While we have an internal load balancing mechanism provided in active- active (Mutli Master cluster) what factors drive the customer to have an external load balancer in front of the CA-PAM cluster?
The internal load balancer provides a "redirect" service. So the users browser or PAM client is redirected to the actual node. There may be cases where you don't want the user to ever connect directly to the actual node. So you would use an external load balancer to "forward" the request to the actual node instead. The end user only ever sees the FQDN of the load balancer
You may also want to split traffic in some logical way. E.g. You have a 4 node cluster. All user requests are served by nodes 1 and 2 and all A2A requests are served by nodes 3 and 4. External load balancing can achieve this.
And if you have a multi-site cluster, you may want to send users to the site closest to them, so geo-based external load balancing could be used.
These are some reasons. There may be more depending on the customer environment (e.g. different process for obtaining SSL certs for external load balancer and PAM appliances etc.)
Bear in mind that when using an External Load Balancer you should set the Persistence to be based on the IP address, and not the SSL Session.
we're using external load balancer in a multi site clustering model. But whenever we are trying to access PAM url with F5 url, on successful logon PAM throws an error saying "Failed to start access agent" and Dashboard shows user unauthorized error.
Can you please provide the actual external load balancing configuration for multi site cluster in PAM ?
I gave you the configuration item to change already, Persistance. It needs to be set to IP. The message you are seeing was occurring for another customer using an external load balancer. They made the change and the issue was resolved.
we have tried doing with source IP persistence and Destination IP persistence, but both the option is not working for us. are we missing anything ?
Bipin, Is your load balancer connecting to individual PAM servers, or to PAM site VIPs? And does it let connections pass through, or is it establishing its own secure connections to the chosen PAM server? Pass-through connections going to individual PAM servers that all have the same certificate (with all cluster node names and cluster VIP FQDNs included as subject alternate names) should work. And do you get the same errors using the PAM client or a browser?
Load balancer is connecting to individual PAM servers. How do we know the connections pass through or own secure connections ?
All Cluster nodes and VIP has same certificates and all FQDN included in SAN.
Bipin, that is a question of how your load balancer is configured. Whoever configured it should know.
Thanks Ralf, We have made the required changes and testing our environment. As of now we are good with the recommended changes. Thank you much.
hi Ralph, we have same problem (2 node clustered in same site) but the client point directly to VIP without external load balancer.
The error occour randomly but happen many times ...