OIM 11g behind F5 Load Balancer

I am trying to run OIM 11g on WLS 10.3.3 behind an F5. The F5 is set to terminate the SSL communication and proxy the request to the WLS server on port 14000. The F5 then performs URL rewrites on the way back to the client. I have run into an issue where, when a new user whose password has been set as a one-time password logs in for the first time, the F5 incorrectly rewrites the URL.
After working with F5 support I got the following comment:
This was more simplistic than I thought it would be. I missed it, but when I discussed it with one of my colleagues he spotted it immediately. The problem is with the redirect string the application server is sending. It is not RFC compliant. It should be sending a string of "http://admin/faces/pages/pwdmgmt.jspx ...". Instead it is sending the following string: "/admin/faces/pages/pwdmgmt.jspx ...". The LTM is getting that string and redirecting the http to https, thereby inserting the 's' for 'https' versus 'http'. This results in the string being changed to "/admsin ...". It is assuming the redirection string coming from the server is RFC compliant and inserts the 's' accordingly after the fourth character.
I have tried setting redirect-with-absolute-url in weblogic.xml, but that doesn't seem to make a difference. I am wondering if anyone has run into this problem before.
Thanks,
Pete


Similar Messages

  • How to install licenses on 2 RDSH servers behind F5 load balancer

    I want to set up 2 separate RDSH servers behind an F5 load balancer. The load balancer is there to spread out the compute load between 2 VM servers, as the application the users are using is somewhat "heavy" in nature. I have 10 users
    who will potentially need access all at the same time. How do I install the 10 licenses? Do I install 5 on each server, or do I install all 10 on only one of the servers?

    Hi,
    You would install all 10 licenses on your RD Licensing server and point your 2 RDSH servers to that. You may install RD Licensing on whichever server you want, for example, on your RD Connection Broker, or a DC, or on one of the 2 RDSH servers,
    etc.
    -TP

  • OIM 11g R2: Bulk load utility

    Hi all,
    I'm going to import user data into OIM 11g R2 using the bulk load utility. My question is: does the bulk load utility support user defined fields (UDFs)?
    Reading the documentation I don't find any reference to UDFs or UDF limitations, but I would like to be aware of any of your experience before starting.
    Thanks for the support,
    Daniele

    It should. Bulk load loads the data directly into the database table using SQL*Loader. So as long as you have the UDF column in the USR table and you have specified it in the CSV file, I believe it should work.

  • ISE node group behind load balancer

    I'm trying to gather info on distributed deployment w/ multiple PSN nodes.
    Having read through some documents, it looks like you can put multiple PSN's in a node group, and then place the node group behind a load balancer.
    Q1:
    Node group config requires multicast.
    Cisco ACE LB doesn't support multicast, except in bridge mode.
    How do people support distributed deployment in a node group behind Cisco ACE?
    Q2:
    User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272
    What if we need more than 4 PSN nodes to support our network & user base?
    Q3:
    Has anyone been able to implement distributed deployment between two datacenters behind GSS?
    If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.
    thx!

    I have had close to zero experience with LBs so my answers will be limited:
    Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication
    Q2: You will have to create a new node group with a new multicast address
    Q3: No help here
    Couple of other things to remember:
    1. The nodes must be layer 2 adjacent
    2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients
    3. You must perform sticky
    4. The Load balancers must be listed as NADs in ISE
    Hope this provides some help to you.
    Thank you for rating!

  • ISE behind load balancer

    I have a question regarding ISE profiling servers that are placed behind a load balancer:
    If you have an ISE environment where both computers and users are being authenticated, and Machine Access Restriction (MAR) is enabled (so users can only authenticate on a previously authenticated machine), are the ISE servers aware of all successful computer authentications handled by the other ISE servers?
    For example:
    There are 2 ISE appliances (ISE01 and ISE02) behind a load balancer.
    A user starts up his computer, and computer authentication is handled by ISE01 (and the authentication is successful). At the moment the user logs in on that computer, the load balancer chooses ISE02 to authenticate the user.
    Will ISE02 be aware that the corresponding computer was already successfully authenticated on ISE01, so that the user is able to log in? Or will it deny the user authentication because it thinks the computer is not (yet) authenticated and Machine Access Restrictions is enabled?
    Kind regards,
    Bert

    >> they are independent servers that just replicate their configuration.
    So a user should authenticate always with the same ISE.
    Moreover a load balancer kills profiling since profiling requires you to span some traffic to an ISE <<
    Not entirely correct. Policy Service nodes are most certainly supported behind a load balancer, which is the intention of a node group. This is often the preferred method for high availability and scaling. In addition to supporting load distribution of RADIUS and other requests, members of a node group maintain a heartbeat to determine if a peer member should fail. If so, the Monitoring node is queried to determine if there are any transient sessions which may require clean-up via RADIUS CoA to help ensure that an endpoint is left in a defunct auth state. LB functionality will depend on the load balancer used. Cisco ACE, for example, supports stickiness of RADIUS transactions based on source IP, Calling-Station-ID, or Framed-IP-Address.
    The impact of LB on profiling or other Policy Service node functions depends on the service/probe in question. For services like client provisioning, posture, and central web auth, HTTPS redirection always occurs back to the node which terminated the RADIUS session, so LB is transparent provided direct access is permitted to the real IP for redirected HTTPS transactions (RADIUS transactions would be sent to the virtual IP).
    Specific to profiling, SNMP queries can be triggered and will be sent by the Policy Service node that received the RADIUS Accounting Start packet (assumes RADIUS probe enabled) or SNMP trap (assumes SNMP Trap probe enabled). SPAN is only one data collection method, used primarily for HTTP or DHCP capture. Methods other than SPAN/RSPAN are available to capture this data, but if used, then it is correct that there is no specific mechanism to move SPANs from one interface to another in case of NIC or node failure. I believe intelligent taps are available that can accomplish this, or else traffic can be mirrored to multiple nodes at the cost of duplicating profile data.
    As noted, replication of MAR cache will be added to ACS 5.4, and no, this feature is not altogether trivial due to the number of transactions and updates that must be replicated and kept in sync across each node performing RADIUS services. 
    /CH

  • OIM 11g - Issue with Bulk Load Utility for Account Data

    Hi,
    We are trying to load the account data for users in OIM 11g using the bulk load utility.
    We are trying to load the account data for resource "iPlanet". For testing purposes, we made one account entry in the CSV file and ran the bulk load utility. After the bulk load process completes, we have noticed that the resource is provisioned to the user multiple times and multiple entries have been created in the process form table.
    We have tried to run the utility multiple times with a different user record each time.
    The output of the below SQL query:
    SELECT MSG FROM OIM_BLKLD_LOG
    WHERE MODULE = 'ACCOUNT' AND LOG_LEVEL = 'PROGRESS_MSG'
    ORDER BY MSG_SEQ_NO;
    is coming as follows:
    MSG
    Number of Records Loaded: 126
    Number of Records Loaded: 252
    Number of Records Loaded: 504
    Number of Records Loaded: 1008
    Number of Records Loaded: 2016
    Number of Records Loaded: 4032
    We have noticed that each time the number of records loaded doubles from the records loaded in the last run, even when the CSV file contains only one record.
    Provided below are the parent and child csv file entries.
    Parent file:
    UD_IPNT_USR_USERID,UD_IPNT_USR_FIRST_NAME,UD_IPNT_USR_LAST_NAME,UD_IPNT_USR_COMMON_NAME,UD_IPNT_USR_NSUNIQUEID
    KPETER,Peter,Kevin,Peter Kevin,
    Child file 1:
    UD_IPNT_USR_USERID,UD_IPNT_GRP_GROUP_NAME
    KPETER,group1
    Child file 2:
    UD_IPNT_USR_USERID,UD_IPNT_ROL_ROLE_NAME
    KPETER,role1
    Can you please throw some insight on what could be the potential cause for this issue and how it could be resolved?
    Thanks
    Deepa
    Edited by: user10955790 on Jun 25, 2012 6:45 AM

    Hi Deepa,
    I know from the 'User load' perspective that it is required to restart Oracle Identity Manager when we need to reload data that was not loaded during the first run.
    So, my suggestion is to restart it before reloading.
    Reference: http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/bulkload.htm#CHDEICEH
    I hope this helps,
    Thiago Leoncio.

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer, and there is no requirement for wireless or guest users at the moment. I've got 2 points I would like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc. will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface, which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and would ideally like to have just one additional ip helper to add to our switch SVI config. Also, it appears that WLCs can only be configured for 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN into scope. We however use ACE load balancers within our DC and, from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed, so you should be good there.
    You can configure RADIUS and profiling to be enabled on other interfaces.
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network.
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    –Option 12—HostName of the client
    –Option 60—The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!

  • How to configure RZ12 and SM59 ABAP connection settings when we have to work with load balancing servers rather than a specific server

    Hi ,
    If we have a specific server, say 10.10.10.10 (abc.co.in), on which we are working, then under RZ12 we make the following entry:
    LOGON GROUP          INSTANCE
    parallel_generators  abc.co.in_10         (Let's assume the instance number is 10)
    Now in SM59 under ABAP Connections , I am giving the following technical settings:
    TARGET HOST          abc.co.in
    IP address                  10.10.10.10
    Instance number          10
    Now if we have a scenario of load balancing servers with the following server details (with all servers on different instance numbers):
    10.10.10.11
    10.10.10.13
    10.10.10.10
    10.10.10.15
    In this case how can we make the RZ12 settings and SM59 settings such that we don't have to hardcode any IP address?
    If the request is redirected to 10.10.10.11 and not to 10.10.10.10, in that case how will the settings be?
    Regards,
    SHUBHAM

    Hi,
    No one using FMS behind a load balancer? No one using RTMPT?

  • Access to load balanced web site

    I have a weird problem where browsers on one subnet in my company cannot access any web sites that are load balanced in our data center.
    Other subnets can access the load balanced sites fine.
    Browsers on the subnet in question CAN access other non-load-balanced sites within the same DC.
    Any thoughts on how to go about troubleshooting?

    Hi,
    have a look at the routing table of the servers.
    Is the return traffic (towards the clients) forwarded towards the load balancer from the servers, or bypassing it?
    Are you using source limitation on the load balancer?
    Are you using source NAT?
    Please paste the config of the load balancer, the routing table of the servers and the source address that gives you a hard time, and we can have a look at it.
    Kind Regards,
    Joerg
    PS
    In case of any doubts, take a sniffer trace in front of the load balancer and behind the load balancer. If necessary, additional ones at the client and at the server.

  • Https through load balancer breaks declarative security

    Hello,
    My desired setup is for a JBoss cluster serving requests behind a load balancer. Also I intend to use declarative security on the deployed units and have SSL client-side authentication.
    I need someone to please confirm/deny the following statements:
    1) SSL has to be negotiated by the load balancer, whether hardware or software based (Apache with mod_proxy/mod_jk).
    2) If using Apache with mod_jk it is possible to configure it to send the client-side authentication details (certificate) in such a way that JBoss may enforce declarative authorization as if it had done the authentication itself. This also means that the programmatic means to get the authenticated user identity described in the EJB and servlet specs will still work.
    3) There is no hardware load balancer that supports the behavior described in 2), which means that with a hardware load balancer it is impossible to use declarative authorization enforcement.
    After a whole lot of testing and digging up info, I'm quite desperate to solve this question, so if someone could help me I would be most thankful.
    Nuno

    After further research, I think the best course of action will be to create a VLAN for the zone behind the BigIP and then create the corresponding interface in the VLAN and zone. Using these links as my references in case anyone is interested. I'll post what I come up with.
    https://blogs.oracle.com/stw/entry/using_ip_instances_with_vlans
    https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common
    http://docs.oracle.com/cd/E19253-01/816-4554/816-4554.pdf # AdministeringVirtualLocalAreaNetworks
    http://docs.oracle.com/cd/E19053-01/ldoms.mgr11/820-4913-10/820-4913-10.pdf # Assign VLANs to a Virtual Switch and Virtual
    Network Device

  • Issue with Site Configuration / Load Balancing

    We’re noticing strange behavior with our servers that are configured behind a load balancer. We’ve got two servers with different ports and a load balancer:
    Server1: https://host1:30003/opensso
    Server2: https://host2:30103/opensso
    Load Balancer: https://loadbalancer:30003/opensso
    When we go to the admin console, we can access Server1 without a problem, but the second time we go the load balancer sends us to Server2, and our browser returns a page not found error. We've traced the HTTP traffic and discovered that every other time we go to the admin console (the load balancers are configured round robin), Server2 always returns a bogus HTTP Found URL. The response it provides is something like https://loadbalancer:*30103*/opensso/UI/Login (just an example).
    The issue here is that it is properly directing the end user's browser to the load balancer DNS entry. It is not, however, directing the end user's browser to the proper port. It seems to send its own port value to the browser. Obviously when the browser tries to access this URL the load balancer rejects the request because it is not listening on port 30103.
    Can multiple OpenSSO application servers (configured as a site) run from behind a load balancer when they are listening on different ports? If so, why is the application server responding to the user request with its own port, rather than that of the load balancer, yet still providing the DNS hostname entry for the load balancer the whole time?

    Major updates of Muse are targeted to release roughly every quarter. The 1.0 release was in mid-May. The 2.0 release was in mid-August. A fundamental change to image loading would only appear as part of a major update due to the engineering and testing efforts required.
    As provided in your previous thread http://forums.adobe.com/message/4659347#4659347 the only workaround until then is to reduce the number of images in the slideshow.
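Two messages on this page describe the same failure from opposite ends: in the first post the LTM turns the relative redirect "/admin/faces/pages/pwdmgmt.jspx" into "/admsin/..." by blindly inserting an 's' after the fourth character, and in the OpenSSO message above the server sends the load balancer's hostname with its own port (30103) instead of the VIP's (30003). Both are Location headers the client cannot follow. The Python below is an added example, not code from either thread or from F5, Oracle or OpenSSO; it reproduces the broken fourth-character rewrite beside a scheme-aware rewrite that resolves a relative path against the public origin, upgrades http to https, and swaps a backend host:port for the VIP's host:port while leaving off-site redirects alone. The host names, ports and sample Location values are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def naive_https_rewrite(location: str) -> str:
    """The rewrite the F5 support comment describes: assume an absolute
    'http://...' value and insert 's' after the fourth character.
    Correct for 'http://host/x', wrong for a relative '/admin/...'."""
    return location[:4] + "s" + location[4:]


def _public_netloc(public_host: str, public_port: int) -> str:
    # Omit the port when it is the https default so the URL looks normal.
    return public_host if public_port == 443 else f"{public_host}:{public_port}"


def rewrite_location(location: str, public_host: str, public_port: int = 443,
                     backend_hosts=()) -> str:
    """Return a Location value that a client on the far side of the proxy can follow.

    * relative path ('/admin/...')          -> absolute https URL on the public origin
    * absolute http/https naming a backend   -> scheme https, host:port of the public origin
    * absolute http/https naming the VIP     -> port corrected to the public port
    * anything else (off-site, mailto:, scheme-relative '//host/x') -> returned untouched
    """
    parts = urlsplit(location)
    public = _public_netloc(public_host, public_port)

    # RFC 7231 permits a relative reference in Location; resolve it ourselves
    # instead of letting a proxy guess where the scheme ends.
    if parts.scheme == "" and parts.netloc == "" and location.startswith("/"):
        return urlunsplit(("https", public, parts.path, parts.query, parts.fragment))

    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return location

    # Only rewrite hosts we own; a redirect to a third party must not be
    # re-pointed at our VIP.
    ours = {h.lower() for h in backend_hosts} | {public_host.lower()}
    if parts.hostname.lower() not in ours:
        return location

    return urlunsplit(("https", public, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values matching the two threads.
    print(naive_https_rewrite("/admin/faces/pages/pwdmgmt.jspx"))
    print(rewrite_location("/admin/faces/pages/pwdmgmt.jspx", "oim.example.com"))
    print(rewrite_location("https://loadbalancer:30103/opensso/UI/Login", "loadbalancer", 30003))
```

The point of the check on `backend_hosts` is that a redirect rewriter is also an open-redirect amplifier: if the proxy rewrites every Location it sees, a backend that emits a third-party URL (or a scheme-relative `//host/x`) would be re-homed onto the VIP, or a third-party URL would be forwarded unchanged and trusted because it passed through the proxy. Whether the fix ends up in an iRule, in the HTTP profile's redirect-rewrite setting, or in the application (the `redirect-with-absolute-url` setting the first poster tried), the rewrite should branch on the shape of the value rather than on a character offset.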

  • How to monitor targets which are controlled by LOAD BALANCING mechanism

    Hi,
    I have installed Enterprise Manager 10.1.0.3 and upgraded it to 10.1.0.5. Then I applied the Application plug-in patch for managing Oracle Applications. In my environment, we have two concurrent managers and four forms servers which are using a load balancer. Please let me know how to manage these concurrent managers and forms servers in that scenario. Would highly appreciate your suggestions regarding the same. Thanks in advance.
    Regards,
    Vamsi Manyam

    This note shows how to configure OEM behind a load balancer.
    The question was how to use OEM, not behind a load balancer, to monitor other targets which are behind one or different load balancers.
    For example, to monitor :
    Forms on server A and B behind load balancer LB1.
    Forms on server C and D behind load balancer LB1.
    Forms on server E and F behind load balancer LB2.
    Gary

  • Load balance xml config store

    Hi
    My environment is a workgroup, so failover clustering or other domain-based solutions are not suitable.
    I want to make the XML config store highly available:
    server1 and server2 will be behind a load balancer; both servers will have a file share named "AppFabricXmlCofigShare".
    Assuming the virtual name for the load balanced point for the servers is "VirtualServer", can I configure AppFabric caching (using the AppFabric configuration wizard) to use the XML store and point to "\\VirtualServer\AppFabricXmlCofigShare"?
    *Every update which I make to the configuration (via PowerShell)
    I will manually update on both server1 and server2 so they will be the same.
    Logically, I can't think of a reason why it shouldn't work, but here is my concern: does AppFabric update the config store by itself (without me initiating the update via PowerShell) for its own logic purposes?
    Do you have any other concerns about this solution?
    Thank You for your time!

    Status update:
    This solution is now well tested and deployed in production. Just remember to update both XML files when you make changes.
    For me it's a better solution than SQL Server based config, because AppFabric loads a lot faster after a server restart when its config is XML than when it is SQL Server based.
    I'm still waiting for feedback from some of the Microsoft support here regarding possible issues which may occur when using this solution.
    Thanks.

  • Help: AM Agent working with load balancing AM Server

    Hi,
    We are trying to set up the policy agent to work with two AM Servers behind a load balancer.
    The agent deployment document said that in the AMAgent.properties we must set
    com.sun.am.loadBalancer_enable=true
    According to the AM deployment guide(http://docs.sun.com/source/817-7644/appE_loadbalancerconfig.html),
    we also set in the AMConfig.properties something like
    com.iplanet.am.lbcookie.name=server1
    com.iplanet.am.lbcookie.value=server1
    The load balancing just does not work. Can anyone explain how the AM agent works under such a deployment
    environment? Some people say the agent can find the real server using the naming service, but not
    much explanation can be found.
    More info on our two machines:
    The two AM servers are named server1.domain and server2.domain. The virtual LB name is server.domain.
    The two AM servers were installed using the host name server.domain. We added the servers' real name
    in the AM's fqdnMap. At the agent config file, the name service is pointing to the LB.
    Really appreciate any advice.
    Regards,
    Henry

    Thanks for your reply.
    We figured it out lately thanks to help from Bernhard.
    1) Use each machine's name to install the AM servers using the same LDAP server.
    2) In AMAgent.properties, set com.sun.am.loadBalancer_enable=true
    3) In the AM server platform, add all machines' names
    4) In the Organization alias, add the two machines' names
    5) In fqdnMap, add the load balancer's name
    6) In the LB, set cookie stickiness based on the cookie JSESSIONID

  • Load balancing http server

    Hi There,
    I want to implement a load balancer (Linux Virtual Server) into our HTML DB configuration. We currently run the HTTP server on the same machine running Oracle/HTML DB. I want to split this out and use 2 separate machines running the HTTP server behind the load balancer; both these HTTP servers will be pointing to the same Oracle database.
    The load balancer will not be using persistent sessions, therefore client requests will be sent evenly to each HTTP server. My main question is: will I have problems with user sessions, or (as I imagine) is all the session information written to the database?
    Thanks in advance.
    Tom

    Bill,
    There are a few things you need to consider:
    1: Availability of the HTTP server, i.e. how many are you going to have and how are you going to access them (load balancer, DNS round robin). These should be on different servers to the database.
    2: How are the HTTP servers going to connect? For RAC you'll need to specify TNS connections. I'd also recommend that you look at using application partitioning using services in the RAC cluster. That way you can have Apex using a subset of nodes in the cluster.
    3: If you are going down the RAC path then I'd assume availability is a priority. You'll need to think of a standby configuration. Again this is possible with TNS configuration.
    You can do it all with Apex, RAC and standby, but it will take planning and testing.
