Synchronizing User Records
About User Record Synchronization
The user record synchronization feature promotes a more consistent user experience by allowing users to retain their bookmarks and individual preferences regardless of which device they log in to.
User record synchronization relies on client-server pairings. The client is the device that users log in to start their remote access. Each client is associated with one primary server and one backup server to store user record data. Clients can be individual appliances or a node within a cluster.
A server in this instance is the device that stores the user data records. Each server can be configured to replicate its user record data to one or more peer servers. Servers are identified by a user-defined logical name. The same logical name can be assigned to more than one authentication server to let you associate authentication servers of different types to the same user. For example, SA1 is an ACE authentication server with user1 who creates a bookmark to www.pulsesecure.net. SA2 is an Active Directory authentication server with the same user1. For the www.pulsesecure.net bookmark to be transferred from SA1/ACE/user1 to SA2/AD/user1 you would assign the logical name "Logical1" to both the ACE server on SA1 and the Active Directory server on SA2.
Cluster VIPs cannot be used as the IP address for synchronizing between clients and peer servers.
As long as the logical name is the same, the authentication servers can be different types and different server names and still be associated with a common user. The username must be the same for user record data to be synchronized across the servers. The logical authentication server (LAS) and username combination is what uniquely identifies a user record.
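The identity rule above (the LAS name plus the username is the key, while device, server name and server type are not) is easy to get wrong when planning which servers to share a logical name. The following added example, which is not part of the Ivanti documentation, models it with a small in-memory store and walks through the SA1/ACE/user1 and SA2/AD/user1 case from the text; the AuthServer and RecordStore classes and the sample server names are constructed for illustration.

```python
"""Record identity in user record synchronization: (LAS name, username).

Added example, not part of the Ivanti Connect Secure documentation. It
models the rule above with a small in-memory store; the AuthServer and
RecordStore classes, and the SA1/SA2 sample servers, are constructed for
illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AuthServer:
    """An authentication server as configured on one appliance."""
    appliance: str                      # device the server is defined on, e.g. "SA1"
    name: str                           # server name on that appliance
    kind: str                           # "ACE", "AD", "local", ...
    logical_name: Optional[str] = None  # LAS name; None if sync is not enabled


@dataclass
class UserRecord:
    """The synchronized part of a user's data (bookmarks, preferences)."""
    bookmarks: set[str] = field(default_factory=set)
    preferences: dict[str, str] = field(default_factory=dict)


class RecordStore:
    """Holds user records keyed by (LAS name, username) only.

    Appliance, server name and server type play no part in the key, which
    is why SA1/ACE/user1 and SA2/AD/user1 share one record when both
    servers carry the logical name "Logical1".
    """

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], UserRecord] = {}

    @staticmethod
    def key(server: AuthServer, username: str) -> tuple[str, str]:
        if server.logical_name is None:
            raise ValueError(
                f"{server.appliance}/{server.name}: no LAS name, record cannot be synchronized"
            )
        return (server.logical_name, username)

    def get(self, server: AuthServer, username: str) -> UserRecord:
        return self._records.setdefault(self.key(server, username), UserRecord())

    def add_bookmark(self, server: AuthServer, username: str, url: str) -> None:
        self.get(server, username).bookmarks.add(url)

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Walk through the SA1/SA2 example from the text with constructed servers."""
    store = RecordStore()
    sa1_ace = AuthServer("SA1", "ace-server", "ACE", logical_name="Logical1")
    sa2_ad = AuthServer("SA2", "corp-ad", "AD", logical_name="Logical1")
    sa2_local = AuthServer("SA2", "System Local", "local", logical_name="Logical2")
    sa2_nosync = AuthServer("SA2", "legacy-ldap", "LDAP")  # sync not enabled

    # user1 creates a bookmark while logged in through SA1's ACE server.
    store.add_bookmark(sa1_ace, "user1", "www.pulsesecure.net")

    # Same username, different server type and device, same LAS: same record.
    shared = store.get(sa2_ad, "user1")
    # Same username but a different LAS: a separate, empty record.
    separate = store.get(sa2_local, "user1")
    # Different username under the same LAS: another separate record.
    store.get(sa2_ad, "user2")

    try:
        store.get(sa2_nosync, "user1")
        unsynced_error = None
    except ValueError as exc:
        unsynced_error = str(exc)

    return {
        "shared_bookmarks": sorted(shared.bookmarks),
        "separate_bookmarks": sorted(separate.bookmarks),
        "record_count": store.count(),
        "unsynced_error": unsynced_error,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows three distinct records: user1 under Logical1 (shared by both appliances, holding the bookmark), user1 under Logical2 (empty) and user2 under Logical1. A server without a LAS name cannot produce a key at all, which is the situation before step 4 of "Configuring the User Record Synchronization Authentication Server" has been completed.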
The following user records are synchronized between the client and server:
• Bookmarks
  • Web
  • File
  • Terminal Services
  • JSAM
• Preferences
• Persistent cookies
• Cached passwords
User session data is not synchronized. Persistent cookies, if changed, are synchronized when the user session terminates. All other modifications to the user records are synchronized immediately. User records are stored in cache on the client node prior to being pushed to the servers.
When a user logs in to a client, their data is pulled from the associated server. The pull is performed in the background and does not delay the login process. Users whose browsers do not support JavaScript must manually refresh the index page for updated bookmarks and preferences to appear. For browsers that support JavaScript, users may see a spinning progress indicator, and their home page refreshes automatically with the updated bookmarks and preferences.
Clients and servers need not be installed with the same Ivanti Connect Secure software version.
User record synchronization uses port 17425. This port number is not configurable. If you are deploying across a firewall, configure your firewall to allow traffic on this port.
To set up user record synchronization, you perform the following tasks:
1. Enable user record synchronization for each participating client and server, identify which ones are the client and which ones are the server, and assign a node name to each client and server.
2. Create a shared secret, which is used to authenticate the client with the server and the server with its peer servers.
3. On each server, define which clients and peers are allowed to communicate with the server.
4. On each client, define the servers that handle records for each LAS.
When enabling this feature, you have several options to initialize the user record database. You can:
• populate the database using user records located in the cache of the client systems.
• populate the database using user records located in the cache of the server systems.
• do not pre-populate the database, but populate it as users log in to and out of the client system.
If you choose the last option, users may not be able to view their saved bookmarks and preferences until the next time they log in, depending on which client they log in to.
User records may not synchronize if the time clocks on the devices are not in sync. We recommend that you use the same NTP server for each node participating in user record synchronization to keep system times accurately adjusted.
The user record synchronization feature will not start automatically after importing a system configuration that has this feature enabled. The workaround is to disable user record synchronization and then enable user record synchronization from the user interface after the configuration import.
Enabling User Record Synchronization
The first step in enabling user record synchronizing is to define the node name and the shared secret used to authenticate between the clients and the servers:
1. Select System > Configuration > User Record Synchronization > General.
2. Select the Enable User Record Synchronization check box.
3. Enter a unique node name. This name is used when associating a client with a server and is different from the logical name assigned to a server. This node name is also not the same as the cluster node name.
4. Enter the shared secret and confirm it.
The shared secret is the password used to authenticate the client with its servers and the primary server with its peer servers. Use the same shared secret for all clients and servers participating in user record synchronization.
5. Select whether this node is client only or if this node acts as both a client and server.
6. Click Save Changes.
If you need to make any changes in this window at a later time, you must deselect the Enable User Record Synchronization check box and click Save Changes. Make your edits, select the Enable User Record Synchronization check box and save your changes.
Once you enter a name and shared secret, you cannot clear these fields.
Configuring the User Record Synchronization Authentication Server
To set up the authentication server you must define its logical name:
1. Select Authentication > Auth Servers.
2. Click the name of the authentication server to which you want to assign a LAS name.
By assigning the authentication server a LAS name, all users that authenticate using the authentication server are associated with this LAS. In this instance, we are referring to the client nodes, not the user record synchronization server nodes.
3. Select the User Record Synchronization check box.
4. Enter a logical name to identify this server.
This allows you to share user record data across authentication servers on different devices. By assigning a LAS name to an authentication server, you are implicitly assigning it to all users that authenticate with that auth server. The combination of the user's login name and their LAS name uniquely identifies the user's user record across all user record synchronization servers.
5. Click Save Changes.
Configuring the User Record Synchronization Server
To set up the user record synchronization server you must define its peer nodes (optional) and the clients that can access this server.
1. Select System > Configuration > User Record Synchronization > This Server.
2. Enter the peer server's node name and IP address, then click Add. To specify more than one peer server, enter each server's node name and IP address individually and click Add. There is no limit on the number of peer servers you can add.
Data is replicated from the primary or backup server to its peer servers. If the primary is not available, user data is sent to the backup. User data is then replicated to the peer servers.
3. For each client you want synchronized with this server, enter the client's name and IP address and click Add.
Once added, peer servers will have a colored icon next to their name indicating their connection status. Node status is provided to client nodes and LAS mapping servers as well.
Color  | Description
Green  | Connecting
Yellow | Connecting
Gray   | Not connected
Configuring the User Record Synchronization Client
To set up the client, you select the primary and backup server you want this client to synchronize with:
1. Select System > Configuration > User Record Synchronization > This Client.
2. Select the LAS name you want to synchronize and enter the primary IP address of the user record server. If you prefer to synchronize with any available server, select Any LAS.
3. Enter the primary and, optionally, a backup server's IP address, and then click Add.
Even if you select Any LAS, you must enter a primary server IP address.
Once added, the primary and backup servers have a colored icon next to their name indicating their connection status.
Configuring the User Record Synchronization Database
With the Database tab, you can delete inactive records from the client cache, retrieve statistics about the database, export and import the data and remove user data from the server's database.
To configure the database:
1. Select System > Configuration > User Record Synchronization > Database.
2. Select Auto-delete inactive synchronized user records from the Cache to remove inactive user records from the cache. This option does not remove user records from the user record database.
When this option is selected, the system performs a check every 15 minutes and deletes user records that meet all of the following criteria:
• There are no active user sessions associated with the user record.
• The user record does not have any custom settings, or the latest version of the user record has been synchronized with the user record database.
• The authentication server associated with the user record database does not have type "local". For example, the "System Local" auth server that is part of the default configuration of the system has a "local" type, so any user records associated with that auth server will not be auto-deleted. However, user records associated with external authentication servers like Radius or LDAP may be deleted, depending on the two prior criteria.
3. Select Auto-delete user records from the local synchronization database that have been idle for X days to permanently remove user records from the database located on the server. Enter the number of days user records must be inactive before being deleted.
In this instance, "inactive" means that no client has pulled the user record or pushed any modifications to the user record in X days.
4. Click Retrieve Statistics to display the number of records in the database. You cannot edit or view records in the database.
5. Under Export, you export user records to a file. The user records can be exported from the user record database or from the cache. The exported file can be used to pre-populate the user record database on another node.
• Enter the LAS name of the user records you want to export. If you leave this field blank, all user records are exported. If you enter a LAS name, only user records with the entered LAS name are exported.
• To encrypt the exported data, select the Encrypt the exported data with password check box and enter the password.
• Click Export to export the user records from the specified source (cache or database). You will be prompted where to save the file.
6. Under Import, you import user records into the synchronization database. The user records can be imported from a file or from the cache. Use the Import operation to pre-populate the user record database with user records exported from another node, or with user records from the cache.
• Click Browse to locate the exported file and enter the password if the exported file was encrypted with a password.
• Select the Override Logical Auth Servers in imported user records with check box to replace the LAS name in each imported user record with the LAS name entered.
For example, if you change the LAS name, use this option to update the user records with the new name.
• Click Import.
7. Under Delete, specify which user records to permanently remove from the user record database. The options you select apply only to the user record database associated with this server.
• Select User record with login name and Logical Auth Server to remove a specific record. The login name and LAS name together uniquely identify a user record. Select this option to remove that record (if it exists).
• Select User records with Logical Auth Server to delete all user records with the specified LAS name.
• Select All user records to permanently remove all user records from the database on this node.
• Click Delete.
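The two auto-delete options in steps 2 and 3 above use different rules: the cache sweep on the client (run every 15 minutes) requires all three listed criteria, while the server-side option looks only at how long a record has been idle. The following added example, not Ivanti code, implements both rules as executable predicates and runs them over constructed sample records, one per case that matters (active session, unsynced custom settings, a "local" auth server, and a record with no custom settings at all). The CachedRecord fields are assumptions chosen to mirror the criteria in the text.

```python
"""Auto-delete rules from the Database tab, as an executable check.

Added example, not Ivanti code. It implements the three cache criteria
(checked every 15 minutes on the client) and the server-side
"idle for X days" criterion over constructed sample records. The
CachedRecord fields are assumptions chosen to mirror the criteria.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CachedRecord:
    username: str
    las: str                   # logical authentication server name
    auth_server_type: str      # "local", "ldap", "radius", ...
    active_sessions: int       # live user sessions tied to this record
    has_custom_settings: bool  # user changed bookmarks or preferences
    synced_to_database: bool   # latest version already pushed to the server
    last_activity: datetime    # last pull or push seen by the server


def cache_should_delete(rec: CachedRecord) -> bool:
    """Client-cache rule: all three criteria must hold."""
    if rec.active_sessions > 0:
        return False  # criterion 1: no active sessions
    if rec.has_custom_settings and not rec.synced_to_database:
        return False  # criterion 2: unsynced custom settings would be lost
    if rec.auth_server_type.lower() == "local":
        return False  # criterion 3: records of "local" auth servers are exempt
    return True


def database_should_delete(rec: CachedRecord, now: datetime, idle_days: int) -> bool:
    """Server-database rule: no pull or push for X days, nothing else considered."""
    return now - rec.last_activity >= timedelta(days=idle_days)


def cache_sweep(records: list[CachedRecord]) -> list[str]:
    """Usernames the 15-minute cache check would remove from the client cache."""
    return [r.username for r in records if cache_should_delete(r)]


def database_sweep(records: list[CachedRecord], now: datetime, idle_days: int) -> list[str]:
    """Usernames the idle-days option would permanently remove from the server database."""
    return [r.username for r in records if database_should_delete(r, now, idle_days)]


NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

SAMPLE = [  # constructed records, one per interesting case
    CachedRecord("alice", "Logical1", "ldap", 0, True, True, NOW - timedelta(days=100)),
    CachedRecord("bob", "Logical1", "ldap", 1, True, True, NOW - timedelta(days=200)),
    CachedRecord("carol", "Logical1", "radius", 0, True, False, NOW - timedelta(days=5)),
    CachedRecord("dave", "Logical2", "local", 0, False, True, NOW - timedelta(days=10)),
    CachedRecord("erin", "Logical2", "radius", 0, False, False, NOW - timedelta(days=90)),
]


if __name__ == "__main__":
    print("cache sweep:", cache_sweep(SAMPLE))
    print("database sweep (90 days):", database_sweep(SAMPLE, NOW, 90))
```

The cache sweep removes alice (idle, synced, external auth server) and erin (no custom settings, so her sync state is irrelevant) but keeps bob (active session), carol (unsynced changes) and dave ("local" auth server). The database sweep with X = 90 removes alice, bob and erin purely on idle time, which is why the text warns that the second option is a permanent deletion from the server.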
Scheduling User Record Synchronization Backup
You can configure periodic backups of the user record database. User record synchronization backup can be enabled only on a user record synchronization server.
To back up the user record database:
1. Ensure the system is set up as a user record synchronization server. See System > Configuration > User Record Synchronization.
2. Select Maintenance > Archiving > Archiving Servers.
3. Select the Archive User Record Synchronization Database check box.
4. Specify an archive schedule. Through the options, schedule archives on any combination of weekdays, including weekends.
If you schedule an archival operation to occur during the hour in which your system switches to Daylight Saving Time (DST), the operation may not occur as scheduled. For example, if your system is set to change to DST at 1:00 a.m. and you have scheduled an archival operation to occur at any time between 1:01 a.m. and 1:59 a.m., the operation is not performed, because at 1:00 a.m. the system clock is moved forward to 2:00 a.m. and the system never reaches your archival time for that date.
5. Define a specific time when you want the system to archive data, or elect to archive data every hour, which produces twenty-four files with unique timestamps.
We recommend you schedule an archival operation during hours when traffic is light in order to minimize its impact to your users. The automatic archiving process compresses files and, if the system is busy, can degrade performance for users. Also, a cluster node may appear unresponsive if the system is busy with traffic and performing archiving simultaneously.
6. Provide a password if you want to encrypt user record synchronization database archives with a password (optional).
7. Click Save Changes.
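The DST note under step 4 is easy to verify ahead of time rather than discovering a missing archive after the fact. The following added example, which is not Ivanti code, uses Python's zoneinfo database to check whether a fixed wall-clock archive time exists on every day of a year, and which hour an "every hour" schedule skips on the spring-forward day (that day yields twenty-three files, not twenty-four). The time zone and year are constructed inputs; America/New_York moves its clock forward at 2:00 a.m., so the gap falls an hour later than in the text's 1:00 a.m. illustration.

```python
"""Find archive schedule times that fall into a DST gap.

Added example, not Ivanti code. It uses Python's zoneinfo database to
check whether a fixed wall-clock archive time exists on every day of a
year, and which hour an hourly schedule skips. The time zone and year
are constructed inputs.
"""
from __future__ import annotations

from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo


def local_time_exists(naive: datetime, tz: ZoneInfo) -> bool:
    """True if the wall-clock time occurs in tz on that date.

    zoneinfo assigns a non-existent time the pre-transition offset; sending
    it through UTC and back therefore lands on a different wall-clock time,
    which is how the gap is detected. Ambiguous fall-back times round-trip
    to themselves and are correctly reported as existing.
    """
    aware = naive.replace(tzinfo=tz)
    roundtrip = aware.astimezone(timezone.utc).astimezone(tz)
    return roundtrip.replace(tzinfo=None) == naive


def days_in_year(year: int):
    d = date(year, 1, 1)
    while d.year == year:
        yield d
        d += timedelta(days=1)


def missed_archive_days(hour: int, minute: int, tz_name: str, year: int) -> list[str]:
    """Dates on which a schedule at hour:minute never occurs, so the archive is skipped."""
    tz = ZoneInfo(tz_name)
    return [
        d.isoformat()
        for d in days_in_year(year)
        if not local_time_exists(datetime.combine(d, time(hour, minute)), tz)
    ]


def skipped_hourly_runs(tz_name: str, year: int) -> list[tuple[str, int]]:
    """(date, hour) pairs an 'every hour' schedule skips: days with fewer than 24 files."""
    tz = ZoneInfo(tz_name)
    return [
        (d.isoformat(), h)
        for d in days_in_year(year)
        for h in range(24)
        if not local_time_exists(datetime.combine(d, time(h, 0)), tz)
    ]


if __name__ == "__main__":
    # Constructed inputs: a 2:30 a.m. daily schedule and an hourly schedule in New York, 2024.
    print(missed_archive_days(2, 30, "America/New_York", 2024))
    print(skipped_hourly_runs("America/New_York", 2024))
```

For the constructed inputs, a 2:30 a.m. daily schedule is skipped on 2024-03-10 and an hourly schedule loses its 2:00 a.m. run on that date, while a 1:30 a.m. schedule is unaffected. A schedule outside the transition hour, as the text recommends, has no missed dates in any zone, and a zone without DST (for example UTC) reports none at all.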