Symantec Access Management

  • 1.  12.7 Access Gateway Failover/loadbalancing

    Posted Jan 08, 2018 10:19 AM

We are looking at using the 12.7 Access Gateway (formerly CA Secure Proxy Server) as a virtual web agent platform, but now have concerns about whether it can be clustered or set up for failover so that there are fewer chances of a production-down event. Has anyone attempted to set up a failover server, or know if it is possible?


    We theorized that since it doesn't hold a database of its own and makes a connection to the policy server it must leech the data from the policy store and thus could be redundant without the need for manual duplication. Would this be correct?



  • 2.  Re: 12.7 Access Gateway Failover/loadbalancing

    Broadcom Employee
    Posted Jan 08, 2018 11:03 AM

    There's currently no failover/load balancing functionality within the product. The recommended way to deploy Access Gateway is to place this component into your network to work in conjunction with load balancing devices.


At the same time, you could set up an Access Gateway instance to talk to multiple policy server instances for redundancy purposes.



  • 3.  Re: 12.7 Access Gateway Failover/loadbalancing

    Posted Jan 08, 2018 01:22 PM

    So our setup would be similar to this diagram but lack the firewall before the two load balancing devices before the web farms. Our idea was to use a load balancer in front of two access gateway servers both connecting back to two clustered policy servers to create redundancy.



  • 4.  Re: 12.7 Access Gateway Failover/loadbalancing

    Posted Jan 31, 2018 01:07 PM

    In the case of federation is there any relevant change or concern with this design?



  • 5.  Re: 12.7 Access Gateway Failover/loadbalancing

    Posted Jan 08, 2018 12:47 PM

Makesh summarized Part-A of the question, which focuses on FO / LB.


I'll elaborate on Part-B.


    Part-B

    We theorized that since it doesn't hold a database of its own and makes a connection to the policy server it must leech the data from the policy store and thus could be redundant without the need for manual duplication. Would this be correct?


It is unclear what data we are talking about specifically, i.e. Access Policy Data or CA AG Configuration Data. You do hint at the Policy Store, but alas, the Policy Store can also hold more than just Access Policy in this case. So I'm going to talk about both so as to give you an extended preview.


Access Policy Data: This is stored in the Policy Store. Hence it is retrieved as you described.


CA AG Configuration Data: OOB this resides on the filesystem where CA AG is configured. Thus, the OOB configuration being filesystem based plus being nuclear to each CA AG instance, it is either manually synced by hand on each individual CA AG, or the individual ProxyUI is used to manage / administer each individual instance. If we want to administer / manage a Cluster of CA AG using a single ProxyUI, then we switch the solution to a Group Based Solution. Here we can group "n" number of CA AG into Clusters. Once clustered, all configuration data is saved into the Policy Store instead of the filesystem. NOTE: This Cluster is only for configuration purposes. Once clustered, all CA AG in the cluster retrieve their configuration from the Policy Store. Thus we can use a single ProxyUI to manage / administer multiple CA AG. But be careful about which CA AG instances you cluster, e.g. you cannot cluster two CA AG running on two different ports. Again, there are pros and cons to each approach (e.g. if you are following a DevOps methodology, then syncing individual CA AG using scripting sounds more appropriate than the UI).
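For the filesystem-based option above, where each instance keeps its own copy of the configuration, the operational risk is silent drift between gateway nodes behind the load balancer. The following added example (not from this thread or the product) shows a scripted drift check over constructed per-instance snapshots; the file names, the "port=" key and the instance names are placeholders, not the product's real configuration layout.

```python
import hashlib
import re
from typing import Dict, List, Optional

Snapshot = Dict[str, str]  # config file name -> file contents

# Constructed per-instance config snapshots. File names and the "port=" key are
# placeholders for illustration, not the product's real configuration layout.
SNAPSHOTS: Dict[str, Snapshot] = {
    "ag-node1": {"server.cfg": "port=443\n", "rules.xml": "<f to='app'/>"},
    "ag-node2": {"server.cfg": "port=443\n", "rules.xml": "<f to='app'/>"},
    "ag-node3": {"server.cfg": "port=8443\n", "rules.xml": "<f to='app-old'/>"},
}

def digest(text: str) -> str:
    """SHA-256 of a config file so instances can be compared without a full diff."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def config_drift(snapshots: Dict[str, Snapshot], reference: str) -> Dict[str, List[str]]:
    """Compare each instance's files against the reference instance.
    Returns {instance: [findings]}; an empty list means it is in sync."""
    ref = snapshots[reference]
    report: Dict[str, List[str]] = {}
    for name, files in snapshots.items():
        if name == reference:
            continue
        findings: List[str] = []
        for path in sorted(set(ref) | set(files)):
            if path not in files:
                findings.append(f"missing: {path}")
            elif path not in ref:
                findings.append(f"extra: {path}")
            elif digest(files[path]) != digest(ref[path]):
                findings.append(f"differs: {path}")
        report[name] = findings
    return report

def listen_port(files: Snapshot) -> Optional[str]:
    """Placeholder parser for a 'port=NNN' line in the server config."""
    match = re.search(r"^port=(\d+)$", files.get("server.cfg", ""), re.MULTILINE)
    return match.group(1) if match else None

def clusterable(snapshots: Dict[str, Snapshot]) -> bool:
    """Instances can only share one grouped configuration if they all listen
    on the same port, so mixed ports rule out a single configuration cluster."""
    ports = {listen_port(files) for files in snapshots.values()}
    return len(ports) == 1 and None not in ports
```

Running `config_drift(SNAPSHOTS, "ag-node1")` flags ag-node3 on both files while ag-node2 reports in sync, and `clusterable(SNAPSHOTS)` is false because ag-node3 listens on a different port.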