Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
563
Views
0
Helpful
1
Replies

CSM and Tivoli Access Manager

aafkhami
Level 1
Level 1

‎03-22-2004 10:23 AM

Hi,

I was wondering if anyone has deployed IBM Tivoli Access Manager in an environment with a load balancer (especially with CSM module).

We have a 6513 with CSM that supports over 20 serverfarms for regular http and https traffic. We are going to use the above product for more security and better access management for one of our web sites. This product has few components with WebSeal to be the main one who gets the request (incoming traffic to a web site) and then does authentication and authorization based on connections to LDAP and a Policy Server.

The first thing I can think is to direct the traffic from firewall (PIX) to this webseal box first and then after it has done its job, just forward it to the VIP on the CSM, so being like an extra box between the PIX and CSM for that specific web site's traffic (and just needs to have the web site's VIP as its default gateway).

If you have any input or link to more information, it will be much appreciated.

Thanks,

Ali

P.S. I did not find anything specific to load balancers in the related documents on the IBM web site.

Labels:
0 Helpful
1 Reply 1

Not applicable

‎04-05-2004 10:07 AM

We have just deployed multiple Access Manager environments behind a pair of CSS 11503 for redundancy. The CSS's are configured inline with a pair of 6513's. We have also done this with the older Local Director LD416.

In general to configure WebSEAL behind a load balancer. Setup a virtual address on the front side of the load balancer. This will be the address you will tunnel or nat all the outside traffic to.

Bind the Virtual Address to the address(es) of the WebSEAL servers. In order to keep session state use an IP sticky mode. Otherwise unless you have failover cookies setup, the remote user will loose their session when they come back into the site on another connection.

Then use a single WebSEAL junction with multiple servers to load balance backend resources.

Allow through what ever ports WebSEAL is configured to listen on, usually 80/443, on the front side.

In general it will be internet -> PIX -> 6513 -> CSS -> WebSEAL -> webservers.

0 Helpful
Customers Also Viewed These Support Documents