3.7 Access Gateways Clusters

A cluster of Access Gateways must reside behind a Layer 4 (L4) switch. Clients access the virtual IP on the L4 switch, and the switch alleviates server load by balancing traffic across the cluster of Access Gateways. Whenever a user enters the URL for an Access Gateway resource, the request is routed to the L4 switch, and the switch routes the user to one of the Access Gateways in the cluster, as traffic necessitates.

Figure 3-4 illustrates the flow of a user request when Access Gateways are clustered behind an L4 switch.

Figure 3-4 Clustering Access Gateways

  1. The user requests access to a protected resource by sending a request to the L4 switch. The request is sent to one of the Access Gateway servers in the cluster.

  2. Access Gateway redirects the request to Identity Server for authentication. Identity Server presents the user with a login page, requesting a user name and a password.

  3. Identity Server verifies the user’s credentials with the directory.

  4. The validated credentials are sent through the L4 switch to the same Access Gateway that first received the request.

  5. Access Gateway verifies the user credentials with Identity Server.

  6. If the credentials are valid, Access Gateway forwards the request to the web server.

If the Access Gateway where the user’s session was established goes down, the user’s request is sent to another Access Gateway in the cluster. This Access Gateway pulls the user’s session information from Identity Server. This allows the user to continue accessing resources without having to re-authenticate.

IMPORTANT: You must not use a DNS round robin setup instead of an L4 switch for load balancing. The DNS solution works only as long as all members of the cluster are working and in a good state. If one of them goes down and traffic is still sent to that member, the entire cluster is compromised and starts generating errors.
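The following is an added example, not part of the NetIQ documentation or product, that models the two balancing behaviours this section contrasts. The `L4Switch` class imitates what the L4 switch does for the cluster (health-check members before routing, and pin a client’s session to the Access Gateway that first received it, as in step 4 above); the `DnsRoundRobin` class hands out members in rotation with no health awareness. The gateway names `ag1`–`ag3`, the client name and the request paths are constructed values; the simulated failure is one member going down after the first request.

```python
"""Simulation of L4 health-checked balancing vs. DNS round robin (added example)."""
import itertools
from dataclasses import dataclass


@dataclass
class AccessGateway:
    """One cluster member; `healthy` is flipped by the simulation to model an outage."""
    name: str
    healthy: bool = True

    def handle(self, client: str, path: str) -> str:
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        return f"{self.name} served {path} for {client}"


class L4Switch:
    """Virtual IP front end: checks member health and keeps session persistence."""

    def __init__(self, members):
        self.members = list(members)
        self._rr = itertools.cycle(range(len(self.members)))
        self.persistence = {}  # client -> member name the session was established on

    def _pick(self, client: str) -> AccessGateway:
        sticky = self.persistence.get(client)
        if sticky is not None:
            member = next(m for m in self.members if m.name == sticky)
            if member.healthy:
                return member
            # Pinned member is down: fall through and re-home the session on a
            # healthy member (the new gateway fetches the session from Identity Server).
        for _ in range(len(self.members)):
            member = self.members[next(self._rr)]
            if member.healthy:  # health check before any traffic is routed
                self.persistence[client] = member.name
                return member
        raise RuntimeError("no healthy Access Gateway left in the cluster")

    def request(self, client: str, path: str) -> str:
        return self._pick(client).handle(client, path)


class DnsRoundRobin:
    """DNS answers rotate through member addresses; a failed member stays in rotation."""

    def __init__(self, members):
        self._rr = itertools.cycle(list(members))

    def request(self, client: str, path: str) -> str:
        return next(self._rr).handle(client, path)


def make_cluster():
    # Constructed three-member cluster (names are assumptions).
    return [AccessGateway("ag1"), AccessGateway("ag2"), AccessGateway("ag3")]


def simulate(balancer_cls, requests: int = 6):
    """Send `requests` from one client; the first member used goes down after request 1."""
    members = make_cluster()
    balancer = balancer_cls(members)
    results = []
    for i in range(requests):
        if i == 1:
            members[0].healthy = False  # ag1, which served request 0, goes down
        try:
            results.append(balancer.request("alice", f"/app/{i}"))
        except ConnectionError as exc:
            results.append(f"ERROR: {exc}")
    return results


def error_count(results) -> int:
    return sum(1 for r in results if r.startswith("ERROR"))


if __name__ == "__main__":
    for cls in (L4Switch, DnsRoundRobin):
        out = simulate(cls)
        print(f"{cls.__name__}: {error_count(out)} failed request(s)")
        for line in out:
            print("   ", line)
```

With the L4 model the client sees no errors: request 1 finds the pinned gateway unhealthy, so the switch re-homes the session on `ag2` and keeps it there. With the DNS model `ag1` remains in the rotation, so every third request after the outage fails, which is the behaviour the note above warns about.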

The following sections describe how to set up and manage a cluster of Access Gateways: