Symantec Privileged Access Management

  • 1.  Load Balancer recommendations

    Posted Feb 21, 2018 10:56 AM
    I have proposed a multi-site (Active-Passive) cluster with an elastic load balancer directing the traffic between the sites so that partial HA can be achieved. What type of elastic load balancer does CA recommend for this type of requirement? Are there any specific load balancing requirements for a multi-site cluster?
    While the user traffic is hitting the load balancer, I believe it has to only redirect the HTTP/HTTPS traffic, or is there any application traffic that it has to load balance? How about while we use the PAM client? On what port should the load balancer redirect the traffic while using the PAM client?


  • 2.  Re: Load Balancer recommendations

    Broadcom Employee
    Posted Feb 21, 2018 11:38 AM

    Hi Manoj, The PAM appliance is accessed by users only through the HTTPS port. There is no difference between PAM client or browser sessions. The https://<PAMserver>/health.php page can be used for availability. Error 503 is returned if the node is not available to serve users. The load balancer should let the SSL connection pass through and it should have sticky client sessions, i.e. continue to connect a given client/IP to the same cluster node within a short time. This is critical e.g. if SAML authentication is configured where the connection is redirected to an external SAML IdP and once authenticated there goes back to PAM. The connection must come back to the same PAM node that redirected to the IdP. In general an existing user session is only valid on the PAM cluster node that it was established on.
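    A small model of the load-balancer behaviour described in this reply, as an added example (not CA/Broadcom code): it probes each node's https://<PAMserver>/health.php, treats anything other than HTTP 200 (including the 503 mentioned above) as unavailable, and keeps a client pinned to one node for a short window. The node hostnames, the TTL and the injectable probe function are assumptions for illustration.

    ```python
    import hashlib
    import time
    import urllib.error
    import urllib.request

    HEALTH_PATH = "/health.php"  # availability page named in the reply

    def probe_node(host, timeout=5):
        """Return the HTTP status of https://<host>/health.php, or None on error."""
        try:
            with urllib.request.urlopen(f"https://{host}{HEALTH_PATH}", timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # a 503 from the health page surfaces here
        except (urllib.error.URLError, OSError):
            return None

    def node_available(status):
        """Only HTTP 200 means the node is serving users; 503 or no answer drains it."""
        return status == 200

    class StickyRouter:
        """Pins a client to the node it last used while the pin is fresh, so a
        SAML round trip returns to the node that issued the IdP redirect."""

        def __init__(self, nodes, ttl_seconds=300, probe=probe_node):
            self.nodes = list(nodes)   # assumed PAM node hostnames
            self.ttl = ttl_seconds     # assumed "short time" window
            self.probe = probe         # injectable for offline testing
            self.pins = {}             # client_ip -> (node, last_seen)

        def healthy_nodes(self):
            return [n for n in self.nodes if node_available(self.probe(n))]

        def route(self, client_ip, now=None):
            # Pick the node for client_ip; None when no node serves users.
            now = time.time() if now is None else now
            healthy = self.healthy_nodes()
            if not healthy:
                return None
            pinned = self.pins.get(client_ip)
            if pinned and pinned[0] in healthy and now - pinned[1] < self.ttl:
                node = pinned[0]
            else:  # no fresh pin: deterministic choice by client address
                digest = hashlib.sha256(client_ip.encode()).digest()
                node = healthy[int.from_bytes(digest[:4], "big") % len(healthy)]
            self.pins[client_ip] = (node, now)
            return node
    ```
    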



  • 3.  Re: Load Balancer recommendations

    Posted Feb 22, 2018 04:58 AM

    Hello Ralf,

    There are 3 types of Elastic Load Balancer offered in AWS: Application Load Balancer (Layer 7); Network Load Balancer (Layer 4); Classic Load Balancer (both Layer 4 and 7). With the current understanding and requirement from the client, I can easily not choose the network load balancer as this will not span across AZs and works only on Layer 4.

    And also, after reading your comments about HTTPS and that both nodes of the multi-site cluster will listen only on HTTPS, the SSL termination cannot happen at the load balancer level, meaning the traffic between the load balancer and the instance cannot be HTTP as the PAM nodes will only respond to HTTPS. Is my understanding right here?

    Between Application LB and Classic LB, which one does CA recommend for a multi-site cluster (Active-Passive node)?

    Additional question about the passive node. The secondary site in passive mode will not serve any end users' HTTPS requests?

    Thanks,

    Manoj



  • 4.  Re: Load Balancer recommendations

    Broadcom Employee
    Posted Feb 22, 2018 09:57 AM

    Since you will be tunnelling the SSL traffic from the client/browser through the LB to the PAM server, it doesn't make sense to me to use application layer load balancing (i.e. the application layer payload is encrypted).



  • 5.  Re: Load Balancer recommendations

    Posted Feb 22, 2018 10:06 AM

    If the SSL traffic is terminated at the load balancer level, the traffic from the LB to the PAM node will be non-encrypted. And PAM instances can work only with HTTPS and they don't take HTTP traffic. I think this is the reason to choose application load balancer against network load balancer.



  • 6.  Re: Load Balancer recommendations

    Broadcom Employee
    Posted Feb 22, 2018 12:24 PM

    Pearse commented on the LB type, classic LB preferred over application LB. I think you misunderstand multi-site clusters. There are no passive nodes in PAM clusters. All nodes are active, including those in secondary sites, and are meant to serve users. Please see https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/deploying/set-up-a-cluster for details. That page shows a sample cluster configuration where PAM users (that are not administrators) in fact are connected to secondary site nodes only and the primary site is accessed by PAM administrators only.