Clustering

Cloud Secure SSO is supported in both Active/Active and Active/Passive cluster deployments.

Both deployments require load balancing of VPN connections and SAML requests across all the cluster nodes.

For generic Clustering Configurations, refer to Ivanti Connect Secure Administration Guide.

The deployment scenarios and configurations specific to Cloud Secure are described below:

Cloud Secure Active/Active Cluster Deployment

Cloud Secure Active/Passive Cluster Deployment

DNS Server Configuration

Cloud Secure Active/Active Cluster Deployment

For Active/Active cluster support, an external load balancer distributes VPN connection requests across the external interfaces of all cluster nodes. For L3 VPN, the internal DNS server must be configured to load balance the SAML AuthN requests. For L4 VPN, host entries must be configured on the respective Ivanti Connect Secure nodes so that each node handles the SAML AuthN requests itself.

In an Active/Active Ivanti Connect Secure cluster, user sessions are synchronized across the cluster nodes. Hence, if a VPN connection is established with one cluster node, the session details are available on all nodes of the Active/Active cluster. If a user has a VPN connection with one Ivanti Connect Secure node and the SAML AuthN request arrives at another node, SSO to the SAML SP is provided using the cluster-synchronized session.

  • SSO is not supported on a Configuration-Only cluster, since user sessions are not synchronized across cluster nodes.
  • If the Ivanti Connect Secure cluster node whose IP address is returned first in the DNS response fails, the browser tries the second IP address. If that node is reachable, the SAML AuthN request is handled by the second cluster node. In this way, in a failover scenario, SSO is provided by the other Ivanti Connect Secure node in the Active/Active cluster.
  • For an Active/Active cluster with L3 VPN, the internal DNS server must resolve the "Alternate Host FQDN" entry to the internal IP addresses of all cluster nodes. For L4 VPN, host entries must be added on the respective Ivanti Connect Secure nodes so that the Alternate Host FQDN resolves to the node's internal interface IP. Navigate to System > Network > Hosts to add the host entries.
  • For the re-use VPN functionality to work in an Active/Active cluster deployment, the internal IP addresses of all cluster nodes must be added as split tunnel resources.

Cloud Secure Active/Passive Cluster Deployment

Ivanti Connect Secure uses a virtual IP (VIP) address to represent the cluster pair. If the active node fails, the passive node takes over the VIP address and continues to provide SSO access.

For the re-use VPN functionality to work in an Active/Passive cluster deployment, the internal VIP address must be added as a split tunnel resource.

DNS Server Configuration

The administrator should add the host entries on the internal and external DNS servers as described in the table below.

DNS Server Configuration

Cluster type            DNS server     Cluster FQDN for SAML      Alternate Cluster FQDN for SAML
Active/Active Cluster   External DNS   Load Balancer IP Address   Load Balancer IP Address
Active/Active Cluster   Internal DNS   NA                         Internal IP Address of all nodes
Active/Passive Cluster  External DNS   VIP External Address       VIP External Address
Active/Passive Cluster  Internal DNS   NA                         VIP Internal Address

For a One Arm deployment, the Virtual Port IP addresses of all nodes should be added to the DNS server.
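The Active/Active DNS requirements above and the table in this section describe the same split-horizon plan: the Alternate Host FQDN must resolve to the load balancer (or external VIP) from outside and to the internal address of every node (or the internal VIP) from inside, and a node missing from the internal answer silently breaks SSO for users whose tunnel landed on it. The following script is an added example, not Ivanti code or documentation; it encodes that table and checks a resolver's answers against it. The FQDNs, addresses and the stub answers are constructed placeholders; replace them with your own values and run it once from inside the network (internal view) and once from outside (external view).

```python
"""Check a Cloud Secure cluster's split-horizon DNS against the plan in this section.

Added example, not part of the Ivanti documentation. All names and addresses
below are hypothetical placeholders chosen for illustration.
"""
import socket
from typing import Callable, Dict, List, Optional, Set, Tuple

Resolver = Callable[[str, str], Set[str]]  # (view, fqdn) -> set of IPv4 A records

# Hypothetical deployment values (assumptions, not from the page).
CLUSTER_FQDN = "vpn.example.com"       # "Cluster FQDN for SAML"
ALT_FQDN = "vpn-alt.example.com"       # "Alternate Host FQDN" used for SAML AuthN
NODE_INTERNAL = {"10.0.1.11", "10.0.1.12"}  # internal interface of each A/A node
LB_EXTERNAL = "203.0.113.10"           # load balancer front of the A/A cluster
VIP_EXTERNAL = "203.0.113.20"          # A/P external VIP
VIP_INTERNAL = "10.0.1.20"             # A/P internal VIP


def dns_plan(mode: str) -> Dict[Tuple[str, str], Optional[Set[str]]]:
    """Expected A records per (view, fqdn), following the page's DNS table.

    None means the table says NA: no entry is required in that view.
    """
    if mode == "active-active":
        return {
            ("external", CLUSTER_FQDN): {LB_EXTERNAL},
            ("external", ALT_FQDN): {LB_EXTERNAL},
            ("internal", CLUSTER_FQDN): None,
            # Every node must appear, otherwise SAML AuthN cannot be balanced
            # and failover to the second address (see the bullets above) fails.
            ("internal", ALT_FQDN): set(NODE_INTERNAL),
        }
    if mode == "active-passive":
        return {
            ("external", CLUSTER_FQDN): {VIP_EXTERNAL},
            ("external", ALT_FQDN): {VIP_EXTERNAL},
            ("internal", CLUSTER_FQDN): None,
            ("internal", ALT_FQDN): {VIP_INTERNAL},
        }
    raise ValueError(f"unknown cluster mode: {mode}")


def check_plan(mode: str, resolve: Resolver) -> List[str]:
    """Compare resolver answers with the plan; an empty list means DNS matches."""
    findings = []
    for (view, fqdn), expected in dns_plan(mode).items():
        if expected is None:          # NA in the table: nothing to verify
            continue
        actual = resolve(view, fqdn)
        if actual != expected:
            findings.append(
                f"{view} DNS: {fqdn} -> {sorted(actual)}, expected {sorted(expected)}"
            )
    return findings


# Constructed stub answers standing in for real resolver output. The internal
# view deliberately omits the second node: the misconfiguration the check exists
# to catch, since users whose tunnel is on 10.0.1.12 would still get SSO only
# while 10.0.1.11 is up, and never via that node directly.
STUB_ANSWERS: Dict[Tuple[str, str], Set[str]] = {
    ("external", CLUSTER_FQDN): {LB_EXTERNAL},
    ("external", ALT_FQDN): {LB_EXTERNAL},
    ("internal", ALT_FQDN): {"10.0.1.11"},
}


def stub_resolve(view: str, fqdn: str) -> Set[str]:
    return set(STUB_ANSWERS.get((view, fqdn), set()))


def live_resolve(view: str, fqdn: str) -> Set[str]:
    """Resolve with this host's configured resolver.

    The view argument is informational here: run the script from inside the
    network to validate the internal view and from outside for the external one.
    """
    return {ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)}


if __name__ == "__main__":
    for line in check_plan("active-active", stub_resolve) or ["DNS plan OK"]:
        print(line)
```

To check a real deployment, call check_plan with live_resolve instead of stub_resolve. For L4 VPN the same expectation applies to the host entries configured under System > Network > Hosts on each node, which this script does not read.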