Clustering
The Cloud Secure SSO solution is supported with Active/Active and Active/Passive cluster deployments.
It requires load balancing of VPN connections and SAML requests across all the cluster nodes.
For generic clustering configuration, refer to the Ivanti Connect Secure Administration Guide.
The deployment scenarios and configurations specific to Cloud Secure are described below:
• Cloud Secure Active/Active Cluster Deployment
• Cloud Secure Active/Passive Cluster Deployment
Cloud Secure Active/Active Cluster Deployment
For Active/Active cluster support, an external load balancer distributes VPN connection requests across the external interfaces of all cluster nodes. For L3 VPN, the SAML AuthN requests are load balanced through configuration on the internal DNS server. For L4 VPN, host entries on the respective Ivanti Connect Secure nodes are required instead to handle the SAML AuthN requests.
In an Active/Active PCS cluster, user sessions are synchronized across the cluster nodes, so once a VPN connection is established with one node, its session details are available on every node in the cluster. If a user's VPN connection is on one Ivanti Connect Secure node and the SAML AuthN request arrives at another, SSO to the SAML SP is provided using the cluster-synchronized session.
- SSO is not supported on a Configuration-Only cluster, because user sessions are not synchronized across its cluster nodes.
- If the Ivanti Connect Secure cluster node whose IP address is returned first in the DNS response fails, the browser tries the second IP address. If that node is reachable, the SAML AuthN request is handled by the second cluster node. In this failover scenario, SSO is therefore provided by the other Ivanti Connect Secure node in the Active/Active cluster.
- For an Active/Active cluster with L3 VPN, the "Alternate Host FQDN" entry should resolve to the internal IP addresses of all cluster nodes on the internal DNS server. For L4 VPN, host entries should be added on the respective Ivanti Connect Secure nodes so that the Alternate Host FQDN resolves to the internal interface IP. Navigate to System > Network > Hosts to add the host entries.
- For the re-use VPN functionality to work in an Active/Active cluster deployment, the internal IP addresses of all cluster nodes should be added as split tunnel resources.
Cloud Secure Active/Passive Cluster Deployment
Ivanti Connect Secure uses a virtual IP (VIP) address to address the cluster pair. If the active node fails, the passive node takes over the VIP address and continues to provide SSO access.
For the re-use VPN functionality to work in an Active/Passive cluster deployment, the internal VIP address should be added as a split tunnel resource.
DNS Server Configuration
The admin should add the host entries on the internal and external DNS servers as described in the table below.
DNS Server Configuration

| Cluster Type   | DNS Server   | Cluster FQDN for SAML    | Alternate Cluster FQDN for SAML  |
|----------------|--------------|--------------------------|----------------------------------|
| Active/Active  | External DNS | Load Balancer IP Address | Load Balancer IP Address         |
| Active/Active  | Internal DNS | NA                       | Internal IP Address of all nodes |
| Active/Passive | External DNS | VIP External Address     | VIP External Address             |
| Active/Passive | Internal DNS | NA                       | VIP Internal Address             |
For a One Arm deployment, the Virtual Port IP address of all nodes should be added to the DNS server.
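As an added example (not Ivanti's code or configuration), the following Python script encodes the DNS and split tunnel requirements from the cluster notes and the DNS Server Configuration table above, and compares them with the answers a resolver actually returned. It flags a cluster node whose internal address is missing from the Alternate Cluster FQDN, the misconfiguration that silently removes the second address the browser would fall back to on failover. Node names, FQDNs and addresses are constructed; L4 VPN host entries and One Arm deployments are not modelled.

```python
# Added example (not Ivanti's code): derive the DNS records and split tunnel
# resources that Cloud Secure SSO needs for a given cluster, and compare them
# with what a resolver actually returned. All names and addresses are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ClusterNode:
    name: str
    internal_ip: str   # internal interface (SAML AuthN reaches the node here)
    external_ip: str   # external interface (VPN connection requests)


@dataclass
class Cluster:
    mode: str                  # "active-active", "active-passive" or "configuration-only"
    saml_fqdn: str             # Cluster FQDN for SAML
    alt_fqdn: str              # Alternate Cluster FQDN for SAML
    nodes: List[ClusterNode]
    lb_ip: str = ""            # external load balancer address (Active/Active)
    vip_external: str = ""     # Active/Passive VIP addresses
    vip_internal: str = ""


def sso_supported(cluster: Cluster) -> bool:
    """SSO needs synchronized user sessions; a Configuration-Only cluster has none."""
    return cluster.mode in ("active-active", "active-passive")


def expected_dns(cluster: Cluster) -> Dict[str, Dict[str, List[str]]]:
    """Records per DNS view, following the DNS Server Configuration table:
    {"external": {fqdn: [ips]}, "internal": {fqdn: [ips]}}. The internal view
    only carries the alternate FQDN (the table lists the cluster FQDN as NA)."""
    if not sso_supported(cluster):
        raise ValueError(f"SSO is not supported for a {cluster.mode} cluster")
    if cluster.mode == "active-active":
        if not cluster.lb_ip:
            raise ValueError("Active/Active needs an external load balancer address")
        return {
            "external": {cluster.saml_fqdn: [cluster.lb_ip],
                         cluster.alt_fqdn: [cluster.lb_ip]},
            # every node's internal IP, so the browser has a second address on failover
            "internal": {cluster.alt_fqdn: [n.internal_ip for n in cluster.nodes]},
        }
    if not (cluster.vip_external and cluster.vip_internal):
        raise ValueError("Active/Passive needs external and internal VIP addresses")
    return {
        "external": {cluster.saml_fqdn: [cluster.vip_external],
                     cluster.alt_fqdn: [cluster.vip_external]},
        "internal": {cluster.alt_fqdn: [cluster.vip_internal]},
    }


def split_tunnel_resources(cluster: Cluster) -> List[str]:
    """Internal addresses that must be split tunnel resources for re-use VPN."""
    if cluster.mode == "active-active":
        return [n.internal_ip for n in cluster.nodes]
    return [cluster.vip_internal]


def check_resolution(expected, observed) -> List[str]:
    """Compare the expected records with resolver answers of the same shape and
    return one finding per missing or unexpected address (empty list means OK)."""
    findings = []
    for view, records in expected.items():
        for fqdn, want in records.items():
            got = set(observed.get(view, {}).get(fqdn, []))
            for ip in sorted(set(want) - got):
                findings.append(f"{view} DNS: {fqdn} does not resolve to {ip}")
            for ip in sorted(got - set(want)):
                findings.append(f"{view} DNS: {fqdn} unexpectedly resolves to {ip}")
    return findings


# Constructed sample: a two node Active/Active cluster behind a load balancer.
SAMPLE_AA = Cluster(
    mode="active-active",
    saml_fqdn="vpn.example.com",
    alt_fqdn="vpn-alt.example.com",
    nodes=[ClusterNode("ics-node1", "10.10.1.11", "203.0.113.11"),
           ClusterNode("ics-node2", "10.10.1.12", "203.0.113.12")],
    lb_ip="203.0.113.10",
)

# Constructed resolver answers in which node2 was left out of the internal zone:
# if node1 fails, the browser has no second address to try, so failover SSO is lost.
OBSERVED_AA = {
    "external": {"vpn.example.com": ["203.0.113.10"],
                 "vpn-alt.example.com": ["203.0.113.10"]},
    "internal": {"vpn-alt.example.com": ["10.10.1.11"]},
}

if __name__ == "__main__":
    for view, records in expected_dns(SAMPLE_AA).items():
        for fqdn, ips in records.items():
            print(f"{view:8} {fqdn:22} -> {', '.join(ips)}")
    print("split tunnel resources:", ", ".join(split_tunnel_resources(SAMPLE_AA)))
    for finding in check_resolution(expected_dns(SAMPLE_AA), OBSERVED_AA):
        print("FINDING:", finding)
```

In practice the `observed` structure would be filled from queries against the external and internal resolvers (for example the answers to `dig +short vpn-alt.example.com` from each network); the comparison is kept separate so it can run offline against captured answers and in a pre-change check before a cluster node is added or replaced.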