5.0 Clustering the High-Bandwidth SSL VPN Servers

You can cluster the high-bandwidth SSL VPN servers to provide load balancing and fault tolerance capabilities and to act as a single server. The SSL VPN servers in a cluster share a common configuration and are managed on a single Administration Console. The servers are configured for load balancing and failover. When a member of the SSL VPN cluster fails, the user sessions are failed over to another SSL VPN server that is healthy.

Even though the SSL VPN authentication connection to the cluster remains unaffected during the session failover, the SSL VPN tunnel goes down and a new tunnel is established with the new SSL VPN server. This might affect applications such as FTP that were being accessed through the tunnel at the time of failover.

A cluster can be set up to function with an L4 switch or the Access Gateway to handle load balancing. You can have a cluster of servers in both HTTP and HTTPS.

Clients access the virtual IP address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by balancing traffic across the cluster. Whenever a user accesses the virtual IP address (port 8080) assigned to the L4 switch, the system routes the user to one of the SSL VPN servers in the cluster, as traffic necessitates.

Using L4 for Clustering: In this approach, the SSL VPN cluster is placed behind an L4 switch. If the tunnel IP address configured in the Administration Console is the virtual IP address of an L4 switch, additional load balancing is done at this level. When a user is authenticated, all the members of the cluster are informed, so that the cluster members can handle failover. For more information on configuring the L4 switch, see Configuration Tips for the L4 Switch in the Novell Access Manager 3.1 SP5 Setup Guide.

Using Access Gateway for Clustering: In a direct connection, the client directly establishes contact with the tunneling component, which could be a NAT IP address and not the L4 switch. This approach ensures that the load balancing of SSL VPN servers is achieved with the help of Access Gateway clusters. The client establishes a connection with the first tunnel.

For more information, see Section 5.5, Clustering SSL VPNs by Using the Access Gateway without an L4 Switch.

This section has the following information: