Symantec Privileged Access Management

  • 1.  How configure a second network card at PAM

    Posted Dec 19, 2017 04:11 PM

    Hi Community,

     

    We are currently in the process of installing and configuring the PAM solution for a customer. At the architecture level, the solution is distributed across 2 data centers, geographically located in different cities. In each data center there are 2 PAM appliances, for a total of 4, which must be configured in high availability. The customer needs the balancing to be done by the PAM solution, but when configuring the virtual IP the documentation indicates that both the VIP and the cluster members must be on the same network segment; therefore, the VIP cannot guarantee high availability and replication of the solution. The customer additionally requires that, in case of failure of the devices of one data center, the alternate data center ensures access to and administration of the endpoints of the managed devices.

    As an alternative, I tried to configure a second network card through the GB2 network interface, but it does not respond to ping. I have some questions that I would like help solving: How can you establish high availability of the PAM solution between the 2 data centers? Can you configure another network card over the GB2 network interface? The attached image can give an idea of the architecture and the problem. Any idea about it is welcome.



  • 2.  Re: How configure a second network card at PAM

    Posted Dec 20, 2017 12:25 PM

    JulianRiano,

     

    Hello, 

     

    My first question is, does the customer have an external load balancer?  If so, I would recommend the following:

     

    Datacenter 1 (PAM-001 and PAM-002) configured as a primary master site cluster with a VIP for the Datacenter, something like (DC1-PAM.company.com) and Datacenter 2 (PAM-003 and PAM-004) also configured with a VIP similarly (DC2-PAM.company.com).  At this point, for full failover, you could utilize an external load balancer with weighting of 98% for Datacenter1 and 2% for Datacenter2. This would allow a single VIP controlled by an external load balancer to automatically direct traffic to the DR site should the primary site go down and leverage a single URL for access such as PAM.company.com.

     

    If the customer does not have an external load balancer for their network, then you would have the two VIPs to direct traffic, but end users would need to know to switch the URL to the alternate site in the event of an outage. 

     

    Cheers!

    David
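
    How the single-URL failover described above could be modelled and monitored, as an added example that is not code from the thread or from CA/Symantec PAM; it assumes the two site VIP names used above, the 98/2 weighting, and a plain TCP health check on port 443:

```python
"""Single-URL site failover for a two-site PAM deployment.

Added example, not code from the thread or from CA/Symantec PAM. It models the
external-load-balancer setup described above: PAM.company.com normally routes
to the Datacenter 1 VIP and only falls over to the Datacenter 2 VIP when the
primary site's health check fails. Hostnames and weights below are constructed
placeholders taken from the thread's example names.
"""
import socket

# Constructed site table: the higher weight is preferred while it is healthy.
SITES = [
    {"name": "DC1", "vip": "DC1-PAM.company.com", "weight": 98},
    {"name": "DC2", "vip": "DC2-PAM.company.com", "weight": 2},
]


def tcp_probe(host, port=443, timeout=2.0):
    """Health check: True if the VIP accepts a TCP connection on the HTTPS port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_site(sites, probe=tcp_probe):
    """Return the highest-weight healthy site, or None when every site is down."""
    ranked = sorted(sites, key=lambda s: s["weight"], reverse=True)
    for site in ranked:
        if probe(site["vip"]):
            return site
    return None


def routing_state(sites, probe=tcp_probe):
    """Classify the decision for monitoring: 'primary', 'failover' or 'outage'.

    A 'failover' result is worth alerting on: per the CA documentation quoted
    in this thread, workflow functions (check-in/check-out, credential rotation,
    dual authorization) are unavailable while the primary site is down.
    """
    chosen = select_site(sites, probe)
    if chosen is None:
        return "outage"
    preferred = max(sites, key=lambda s: s["weight"])
    return "primary" if chosen is preferred else "failover"
```

    The `probe` parameter exists so the decision logic can be exercised offline with a fake health check before pointing it at real VIPs.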



  • 3.  Re: How configure a second network card at PAM

    Posted Dec 20, 2017 02:22 PM

    Hi David

     

    The customer does not have an external load balancer for their network. If I configure two VIPs, how can I get an instant replica of the data at the two datacenters?

     

    Thanks

     

    Julian



  • 4.  Re: How configure a second network card at PAM

    Posted Jan 17, 2018 08:59 AM

    Hello David,

     

    I may not have understood the HA clustering within PAM completely, so please excuse me if this is a silly question.

     

    What about the data replication from the primary site cluster to the secondary site cluster? How does that work? At a given point in time, if the users are connecting to the primary site VIP, all the DB writes will go to both cluster nodes of the primary site, as they are active-active synchronized. But during a failure of the primary site, how does the data in the primary site get replicated?

     

    Thanks,

    Manoj



  • 5.  Re: How configure a second network card at PAM

    Broadcom Employee
    Posted Jan 17, 2018 11:29 AM

    Hi Manoj, while the primary site is down there is nothing to be replicated. No credential changes will be possible. Synchronization is discussed in the online documentation, e.g. at https://docops.ca.com/ca-privileged-access-manager/3-0-2/EN/deploying/set-up-a-cluster/cluster-synchronization-promotion-and-recovery.

    Also note the following paragraph in https://docops.ca.com/ca-privileged-access-manager/3-0-2/EN/deploying/set-up-a-cluster/cluster-configuration:

     

    5. Under Multi-Site, determine the behavior of the secondary site when the primary site is unavailable. To change the behavior globally, first turn off the cluster. The options for the secondary site are:

    • Operationally Safe
      • Users can view passwords from the local CA PAM database.
      • Users can continue to access devices and create sessions to devices.
      • All workflow functions are disabled. These functions are check-in/check-out, dual authorization, credential rotation, Service Desk integration, reason to view credentials.
    • Security Safe
      • Users cannot create sessions to devices that are configured for auto-logon using Credential Manager. 
      • Users cannot view passwords.

    Workflow functions are not available when the primary site is down.



  • 6.  Re: How configure a second network card at PAM

    Posted Jan 18, 2018 02:24 AM

    Hello Ralf,

     

    Thanks for your response!!! My client has all their infra in AWS, and the proposed PAM solution is also in AWS. I have proposed a couple of AWS instances, one per availability zone, with clustering established between the availability zones. Can this be an example of a multi-site cluster? This is a production environment, and for DR I have proposed a cold standby with AWS instances readily waiting. During a complete cluster failure the restoration will be manual and will be achieved using scheduled backups, and things will operate from DR until the cluster issue is fixed completely.

     

    Questions:-

    1. While the service is running for a few days until the primary site is restored, will there be any challenges in restoring the data back to the primary site, since we have a clustered environment in prod and a standalone instance in DR?

     

    2. We have plans to deploy the primary node of the cluster in one availability zone and the secondary node of the cluster in the other availability zone, for redundancy in case of failure of a zone. Does CA recommend this? Or what would be the acceptable network latency level for both nodes to work with no synchronization issues?

     

    3. For having a cold standby CA PAM AWS instance, does this cost an additional license?

     

    Thanks,

    Manoj



  • 7.  Re: How configure a second network card at PAM

    Broadcom Employee
    Posted Jan 18, 2018 09:46 AM

    Hi Manoj,

    1. If you have a multi-site cluster with one node in the primary zone and one node in the secondary zone, there is little difference from a standalone node as far as recovery is concerned. Like you would bring up the DR instance using a DB backup, you would go back to the cluster by restoring the current DB from the DR instance on the primary cluster node while the cluster is off, and then bring the cluster back on. If the DR environment is available at all times (outside of failures or maintenance windows) it would be better to keep the DR PAM instance running and configure it as another secondary cluster site. Then you just need to make it the primary site when the other sites fail, and you change it back when those become available again.
    2. Yes, this is a multi-site scenario. Network latency would be a problem for a single-site cluster, but the multi-zone cluster is much more resilient to it.
    3. Yes, every PAM instance needs its own license. You would have to work with your CA account team on that.

     



  • 8.  Re: How configure a second network card at PAM

    Broadcom Employee
    Posted Dec 20, 2017 01:18 PM

    Hi Julian, for such a case you want to configure a multi-site cluster, here specifically 2 sites, see https://docops.ca.com/ca-privileged-access-manager/2-8-4/EN/deploying/set-up-a-cluster for details on configuring multi-site clusters. Configuration of multiple network interfaces should work. Each interface needs to be configured and enabled on the Configuration > Network > Network Settings page. There is a "RESTART NETWORKING" button on the page that you would use after changing and saving the network interface configuration. Cluster communication will only use the interface defined in the cluster configuration though. I am not sure what HA scenario you are trying to address with the second interface.



  • 9.  Re: How configure a second network card at PAM
    Best Answer

    Broadcom Employee
    Posted Dec 20, 2017 01:23 PM

    Hi Julian,

     

    I see that you are using virtual appliances. Virtual appliances have some caveats when attempting to add network cards. Any network cards should be added BEFORE the first time you ever boot the system. Attempting to add another NIC after that may cause catastrophic problems with PAM depending on your version. This is actually related to the licensing control feature, because PAM sees that the hardware has changed and assumes it has been tampered with. I believe the catastrophic results no longer happen in the 3.x branch, but the 2.x definitely still has this happen.

     

    Please see this doc for more information on my statements:

    Is it possible to add additional NIC cards to a virtual CA PAM appliance? 

     

    Related Documentation:

    "NICs: One interface. Add extra required interfaces before initial boot."

    Installation Requirements - CA Privileged Access Manager - 3.0.2 - CA Technologies Documentation 

     

    Hope this helps,

    Christian Lutz

    Support Engineer

    CA Technologies - North America