A cluster of Access Gateways must reside behind a Layer 4 (L4) switch. Clients access the virtual IP on the L4, and the L4 alleviates server load by balancing traffic across the cluster of Access Gateways. Whenever a user enters the URL for an Access Gateway resource, the request is routed to the L4 switch, and the switch routes the user to one of the Access Gateways in the cluster, as traffic necessitates.
Figure 3-2 illustrates the flow of a user request when the Access Gateways are clustered behind an L4 switch.
Figure 3-2 Clustering Access Gateways
The user requests access to a protected resource by sending a request to the L4 switch. The request is sent to one of the Access Gateway servers in the cluster.
The Access Gateway redirects the request to the Identity Server for authentication. The Identity Server presents the user with a login page, requesting a user name and a password.
The Identity Server verifies the user’s credentials with the directory.
The validated credentials are sent through the L4 switch to the same Access Gateway that first received the request.
The Access Gateway verifies the user credentials with the Identity Server.
If the credentials are valid, the Access Gateway forwards the request to the Web server.
If the Access Gateway where the user's session was established goes down, the user’s request is sent to another Access Gateway in the cluster. This Access Gateway pulls the user’s session information from the Identity Server. This allows the user to continue accessing resources, without having to reauthenticate.
IMPORTANT:Using a DNS round robin setup instead of an L4 switch for load balancing is not recommended. The DNS solution works only as long as all members of the cluster are working and in a good state. If one of them goes down and traffic is still sent to that member, the entire cluster is compromised and starts generating errors.
The following sections describe how to set up and manage a cluster of Access Gateways.
An L4 switch installed. You can use the same switch for an Identity Server cluster and an Access Gateway cluster, provided that you use different virtual IPs.
One or more Access Gateways installed.
When you install each new Access Gateway, configure it to use the same Administration Console.
Your DNS server must to be configured to resolve the published DNS names that you specify for your proxy services to the L4 switch.
Enabling persistent (sticky) sessions on the L4 switch is highly recommended, but not required.
IMPORTANT:If you have created a configuration for one or more of the Access Gateways you are going to put in a cluster, you need to carefully select the primary cluster server. The current configuration of the primary cluster server is pushed to the other servers in the cluster. If you have created configurations for the other servers in the cluster, these configurations are overwritten.
In the Administration Console, click
> .Fill in the following fields:
Cluster Name: Specify a display name for the cluster.
Type: Select the type of cluster you want to create: Gateway Appliance or Gateway Service.
Primary Cluster Server: Select the server that is to be the primary server in the cluster.
In the
list, select the servers that you want to be members of the cluster.You can create a cluster of one, and add additional servers later. You cannot create a cluster that contains Access Gateway Appliances and Access Gateway Services. The cluster can contain only one type of Access Gateway.
Each server you add to the cluster adds about 30 seconds to the time it takes to configure the cluster because certificates must be synchronized and configuration options must be sent to that server. If you create a very large cluster of twenty servers, it can take up to ten minutes to configure and create the cluster.
Click
.After the cluster has been created, each server in the cluster needs be restarted. On the
page, click by the name of the cluster.(Conditional) If the Access Gateways in the cluster have multiple network adapters or IP addresses, you need to configure the listening address for each reverse proxy.
When you create the cluster configuration for newly added servers, the listening address is always the IP address of eth0. If this is not the address where you want the reverse proxy to listen for requests, click
> > , select the Access Gateway as the , then enable the you want to use.To configure the cluster, click
> .A cluster of Access Gateways has the same configuration options as a single Access Gateway. The only difference is that for some options you need to select the Access Gateway to configure. For example, the
option allows you to set the time separately for each member of the cluster.Applying the configuration to a cluster is slightly different. You have the option to apply the changes to all servers in the cluster by selecting the Viewing and Updating the Configuration Status
in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
If you prefer to apply changes to the servers one at time, you should save the changes to the configuration datastore. To do this, click
on the Server Configuration page. (The buttons on the other configuration pages save the changes to browser cache.) If your session times out before you update all servers in the cluster and the changes have been saved only in browser cache, the changes are lost and are not applied to the servers that are still in an e status.