Environment
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Linux Novell Identity Server
Clustering of Linux Access Gateway Servers and Identity Servers behind an L4 switch
Situation
The customer had a cluster of Identity (IDP) servers and Linux Access
Gateway (LAG) servers running behind an L4 switch. The base URL of the
Identity Server was served over HTTPS on TCP port 8443, so an iptables
DNAT rule was used to redirect requests arriving on TCP port 443 to port
8443, using the syntax given in the documentation:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.1.1.1:8443 (where 10.1.1.1 was the IP address of the IDP server)
When users tried to access LAG-protected resources, they immediately received a Tomcat 404 error from the LAG Embedded Service Provider (ESP).
Resolution
Do NOT run the iptables DNAT rule on the LAG; it is required ONLY on the
IDP server. Removing the rule from the LAG (the same command with -D in
place of -A, or a reboot if the rule was not persisted) allowed the
protected resource pages to be displayed without any errors. Afterwards,
confirm with "iptables -t nat -L PREROUTING -n" on every LAG node that no
DNAT rule for port 443 remains, and on every IDP node that the rule is
still present.
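The audit script below is an added example and is not part of the original TID or of the Access Manager product. It parses the nat table as printed by `iptables-save -t nat` and reports whether the port 443 DNAT rule is present exactly once (correct for an IDP node) or absent (correct for a LAG node). The two dumps embedded in the script are constructed samples; the IP address 10.1.1.1 is the one used in the Situation above, while the `-m tcp` match and `--to-destination` spelling are how iptables-save normally renders such a rule and are assumed here.

```shell
#!/bin/sh
# Added example (not from the TID): audit a node's nat PREROUTING chain for
# the 443 -> 8443 DNAT rule. It must exist on IDP nodes and must NOT exist
# on LAG nodes, otherwise protected resources fail with a Tomcat 404.

# Constructed sample of `iptables-save -t nat` from a correctly configured
# IDP node (10.1.1.1 is the IDP address from the TID; -m tcp is assumed).
IDP_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.1.1:8443
COMMIT'

# Constructed sample from a correctly configured LAG node: no DNAT rule.
LAG_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# count_dnat_443 DUMP
# Prints how many PREROUTING rules DNAT TCP port 443 to somewhere.
# grep -c exits 1 when the count is 0, so force success for set -e callers.
count_dnat_443() {
    printf '%s\n' "$1" | grep -c -- '^-A PREROUTING .*--dport 443 .*-j DNAT' || true
}

# check_role ROLE DUMP
# Returns 0 when the dump matches what ROLE should carry:
#   idp -> exactly one port 443 DNAT rule
#   lag -> no port 443 DNAT rule at all
check_role() {
    role=$1
    n=$(count_dnat_443 "$2")
    case $role in
        idp)
            if [ "$n" -eq 1 ]; then
                echo "idp: OK, port 443 -> 8443 DNAT rule present"
                return 0
            fi
            echo "idp: FAIL, expected 1 DNAT rule for port 443, found $n"
            return 1
            ;;
        lag)
            if [ "$n" -eq 0 ]; then
                echo "lag: OK, no DNAT rule on port 443"
                return 0
            fi
            echo "lag: FAIL, $n DNAT rule(s) for port 443 found; remove with -D"
            return 1
            ;;
        *)
            echo "unknown role: $role (use idp or lag)" >&2
            return 2
            ;;
    esac
}

# Run the audit against the two constructed dumps.
check_role idp "$IDP_NAT_DUMP"
check_role lag "$LAG_NAT_DUMP"
```

On a live node, replace the constructed dump with the real one, for example `check_role lag "$(iptables-save -t nat)"` on each LAG server and `check_role idp "$(iptables-save -t nat)"` on each IDP server; a non-zero exit from a LAG node means the rule from the Situation was applied where the Resolution says it must not be.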