ISE node group behind load balancer

I'm trying to gather info on distributed deployment w/ multiple PSN nodes.
Having read through some documents, it looks like you can put multiple PSNs in a node group, and then place the node group behind a load balancer.
Q1:
Node group config requires multicast.
Cisco ACE LB doesn't support multicast, except in bridge mode.
How do people support distributed deployment in a node group behind Cisco ACE?
Q2:
User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272
What if we need more than 4 PSN nodes to support our network & user base?
Q3:
Has anyone been able to implement distributed deployment between two datacenters behind GSS?
If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.
thx!

I have had close to zero experience with LBs so my answers will be limited:
Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication
Q2: You will have to create a new node group with a new multicast address
Q3: No help here
Couple of other things to remember:
1. The nodes must be layer 2 adjacent
2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients
3. You must configure stickiness
4. The Load balancers must be listed as NADs in ISE
Hope this provides some help to you.
Thank you for rating!

Similar Messages

  • ISE behind load balancer

    I have a question regarding ISE profiling servers that are placed behind a load balancer:
    If you have an ISE environment where both computers and users are being authenticated, and Machine Access Restriction (MAR) is enabled (so users can only authenticate on a previously authenticated machine), are the ISE servers aware of all successful computer authentications handled by the other ISE servers?
    For example:
    There are 2 ISE appliances (ISE01 and ISE02) behind a load balancer.
    A user starts up his computer, and computer authentication is handled by ISE01 (and the authentication is successful). At the moment the user logs in on that computer, the load balancer chooses ISE02 to authenticate the user.
    Will ISE02 be aware that the corresponding computer was already successfully authenticated on ISE01, so that the user is able to log in? Or will it deny the user authentication because it thinks the computer is not (yet) authenticated and Machine Access Restrictions is enabled?
    Kind regards,
    Bert

    >> they are independent servers that just replicate their configuration.
    So a user should always authenticate with the same ISE.
    Moreover a load balancer kills profiling since profiling requires you to span some traffic to an ISE <<
    Not entirely correct.  Policy Service nodes are most certainly supported behind a load balancer, which is the intention of a node group. This is often the preferred method for high availability and scaling.  In addition to supporting load distribution of RADIUS and other requests, members of a node group maintain a heartbeat to determine if a peer member should fail.  If so, the Monitoring node is queried to determine if there are any transient sessions which may require clean-up via RADIUS COA to help ensure that an endpoint is left in a defunct auth state.  LB functionality will depend on the load balancer used.  Cisco ACE for example supports stickiness of RADIUS transactions based on source IP, Calling-Station-ID, or Framed-IP-Address.
    The impact of LB on profiling or other Policy Service node functions depends on the service/probe in question.  For services like client provisioning, posture, and central web auth, https redirection always occurs back to the node which terminated the RADIUS session, so LB is transparent provided direct access is permitted to the real IP for redirected https transactions (RADIUS transactions would be sent to the virtual IP).
    Specific to profiling, SNMP Queries can be triggered and will be sent by the Policy Service node that received the RADIUS Accounting Start packet (assumes RADIUS probe enabled) or SNMP Trap (assumes SNMP Trap probe enabled).  SPAN is only one data collection method used primarily for HTTP or DHCP capture.  Methods other than SPAN/RSPAN are available to capture this data, but if used, then it is correct that there is no specific mechanism to move SPANs from one interface to another in case of NIC or node failure.  I believe intelligent taps are available that can accomplish this, or else traffic can be mirrored to multiple nodes at the cost of duplicating profile data.
    As noted, replication of MAR cache will be added to ACS 5.4, and no, this feature is not altogether trivial due to the number of transactions and updates that must be replicated and kept in sync across each node performing RADIUS services. 
    /CH
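Added example, not code from this thread or from Cisco: a small Python model of the RADIUS stickiness the first reply ("you must configure stickiness") and CH's reply (source IP, Calling-Station-ID or Framed-IP-Address on Cisco ACE) describe, run over constructed machine-auth, user-auth and Accounting-Start packets from one switch. The NAD address, the node names ISE01/ISE02 borrowed from Bert's MAR scenario, and the hash used to pick a PSN are assumptions for illustration, not ACE's actual algorithm; what it shows is that a MAC-based key sends the machine and user authentications of one endpoint to the same PSN, while a Framed-IP key degrades to source-IP stickiness on Access-Requests that carry no Framed-IP-Address.

```python
import hashlib
import ipaddress
import struct

# RADIUS packet codes and attribute types from RFC 2865/2866
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_CALLING_STATION_ID = 1, 8, 31


def build_packet(code: int, ident: int, attrs: list) -> bytes:
    """Build a minimal RADIUS packet (zeroed authenticator; enough for LB parsing)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte header and the flat TLV attribute list, rejecting
    packets whose Length field disagrees with the bytes actually received."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length for attribute {atype}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def sticky_key(packet: bytes, nad_ip: str, method: str) -> str:
    """Persistence key for one of the three stickiness methods named in the
    thread. Falls back to the NAD source IP when the chosen attribute is absent
    (Framed-IP-Address is usually missing from an Access-Request)."""
    attrs = parse_radius(packet)["attrs"]
    if method == "calling-station-id" and ATTR_CALLING_STATION_ID in attrs:
        raw = attrs[ATTR_CALLING_STATION_ID][0].decode("ascii", "replace")
        # NADs write MACs as 00-11-22-aa-bb-cc or 0011.22aa.bbcc; normalise so
        # auth and accounting packets for the same endpoint hash identically.
        return "csid:" + "".join(c for c in raw if c.isalnum()).upper()
    if method == "framed-ip-address" and ATTR_FRAMED_IP_ADDRESS in attrs:
        return "fip:" + str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS][0]))
    return "src:" + nad_ip


def choose_psn(key: str, psns: list) -> str:
    """Deterministic hash of the key onto the node-group members (an assumed
    scheme): the same key lands on the same PSN while the member list is stable."""
    digest = hashlib.sha256(key.encode()).digest()
    return psns[int.from_bytes(digest[:4], "big") % len(psns)]


# Constructed sample traffic: one switch (NAD 10.0.0.5) does machine auth, then
# user auth, then sends Accounting-Start for the same endpoint.
NAD_IP = "10.0.0.5"
PSNS = ["ISE01", "ISE02"]
MAC = b"00-11-22-AA-BB-CC"
MACHINE_AUTH = build_packet(ACCESS_REQUEST, 1, [
    (ATTR_USER_NAME, b"host/pc42.example.test"), (ATTR_CALLING_STATION_ID, MAC)])
USER_AUTH = build_packet(ACCESS_REQUEST, 2, [
    (ATTR_USER_NAME, b"bert"), (ATTR_CALLING_STATION_ID, b"0011.22aa.bbcc")])
ACCT_START = build_packet(ACCOUNTING_REQUEST, 3, [
    (ATTR_CALLING_STATION_ID, MAC),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed)])

if __name__ == "__main__":
    for method in ("source-ip", "calling-station-id", "framed-ip-address"):
        for name, pkt in (("machine", MACHINE_AUTH), ("user", USER_AUTH), ("acct", ACCT_START)):
            key = sticky_key(pkt, NAD_IP, method)
            print(f"{method:20} {name:8} {key:22} -> {choose_psn(key, PSNS)}")
```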

  • Site behind load balancer - Key not valid for use in specified state

    Hi,
    I have created a sharepoint application page to access an active end point on ADFS and establish a fedauth session. All works well in single server. But when the page runs behind a load balancer with 2 servers, it fails with a "key not valid for use in specified state" exception. Stickiness is enabled on the load balancer; verified that.
    I had made a few changes to the config file in the microsoft.identitymodel section to accommodate ADFS custom login. This included removing securitytokenhandlers and issuertokenresolvers as well. Is this impacting the encryption/decryption in any way?
    Any pointers would help.
    Reference point for my application page : http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=76

    Hi,
    As I understand, you encountered the error “Key not valid for use in specified state” when using ADFS custom login.
    In order to run in Windows Azure Web Sites a Web application which uses WIF for handling authentication, you must change the default cookie protection method (DPAPI, not available on Windows Azure Web Sites) to something that will work in a farmed environment and with the IIS’ user profile load turned off.
    1. If you are using the Identity and Access Tools for VS2012, just go to the Configuration tab and check the box “Enable Web farm ready cookies”.
    2. If you want to do things by hand, add the following code snippet in your system.identitymodel/identityConfiguration element:
       <securityTokenHandlers>
         <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
         <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
       </securityTokenHandlers>
    There is a similar case:
    http://stackoverflow.com/questions/19323287/key-not-valid-for-use-in-specified-state-error-for-net-4-5-mvc-4-application
    Best regards,
    Sara Fan
    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
    [email protected]

  • IPsec on hosts behind load balancing NAT

    Hi,
    I have a problem configuring an IPsec tunnel between two sites, where one is using NAT for load balancing of TCP traffic. I've been working on this for hours but I found myself in a dead end.
    I have one router using NAT TCP load balancing of telnet traffic (in the real deployment I need ftp load balancing; I am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
    So far I was not able to configure IPSec to work properly with this setup. I have a working configuration with IPSec encrypting some traffic not destined behind NAT, but once I add a line specifying the traffic in the access lists on both sides the IPSec stops working (and it won't work from any side of the connection, from behind the NAT or destined behind the NAT). The access list on the router performing NAT is configured to allow any traffic destined to some specific addresses and the access list on the router with connected hosts specifies that any connection destined to the global address, where the server is reachable, should be encrypted.
    On the side where the traffic comes from I always see a debug output like this:
    *Mar  1 05:23:54.294: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
        local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
        remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
        protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
    195.10.0.1 is my global address for the FTP server
    On the side where the encryption should be terminated I always see an output like this:
    *Mar  1 05:23:54.130: map_db_find_best did not find matching map
    *Mar  1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
    But I can see that there is a crypto map for address 10.0.10.1
    RA#sh cryp map
    Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
    I tried to use some of the NAT traversal techniques for IPSec but without any success.
    If you have any idea what could be the problem or if you need any additional information or debugging output I will be glad for any help.
    Thanks, Adrian

    This is a lab scenario and I want to test for my learning how IPSec would work in such a case.
    I have tried it but IPSec doesn't work with the standard configuration. Below is the configuration.
    I have configured 2 loopback. on R1: 100.1.1.1
    on R2: 200.1.1.1
    R1:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
    crypto map test 10 ipsec-isakmp
     mat address 101
     set peer 10.1.1.1
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.0.2
    R2:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
    crypto map test 10 ipsec-isakmp
     mat address 101
     set peer 10.1.3.1 (it will be 10.1.3.1-natted ip right ?)
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.1.2
    Now when I ping from R1:
    ping 200.1.1.1 source 100.1.1.1
    it's not successful. Why doesn't it work? Any idea?

  • ISE 1.2 and load balancing...

    I'm looking into configuring load balancing behind F5s. I know this can be done and have read the documentation on what is required. I still have a couple of questions about it:
    1. When you load balance the RADIUS traffic do you have to create separate VIPs for the auth and accounting ports (1812 & 1813)?
    2. Are there good configuration examples out there for VIP Configs and setting up the VIP's to run in routed mode?
    3. Are there any caveats or lessons learned that other people have experienced besides what is documented?
    Thanks.

    jgroup is how db sync/replication works in 1.2, which replaces the queuing mechanism in 1.1.
    But this should not be related to PSN LB? Do you mean you want to LB requests between several PSNs?
    Using F5 or ACE can help; also 1.2 supports wildcard certificates, which will help address the cert warning problem.
    Sent from Cisco Technical Support iPad App

  • Do i need to configure failover group for load balancing? srs3.1

    hello
    we are installing ssrs3.1 on two sunfire v210 for 20 sunrays
    do i have to configure a failover group in order to have load balancing?
    thx

    thx a lot..
    finally yes it needs the failover to work with load balancing

  • Patch applying on Two node application server(load balancing)

    Hi,
    We have two application servers with load balancing with PCP.
    I want to know about the patch applying order.
    First the patch has to be applied on the primary application node,
    and next it has to be applied on the secondary application node.
    Please confirm.
    Regards,
    maleem

    maleem wrote:
    Hi Mapps,
    We do not have a shared application tier. I think in that case we have to apply patches on both application nodes.
    Am I right? Please correct me if I am wrong.
    Regards,
    maleem
    Correct.
    Thanks,
    Hussein

  • Access Manager 6 2005Q1 naming service behind load balancer

    Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
    Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP) for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
    All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
    The load balancer VIP is setup in active/failover mode so all requests go to one server. We implemented it this way because our load balancers do not support SSL with cookies.
    The data returned to the agent from a call to the naming service contains the host name of our AM hosts instead of the load balancer VIP. Subsequent calls from the agent to AM bypass the load balancer and go directly to one of the AM hosts.
    We are looking to upgrade our load balancers to a version that supports cookies with ssl in order to take advantage of the second AM host.
    How do we configure AM so the values returned by the naming service contain the load balancer VIP instead of the actual AM host names?

    Bernhard,
    We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not available in the PA agent properties but only in the Java SDK. Indeed we do not see such a key in the new Web PA AMAgent.properties.
    Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed through the load balancer? Below are the settings in our AMAgent and AMConfig properties files
    AMAgent.properties
    com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
    com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
    AMConfig.properties
    com.iplanet.am.server.protocol=https
    com.iplanet.am.server.host=am.mydomain.com
    com.iplanet.am.server.port=443
    com.iplanet.am.console.protocol=https
    com.iplanet.am.console.host=lb-mydomain.com
    com.iplanet.am.console.port=443
    com.iplanet.am.profile.host=lb-mydomain.com
    com.iplanet.am.profile.port=443
    com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
    com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notificationservice
    If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be part of our issue or not. Please comment.
    Thanks,
    Craig

  • Livecycle Connector to Sharepoint behind load balancer

    In the environment of our customer, there is a load balancer in front of 2 sharepoint servers.
    Then the PDF document is uploaded from the Livecycle server to sharepoint (via the load balancer).
    However, occasionally it will fail to place the PDF to the folder specified, and placed on the outermost folder in sharepoint. 
    May we have any hint to fix the problem?
    Thanks.
    Raymond

    Trevor,
    I'm sorry to say that extending the Default zone to, say, Internet, did not change the behavior... even with the introduction of host header information.  Could it be something to do with my use of ports?  I am very new to SharePoint. Should I be extending the applications (I have many on the same server) and use host header information in place of using any explicit port information when creating these extended zones?
    Tommy S. Armstrong II

  • Windows 7: Service unknown when using load balancing group

    I try to run SAP GUI 7.10 on Windows 7. I use a load balancing group to connect to the server. The direct access to one of our cluster nodes works ok, but when clicking the link to the load balancing group says "load balancing error on logon 88: connection to messaging server not possible (rc=9)" (translated from german).
    What is happening here? It works good on Windows XP. Do I have to use another saplogon.ini or something?
    Thanks for any help!

    Is it ok to deactivate UAC in a company?
    That's something your M$ group must decide.
    It sounds like a good security feature but as we see here it's a pain in the @$$ for administrators...
    Well - the purpose of it is to disable the ability of malware and viruses spreading around. I consider it a security breach if a local user is able to simply copy files to the operating system's main directory. A user working with a frontend PC should not have local administrator rights at all; all software requiring this is badly designed.
    If you use the SAPGUI installation server you can distribute services, saplogon.ini etc. using the installation server provided service without the need of users having to have local administration rights:
    Note 512040 - Distributing "services", "saplogon.ini", and similar files.
    I just think that "administrators" must learn to do work properly as designed with operating systems without just "copying files around" in system directories (and I don't exclude me in that context).
    Markus

  • JOLT JSL Load Balancing ?

    Hello
    Question: If I have hundreds of JOLT clients accessing Tux services behind a firewall, can/should I load balance across multiple JRLYs? Has anyone done this with a Cisco, F5 or other load balancer? Or have you instead just tinkered with the "appAddress" on the JOLT client.
    Here's why I ask:
    From the JOLT 1.2 documentation...
    - Under normal conditions, only one JRLY can communicate with one JRAD.
    - A JRAD can only point to one JSL.
    So given the constraints above, it would look something like...
    JRLYx ------||-------JRAD-------------JSL/JSH (Node X)
    FireW
    JRLYy ------||-------JRAD-------------JSL/JSH (Node Y)
    If all JOLT requests go to one JRLY, they will pound the JSL/JSH on one node. So load balancing would be preferred and I'd like to do something smarter than defining half the clients with appAddress=JRLYx and the other half with appAddress=JRLYy.
    Thanks for taking the time to read this. I would imagine I'm not the first to run into this.
    -Jon

    Jolt, by definition, requires a Tuxedo setup. By specifying multiple addresses in the appaddrlist, the Jolt connection pool will distribute the connections across the addresses supplied. So yes, the appaddrlist is only used to establish the physical connection. The JoltPoolManager will hand out the connections in such a way as to distribute the load across the existing connections.
    Hope this helps,
    Robert
    Laurent Nel wrote:
    > Robert Patrick <[email protected]> wrote:
    > >The Jolt connection pool can be configured to distribute its connections across multiple JSL on multiple machines (by specifying more than one address in the appaddrlist argument in the configuration of the pool).
    > >Obviously, once a request is sent from WLS to a specific JSH process, Tuxedo load-balancing is used to determine which Tuxedo server will process the request.
    >
    > So, does this require a Tuxedo setup?
    > I would like to know if it is possible to do load-balancing using only the appaddrlist of the Jolt pool?
    > My understanding of this list is that it is used only to determine to which tuxedo server the jolt client is going to open a connection.
    > The online doc says that the server is chosen 'randomly' (I guess that it means in an unpredictable way).
    >
    > Laurent

  • OAM Webgate Ip validation problem caused by load balancer...

    Hi all,
    In my topology, I have 5 webgates on 5 OHS web servers running in reverse proxy mode. Those web servers are behind a load balancer. Since the load balancer is working in proxy mode, all requests seem to be coming from the load balancer VIP and this prevents IP validation at the webgate side. Does anybody think that it is possible to solve this issue without changing the load balancer configuration..
    Regards,

    Hi,
    Randat, how can I reconfigure IP validation against x-forwarded-for? A custom authz plugin, or only a configuration change? I'll keep on searching for this solution, but if you can share your solution, it'll be appreciated..
    Ambarishmitra, I want to use IP validation but since all requests are coming from a single IP I can't distinguish client IPs; that's my problem..
    Thank you both,
    Regards..

  • How to monitor targets which are controlled by LOAD BALANCING mechanism

    Hi,
    I have installed Enterprise Manager 10.1.0.3 and upgraded it to 10.1.0.5. Then I have applied the Application plug-in patch for managing Oracle Applications. In my environment, we have two concurrent managers and four forms servers which are using a Load Balancer. Please let me know how to manage these concurrent managers and forms servers in that scenario. Would highly appreciate your suggestions regarding the same. Thanks in advance.
    Regards,
    Vamsi Manyam

    This note shows how to configure OEM behind a load balancer.
    The question was how to use OEM, not behind a load balancer, to monitor other targets which are behind one or different load balancers.
    For example, to monitor :
    Forms on server A and B behind load balancer LB1.
    Forms on server C and D behind load balancer LB1.
    Forms on server E and F behind load balancer LB2.
    Gary

  • Load balancing to a WLS 8.1 cluster with BigIP 9.0

    We are experiencing a problem load balancing to our 8.1 cluster using f5's 1500 with BigIP 9.02. The cluster is not configured with any failover capability; we have configured the BigIP with active cookie insertion persistence; all is well until we take down one of the nodes in the cluster; any session associated with that node via the load balancer is bounced repeatedly between the two remaining nodes; the only solution appears to be to close all browser instances and open a new one. Has anyone experienced this behavior and have some suggestions?

  • Load balancing and cluster

    Please help on this,
    Steps I have created
    1. Install Portal on node A
    2. Create j2ee cluster instance on node B pointing to node A
    3. Software load balance both the nodes
    Even after load balancing the two portal nodes, if I shut down the Portal node A dispatcher, then the portal node B dispatcher will automatically shut down, since portal node B is a j2ee cluster for Portal node A. In this case how will the URL work from node B? Please explain

    I did a portal install on server A. I started the dispatcher and I am logging in with the URL http://ServerA:52100/irj on server A. And I did an install of a J2EE cluster on another server called ServerB. I started Server B's dispatcher. When I am starting Server B's dispatcher, in Server A I am able to see another time "Element joined". The URL for ServerB is http://ServerB:52100/irj. When I created users on Server A, I am able to see the users on Server B. When Server B goes down or if the dispatcher of B is stopped, even then Server A is working because it is an independent install. But when Server A goes down, which is the main server, then the additional J2EE cluster node, that is Server B, goes down automatically because it is dependent on Server A. But I want to make it complete high availability with failover, meaning if Server A goes down it should fail over to Server B and if Server B goes down it should fail over to Server A. I understood we can do software load balancing at the Windows level or hardware load balancing to get high availability. But now with my existing installs, I want to make failover work; please suggest which is the best way to do it without changing any of the existing installs.
    My environment is :
    Operating system: Windows 2003 Enterprise Edition
    Data base: SQL 2000(Already configured as cluster)
    Portal: EP6.0 SP2
