3.2 Modifying Cluster Configuration

This section describes how to modify the cluster configurations:

3.2.1 Modifying Identity Provider Cluster Configuration

  1. In the Administration Console, click Devices > Identity Servers, then click the configuration name you created for the cluster.

  2. On the Cluster Details page, click the configuration name.

  3. Fill in the following fields as required:

    Name: Lets you change the name of the Identity Server cluster configuration.

    Cluster Communication Backchannel: Provides a communications channel over which the cluster members maintain the integrity of the cluster. For example, this TCP channel is used to detect new cluster members as they join the cluster, and to detect members that leave the cluster. A small percentage of this TCP traffic is used to help cluster members determine which cluster member would best handle a given request. This back channel should not be confused with the IP address/port over which cluster members provide proxy requests to peer cluster members.

    • Port: Specifies the TCP port of the cluster back channel on all of the Identity Servers in the cluster. 7901 is the default TCP port.

      Because the cluster back channel uses TCP, cluster members can reside on different networks, but any firewall between them must allow the back-channel ports through. Each additional device in the cluster uses the next port number (the configured port plus 1 per device). For example, with four devices the port numbers are 7901, 7902, 7903, and 7904, and all four must be allowed through the firewall.

    • Encrypt: Encrypts the content of the messages that are sent between cluster members. Because the back channel carries cluster membership and request-routing information, enable this option whenever cluster members communicate across a network you do not fully trust.

    NOTE: The Level Four Switch Port Translation feature is not required for Access Manager Appliance because the Identity Server cluster is accelerated through the Access Gateway.

    IDP Failover Peer Server Count: Enables session failover. For more information about this feature, see Configuring Session Failover in the NetIQ Access Manager Appliance 4.0 Identity Server Guide.

  4. Click OK.

  5. Under Cluster Members, you can refresh the member list, start and stop individual members, and update their health status from the server.
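The back-channel port rule above (one consecutive TCP port per cluster member, starting at the configured port) is easy to get wrong at the firewall. The following shell script is an added example, not part of the NetIQ documentation or product: it derives the port list for a cluster of a given size, emits host-firewall (iptables) rules that admit those ports only from the other cluster members, and probes a peer's port to confirm it is reachable. The member addresses and the base port 7901 are constructed sample values, and the rules open the whole range on every member, which is the safe superset of what each member needs.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): derive the Identity Server
# cluster back-channel port list and generate host-firewall rules that admit
# that TCP traffic only from the other cluster members.
#
# Assumptions (not stated on the page): the member IPs below are a constructed
# sample cluster of four Identity Servers; 7901 is the page's default port; the
# rules target iptables on each member. Adjust for a perimeter firewall as needed.

BASE_PORT=7901
MEMBERS="10.10.1.11 10.10.1.12 10.10.1.13 10.10.1.14"

# Print the back-channel ports: base, base+1, ... one per member
# (the page's example: four devices -> 7901 7902 7903 7904).
backchannel_ports() {
    base=$1; count=$2
    i=0; out=""
    while [ "$i" -lt "$count" ]; do
        out="$out $((base + i))"
        i=$((i + 1))
    done
    echo "${out# }"
}

# Number of whitespace-separated words in $1.
count_words() { set -- $1; echo $#; }

# Emit iptables rules for one member ($1): accept the back-channel port range
# from each peer, then drop that range from every other source. Listing the
# peers explicitly keeps the cluster-integrity channel off the open network.
backchannel_rules() {
    self=$1; members=$2; base=$3
    n=$(count_words "$members")
    last=$((base + n - 1))
    for peer in $members; do
        if [ "$peer" != "$self" ]; then
            echo "iptables -A INPUT -p tcp -s $peer --dport $base:$last -j ACCEPT"
        fi
    done
    echo "iptables -A INPUT -p tcp --dport $base:$last -j DROP"
}

# Check that a peer's back-channel port accepts TCP connections
# (needs network access and the nc utility).
probe_peer() {
    host=$1; port=$2
    if command -v nc >/dev/null 2>&1; then
        if nc -z -w 3 "$host" "$port"; then
            echo "$host:$port open"
        else
            echo "$host:$port unreachable"
        fi
    else
        echo "nc not installed; cannot probe $host:$port" >&2
        return 2
    fi
}

# Usage: print the port list and the rules for the first member.
echo "back-channel ports: $(backchannel_ports "$BASE_PORT" "$(count_words "$MEMBERS")")"
backchannel_rules 10.10.1.11 "$MEMBERS" "$BASE_PORT"
```

Run the rule output on each member (substituting that member's own address as the first argument) and then use probe_peer against every other member to confirm the firewall change took effect before starting the cluster.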

3.2.2 Modifying Access Gateways Cluster Configuration

A cluster of the Access Gateways must reside behind a Layer 4 (L4) switch. Clients access the virtual IP on the L4, and the L4 alleviates server load by balancing traffic across the cluster of Access Gateways. Whenever a user enters the URL for an Access Gateway resource, the request is routed to the L4 switch, and the switch routes the user to one of the Access Gateways in the cluster, as traffic necessitates.

Figure 3-1 illustrates the flow of a user request when the Access Gateways are clustered behind an L4 switch.

Figure 3-1 Clustering Access Gateways

  1. The user requests access to a protected resource by sending a request to the L4 switch. The request is sent to one of the Access Gateway servers in the cluster.

  2. The Access Gateway redirects the request to the Identity Server for authentication. The Identity Server presents the user with a login page, requesting a user name and a password.

  3. The Identity Server verifies the user’s credentials with the directory.

  4. The validated credentials are sent through the L4 switch to the same Access Gateway that first received the request. Persistent (sticky) sessions on the L4 switch help keep the user on that Access Gateway.

  5. The Access Gateway verifies the user credentials with the Identity Server.

  6. If the credentials are valid, the Access Gateway forwards the request to the Web server.

If the Access Gateway where the user's session was established goes down, the user’s request is sent to another Access Gateway in the cluster. This Access Gateway pulls the user’s session information from the Identity Server. This allows the user to continue accessing resources, without having to reauthenticate.

IMPORTANT: Using DNS round robin instead of an L4 switch for load balancing is not recommended. DNS round robin works only as long as every member of the cluster is up and healthy. If a member goes down, DNS keeps handing out its address, traffic is still sent to it, and the cluster as a whole starts generating errors.

The following sections describe how to set up and manage a cluster of Access Gateways.

Prerequisites

  • An L4 switch installed. You can use the same switch for an Identity Server cluster and an Access Gateway cluster, provided that you use different virtual IPs.

  • One or more Access Gateways installed.

    When you install each new Access Gateway, configure it to use the same Administration Console.

  • Your DNS server must be configured to resolve the published DNS names that you specify for your proxy services to the L4 switch.

  • Enabling persistent (sticky) sessions on the L4 switch is highly recommended, but not required.
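Two of these prerequisites can be verified from a shell before you configure the cluster: that every published DNS name resolves to the L4 switch's virtual IP (and not, as in a DNS round-robin setup, to individual Access Gateways), and that each cluster member's listener actually accepts connections, which is what the L4 switch's health check depends on. The script below is an added example, not part of the NetIQ documentation or product. The virtual IP, the member addresses, the published names, and port 443 are constructed sample values; the DNS lookup uses getent and the listener probe uses nc.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): pre-flight checks for the
# Access Gateway cluster prerequisites. Verifies that each published DNS name
# resolves only to the L4 switch's virtual IP and that each cluster member's
# listener accepts TCP connections.
#
# Assumptions (not on the page): all addresses, names and the port below are
# constructed sample values for an L4 VIP with two Access Gateway members.

L4_VIP="192.0.2.10"
AG_MEMBERS="10.20.1.21 10.20.1.22"
PUBLISHED_NAMES="portal.example.com intranet.example.com"
LISTEN_PORT=443

# Resolve a name to its IPv4 addresses, one per line (glibc getent).
resolve_name() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Return 0 if $1 resolves only to the VIP $2; 1 if it does not resolve or if
# any returned address is something else (a member address, a stale record,
# or a round-robin set).
check_published_name() {
    name=$1; vip=$2
    addrs=$(resolve_name "$name")
    if [ -z "$addrs" ]; then
        echo "FAIL $name: does not resolve"
        return 1
    fi
    for a in $addrs; do
        if [ "$a" != "$vip" ]; then
            echo "FAIL $name -> $a (expected L4 VIP $vip)"
            return 1
        fi
    done
    echo "OK   $name -> $vip"
    return 0
}

# Return 0 if $1:$2 accepts a TCP connection within 3 seconds.
probe_listener() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2"
    else
        echo "nc not installed; cannot probe $1:$2" >&2
        return 2
    fi
}

# Run every check; the return value is the number of failed checks.
preflight() {
    failures=0
    for n in $PUBLISHED_NAMES; do
        check_published_name "$n" "$L4_VIP" || failures=$((failures + 1))
    done
    for m in $AG_MEMBERS; do
        if probe_listener "$m" "$LISTEN_PORT"; then
            echo "OK   $m:$LISTEN_PORT listening"
        else
            echo "FAIL $m:$LISTEN_PORT not reachable"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Sourcing the file only defines the functions; run the checks with
#   AG_PREFLIGHT=1 sh ag_preflight.sh
if [ "${AG_PREFLIGHT:-0}" = "1" ]; then
    preflight
    exit $?
fi
```

A non-zero exit status from preflight means at least one name points somewhere other than the VIP or at least one member is not listening; fix those before putting the cluster behind the L4 switch, since a member that fails its health check is exactly the case the L4 switch exists to handle and DNS round robin does not.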

Configuring a Cluster

Complete the following steps:

  1. In the Administration Console, click Access Gateways > Edit AG-Cluster.

  2. To configure the cluster, click Access Gateways > Edit.

    A cluster of Access Gateways has the same configuration options as a single Access Gateway. The only difference is that for some options you need to select the Access Gateway to configure. For example, the Date & Time option allows you to set the time separately for each member of the cluster.

    Applying the configuration to a cluster is slightly different. You can apply the changes to all servers in the cluster by selecting the Update All option, or apply them to one server at a time by selecting the Update option for each server. When you update the servers one at a time, your site remains up. For more information on the Update and Update All options, see Configuration Options in the NetIQ Access Manager Appliance 4.0 Access Gateway Guide.

    If you prefer to apply changes to the servers one at a time, first save the changes to the configuration datastore by clicking OK on the Server Configuration page. (The OK buttons on the other configuration pages save the changes only to the browser cache.) If your session times out before you have updated every server in the cluster and the changes exist only in the browser cache, the changes are lost and are not applied to the servers that are still in an Update status.

  3. (Conditional) If the Access Gateways in the cluster have multiple network adapters or IP addresses, you need to configure the listening address for each reverse proxy. If the address currently selected is not the one where you want the reverse proxy to listen for requests, click Access Gateways > Edit > [Name of Reverse Proxy], select the Access Gateway as the Cluster Member, then enable the Listening Address you want to use.

3.2.3 Modifying SSL VPN Server Cluster Configuration

You can cluster the high-bandwidth SSL VPN servers so that they act as a single server and provide load balancing and fault tolerance.

For more information about configuring the SSL VPN cluster by using the Access Gateway, see Clustering SSL VPN by Using an L4 Switch in the NetIQ Access Manager Appliance 4.0 SSL VPN Server Guide.