and you have configured the Identity Server for HTTPS, the heartbeat has the following URL:

https://10.10.16.50:8443/nidp/app/heartbeat

You need to configure the L4 switch to use this heartbeat URL to perform a health check. If you have configured SSL on the Identity Servers and your L4 switch can perform an SSL L7 health check, you can use HTTPS. When the member is healthy, the SSL L7 health check returns a status of 200 OK, or 200 (the latter only for 4.4 SP3 and later); any other status code indicates an unhealthy state.

For a Foundry switch, the L7 health check script string must look similar to the following when the hostname is nidp1 and the IP address is 10.10.16.50:

healthck nidp1ssl tcp
  dest-ip 10.10.16.50
  port ssl
  protocol ssl
  protocol ssl url "GET /nidp/app/heartbeat HTTP/1.1\r\nHost: st160.lab.tst"
  protocol ssl status-code 200 200
  l7-check

If your switch does not support an SSL L7 health check, the HTTPS URL returns an error, usually a 404 error. Because the Identity Server heartbeat URL listens on both HTTPS and HTTP, you can use an HTTP URL for switches that do not support the SSL L7 health check. For example:

http://10.10.16.50:8080/nidp/app/heartbeat

An Alteon switch does not support the L7 health check, so the string for the health check must look similar to the following:

open 8080,tcp
send GET /nidp/app/heartbeat HTTP/1.1\r\nHOST:heartbeat.lab.tst\r\n\r\n
expect HTTP/1.1 200
close

Health Checks for Access Gateway

External communication to Access Gateway is typically configured to use HTTPS. In an HTTPS configuration, an L4 switch performs health checks of Access Gateways with the published DNS name of Access Gateway plus the following path:

/nesp/app/heartbeat

L4 switches require you to use an IP address rather than the DNS name. If the IP address of the Access Gateway is 10.10.16.172, and you have configured the Access Gateway for HTTPS, the heartbeat has the following URL:

https://10.10.16.172:443/nesp/app/heartbeat

For an L4 switch to support an HTTPS query for the health of an Access Gateway, the switch must support an L7 health check. For a Foundry switch, the L7 health check script string must look similar to the following when the hostname is ag1 and the IP address is 10.10.16.172:

healthck ag1ssl tcp
  dest-ip 10.10.16.172
  port ssl
  protocol ssl
  protocol ssl url "GET /nesp/app/heartbeat HTTP/1.1\r\nHost: st160.lab.tst"
  protocol ssl status-code 200 200
  l7-check

If your L4 switch does not support an SSL L7 health check, the HTTPS health check URL returns an error, usually a 404 error. To solve this problem, you can create a specialized reverse proxy that opens a non-SSL port for the heartbeat URL. The following instructions configure this reverse proxy to use port 81, because port 80 on the specified IP address is reserved for redirects to the SSL port.

To create a reverse proxy for the health check:

  1. In Administration Console Dashboard, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. To create an additional reverse proxy service (such as heartbeat), click New, then specify a name.

  3. Change the Non-Secure Port to 81.

    Configure Access Gateway to listen on the same IP address as the service using port 443. For non-SSL, you must use port 81. Do not use port 80.

    For proper heartbeat information when multiple IP addresses are configured in your Access Gateway, ensure that the reverse proxy service created for the heartbeat URL listens on the same IP address as the authenticating reverse proxy service.

  4. Click New to create the proxy service.

  5. Configure the following fields:

    Proxy Service Name: Specify a name that identifies the purpose of this proxy service.

    Published DNS Name: Specify a second DNS name that resolves to the VIP of Access Gateways on the L4 switch. For example, if the DNS name is jwilson.provo.novell.com for Access Gateways, you could use heartbeat.jwilson.provo.novell.com for the second name.

    Web Server IP Address: Specify the internal address: 127.0.0.1.

    Host Header: Select Forward Received Host Name. This field is not used.

  6. Click OK.

  7. On the Reverse Proxy page, click the new proxy service, then click Web Servers.

  8. Change the Connect Port value on the Web Servers page to 9009.

    The service provider (ESP) in Access Gateway that provides the heartbeat service listens on 127.0.0.1:9009.

  9. Click Protected Resources.

  10. Click New, then specify a name.

  11. In the URL Path List, click /*, and modify the path to contain the following value:

    /nesp/app/heartbeat

    This is the path to the heartbeat application.

  12. Click OK > OK.

    The heartbeat of this Access Gateway is available from the following URL (See Step 4.):

    http://heartbeat.jwilson.provo.novell.com:81/nesp/app/heartbeat

    If the protected resource is configured with a path of / or /*, the solution works but it can be vulnerable to attacks because the configuration opens ESP over a non-SSL port. Restricting the resource to /nesp/app/heartbeat automatically denies access to ESP except for the heartbeat.

  13. Click OK and apply the changes to the configuration.

  14. Add a health check script similar to the following to the L4 switch configuration:

    For a Foundry switch, your string must look similar to the following if the hostname is ag1 and the IP address is 10.10.16.172:

    healthck ag1 tcp
      dest-ip 10.10.16.172
      port http
      protocol http
      protocol http url "GET /nesp/app/heartbeat HTTP/1.1\r\nHost:st160.lab.tst"
      protocol http status-code 200 200
      l7-check

    For an Alteon switch, your string must look similar to the following if the hostname is ag1 and the IP address is 10.10.16.172:

    open 81,tcp
    send GET /nesp/app/heartbeat HTTP/1.1\r\nHOST:heartbeat.lab.tst\r\n\r\n
    expect HTTP/1.1 200
    close
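The following Python script is an added example, not Access Manager code or a switch script. It does from an administrator's workstation what the Foundry and Alteon strings above do on the switch, for both the Identity Server heartbeat (/nidp/app/heartbeat) and the Access Gateway heartbeat (/nesp/app/heartbeat): send a single GET with a Host header and treat only HTTP 200 as healthy. It also checks the point made in Step 12, that the port-81 reverse proxy should answer 200 only for /nesp/app/heartbeat and deny everything else. Because it has to run offline, it includes a constructed stand-in for the port-81 proxy; the host name heartbeat.lab.tst, the ephemeral port, the non-heartbeat path /nesp/app/some-other-path and the 403 the stand-in returns for denied paths are all assumptions, not values from the product.

```python
# Added example (not Access Manager code): probe a heartbeat URL the way an L4
# switch health check does, and report which paths a non-SSL heartbeat proxy
# answers with 200. Host names, ports and the non-heartbeat path are assumptions.
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

IDP_HEARTBEAT = "/nidp/app/heartbeat"   # Identity Server heartbeat path
ESP_HEARTBEAT = "/nesp/app/heartbeat"   # Access Gateway (ESP) heartbeat path


def probe(host, port, path, host_header, use_tls=False, timeout=5.0):
    """Send one 'GET <path> HTTP/1.1' with a Host header, as the switch script
    strings do, and return (healthy, status). Only HTTP 200 counts as healthy;
    any other status, a refused connection or a timeout marks the member down."""
    if use_tls:
        # The switch connects by IP, so the member's certificate name cannot
        # match; the probe therefore negotiates TLS without name checking,
        # which is what an 'SSL L7' health check on the switch also does.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header, "Connection": "close"})
        resp = conn.getresponse()
        resp.read()
        return resp.status == 200, resp.status
    except (OSError, http.client.HTTPException):
        return False, None
    finally:
        conn.close()


def exposure_report(host, port, host_header, paths):
    """Map each path to the status the non-SSL heartbeat port returns for it.
    With the protected resource restricted to /nesp/app/heartbeat, only that
    path should come back 200; with / or /*, other ESP paths answer too."""
    return {p: probe(host, port, p, host_header)[1] for p in paths}


class _FakeHeartbeatProxy(BaseHTTPRequestHandler):
    """Constructed stand-in for the port-81 reverse proxy so the example runs
    offline. 'restricted' mirrors the protected-resource path list: True means
    only the heartbeat path is allowed, False means /* (everything allowed).
    Answering 403 for denied paths is an assumption of this stand-in."""
    restricted = True

    def do_GET(self):
        if self.path == ESP_HEARTBEAT or not self.restricted:
            status, body = 200, b"Success"
        else:
            status, body = 403, b"Forbidden"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the stand-in quiet


def start_fake_proxy(restricted=True):
    """Start the stand-in on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    handler = type("Handler", (_FakeHeartbeatProxy,), {"restricted": restricted})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    other = "/nesp/app/some-other-path"   # constructed non-heartbeat ESP path
    for restricted in (True, False):
        srv, port = start_fake_proxy(restricted)
        label = "restricted to heartbeat" if restricted else "resource is /*"
        print(label, exposure_report("127.0.0.1", port, "heartbeat.lab.tst",
                                     [ESP_HEARTBEAT, other]))
        srv.shutdown()
        srv.server_close()
```

Against a real Access Gateway, call probe("10.10.16.172", 81, ESP_HEARTBEAT, "heartbeat.jwilson.provo.novell.com") after completing the procedure above, and probe("10.10.16.50", 8443, IDP_HEARTBEAT, "nidp1", use_tls=True) for an Identity Server over HTTPS; the return value mirrors the Alteon "expect HTTP/1.1 200" rule. Running exposure_report with a second, non-heartbeat path on port 81 is the quick way to confirm that the protected resource was narrowed to /nesp/app/heartbeat rather than left at /*.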