IPsec on hosts behind load balancing NAT

Similar Messages

• Site behind load balancer - Key not valid for use in specified state

  Hi,
  I have created a sharepoint application page to access an active end point on ADFS and establish a fedauth session. All works well in single server. But when the page runs behind load balancer with 2 servers, it fails with key not valid for use in specified
  state exception. Stickiness is enabled on load balancer. verified that.
  I had made few changes to config file in microsoft.identitymodel section to accomodate adfs custom login. This included removing securitytokenhandlers and issuertokenresolvers as well. Is this impacting the encryption/decryption in anyway?
  Any pointers would help.
  Reference point for my application page : http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=76

  Hi,
  As I understand, you encountered the error “Key not valid for use in specified state” when ADFS custom login.
  In order to run in Windows Azure Web Sites a Web application which uses WIF for handling authentication, you must change the default cookie protection method (DPAPI, not available on Windows Azure Web Sites) to something that will work in a farmed environment
  and with the IIS’ user profile load turned off.
  1. If you are using the Identity and Access Tools for VS2012, just go to the Configuration tab and check the box “Enable Web farm ready cookies”.
  2. If you want to do things by hand, add the following code snippet in your system.identitymodel/identityConfiguration element:
     <securityTokenHandlers>
       <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, 
               System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
              System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
  There is a similar case:
  http://stackoverflow.com/questions/19323287/key-not-valid-for-use-in-specified-state-error-for-net-4-5-mvc-4-application
  Best regards,
  Sara Fan
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• ISE node group behind load balancer

  I'm trying to gather info on distributed deployment w/ multiple PSN nodes.
  Having read through some documents, it looks like you can put multiple PSN's in a node group, and then place the node group behind a load balancer.
  Q1:
  Node group config requires multicast.
  Cisco ACE LB doesn't support multicast, except in brige mode.
  How do people support distributed deployment in node group behind Ciso ACE?
  Q2:
  User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272
  What if we need more than 4 PSN nodes to support our network & user base?
  Q3:
  Has anyone been able to implement distributed deployment between two datacenters behind GSS?
  If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.
  thx!

  I have had close to zero experience with LBs so my answers will be limited:
  Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication
  Q2: You will have to create a new node group with a new multicast address
  Q3: No help here
  Couple of other things to remember:
  1. The nodes must be layer 2 adjacent
  2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients
  3. You must perform sticky
  4. The Load balancers must be listed as NADs in ISE
  Hope this provides some help to you.
  Thank you for rating!

• Virtual Hosts for Load Balancing

  Hi all,
  So I have two identical servers, that have SOA Suite installed pointing to the same database. (RHEL 4) I have configured the mod_oc4j.conf file for round robin, and then I created a virtual host on the httpd.conf file to point to the load balance hardware.
  It worked! But with a slight issue. The Load Balance server is orasoaqa.tmpw.net:7777, which opens the main Application Server page. However, when I click on BPEL console, or ESB, it continues using the orasoaqa.tmpw.net:7777 virtual, which of course, breaks even trying to login.
  What am I missing here? Here's the entry I added to mod_oc4j.conf:
  Oc4jSelectMethod roundrobin:local
  Here's the entry I added to the httpd.conf on server 1:
  Port 7777
  Listen 7777
  NameVirtualHost XXX.XXX.XXX.XXX:7777
  <VirtualHost orasoaqaapp101.ma.tmpw.net:7777>
  ServerName orasoaqa.tmpw.net
  ServerAlias orasoaqaapp101.ma.tmpw.net
  Port 7777
  </VirtualHost>
  and on server 2:
  Port 7777
  Listen 7777
  NameVirtualHost XXX.XXX.XXX.XXX:7777
  <VirtualHost orasoaqaapp102.ma.tmpw.net:7777>
  ServerName orasoaqa.tmpw.net
  ServerAlias orasoaqaapp102.ma.tmpw.net
  Port 7777
  </VirtualHost>
  Yes, the port for Application Server and the port on the Load Balancer are exactly the same, I hope this isn't the issue.
  Any help would be greatly appreciated.
  Thanks!
  Message was edited by:
  CooperHawkes

  Seeing that you have an external load balancer available, you really should not be trying software load balancing. Windows NLBS is a software based load balancing and is not really dependent on the physical/virtual hosting of the OS. There are certain gotchas
  w.r.t the NLB modes since they depend on network protocols such as arp, propagation of MAC addresses and usage of the MAC in the L2 routing tables of network devices.
  You should be taking the help of the cloud service provider as ONLY they would have an understanding of their underlying networking infrastructure such as VLANS. addressing, routing rules and such.
  You could also refer to the VMware support forum for KB's such as
  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006580
  Most importantly, NLBS is a base OS related service and you're more likely to get a response in the Windows Server Forum. In the specific case of BizTalk, the Windows NLB is only used for hosting the out of process services such as those associated with
  HTTP/s Receive, orchestration published as schemas, web services (asmx) and/or WCF endpoints.
  Regards.

