SSL VPN Load Balancing for Access Manager
Novell Access Manager 3 is a comprehensive access control solution that provides seamless, single sign-on across technical and organizational boundaries, based on the Identity Federation standards. This product combines advanced capabilities such as multi-factor authentication, data encryption, clientless single sign-on and SSL VPN for secure access from any location, coupled with simplified deployment and administration.
Novell SSL VPN is designed to provide secure access to non-HTTP based applications inside a corporate network. Novell SSL VPN is combined with the powerful identity services of Novell Access Manager, which provides authentication and secure access to resources.
The Novell Access Manager 3 SSL VPN consists of two components that handle user sessions: the Tomcat servlet and the connection manager. The Tomcat servlet receives the session request from the proxy, validates the required attributes, informs the connection manager about the session, and delivers the SSL VPN client component to the user's machine.
The SSL VPN Tomcat servlets can be configured for load balancing among multiple SSL VPN connection managers, using the Session Persistence feature of Access Gateway. This appnote describes the load balancing capabilities of the Novell Access Manager 3 SSL VPN.
- Access Gateway (Linux or NetWare)
- Identity Server
- SSL VPN Servlets
- SSL VPN Server (includes the connection manager, SOCKS Server, and the Stunnel Server)
The SSL VPN user accesses the SSL VPN service by entering the following URL in the address bar:
This URL is session-persistence-enabled and is accelerated and protected by the Access Gateway. The SSL VPN servlets and the Access Gateway are configured for round robin load balancing.
When the first user sends the connection request, the first SSL VPN servlet selects the first connection manager to serve the request. All the client components are then downloaded to the client machine. Similarly, the second connection request goes to the second servlet and the first connection manager of the second servlet. This ensures that the load is distributed equally among all the SSL VPN servlets and the connection managers.
The following figure depicts multiple SSL VPN servlets and multiple SSL VPN connection managers.
Figure 1 - SSL VPN servlets and SSL VPN connection managers
To install the SSL VPN servlet, do the following:
1. Download the SSL VPN servlet RPM.
2. Log in as root and enter the following command to install the RPM:
rpm -ivh novl-sslvpn-servlet
3. Download the server RPM and enter the following command to install it:
rpm -ivh novl-sslvpn.rpm
Make sure the device is auto-imported and configured.
Configuring the Access Gateway
To configure the Access Gateway to forward SSL VPN requests to multiple SSL VPN servlets in round robin fashion, do the following:
1. Configure the Access Gateway to accelerate and protect the SSL VPN Servlet. For more information, see:
Figure 2 - Configuring the Access Gateway
2. In the Administration Console, select Servers > Configuration > Reverse Proxy > Web Servers.
Figure 3 - Selecting Web Servers
3. Specify the IP addresses of additional SSL VPN servlets.
4. Make sure that all the Web Servers are listening on the same Tomcat port.
5. Click the TCP Connect Options link.
Figure 4 - TCP Connect Options
6. Select the Enable Persistent Connections check box.
7. Select Round Robin for the Policy for Multiple Destination IP Addresses option.
8. Click OK and apply changes.
Configuring Individual SSL VPN Servlets
To configure individual SSL VPN servlets, do the following:
1. Open config.txt which is located in the following path:
The first line of the file contains the IP address and port number of the default server in the following format:
2. Specify the IP addresses of additional SSL VPN servlets.
Note: Add the IP address and port number of the servers in the same format in the next line. You can add a maximum of four servers to the failover group.
3. To enable load balancing among servers, set RoundRobinCluster=true
4. Save and close the file.
5. Restart the server by entering the following command:
Note: If the specified SSL VPN server is not available, the client will not be switched to the next server. An error message will be thrown, saying the server is not available. The client has to try again to access the next SSL VPN server.
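The following Python sketch is an added example, not part of the original appnote or of Novell's code. It models the two-level round robin described earlier together with the no-failover behaviour in the note above; the server names, the two-servlet layout, and the assumption that a returning client stays on the servlet it was first given (session persistence) are constructed for illustration.

```python
from itertools import cycle

MAX_SERVERS = 4  # the appnote's limit for one servlet's failover group


class Servlet:
    """One SSL VPN servlet with its own round-robin pointer over its servers."""

    def __init__(self, name, servers):
        if not 1 <= len(servers) <= MAX_SERVERS:
            raise ValueError(f"{name}: need 1 to {MAX_SERVERS} servers")
        self.name = name
        self._next = cycle(servers)

    def connect(self, down):
        server = next(self._next)
        # No automatic failover: an unavailable server is reported as an
        # error, and only a retry moves the pointer on to the next server.
        return server, server not in down


class Gateway:
    """Round robin across servlets; a known client stays on its servlet."""

    def __init__(self, servlets):
        self._next = cycle(servlets)
        self._sticky = {}  # client -> servlet (assumed persistence model)

    def request(self, client, down=frozenset()):
        if client not in self._sticky:
            self._sticky[client] = next(self._next)
        servlet = self._sticky[client]
        server, ok = servlet.connect(down)
        return servlet.name, server, ok


def simulate(clients, down=frozenset(), max_tries=MAX_SERVERS):
    """Return (client, attempt, servlet, server, ok) for every attempt made."""
    servers = ["cm-a", "cm-b"]  # constructed connection manager names
    gw = Gateway([Servlet("servlet-1", servers), Servlet("servlet-2", servers)])
    log = []
    for client in clients:
        for attempt in range(1, max_tries + 1):
            servlet, server, ok = gw.request(client, down)
            log.append((client, attempt, servlet, server, ok))
            if ok:
                break
    return log


if __name__ == "__main__":
    for row in simulate(["u1", "u2", "u3", "u4"], down={"cm-a"}):
        print(row)
```

With one connection manager down, every client in this model sees an error on its first attempt, which is why monitoring the availability of each server in the group matters when failover is left to the user.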
The SSL VPN Tomcat servlets can be configured for round robin load balancing among multiple SSL VPN connection managers, using the Session Persistence feature of Access Gateway.