NetIQ Access Manager 3.2 Support Pack 2 applied
Strong network level security enabled only allowing access to specific resource from certain IP addresses
Despite this, the healthcheck reported in iManager for this working AG shows that many of the Web servers are DOWN. Traces show that the heartbeat requests from the AG to the Web servers use the AG's primary IP address as their source, and these requests are all being blocked at the firewall. There is no option to change the source IP address of the outgoing healthcheck request to a specific interface, as there is with the 'Make Outbound Connection Using' option above for user access to the web server.
The following is an example of how to rewrite the source address of these healthcheck packets with an iptables SNAT rule:
iptables -t nat -A POSTROUTING -d 10.10.10.10 -s 192.168.1.1 -j SNAT --to-source 192.168.1.9
This rewrites our source address so the packets appear to come from 192.168.1.9 instead of 192.168.1.1, but only when the packets are destined for 10.10.10.10. The above example can be further locked down to specific interfaces (-o eth0) and specific TCP ports (-m tcp --dport 80) if needed.
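As an added example (not part of this TID), the script below builds the locked-down form of that rule, restricted to the outbound interface and the healthcheck TCP port, and installs it idempotently by checking with -C before appending with -A so reruns never stack duplicate rules. The addresses, the interface eth0 and port 80 are assumed sample values; it prints the commands by default and only touches the nat table when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: idempotent SNAT rule for Access Gateway healthcheck traffic.
# All values below are constructed samples; adjust them for the real setup.
AG_PRIMARY_IP="192.168.1.1"     # source the kernel picks for heartbeat packets
AG_SECONDARY_IP="192.168.1.9"   # address the firewall allows through
WEB_SERVER_IP="10.10.10.10"     # one protected web server
OUT_IF="eth0"                   # assumed outbound interface
WEB_PORT="80"                   # assumed healthcheck port

# snat_rule_args prints the match/target part shared by -C, -A and -D so
# that check, add and delete always refer to exactly the same rule.
snat_rule_args() {
  printf 'POSTROUTING -o %s -p tcp -m tcp --dport %s -s %s -d %s -j SNAT --to-source %s' \
    "$OUT_IF" "$WEB_PORT" "$AG_PRIMARY_IP" "$WEB_SERVER_IP" "$AG_SECONDARY_IP"
}

# snat_rule_cmd prints the complete command line; "$1" is the iptables
# action to use (-C check, -A append, -D delete).
snat_rule_cmd() {
  printf 'iptables -t nat %s %s\n' "$1" "$(snat_rule_args)"
}

# apply_snat_rule adds the rule only if it is not already present.
# With DRY_RUN=1 (the default) it only prints what it would run.
apply_snat_rule() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    snat_rule_cmd -C
    snat_rule_cmd -A
    return 0
  fi
  # Word splitting of $(snat_rule_args) is intentional: each token is one
  # iptables argument and none of the sample values contain spaces.
  # shellcheck disable=SC2046
  if iptables -t nat -C $(snat_rule_args) 2>/dev/null; then
    echo "SNAT rule already present"
  else
    iptables -t nat -A $(snat_rule_args) && echo "SNAT rule added"
  fi
}

apply_snat_rule
```

Verify the live rule afterwards with `iptables -t nat -S POSTROUTING`, and remove it with the same argument list after `-D`.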