While placing CA PAM appliances (two) in the same data center for fail-over purposes, will these require a VIP defined on the F5 load balancer, or will this be handled via the CA PAM appliance or application?
I have set up two appliances in a cluster and defined 1 VIP on the load balancer, and it works perfectly.
Just to note, the CA PAM appliance works in an Active/Active configuration, not Active/Standby. You will have both appliances ready to receive user requests at the same time. The load balancer will play a vital role in distributing traffic among both appliances. Just double-check the load balancing method you wish to configure; I recommend using round robin with sticky client IP address.
For your question regarding the VIP on PAM, I think it is used for internal communication. I don't think it will do load balancing of user traffic. Eager to see a reply from the support or development team on this point.
If leveraging the appliance load balancing (via a defined VIP but no external load balancer), internally when a user connects it will pass their connection to the appliance in the cluster with the least number of active sessions to devices.
What is the best practice? Using the internal LB mechanism or a 3rd-party LB?
If we have an external load balancer, does that mean it is just a pass-through only to the primary CA PAM appliance (which does the real load balancing between its cluster members)?
Can we have both the CA PAM appliances configured in the load balancer, and they both can receive requests as per the logic/algorithm defined in the load balancer?
Yes, you can configure both appliances in the load balancer, and both can receive requests as per the logic/algorithm defined, at the same time, in active/active. There are some advantages in using an external load balancer, i.e. one can monitor the health of the appliances, and based on that the load balancer will send traffic to the appliance which is more efficient at that moment. In addition to that, there are any number of load balancing algorithms which you can pick and choose from as per the requirement.
Is your original question already answered? If yes, can you please mark this question as answered?
CA Support Delivery Manager