Symantec Privileged Access Management

Hi SME's ,

 Currently we have a external LB (F5) in front of 2 nodes to manage user sessions . We have faced several issues with it since we moved to cloud , so we are thinking of using PAM VIP instead of external LB . So earlier it was external LB which was being used by users to login to PAM ( it will manage session in 2 nods ) . As I understand if we use PAM VIP , then all sessions will be be managed in 3 nodes. Can you let me know if it can cause disturbance in cluster replication ? .

Note : We have an Azure Primary site with 3 nodes .

Hello Pankaj,

You need to make sure the users are able to reach the VIP that is provided in the CA PAM cluster.
There will not be any disturbance in the cluster replication.
Make sure that all the required ports are available/open in the Azure networking with the clusters.

Thanks,
Reatesh.

------------------------------
Principal Support Engineer
Broadcom
------------------------------

Original Message:
Sent: 05-17-2021 09:46 AM
From: Pankaj Kumar
Subject: Using PAM VIP for users sessions instead of external LB

Hi SME's ,

 Currently we have a external LB (F5) in front of 2 nodes to manage user sessions . We have faced several issues with it since we moved to cloud , so we are thinking of using PAM VIP instead of external LB . So earlier it was external LB which was being used by users to login to PAM ( it will manage session in 2 nods ) . As I understand if we use PAM VIP , then all sessions will be be managed in 3 nodes. Can you let me know if it can cause disturbance in cluster replication ? .

Note : We have an Azure Primary site with 3 nodes .

Hello Pankaj, Do you have 2 nodes or three nodes? If you have 2, then one of the two in a single site cluster, then the internal load balancer will redirect to one of the two. Note that this is a redirection, i.e. the client will be instructed to connect to one of the PAM nodes. This is somewhat different behavior than what an external load balancer does, which just passes on the connection to one of the configured destinations. Also keep in mind that we do not recommend to run with 2 nodes in a single site, see the following comment on page https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0/deploying/set-up-a-cluster/cluster-synchronization-promotion-and-recovery/primary-site-fault-tolerance.html:

"To ensure primary site fault tolerance, we recommend at least three members at a primary site. If the entire cluster has only two members, do not put both members in the primary site. We recommend a 1 x 1 configuration (one member at the primary site and one member at secondary site).  "

However, if you have two nodes in two sites with one node each, there is no internal load balancing and users would have to connect to one or the other. PAM internal load balancing is limited to the site that the VIP is defined for.
Original Message:
Sent: 05-17-2021 09:46 AM
From: Pankaj Kumar
Subject: Using PAM VIP for users sessions instead of external LB

Hi SME's ,

 Currently we have a external LB (F5) in front of 2 nodes to manage user sessions . We have faced several issues with it since we moved to cloud , so we are thinking of using PAM VIP instead of external LB . So earlier it was external LB which was being used by users to login to PAM ( it will manage session in 2 nods ) . As I understand if we use PAM VIP , then all sessions will be be managed in 3 nodes. Can you let me know if it can cause disturbance in cluster replication ? .

Note : We have an Azure Primary site with 3 nodes .

@Reatesh Sanghi @Ralf Prigl Thanks for the information . We have 3 nodes in our primary cluster . I was able to achieve desired result by using PAM VIP. . Thanks for support .​​
Original Message:
Sent: 05-28-2021 05:45 PM
From: Ralf Prigl
Subject: Using PAM VIP for users sessions instead of external LB

Hello Pankaj, Do you have 2 nodes or three nodes? If you have 2, then one of the two in a single site cluster, then the internal load balancer will redirect to one of the two. Note that this is a redirection, i.e. the client will be instructed to connect to one of the PAM nodes. This is somewhat different behavior than what an external load balancer does, which just passes on the connection to one of the configured destinations. Also keep in mind that we do not recommend to run with 2 nodes in a single site, see the following comment on page https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0/deploying/set-up-a-cluster/cluster-synchronization-promotion-and-recovery/primary-site-fault-tolerance.html:

"To ensure primary site fault tolerance, we recommend at least three members at a primary site. If the entire cluster has only two members, do not put both members in the primary site. We recommend a 1 x 1 configuration (one member at the primary site and one member at secondary site).  "

However, if you have two nodes in two sites with one node each, there is no internal load balancing and users would have to connect to one or the other. PAM internal load balancing is limited to the site that the VIP is defined for.
Original Message:
Sent: 05-17-2021 09:46 AM
From: Pankaj Kumar
Subject: Using PAM VIP for users sessions instead of external LB

Hi SME's ,

 Currently we have a external LB (F5) in front of 2 nodes to manage user sessions . We have faced several issues with it since we moved to cloud , so we are thinking of using PAM VIP instead of external LB . So earlier it was external LB which was being used by users to login to PAM ( it will manage session in 2 nods ) . As I understand if we use PAM VIP , then all sessions will be be managed in 3 nodes. Can you let me know if it can cause disturbance in cluster replication ? .

Note : We have an Azure Primary site with 3 nodes .