ProxySG & Advanced Secure Gateway

  • 1.  Can BCAAA servers be load balanced

    Posted Sep 17, 2020 03:55 AM
    Hi;

    Can BCAAA servers be load balanced for active/active performance? If yes, what is the mechanism please, is it a load balancer with round robin load balancing method and source IP persistence?

    Kindly
    Wasfi


  • 2.  RE: Can BCAAA servers be load balanced
    Best Answer

    Broadcom Employee
    Posted Sep 29, 2020 02:46 PM
    Hi Wasfi,

    The ProxySG connects to BCAAA with a single persistent connection. All requests are made through that single persistent connection. As such, any configuration of load balancing would not have the desired active/active effect.

    If you were to put a couple BCAAA servers behind a load balancer with round robin, then on initial connection, the ProxySG would open a connection with one of them. That connection would then be used for all requests until something happened to the connection. The ProxySG would then reach out to your load balancer again, and with the round robin config, get the second BCAAA server, and use it exclusively until something happened to that connection.

    If you are concerned about an overwhelmed BCAAA server, you might consider creating a second IWA-BCAAA realm to distribute the load. You would balance the load with your policy. For example, let's say my network is divided equally, with half of the users on a 10.0.0.0/16 subnet, and the other half on a 192.168.0.0/16 subnet. I could create policy that says that the 10.0.0.0/16 subnet uses Realm1, and the 192.168.0.0/16 subnet authenticates using Realm2. Secondary servers could be configured on both realms as well to secure the active/passive failover.

    Hope this helps!
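
The behaviour described in the answer above, as an added example that is not part of the original post and is not Broadcom code: a small model comparing a round-robin load balancer in front of two BCAAA servers (one persistent connection) with the two-realm split by client subnet. The server names `bcaaa-a`/`bcaaa-b`, the one-primary-server-per-realm mapping and the client list are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from itertools import cycle

# Constructed sample clients: half on each subnet from the answer's example.
CLIENTS = [f"10.0.{i}.10" for i in range(50)] + \
          [f"192.168.{i}.10" for i in range(50)]

def round_robin_behind_lb(clients, servers, drop_after=None):
    """Model of the load-balancer setup: the proxy holds ONE persistent
    connection, so the balancer only chooses a server on (re)connect."""
    picker = cycle(servers)
    current = next(picker)              # initial connection picks one server
    load = Counter()
    for n, _client in enumerate(clients):
        if drop_after is not None and n == drop_after:
            current = next(picker)      # connection lost, reconnect via LB
        load[current] += 1              # every request rides the same connection
    return dict(load)

# Subnet -> realm policy from the answer; realm -> primary server is hypothetical.
REALM_POLICY = [
    (ipaddress.ip_network("10.0.0.0/16"), "Realm1"),
    (ipaddress.ip_network("192.168.0.0/16"), "Realm2"),
]
REALM_PRIMARY = {"Realm1": "bcaaa-a", "Realm2": "bcaaa-b"}

def realm_split(clients):
    """Model of the two-realm setup: policy selects the realm by client
    subnet, and each realm talks to its own BCAAA server."""
    load = Counter()
    for client in clients:
        addr = ipaddress.ip_address(client)
        realm = next((r for net, r in REALM_POLICY if addr in net), None)
        # Clients outside both subnets are counted separately, not guessed at.
        load[REALM_PRIMARY[realm] if realm else "unmatched"] += 1
    return dict(load)

if __name__ == "__main__":
    servers = ["bcaaa-a", "bcaaa-b"]
    print("LB, stable connection:  ", round_robin_behind_lb(CLIENTS, servers))
    print("LB, drop at request 30: ", round_robin_behind_lb(CLIENTS, servers, 30))
    print("Two realms by subnet:   ", realm_split(CLIENTS))
```

In the load-balancer model the second server only receives traffic after the connection drops, which is failover rather than active/active; the realm split is the only case where both servers carry load at the same time.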



  • 3.  RE: Can BCAAA servers be load balanced

    Broadcom Employee
    Posted Sep 29, 2020 03:29 PM
    . . . I should also add that using Kerberos will be much less resource intensive than NTLM. If you aren't already using Kerberos, I would recommend implementing it.

    Thanks!