Cisco Support Community

CSM and Tivoli Access Manager


I was wondering if anyone has deployed IBM Tivoli Access Manager in an environment with a load balancer (especially with CSM module).

We have a 6513 with CSM that supports over 20 serverfarms for regular http and https traffic. We are going to use the above product for more security and better access management for one of our web sites. This product has a few components, with WebSEAL being the main one: it gets the request (incoming traffic to a web site) and then does authentication and authorization based on connections to LDAP and a Policy Server.

The first thing I can think of is to direct the traffic from the firewall (PIX) to this WebSEAL box first and then, after it has done its job, just forward it to the VIP on the CSM, so it would be like an extra box between the PIX and CSM for that specific web site's traffic (and it just needs to have the web site's VIP as its default gateway).

If you have any input or link to more information, it will be much appreciated.



P.S. I did not find anything specific to load balancers in the related documents on the IBM web site.


Re: CSM and Tivoli Access Manager

We have just deployed multiple Access Manager environments behind a pair of CSS 11503 for redundancy. The CSSs are configured inline with a pair of 6513s. We have also done this with the older Local Director LD416.

In general, to configure WebSEAL behind a load balancer, set up a virtual address on the front side of the load balancer. This will be the address you will tunnel or NAT all the outside traffic to.

Bind the virtual address to the address(es) of the WebSEAL servers. In order to keep session state, use an IP sticky mode. Otherwise, unless you have failover cookies set up, the remote user will lose their session when they come back into the site on another connection.

Then use a single WebSEAL junction with multiple servers to load balance backend resources.

Allow through whatever ports WebSEAL is configured to listen on, usually 80/443, on the front side.

In general it will be internet -> PIX -> 6513 -> CSS -> WebSEAL -> webservers.
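
The load-balancer side of the reply above, sketched as a CSS 11500 configuration fragment. This is an added illustration, not the poster's configuration: the service, owner and content-rule names, all addresses (documentation and private ranges) and the 30-minute sticky timeout are assumptions.

```text
! Constructed example: two WebSEAL servers behind one VIP on a CSS 11500.
! Names, addresses and the timeout are placeholders, not values from the thread.

! Real WebSEAL servers. The TCP keepalive takes a dead instance out of
! rotation instead of sending authenticated users to it.
service webseal1
  ip address 10.10.10.11
  keepalive type tcp
  keepalive port 443
  active

service webseal2
  ip address 10.10.10.12
  keepalive type tcp
  keepalive port 443
  active

owner tam-example
  ! HTTPS rule: the CSS cannot read the encrypted session cookie, so
  ! persistence is keyed on the client source IP ("IP sticky mode").
  content webseal-https
    vip address 192.0.2.10
    protocol tcp
    port 443
    add service webseal1
    add service webseal2
    advanced-balance sticky-srcip
    ! Sticky idle timeout in minutes; keep it at or above the WebSEAL
    ! session inactivity timeout so an idle but still valid session is
    ! not rebalanced to a server that has no record of it.
    sticky-inact-timeout 30
    active

  ! HTTP rule on the same VIP, also source-IP sticky.
  content webseal-http
    vip address 192.0.2.10
    protocol tcp
    port 80
    add service webseal1
    add service webseal2
    advanced-balance sticky-srcip
    sticky-inact-timeout 30
    active
```

On the PIX, only the VIP and the WebSEAL listening ports (usually 80/443, as the reply says) need to be reachable from outside; the real server addresses stay unpublished.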
