Symantec Privileged Access Management

  • 1.  CA PAM - VIP requirement

    Posted Aug 04, 2016 08:53 AM


    Hello All,

     

    While placing CA PAM appliances (two) in the same data center for fail-over purposes, will these require a VIP defined on the F5 load balancer, or will this be handled via the CA PAM appliance or application?

     

    Cheers,



  • 2.  Re: CA PAM - VIP requirement

    Posted Aug 07, 2016 12:58 AM

    I have set up two appliances in a cluster and defined 1 VIP on the load balancer, and it works perfectly.

    Just to note, the CA PAM appliance works in an Active/Active configuration, not Active/Standby. You will have both appliances ready to receive user requests at the same time. The load balancer will play a vital role in distributing traffic among both appliances. Just double-check the load balancing method you wish to configure; I recommend using round robin with sticky client IP address.

     

    For your question regarding the VIP on PAM, I think it is used for internal communication; I don't think that will do load balancing of user traffic. Eager to see a reply from the support or development team on this point.



  • 3.  Re: CA PAM - VIP requirement

    Broadcom Employee
    Posted Aug 07, 2016 11:42 AM

    If leveraging the appliance load balancing (via a defined VIP but no external load balancer), internally when a user connects it will pass their connection to the appliance in the cluster with the least number of active sessions to devices.



  • 4.  Re: CA PAM - VIP requirement

    Posted Aug 08, 2016 01:10 AM

    What is the best practice? Using the internal LB mechanism or a 3rd-party LB?



  • 5.  Re: CA PAM - VIP requirement

    Posted Aug 08, 2016 10:36 AM

    Thanks Adam.

     

    If we have an external load balancer, does that mean it is just a pass-through only to the primary CA PAM appliance (which does the real load balancing between its cluster members)?

    (or)

    Can we have both the CA PAM appliances configured in the load balancer, and they both can receive requests as per the logic/algorithm defined in the load balancer?



  • 6.  Re: CA PAM - VIP requirement
    Best Answer

    Posted Aug 09, 2016 12:34 AM

    Yes, you can configure both appliances in the load balancer, and both can receive requests as per the logic/algorithm defined, at the same time, in active/active. There are some advantages in using an external load balancer, i.e. one can monitor the health of the appliance, and based on that the load balancer will send traffic to the appliance which is more efficient at that moment. In addition to that, there are n number of load balancing algorithms which you can pick and choose as per the requirement.



  • 7.  Re: CA PAM - VIP requirement

    Broadcom Employee
    Posted Sep 01, 2016 04:37 AM

    Hi Tara,

    Is your original question already answered? If yes, can you please mark this question as answered?

    Thank you,

    Lluis Domenech

    CA Support Delivery Manager