You can install and run the SSL VPN self-monitoring and failover scripts on each SSL VPN server in order to provide automatic monitoring and failover support for the SSL VPN servers that are behind a 3.1 SP4 Access Gateway.
When the health status of an SSL VPN server is bad, these scripts modify the iptables entries on that server to stop the Access Gateway from sending connection requests to that particular SSL VPN server. When the SSL VPN server health status returns to normal, the scripts remove the iptables entries and allow the Access Gateway to communicate with the SSL VPN server. You must perform the following tasks to configure load balancing and fault tolerance through the Access Gateway:
In the Administration Console, click .
Add all the SSL VPN servers that are part of the failover group as origin Web servers to the proxy service that you have defined.
Click .
Select in the field.
Select .
Save your changes and update the Access Gateway.
Download the tar file containing scripts for SSL VPN automatic monitoring and failover from the Additional Resources section on the NetIQ Access Manager documentation page. The tar file contains sslvpn-heartbeat.sh and sslvpn-heartbeat.
Copy the sslvpn-heartbeat.sh script to the /opt/novell/sslvpn/bin directory in each of the SSL VPN servers.
Copy the sslvpn-heartbeat file to the /etc/init.d/directory.
Enter the following commands to change sslvpn-heartbeat.sh and sslvpn-heartbeat into executable files:
chmod +x sslvpn-heartbeat.sh
chmod +x sslvpn-heartbeat
Enter the following command to run the script every time the Access Gateway is started:
insserv /etc/init.d/sslvpn-heartbeat
Enter the following command to stop the SSL VPN server:
/etc/init.d/novell-sslvpn stop OR rcnovell-sslvpn stop
Enter the following command to verify if the scripts have blocked port 8080:
iptables -L
The following lines are displayed if port 8080 is blocked:
Chain sslvpn-heartbeat-chain (1 reference) target prot opt source destination REJECT tcp -- anywhere anywhere tcp dpt:http-alt reject-with icmp-port-unreachable
In the Administration Console, click . The following message is displayed if the SSL VPN server is down:
The HTTP Reverse Proxy service <reverse proxy name> might not be functioning properly. Few of the Web servers being accelerated are unreachable <sslvpn server IP Address>:8080
Click to get the latest health status of the Access Gateway.
Connect to SSL VPN. Verify that your connection was sent to the SSL VPN that is running and not to the one that is marked as down by the Access Gateway.
Enter the following command to start the SSL VPN server:
/etc/init.d/novell-sslvpn start
OR rcnovell-sslvpn start
Enter the following command to verify if the script has removed the block on port 8080:
iptables -L
The following lines are displayed if the block on port 8080 is removed:
Chain sslvpn-heartbeat-chain (1 references) target prot opt source destination
In the Administration Console, click , then check to make sure that the SSL VPN server is up.
Click to get the latest health status of the Access Gateway.
Connect to SSL VPN. Verify if your connection was sent to the SSL VPN server that was restarted. It might require several attempts before you can connect to the desired Access Gateway.
Repeat Step 1 to Step 8 to verify if the SSL VPN health scripts are working on all the SSL VPN servers.