Symantec Privileged Access Management

  • 1.  [CA PAM] - WAN Clustering with external load balancer

    Posted Mar 23, 2017 06:45 AM

    Hi guys, I will set up a WAN cluster in PAM - one node for each Datacenter - with an external Load Balancer. As for configuring the Cluster on each node, is the VIP on the main node still mandatory?

    I am thinking of configuring the PAM cluster just with the IPs of the nodes and letting the external LB manage the VIP for users' access.

     

    Any hints or best practices?

     

    Thanks in advance and kind regards,

    Dario



  • 2.  Re: [CA PAM] - WAN Clustering with external load balancer
    Best Answer

    Broadcom Employee
    Posted Mar 23, 2017 09:14 AM

    Hi Dario

    Yes, you need to specify a cluster VIP or it will not recognize it is a cluster. But actually, if you are using an external load balancer, that may be a 169.254.X.X IP address.

     

    Does this help?



  • 3.  Re: [CA PAM] - WAN Clustering with external load balancer

    Broadcom Employee
    Posted Mar 23, 2017 09:18 AM

    Hi Dario,

     

    Since you are using an external load balancer the VIP defined in PAM is going to be useless. However, currently it is required that SOMETHING is put into the VIP field, or else it will not start the cluster. We usually recommend putting an unused IP in the field that will not affect your network. We also recommend that you DO NOT put the Load Balancer VIP in there, as it could cause problems.

     

    Based on the fact that this will be in separate data centers, you should review the following doc page for considerations on that. Also, since you are still in the beginning phases of this, you may want to wait for 2.8.2 to be released before you do too much with clustering, as it will be introducing a new feature which is meant to improve clustering in WAN: Multi-Site Clustering. We do not have a firm date on the 2.8.2 release yet, but it is expected to be released very soon.

     

    WAN Clustering Info:

    Set up Clusters for High Availability Deployments - CA Privileged Access Manager - 2.8.1 - CA Technologies Documentation 

     

    Hope this helps!

    -Christian



  • 4.  Re: [CA PAM] - WAN Clustering with external load balancer

    Posted Mar 23, 2017 09:31 AM

    Hi Christian, many thanks for your info.

    I've already checked that page, but my network skills are not strong enough to evaluate whether that requirement is a problem or not. From the network diagram they provided me, I can see a VLAN to go outside each DC, so I am guessing it is fully supported.

    In my humble opinion, a WAN cluster with a single node per DC is the worst cluster I can imagine, but they decided on this deployment option, even if I tried to discuss "sticky sessions" and HA concepts with them...



  • 5.  Re: [CA PAM] - WAN Clustering with external load balancer

    Posted Mar 24, 2017 05:53 PM

    Hi Christian,

     

    I have two appliances to work in a cluster.

     

    The customer has an external load balancer to work active-active with CA PAM, but the customer requests that the VIP must be set on the loopback of each appliance. To do that I would have to access the appliances via SSH (this is not possible).

     

    Any idea?

     

    Regards,

    Ricardo S.



  • 6.  Re: [CA PAM] - WAN Clustering with external load balancer

    Broadcom Employee
    Posted Mar 24, 2017 11:21 PM

    Hi Ricardo.

     

    There should be no need for SSH here. If your requirement is specifically to use the loopback address then just set the VIP to 127.0.0.1.

     

    As Miquel mentioned earlier, you could also use a Link Local address in the 169.254.0.0/16 range. This is not the "loopback address" but creates a similar black-hole situation where the address is not reachable and won't harm the network. Wikipedia provides a pretty good description of Link-local address.

     

    Go with the option that best meets your (customer's) needs.

     

    -Christian



  • 7.  Re: [CA PAM] - WAN Clustering with external load balancer

    Posted May 09, 2017 07:35 PM

    Hi lutch01,

     

    I did set 127.0.0.1 in the VIP field of CA PAM's cluster settings; the external LB (F5) has another VIP and I cannot access PAM through the external LB's VIP.

     

    The customer is insisting that the external LB's VIP must be set on the loopback interface of both CA PAM appliances for the balancing to work well. Is that correct, or is there another way to work with an external LB?

     

     

    Thanks much.

    Ricardo.



  • 8.  Re: [CA PAM] - WAN Clustering with external load balancer

    Broadcom Employee
    Posted May 10, 2017 08:22 AM

    Hi Ricardo,

     

    You should NOT put the VIP of the F5 into PAM. This could cause competition between PAM and the F5 over who will be able to own that IP. As is stated in the documentation link provided earlier in this thread: "You must provision a VIP, but users, programs, and clients can ignore it, and only use the load balancer." When using an External LB the VIP of PAM should not really matter because it will never be used.

     

    It sounds like the External LB may not be configured properly. On the External LB you should be pointing to each individual PAM appliance's own IP, never the VIP.

     

    -Christian
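

    The two replies above boil down to a pair of configuration rules: the VIP entered in PAM's cluster settings must be a throwaway address (loopback or an unused 169.254.0.0/16 link-local address), never the F5 VIP, and the load balancer pool must contain the individual appliance addresses, never a VIP. The following Python check is an added example written for this thread; it is not part of the product or the documentation, and the node addresses, LB VIP and pool members are constructed sample values.

```python
import ipaddress

# Constructed sample environment (not from the thread): one PAM appliance per
# data centre and the VIP that users actually connect to on the external F5.
NODES = ["10.10.1.20", "10.20.1.20"]
LB_VIP = "10.0.0.100"


def check_cluster_vip(pam_vip, lb_vip, nodes):
    """Findings for the address placed in PAM's cluster VIP field.

    Empty list means the value follows the advice in this thread.
    """
    findings = []
    vip = ipaddress.ip_address(pam_vip)

    # Rule from the replies: never reuse the load balancer's VIP, because PAM
    # and the LB would then compete for ownership of the same address.
    if vip == ipaddress.ip_address(lb_vip):
        findings.append("PAM VIP equals the load balancer VIP")

    # A node's own address is not a spare address either.
    if vip in {ipaddress.ip_address(n) for n in nodes}:
        findings.append("PAM VIP equals an appliance address")

    # The field must be filled, but the value should be unreachable: loopback
    # (127.0.0.1) or a link-local address (169.254.0.0/16) as suggested above.
    if not (vip.is_loopback or vip.is_link_local):
        findings.append(
            "PAM VIP is a routable address; use 127.0.0.1 or an unused "
            "169.254.0.0/16 address so it cannot collide with anything"
        )
    return findings


def check_lb_pool(pool_members, nodes, pam_vip, lb_vip):
    """Findings for the external load balancer's pool definition.

    The pool should list every appliance by its own IP and contain no VIP.
    """
    findings = []
    expected = {ipaddress.ip_address(n) for n in nodes}
    members = {ipaddress.ip_address(m) for m in pool_members}

    for vip in (pam_vip, lb_vip):
        if ipaddress.ip_address(vip) in members:
            findings.append(f"pool member {vip} is a VIP, not an appliance address")

    missing = expected - members
    if missing:
        findings.append(
            "pool is missing appliance(s): " + ", ".join(sorted(map(str, missing)))
        )
    return findings


if __name__ == "__main__":
    # Walk through the values discussed in the thread.
    for candidate in ("127.0.0.1", "169.254.10.10", LB_VIP):
        print(candidate, check_cluster_vip(candidate, LB_VIP, NODES))
    print("pool", check_lb_pool(NODES, NODES, "127.0.0.1", LB_VIP))
```

Running the block shows 127.0.0.1 and a 169.254.x.x address passing cleanly, the F5 VIP being rejected for the PAM field, and a pool built from the two appliance IPs passing the pool check.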



  • 9.  Re: [CA PAM] - WAN Clustering with external load balancer

    Posted Mar 23, 2017 09:18 AM

    Thank you Miquel. This helps a lot.