Symantec Access Management

  • 1.  webagent dns

    Posted Aug 13, 2019 04:03 PM
    We have SiteMinder policy servers in AWS. In the HCO and SmHost.conf we are using the FQDN of the policy servers. The IP associated with the FQDN changes every time we destroy the policy server and recreate a new one. The new server has the same FQDN but the IP is new. When this happens the web agent does not connect to the new servers.

    It appears that the web agent only does the DNS lookup of the policy server hostname when started, and after that it only tries to connect using the IPs even though it has lost the connection.

    Is there any way to force the web agent to do a DNS lookup and connect to the new policy servers?

    Also, are there any issues using an NLB between the web agent and the policy server?


  • 2.  RE: webagent dns
    Best Answer

    Broadcom Employee
    Posted Aug 23, 2019 02:38 AM
    Hi Rajesh,

    On the Web Agent side, you have to make the Web Agent thread shut
    down and start again when the Policy Server IP changes.

    I don't think we have that functionality in our Product.

    It may be feasible by third party customization to detect when the IP
    of the Policy Server changes, then flush the OS DNS cache, then
    restart the Web Agent threads in order to rebuild the connections and
    resolve the FQDN.

    Someone has the same issue with another product, and one solution is
    using a firewall to keep the FQDN going to the right IP.

    reconnect if server ip changed
    https://github.com/mobile-shell/mosh/issues/212

    I hope this helps,

    Best Regards,
    Patrick
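    The "third party customization" sketched above, as an added example that is not part of this thread or of the SiteMinder product: a small watcher that re-resolves each Policy Server FQDN on a schedule and fires a hook only when the resolved address set actually changes (a failed lookup is ignored so a transient DNS error does not trigger a restart). The `restart_web_agent` hook and the hostname are placeholders; the resolver is injectable so the logic can be exercised without live DNS.

```python
"""Watch Policy Server FQDNs and fire a hook when their resolved addresses change.

Added example for this thread, not SiteMinder code. The restart hook is an
assumption: on a real host it would call whatever stops and restarts the Web
Agent (or its web server) so the HCO FQDNs are resolved again.
"""
import socket
import time
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple

Resolver = Callable[[str], FrozenSet[str]]
ChangeHook = Callable[[str, FrozenSet[str], FrozenSet[str]], None]


def resolve_ipv4(fqdn: str) -> FrozenSet[str]:
    """Return the current IPv4 addresses for fqdn, or an empty set if lookup fails."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return frozenset()
    return frozenset(info[4][0] for info in infos)


class PolicyServerWatcher:
    """Tracks the address set each Policy Server FQDN resolved to at the last poll."""

    def __init__(self, fqdns: Iterable[str], resolver: Resolver = resolve_ipv4,
                 on_change: Optional[ChangeHook] = None) -> None:
        self.resolver = resolver
        self.on_change = on_change
        # Baseline: what the agent itself would have resolved at startup.
        self.known: Dict[str, FrozenSet[str]] = {f: resolver(f) for f in fqdns}

    def check(self) -> Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]]:
        """Re-resolve every FQDN; return {fqdn: (old, new)} for those that changed."""
        changed = {}
        for fqdn, old in self.known.items():
            new = self.resolver(fqdn)
            if new and new != old:          # empty set = lookup failure, not a change
                changed[fqdn] = (old, new)
                self.known[fqdn] = new
                if self.on_change:
                    self.on_change(fqdn, old, new)
        return changed


def restart_web_agent(fqdn: str, old: FrozenSet[str], new: FrozenSet[str]) -> None:
    # Placeholder hook (assumption): replace with the site's real Web Agent restart.
    print(f"{fqdn}: {sorted(old)} -> {sorted(new)}; restarting Web Agent")


if __name__ == "__main__":
    # Hostname is a placeholder; poll interval is a site choice.
    watcher = PolicyServerWatcher(["policyserver.example.internal"], on_change=restart_web_agent)
    while True:
        watcher.check()
        time.sleep(60)
```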


  • 3.  RE: webagent dns

    Posted Sep 02, 2019 08:07 AM
    Hello Rajesh,

    I suppose an NLB could be used here, as it would provide you with a static IP and then load balance accordingly between policy servers. You can also listen on the same set of port numbers normally used for authentication, authorization and accounting on the NLB, like a normal policy server would do. If required, you can also enable session persistence on the NLB. But, yeah, you would have to test the above as I don't have personal experience of this setup.

    Thanks
    Ankur Taneja