Symantec Privileged Access Management

  • 1.  PAM clustering questions

    Broadcom Employee
    Posted Jun 13, 2016 09:26 AM

    I have a couple of PAM clustering questions:

    • We will configure PAM in a four node cluster located in two different
      data centers (two nodes in each data center). Can we then set up the two nodes
      in datacenter 1 to send their Session Recordings to one server (mounted via
      NFS) located in datacenter 1 and the two other nodes in datacenter 2 to send
      their Session Recordings to another server (mounted via NFS) located in
      datacenter 2? Or should the Session Recording data reside in a single place?
    • What is the benefit of setting up a cold appliance (as a disaster
      recovery appliance)? I.e. say that you have a cluster of two running nodes and
      one cold node. What is the benefit of having that compared to have all the
      three nodes always up and running? Does the cold appliance consume as many
      licenses as the active ones?


  • 2.  Re: PAM clustering questions
    Best Answer

    Broadcom Employee
    Posted Jun 13, 2016 10:33 AM

    **** Per,

    For the first part - Regarding Session Recording.

    You can set up two nodes in each data center; this would be good. If you want to use only one session recording for both of these nodes, then you need to make sure that the "id" / "license" matches for both of the nodes.

    Similarly, you can do it for the other data center.

    Having only one session recording would add to performance issues. Also, in case the connection to the session recording is lost for some unexpected reason, the users would not be able to log in to the endpoints unless you modify the option to connect to endpoints without any monitoring ability.


    For the second part regarding the license, I am not sure on this one. Also for the disaster part, the DBs should always be in sync; otherwise, if the Primary Site is down, the disaster site would not have the latest data.


    Thanks,

    Reatesh.



  • 3.  Re: PAM clustering questions

    Broadcom Employee
    Posted Jun 13, 2016 10:34 AM

    Hello Per,

    I had a typo earlier before your name, my apologies for this.

    Regards,

    Reatesh.



  • 4.  Re: PAM clustering questions

    Broadcom Employee
    Posted Jun 13, 2016 11:40 AM

    "Can we then set up the two nodes in datacenter 1 to send their Session Recordings to one server (mounted via NFS) located in datacenter 1 and the two other nodes in datacenter 2 to send their Session Recordings to another server (mounted via NFS) located in datacenter 2?"


    SWH: PAM configuration settings (i.e., session recording) are configured on a per-appliance basis. With this in mind, PAM 1 and 2 in DC1 can be configured to write sessions into a CIFS/NFS mount point in DC1, while PAM 3 and 4 in DC2 can be configured to write sessions to a CIFS/NFS mount point in DC2.


    "Or should the Session Recording data reside in a single place?"


    SWH: If you don't write the session recordings to a single location, then you will have to log in to each PAM appliance to view the session recordings for that specific appliance. Not quite operationally sound. From a user perspective, they will never remember to log in to PAM 1 to look at PAM 1 recordings.


    For this reason, using a single store for all recordings is advised.


    Note that high latency between the PAM appliances and the session recording mount point will cause issues with recording and playback. If possible, keep the latency below 1000 ms, if you can.



  • 5.  RE: Re: PAM clustering questions

    Posted Dec 03, 2019 11:21 PM
    Hi @Shawn Hank, "Note that high latency between the PAM appliances and the session recording mount point will cause issues with recording and playback. If possible, keep the latency below 1000 ms, if you can."

    Besides network latency, is there any recommendation/guideline for NFS shares, i.e. supported OS (are NFS shares on Windows supported/recommended?), disk IO, etc.?

    Thanks


  • 6.  Re: PAM clustering questions

    Posted Jun 14, 2016 05:11 AM

    For your second query in regards to setting up the 3rd appliance as cold standby or as part of the cluster, below are the things to be kept in mind.


    1) If you have a cold standby configuration, you may configure and keep the cold standby with the base configuration and keep updating the database backup once in a while, or this activity can be performed during a DR situation, which can take around 15-20 min.


    2) In case you want to use it as Active-Active as the 3rd node in the cluster, you need to keep in mind that the 3rd node is in a different data center and will be located in a different geographical boundary, and most likely it will have WAN connectivity.


    3) Currently CA PAM has partial support for clusters over the WAN; you may want to resist doing this unless you have 99.99% uptime with minimal latency. You can have a look at the CA PAM Planning guide for in-depth information.


    4) If indeed you wish to make use of the 3rd appliance, then this is what I would do: use the 3rd node as a standalone PAM, and keep restoring the database backup of your production every week or during the DR drill.

    One thing you should remember is to remove the scheduled task/password composition policy so that passwords are not updated/changed by the 3rd node.


    Regards,



  • 7.  Re: PAM clustering questions

    Broadcom Employee
    Posted Jun 21, 2016 05:34 AM

    Hi Per,

    I guess your question is already addressed? If yes, can you please mark the most correct answer as the correct one?

    Thanks,

    -Lluis