You configure the SSL VPN cluster to be behind a Layer 4 (L4) server because it is essential in order to assign multiple SSL VPN servers to the same configuration. You can use the same L4 server for SSL VPN server clustering, Identity Server clustering, and Access Gateway clustering, provided that you use different virtual IPs.
You can either have a cluster of traditional SSL VPN servers by using L4 and Access Gateways or you can have a cluster of ESP-enabled SSL VPNs by using the L4 server. In a cluster, policies such as the client integrity check policies, traffic policies, and client policies are common to all the cluster members. However, each of the secondary members of the cluster must have specific listening IP addresses for Kiosk mode and Enterprise modes and a specific subnet mask and subnet addresses configured for Enterprise mode.
Make sure that the base URL of SSL VPN is resolvable with its own IP address as well as the public IP address of L4 server. The Identity Server should be able to resolve the base URL of SSL VPN to the virtual IP address of SSL VPN cluster.