Load Balancer setup for TPAM

Hi

We have 3 TPAM appliances. One is working as the primary and the other two are working as active replicas.

Please let us know if we can set up a network load balancer (VIP) for these 3 appliances so that when we hit the VIP URL it redirects the requests to all 3 appliances.

Please share your thoughts on this. Thank you.

  • Yes, setting up an external load balancer is possible. I have customers who have used Alteon and F5 to do this.

    While One Identity does not provide or support any configurations, none of the engineers have had an issue configuring the load balancer to provide the virtual IP and have it direct traffic to the appropriate appliance.

    The load balancer needs to use the TPAM status page to work out which appliance is up and what its operational status is.

    https://<ipaddress or FQDN of appliance you wish to check>/status

    This returns a basic test page that you can then build into your load balancer configuration to provide the functionality you need. Here are examples from a primary and a replica.

    Primary:

    Appliance Name:      TPAMCONSOLE_Primary
    Cluster Role:        Primary
    Run Level:           Operational
    Replication Status:  Replicating
    State:               Healthy
    Last Update:         Fri Jan  3 09:38:00 2014

    Replica:

    Appliance Name:      TPAMCONSOLE_Replica
    Cluster Role:        Replica
    Run Level:           Operational
    Replication Status:  Standby
    State:               Healthy
    Last Update:         Fri Jan  3 08:42:00 2014

    You can build your load balancer filter rules around the information provided by the status page. In the simplest case, if you do not get a response from the primary, direct traffic to one of the other appliances. Or build a more complex filter that can look for no response from the primary and changes to the operational status of a replica to make decisions as to where to send the traffic.

    Remember also that TPAM will not respond to a ping and cannot be configured to do so.

    If you work out what you would like the load balancer to do, then you can talk to the team who look after the configuration and show them the above. I am sure that they will be able to help you achieve the results you are after.

    Tim

  • Thank you very much Tim for your detailed explanation.

    Could you please confirm if we can have the TPAM interface of all 3 appliances available behind the VIP?

    Also, as you mentioned, if we configure the /status URLs of all 3 TPAM appliances behind the VIP and the primary TPAM goes down, will we be able to access one of the replica TPAM interfaces when we hit the VIP URL? Please confirm.

  • Yes, you can load balance as many TPAM appliances as you want. The key is working out exactly what you want to achieve and building the rules/filters on the load balancer accordingly.

    So if you were to configure your TPAM replicas to automatically fail over, then the TPAM replica's watchdog process would automatically promote the appliance when it is in its failed-over state. This would be reflected by the status page of the replica changing. You could then trigger a redirect based on the change of the wording.

    However, I have a feeling you are not fully aware of how the TPAM cluster works. You need to read up on this to allow you to work out what you need in your environment. It is very difficult to define requirements for you via a forum.

    Key points to remember:

    You have 1 authoritative Primary in a TPAM cluster.

    You cannot authenticate to any replica TPAM web interface. While in replica operating mode, a replica only accepts deltas from the Primary.

    A replica that is promoted IS NOT an authoritative Primary unless you manually promote it.

    When a Replica is promoted, it allows your users to authenticate to the TPAM web I/F that is normally blocked, BUT you have limited management functions available and auto password management is disabled. This can lock accounts with a post-release reset failure message until a paradmin user manually resets them.

    So when you design your load balance rules you can decide where the traffic is routed.

    I would suggest that by default the first rule should check to see if the Primary is responding to a status page request. If so, traffic then goes to the Primary.

    If the Primary does not respond, then you could send traffic to a replica without any other checking.

    You could expand on this to take into account the incoming IP address and decide to route traffic to the closest TPAM.

    Maybe if you have multiple sites with a load balancer on each, you will need to take this into account when planning your model. You could then cater for WAN outages.

    Lots of options. You need to define one that meets your requirements and needs.

    Tim
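The two answers above describe the same mechanism: probe each appliance's /status page over HTTPS (not ICMP, since TPAM never answers ping), parse the "Key: value" lines, and apply Tim's rule order (healthy Primary first, then a replica whose status wording has changed, then any responding replica). The following is an added worked example of that monitor logic in Python; it is not One Identity code and not a supported configuration. The field names and values are taken from the two status pages quoted earlier; the hostnames, the CA file path, and the wording a promoted replica shows ("Promoted") are assumptions, since the thread only says the replica's page "changes" without showing the new text.

```python
import ssl
import urllib.request
from typing import Dict, Iterable, Optional

# Field names copied from the primary/replica status pages quoted above.
FIELD_ROLE = "Cluster Role"
FIELD_RUN = "Run Level"
FIELD_STATE = "State"
PRIMARY_ROLE = "Primary"
REPLICA_ROLE = "Replica"

# Constructed samples modelled on the pages Tim posted (not captured output).
PRIMARY_UP = (
    "Appliance Name:  TPAMCONSOLE_Primary\n"
    "Cluster Role:          Primary\n"
    "Run Level:               Operational\n"
    "Replication Status:              Replicating\n"
    "State:          Healthy\n"
    "Last Update:           Fri Jan  3 09:38:00 2014\n"
)
REPLICA_STANDBY = (
    "Appliance Name:  TPAMCONSOLE_Replica\n"
    "Cluster Role:          Replica\n"
    "Run Level:               Operational\n"
    "Replication Status:              Standby\n"
    "State:          Healthy\n"
    "Last Update:           Fri Jan  3 08:42:00 2014\n"
)
# ASSUMPTION: the thread says a failed-over replica's status page changes
# wording but does not show the new text. "Promoted" is invented for this
# sample; read the real value off a promoted appliance before relying on it.
REPLICA_PROMOTED_ASSUMED = REPLICA_STANDBY.replace(
    "Cluster Role:          Replica", "Cluster Role:          Promoted"
)


def parse_status(body: str) -> Dict[str, str]:
    """Turn the 'Key:   value' lines of a /status page into a dict."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")  # first colon only; times keep theirs
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def is_serviceable(fields: Dict[str, str]) -> bool:
    """Route only to an appliance that reports itself up and healthy."""
    return fields.get(FIELD_RUN) == "Operational" and fields.get(FIELD_STATE) == "Healthy"


def choose_target(statuses: Dict[str, Optional[str]]) -> Optional[str]:
    """Pick the host the VIP should forward to.

    `statuses` maps host -> raw /status body, or None when the probe got no
    answer. Rule order follows Tim's suggestion:
      1. a healthy appliance reporting Cluster Role Primary;
      2. else a healthy appliance whose Cluster Role is no longer "Replica"
         (assumed to be what a promoted replica shows);
      3. else any healthy responding appliance, with no other checking.
    """
    healthy: Dict[str, Dict[str, str]] = {}
    for host, body in statuses.items():
        if body is None:
            continue  # no HTTP answer: treat as down (ping is never available)
        fields = parse_status(body)
        if is_serviceable(fields):
            healthy[host] = fields
    for host, fields in healthy.items():
        if fields.get(FIELD_ROLE) == PRIMARY_ROLE:
            return host
    for host, fields in healthy.items():
        if fields.get(FIELD_ROLE) != REPLICA_ROLE:
            return host
    return next(iter(healthy), None)


def fetch_status(host: str, ca_file: str, timeout: float = 3.0) -> Optional[str]:
    """Probe https://<host>/status; None on timeout, refusal or TLS failure.

    ca_file (an assumed path) holds the CA that issued the appliance
    certificate, so the monitor does not trust a spoofed status page.
    """
    try:
        ctx = ssl.create_default_context(cafile=ca_file)
        with urllib.request.urlopen(
            f"https://{host}/status", timeout=timeout, context=ctx
        ) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None


def probe_cluster(hosts: Iterable[str], ca_file: str) -> Optional[str]:
    """Probe every appliance and return the host the VIP should use right now."""
    return choose_target({h: fetch_status(h, ca_file) for h in hosts})


if __name__ == "__main__":
    # Offline demo on the constructed samples: primary down, one replica promoted.
    print(choose_target({"tpam1": None, "tpam2": REPLICA_STANDBY,
                         "tpam3": REPLICA_PROMOTED_ASSUMED}))
```

Note that rule 3 is Tim's "without any other checking" fallback: by his own key points a replica still in replica mode will not let users authenticate, so a VIP that lands there is reachable but not usable. In practice the value is in rule 2, which means confirming the exact status wording of a promoted replica on your appliances and matching it in the load balancer's monitor.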

  • Thank you very much Tim for your detailed explanation.