• Load-balancing nat-t connections to VPN concentrators

  I'm currently using a CSS to provide redundancy across some nat-t VPN RAS sessions to some VPN concentrators (in different geographical areas) This works fine, but because I have to create content rules for both UDP 500 and UDP 4500 traffic, I'm concenred that if I move to a genuine load-balanced arrangement instead of merely redundancy, the CSS units might decide to direct UDP500 traffic from a remote user to one concentrator, and the subsequent UDP4500 traffic to another. I tried port ranges and a single content rule - no success. Does anyone know how to associate 2 udp content rules to enforce traffic symmetry, or will a default srcip balancing rule see the concentrator balance traffic based on srcip globally across all content rules?

  if you do balance srcip, the CSS will use a hash and this hash function should be the same for all the content rules, so giving you the same results.
  A single layer3 content rule with advanced-balance sitcky-srcip should work as well.
  Regards,
  Gilles.

• Access Manager 6 2005Q1 naming service behind load balancer

  Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
  Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP)for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
  All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
  The load balancer VIP is setup in active/failover mode so all requests go to one server. We implemented it this way because our load balancers do not support SSL with cookies.
  The data returned to the agent from a call to the naming service contains the host name of our AM hosts instead of the load balancer VIP. Subsequent calls from the agent to AM bypass the load balancer and go directly to one of the AM hosts.
  We are looking to upgrade our load balancers to a version that supports cookies with ssl in order to take advantage of the second AM host.
  How do we configure AM so the values returned by the naming service contain the load balancer VIP instead of the actual AM host names?

  Bernhard,
  We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not availalbe in the PA agent properties but only in the Java SKD. Indeed we do not see such a key in the new Web PA AMAgent.properties.
  Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed thru the load balancer? Below are the setting in our AMAgent and AMConfig properties files
  AMAgent.properties
  com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
  com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
  AMConfig.properties
  com.iplanet.am.server.protocol=https
  com.iplanet.am.server.host=am.mydomain.com
  com.iplanet.am.server.port=443
  com.iplanet.am.console.protocol=https
  com.iplanet.am.console.host=lb-mydomain.com
  com.iplanet.am.console.port=443
  com.iplanet.am.profile.host=lb-mydomain.com
  com.iplanet.am.profile.port=443
  com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
  com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notifica
  tionservice
  If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be partof our issue or not. Please comment.
  Thanks,
  Craig

• ISE behind load balancer

  I have a question regarding ISE profiling servers that are placed behind a load balancer:
  If you have a ISE environment where both computers and users are being authenticated, and Machine Access Restriction (MAR) is enabled (so users can only authenticate on a previously authenticated machine), are the ISE servers aware of all succesfull computer authentications handled by the other ISE servers?
  For example:
  There are 2 ISE appliances (ISE01 and ISE02) behind a load balancer.
  A user starts up his computer, and computer authentication is handled by ISE01 (and the authentication is successful). At the moment the user logs in on that computer, the load balancer chooses ISE02 to authenticate the user.
  Will ISE02 be aware that the corresponding computer was already succesfully authenticated on ISE01, so that the user is able to log in? Or will it deny the user authentication because it thinks the computer is not (yet) authenticated and Machine Access Restrictions is enabled?
  Kind regards,
  Bert

