Layer7 Privileged Access Management

Expand all | Collapse all

External load balancer

Jump to Best Answer
  • 1.  External load balancer

    Posted 01-24-2018 05:00 AM

    While we have an internal load balancing mechanism provided in active- active (Mutli Master cluster) what factors drive the customer to have an external load balancer in front of the CA-PAM cluster?

  • 2.  Re: External load balancer
    Best Answer

    Posted 01-24-2018 05:08 AM

    The internal load balancer provides a "redirect" service. So the users browser or PAM client is redirected to the actual node. There may be cases where you don't want the user to ever connect directly to the actual node. So you would use an external load balancer to "forward" the request to the actual node instead. The end user only ever sees the FQDN of the load balancer


    You may also want to split traffic in some logical way. E.g. You have a 4 node cluster. All user requests are served by nodes 1 and 2 and all A2A requests are served by nodes 3 and 4. External load balancing can achieve this.


    And if you have a multi-site cluster, you may want to send users to the site closest to them, so geo-based external load balancing could be used.


    These are some reasons. There may be more depending on the customer environment (e.g. different process for obtaining SSL certs for external load balancer and PAM appliances etc.)

  • 3.  Re: External load balancer

    Posted 02-13-2018 11:25 AM

    Bear in mind that when using an External Load Balancer you should set the Persistence to be based on the IP address, and not the SSL Session.

  • 4.  Re: External load balancer

    Posted 05-29-2018 10:29 PM

    we're using external load balancer in a multi site clustering model. But whenever we are trying to access PAM url with F5 url, on successful logon PAM throws an error saying "Failed to start access agent" and Dashboard shows user unauthorized error. 

    Can you please provide the actual external load balancing configuration for multi site cluster in PAM ?

  • 5.  Re: External load balancer

    Posted 05-30-2018 08:41 AM

    I gave you the configuration item to change already, Persistance.  It needs to be set to IP.  The message you are seeing was occurring for another customer using an external load balancer.  They made the change and the issue was resolved.

  • 6.  Re: External load balancer

    Posted 05-30-2018 09:16 AM

    we have tried doing with source IP persistence and Destination IP persistence, but both the option is not working for us. are we missing anything ?

  • 7.  Re: External load balancer

    Posted 05-30-2018 12:46 PM

    Bipin, Is your load balancer connecting to individual PAM servers, or to PAM site VIPs? And does it let connections pass through, or is it establishing its own secure connections to the chosen PAM server? Pass-through connections going to individual PAM servers that all have the same certificate (with all cluster node names and cluster VIP FQDNs included as subject alternate names) should work. And do you get the same errors using the PAM client or a browser?

  • 8.  Re: External load balancer

    Posted 05-30-2018 01:59 PM

    Hi Ralf,

    Load balancer is connecting to individual PAM servers. How do we know the connections pass through or own secure connections ?

    All Cluster nodes and VIP has same certificates and all FQDN included in SAN.

  • 9.  Re: External load balancer

    Posted 05-30-2018 02:05 PM

    Bipin, that is a question of how your load balancer is configured. Whoever configured it should know.

  • 10.  Re: External load balancer

    Posted 05-31-2018 09:11 AM

    Thanks Ralf, We have made the required changes and testing our environment. As of now we are good with the recommended changes. Thank you much.

  • 11.  Re: External load balancer

    Posted 04-29-2019 10:55 AM

    hi Ralph, we have same problem (2 node clustered  in same site) but the client point directly to VIP without external load balancer.

    The error occour randomly but happen many times ...


    thank you