Layer 4 best practices for Novell Access Manager

  • 7005547
  • 26-Mar-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 SSLVPN Server
Novell Access Manager 3.1 Access Administration
Novell Access Manager 3.1 Linux Access Gateway

Situation

Best practices for Novell Access Manager when using a Layer 4 switch to load-balance traffic.

Resolution

Recommendations:
  • Enable 'Sticky-Bit' on the Layer 4 switch.
    • Enabling Sticky-Bit on the Layer 4 switch will force the session on the browser to hit one IDP and one LAG, thus eliminating the majority of the back-channel traffic between devices in the cluster.
    • Requests are handled by the device in the cluster that created the session. If a request goes to another cluster member, that server asks all devices in the cluster which one owns the session, and if the owner is available the request is then proxied to the server owning the session.
    • The more devices in the cluster, the more back-channel traffic can occur unless 'Sticky-Bit' is set.
  • Ensure that the LDAP timeout settings on the IDP, on Active Directory (if used as a user store), on the web servers and on the Layer 4 switch are all set to the same value.
    • A recommended value is 15-20 minutes (based on an average user session).
  • The TCP idle timeout on the LAGs needs to be set lower than the LDAP timeout.
    • TCP idle timeouts need to be lower than the LDAP timeout so that the connection table on the LAG is cleared. Linux can fill the connection table, making it almost impossible to log in if the sessions are not cleared.
  • L4 health check recommendations
    • Heartbeat URL checks should occur every 30 seconds.
    • LAGs should be removed from service after 3 failures. The LAGs are very resilient and can usually shut down and restart the VMC service without the help of the L4 (as long as the touch file /tmp/.novmrestart does not exist).
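The following model ties together two of the recommendations above: session affinity ('Sticky-Bit') versus non-sticky dispatch, and the heartbeat policy of one check every 30 seconds with removal after 3 consecutive failures. It is an added illustration written for this TID, not Novell code and not the configuration of any particular Layer 4 switch. It counts the ownership queries and proxy hops that occur when a request lands on a cluster member that does not own the session, which is the back-channel traffic the TID describes. The member names, the constructed probe history, and the rule that one successful probe restores a member to service are assumptions; the TID does not state a re-add policy.

```python
"""Model of a Layer 4 front end over an Access Manager cluster.

Constructed example, not Novell or L4 vendor code.  Two behaviours from the
TID are modelled:
  * sticky versus non-sticky dispatch, counting the back-channel ownership
    queries and proxy hops that non-sticky dispatch causes; and
  * heartbeat health checks every 30 s, removing a member after 3 failures.
The re-add rule (restore on the first successful probe) is an assumption.
"""
import random
from dataclasses import dataclass, field

CHECK_INTERVAL_SECONDS = 30   # heartbeat URL polled every 30 s (from the TID)
FAILURE_THRESHOLD = 3         # pulled from service after 3 failures (from the TID)


@dataclass
class Member:
    name: str                        # constructed name, e.g. "lag0"
    consecutive_failures: int = 0
    in_service: bool = True


def record_probe(member: Member, success: bool) -> bool:
    """Apply one heartbeat result; return the member's new in_service state."""
    if success:
        member.consecutive_failures = 0
        member.in_service = True     # assumption: one good probe restores service
    else:
        member.consecutive_failures += 1
        if member.consecutive_failures >= FAILURE_THRESHOLD:
            member.in_service = False  # 3 failures in a row: remove from the pool
    return member.in_service


def replay_probes(results) -> list:
    """Feed a constructed probe history through record_probe for one member."""
    m = Member("lag-sample")
    return [record_probe(m, ok) for ok in results]


@dataclass
class Cluster:
    members: list
    sticky: bool
    affinity: dict = field(default_factory=dict)  # session id -> member (L4 view)
    owner: dict = field(default_factory=dict)     # session id -> member that created it
    ownership_queries: int = 0                    # "who owns this session?" messages
    proxied_requests: int = 0                     # requests forwarded to the owner
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def healthy(self) -> list:
        return [m for m in self.members if m.in_service]

    def dispatch(self, session_id: str) -> Member:
        """L4 choice of member: stickiness reuses the member that first saw the session."""
        pool = self.healthy()
        if not pool:
            raise RuntimeError("no cluster members in service")
        prior = self.affinity.get(session_id)
        if self.sticky and prior is not None and prior.in_service:
            return prior
        chosen = self.rng.choice(pool)
        self.affinity[session_id] = chosen
        return chosen

    def handle(self, session_id: str) -> Member:
        """Process one request; non-owners query every other member, then proxy."""
        target = self.dispatch(session_id)
        owner = self.owner.setdefault(session_id, target)
        if owner is not target:
            self.ownership_queries += len(self.members) - 1
            self.proxied_requests += 1
        return target


def simulate_traffic(size: int, sessions: int, requests_per_session: int, sticky: bool) -> Cluster:
    """Run constructed traffic through a cluster of `size` members and return the counters."""
    cluster = Cluster([Member(f"lag{i}") for i in range(size)], sticky)
    for s in range(sessions):
        for _ in range(requests_per_session):
            cluster.handle(f"sess-{s}")
    return cluster


if __name__ == "__main__":
    for sticky in (True, False):
        c = simulate_traffic(size=4, sessions=100, requests_per_session=10, sticky=sticky)
        print(f"sticky={sticky}: ownership queries={c.ownership_queries}, proxied={c.proxied_requests}")
    print(replay_probes([True, False, False, True, False, False, False, True]))
```

Running the script shows zero ownership queries with sticky dispatch and, for a 4-member cluster, three ownership queries per proxied request without it; the probe replay shows the member dropping out of service only on the third consecutive failure and coming back on the next success.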