  >> they are independant servers that just replicate their configuration.
  So a user should authenticate always with the same ISE.
  Moreover a load balancer kills profiling since profiling requires you to span some traffic to an ISE <<
  Not entirely correct.  Policy Service nodes are most certainly supported behind a load balancer which is the intention of a node group. This is often the preferred method for high availability and scaling.  In addition to supporting load distribution of RADIUS and other requests, members of a node group maintain a heartbeat to determine if a peer member should fail.  If so, the Monitoring node is queried to determine if there are any transient sessions which may require clean-up via RADIUS COA to help ensure that an endpoint is left in a defunt auth state.  LB functionality will depend on load balancer used.  Cisco ACE for example supports stickiness of RADIUS transactions based on source IP, Calling-Station-ID, or Framed-IP-Address.
  The impact of LB on profiling or other Policy Service node functions depends on the service/probe in question.  For services like client provisioning, posture, and central web auth, https redirection always occurs back to the node which terminated the RADIUS session, so LB is transparent provided direct access is permitted to the real IP for redirected https trnasactions (RADIUS tranasactions would be sent to virtual IP).
  Specific to profiling, SNMP Queries can be triggered and will be sent by Policy Service node that received the RADIUS Accounting Start packet (assumes RADIUS probe enabled) or SNMP Trap (assumes SNMP Trap probe enabled).  SPAN is only one data collection method used primarily for HTTP or DHCP capture.  Methods other than SPAN/RSPAN are available to capture this data, but if used, then it is correct that there is no specific mechansim to move SPANs from one interface to another in case of NIC or node failure.  I believe intelligent taps are available that can accomplish this, or else traffic can be mirrored to multiple nodes at the cost of duplicating profile data.
  As noted, replication of MAR cache will be added to ACS 5.4, and no, this feature is not altogether trivial due to the number of transactions and updates that must be replicated and kept in sync across each node performing RADIUS services. 
  /CH

• Livecycle Connector to Sharepoint behind load balancer

  In the environment of our customer, there is a load balancer in front of 2 sharepoint servers.
  Then the PDF document is uploaded from the Livecycle server to sharepoint (via the load balancer).
  However, occasionally it will fail to place the PDF to the folder specified, and placed on the outermost folder in sharepoint. 
  May we have any hint to fix the problem?
  Thanks.
  Raymond

  Trevor,
  I'm sorry to say that extending the Default zone to, say, Internet, did not change the behavior... even with the introduction of host header information.  Could it be something to do with my use of ports?  I am very new to SharePoint. Should I
  be extending the applications (I have many on the same server) and use host header information in place of using any explicit port information when creating these extended zones?
  Tommy S. Armstrong II

• OAM Webgate Ip validation problem caused by load balancer...

  Hi all,
  In my topology, i have 5 webgates on 5 OHS web servers running in reverse proxy mode . Those web servers are behind load balancer. Since load balancer is working in proxy mode, all requests seems to be coming from load balancer vip and this prevents ip validation at webgate side . Does anybody think that it is possible to solve this issue without changing load balancer configuration..
  Regards,

  Hi,
  Randat, how can i reconfigure ip validation against x-forwarded-for? A custom authz plugin, or only a configuration change ? I'll keep on searching on this solution, but if you can share your solution , it'll be appriciated..
  Ambarishmitra, i want to use ip validation but since all requests are coming from single ip i can't distinguish client ip's, that's my problem..
  Thank you both,
  Regards..

• Prevent Load Balancing in a Remote Desktop Services Deployment

  We need to prevent two Remote Desktop Session Hosts from load balancing between each other. Currently they are load balanced and users dont have a means of ensuring they end up on a particular server. Is there anyway that we can accomplish this?
  Cheers

  Hi,
  You can try below group policy might useful in your case.
  Computer configuration>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>RD Connection Broker
  Use RD Connection Broker Load Balancing: Disable
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• How to monitor targets which are controlled by LOAD BALANCING mechanism

  Hi,
  I have installed Enterprise Manager 10.1.0.3 and upgraded it to 10.1.0.5. Then i have applied the Application plug-in patch for managing Oracle Applications.In my environment, we have two concurrent managers and four forms servers which are using Load Balancer.Please let me how to manage these concurrent managers and forms servers in that scenario.Would highly appreciate your suggestions regarding the same.Thanks in advance.
  Regards,
  Vamsi Manyam

  This note shows how to configure OEM behind a load balancer.
  The question was how to use OEM, not behind a load balancer, to monitor other targets which are behind one or different load balancers.
  For example, to monitor :
  Forms on server A and B behind load balancer LB1.
  Forms on server C and D behind load balancer LB1.
  Forms on server E and F behind load balancer LB2.
  Gary

• Virtual Machine Load Balancing

  I have two Server 2012 R2 Hyper-V servers running in a cluster and I have VMM 2012 R2 running in the environment. I want to setup my cluster so the VM's will load balance between my two hosts. How can I go about doing that? I've read that it's possible
  but I've been unable to figure out how to get the hosts to load balance.
  Vincent Sprague

  Hi Vincent,
  the feature you want to use is SCVMM Dynamic Optimization.
  here is the official Technet Documentation for this topic:
  http://technet.microsoft.com/en-us/library/gg675109.aspx
  Here is a Youtube Video on it:
  http://www.youtube.com/watch?v=dd4UDeKuAvk
  and here is some background Info on it:
  http://kristiannese.blogspot.de/2013/05/intelligent-placement-and-dynamic.html
  Regards,
  Benedict

