6.5 Clustering SSL VPNs by Using the Access Gateway without an L4 Switch

You can install and run the SSL VPN self-monitoring and failover scripts on each SSL VPN server in order to provide automatic monitoring and failover support for the SSL VPN servers that are behind a Linux Access Gateway.

When the health status of an SSL VPN server is bad, these scripts modify the iptables entries on that server to stop the Access Gateway from sending connection requests to that particular SSL VPN server. When the SSL VPN server health status returns to normal, the scripts remove the iptables entries and allow the Access Gateway to communicate with the SSL VPN server. You must perform the following tasks to configure load balancing and fault tolerance through the Access Gateway:

6.5.1 Configuring the Access Gateway

  1. In the Administration Console, click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

  2. Add all the SSL VPN servers that are part of the failover group as origin Web servers to the proxy service that you have defined.

  3. Click TCP Connect Options.

  4. Select Round Robin in the Policy for Multiple Destination IP Addresses field.

  5. Select Enable Persistent Connections.

  6. Save your changes and update the Access Gateway.

6.5.2 Installing the Scripts

  1. Download the tar file containing scripts for SSL VPN automatic monitoring and failover from the Additional Resources section on the Novell Access Manager documentation page. The tar file contains sslvpn-heartbeat.sh and sslvpn-heartbeat.

  2. Copy the sslvpn-heartbeat.sh script to the /opt/novell/sslvpn/bin directory in each of the SSL VPN servers.

  3. Copy the sslvpn-heartbeat file to the /etc/init.d/directory.

  4. Enter the following commands to change sslvpn-heartbeat.sh and sslvpn-heartbeat into executable files:

    chmod +x sslvpn-heartbeat.sh

    chmod +x sslvpn-heartbeat

  5. Enter the following command to run the script every time the Access Gateway is started:

    insserv /etc/init.d/sslvpn-heartbeat

6.5.3 Testing the Scripts

  1. Enter the following command to stop the SSL VPN server:

    /etc/init.d/novell-sslvpn stop

  2. Enter the following command to verify if the scripts have blocked port 8080:

    iptables -L

    The following lines are displayed if port 8080 is blocked: 

    Chain    sslvpn-heartbeat-chain (1 reference)
target    prot opt source      destination
REJECT    tcp  --  anywhere      anywhere    tcp
dpt:http-alt reject-with icmp-port-unreachable

  3. In the Administration Console, click Access Gateways > [Name of Server] > Health. The following message is displayed if the SSL VPN server is down:

    The HTTP Reverse Proxy service <reverse proxy name> might not be functioning properly. Few of the Web servers being accelerated are unreachable <sslvpn server IP Address>:8080

  4. Click Update from Server to get the latest health status of the Access Gateway.

  5. Connect to SSL VPN. Verify that your connection was sent to the SSL VPN that is running and not to the one that is marked as down by the Access Gateway.

  6. Enter the following command to start the SSL VPN server:

    /etc/init.d/novell-sslvpn start

  7. Enter the following command to verify if the script has removed the block on port 8080:

    iptables -L

    The following lines are displayed if the block on port 8080 is removed:

    Chain sslvpn-heartbeat-chain (1 references)
target    prot opt source      destination

  8. In the Administration Console, click Access Gateways > [Name of Server] > Health, then check to make sure that the SSL VPN server is up.

  9. Click Update from Server to get the latest health status of the Access Gateway.

  10. Connect to SSL VPN. Verify if your connection was sent to the SSL VPN server that was restarted. It might require several attempts before you can connect to the desired Access Gateway.

  11. Repeat Step 1 to Step 8 to verify if the SSL VPN health scripts are working on all the SSL VPN servers.