• Data Centre Interconnection - firewall and load balancer deployment

  Hi all,
  I've read lots of Cisco docs/white papers on DCI - Layer 2 extension between DCs, but as yet I cannot find any decent information on how best to deploy firewalls and load balancers in such a design. I've seen refs to FHRP isolation on Nexus 7k (and possible 6k if you use DCI block) but nothing on the services elements.
  The services element seems to be a complete minefield here:
  - active/standby across sites, or deploy resilient pairs in each site?
  - how to align optimal traffic flows inbound and ooutbound (RHI, SNAT, etc.)
  - best practice suggestions ideally.
  Cisco DCI docs seem to always gloss over the fact that most customers would have to deal with firewalls and load balancers here, and simply refer to 'coming soon' for that info.
  If anyone has any good suggestions/links to docs explaining detailed implementation info would be much appreciate
  Thanks
  Phil

  You might want to check out this new product called ITD.
  Simple and faster solution:
  ITD provides :
  ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
  No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
  Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
  Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
  IP-stickiness
  Resilient (like resilient ECMP)
  VIP based L4 load-balancing
  NAT (available for EFT/PoC). Allows non-DSR deployments.
  Weighted load-balancing
  Load-balances to large number of devices/servers
  ACL along with redirection and load balancing simultaneously.
  Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
  Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
  Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
  The servers/appliances don’t have to be directly connected to N7k
  Monitoring the health of servers/appliances.
  N + M redundancy.
  Automatic failure handling of servers/appliances.
  VRF support, vPC support, VDC support
  Supported on both Nexus 7000 and Nexus 7700 series.
  Supports both IPv4 and IPv6
  N5k / N6k support : coming soon
  Blog
  At a glance
  ITD config guide
  Email Query or feedback:[email protected]

• SRP541W WAN Load Balancing and NAT

  Hello All,
  New to the forums. Thanks for taking the time to read my post. I recently switched my office over from a RV042 to SRP541W. We have 2 DSL lines and have used the Load Balance feature on the RV42 to make the best of the connecton speeds. When setting up the SRP541W when i select load balancing it tells me NAT should be disabled. Why is that? I see a place to input static routes but Im not entirly sure what needs to be done here to set this up correctly. Any input would be appriciated. Also right off the bat we had some issues with access to Google Docs and Mail. I think its becuase those sites dont like seeing access from multiple IPs (fromt the Dual WAN) so I set up a entry in Policy Routing directing all traffic from port 443 to go through one WAN, is this the right way to do this?
  Thanks!
  Mike-

  Dear Mike,
  Thank you and welcome to the Small Business Support Community.
  It is possible to configure load balancing with NAT, however in this case, remote internet servers will potentially see sessions from remote hosts behind the SRP541W coming from different source IP addresses (the WAN IP addresses), causing the sessions to be reset unexpectedly.
  The Policy Routing setting you setup is exactly what I would do in your case.
  I hope these answer your question and please do not hesitate to reach me back if there is anything else I may assist you with.
  Kind regards,
  Jeffrey Rodriguez S. .:|:.:|:.
  Cisco Customer Support Engineer
  *Please rate the Post so other will know when an answer has been found.

• Load balancing on the local host only (6.40 Java)

  Hello!
  When configuring load balancing for Web AS 6.20 (Java), the property "LocalLoadBalancing" was available in the ServiceManager of the dispatcher. See Note 772561.
  This property is not available in Web AS 6.40 (SP14).
  How can I now ensure that a dispatcher does not connect to a server process on another physical server?
  // Mikael

  Hi Mikael,
  In Web AS 6.40 this property is invalidated by the new <b>instance-based</b> cluster concept. In other words, when installing a Web AS 6.40 system you're installing instances (i.e. one central services instance, one java central instance, and 1-n dialog instances). A Web AS 6.40 instance contains one dispatcher and 1-n servers. The installation software (SAPinst) lets you install an instance on the same physical host only. Therefore, in 6.40 all servers that are behind the J2EE dispatcher are <b>always</b> on the same physical machine => the behavior of the LocalLoadBalancing property.
  In 6.20, the installable unit is a dispatcher/server, and you can choose to distribute them to different physical hosts => the need to have the LocalLoadBalancing property to control remote/local LB.
  Hope this explains things a bit.
  P.S. In case you need more info about the cluster architecture of the Web AS Java 6.40, you can have a look <a href="http://help.sap.com/saphelp_nw04/helpdata/en/2e/611724f410254ca12a3f396ec5ae85/frameset.htm">here</a>.