Pulse Policy Secure F5 Load Balancer with PPS
Deployment Guide
Published: September 2017
© 2017 by Pulse Secure, LLC. All rights reserved 2
Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
www.pulsesecure.net
Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks,
registered trademarks, or registered service marks are the property of their respective owners.
Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
F5 Load Balancer Configuration Guide
The information in this document is current as of the date on the title page.
END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use
of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at www.pulsesecure.net. By
downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Contents
Introduction
Deployment of Active/Active Cluster and Standalone nodes
Single Arm Mode-Active Active cluster
Configuring F5 load balancer for Single Arm Mode
Dual Arm Mode with Standalone nodes
Configuring F5 load balancer for Dual Arm Mode
Introduction
A load balancer is a device that acts as a reverse proxy and distributes traffic across servers.
The F5 load balancer efficiently distributes incoming requests across a group of Pulse Policy Secure
(PPS) devices. The F5 load balancer optimizes resource usage, maximizes throughput, minimizes
response time, and avoids overloading any single device.
In the Active/Active mode, all the machines in the cluster actively handle user requests sent by an
external load balancer or Round-Robin DNS. The load balancer hosts the cluster virtual IP (VIP) and
routes user requests to an environment defined in its cluster group based on source-IP routing.
Deployment of Active/Active Cluster and Standalone nodes
An Active/Active deployment provides load balancing and high availability. PPS relies on the F5 load
balancer for distributing the load among PPS nodes. The Active/Active cluster configuration allows
increased aggregate system throughput. It does not provide increased scalability beyond the total
licensed users. It also provides seamless failover, which is achieved by state synchronization between
the devices.
If a node goes offline, the load balancer adjusts the load on the active nodes. Users do not need to sign
in again. However, some session information entered a few seconds before the active machine went
offline, such as cookies and passwords, may not have been synchronized on the current device, in which
case users may need to sign in again. The F5 load balancer usually enforces a persistent source IP. In
this case, users are always connected to the same node.
The F5 load balancer supports the Active/Active PPS cluster in Single Arm Mode.
When the F5 load balancer is deployed in Dual Arm Mode, it is advised to deploy the PPS devices in
standalone mode (not in a cluster). Since the PPS devices are not in a cluster, sessions do not sync
across the nodes and users need to log in again in the case of failover. The advantage of deploying
nodes in standalone mode is increased scalability and no clustering overhead.
Single Arm Mode-Active Active cluster
In the Single Arm Mode, the load balancer uses the self IP configured for internal ports only.
The F5 load balancer uses the following topology in the Single Arm Mode.
Figure 1: F5 load balancer in Single Arm Mode
Configuring F5 load balancer for Single Arm Mode
Use the following procedure to configure the F5 load balancer for Single Arm Mode.
1. On the F5 load balancer, select Local Traffic > Nodes : Node List > New Node.
Create two PPS nodes with respective IP addresses. The diagram below depicts the required
configuration on each of the nodes.
Figure 2: Configuring the PPS nodes on F5 Load Balancer
2. On the F5 load balancer, select Local Traffic > Pools : Pool List
Create a common pool for both the PPS nodes (IC_Pool in this example) and select the specified
values for the following fields:
• Health Monitors: gateway_icmp
• Select Node List
• New Members: Add both PPS Nodes
• Service Port: * and All services
Figure 3: Creating Pools on F5 Load Balancer
3. On the F5 load balancer, select Local Traffic > Virtual Servers : Virtual Server List.
Configure three virtual servers for the internal VIP that communicates with the switch for HTTPS,
UDP-1812 and UDP-1813 services.
For each virtual server, select the following values for each pool created.
• VLANs and tunnel: Internal
• Source Address translation: Auto Map
Figure 4: Configuring Virtual Server on F5 Load Balancer
4. On the PPS admin console, select Endpoint Policy > Network Access > RADIUS Client.
Configure the F5 load balancer internal self IP as RADIUS client in the cluster nodes.
Figure 5: Configuring RADIUS Client on PPS
5. On the PPS admin console, for each PPS node, select Network > Load balancer.
Enter the F5 load balancer VIP as Internal IPv4 Address and select the Between endpoints and
Pulse Policy Secure option.
Figure 6: Configuring Load Balancer on PPS
6. On the switch, configure the F5 load balancer internal VIP (7.0.0.60) as the RADIUS server.
Dual Arm Mode with Standalone nodes
In this deployment, the F5 load balancer uses the self IP configured for both internal and external ports.
The F5 load balancer uses the following topology in the Dual Arm Mode.
Figure 4: F5 load balancer in Dual Arm Mode with Standalone nodes
Configuring F5 load balancer for Dual Arm Mode
Use the following procedure to configure the F5 load balancer for Dual Arm Mode.
1. On the F5 load balancer, select Local Traffic > Nodes : Node List > New Node
Create two PPS nodes with respective IP addresses. The diagram below depicts the required
configuration on each of the nodes.
Figure 7: Configuring the PPS nodes on F5 Load Balancer
2. On the F5 load balancer, select Local Traffic > Pools : Pool List > IC_Pool.
Create three pools, one for each PPS node (PPS-1 and PPS-2) and a common pool (IC_Pool).
Select the specified values for the following fields:
• Health Monitors: gateway_icmp
• Select Node List
• Service Port: * and All services
Figure 5: Creating Pools on F5 Load Balancer
Note: PPS-1 has only one node (7.0.0.51), and PPS-2 has only one node (7.0.0.52). However,
IC_Pool has both nodes, PPS-1 and PPS-2.
3. On the F5 load balancer, select Local Traffic > Virtual Servers : Virtual Server List.
Configure five virtual servers:
• Three virtual servers for the main external VIP (26.1.1.147) that communicates with the switch for
HTTPS, UDP-1812 and UDP-1813 services.
• One virtual server for each of the additional VIPs (26.1.1.148, 26.1.1.149), each communicating
with an individual standalone node on HTTPS.
For each virtual server, select the following values for each pool created.
• VLANs and tunnel: Enabled on
• Source Address translation: None for HTTPS and Auto Map for UDP
Figure 6: Configuring Virtual Server on F5 Load Balancer
4. On the F5 load balancer, select Network > Routes > External-Route.
Click Properties to configure the External Route IP address.
Figure 7: Configuring External-Route
5. On the PPS admin console, select Endpoint Policy > Network Access > RADIUS Client.
Configure the F5 load balancer internal self IP as RADIUS client in the cluster nodes.
Figure 8: Configuring RADIUS Client on PPS
6. On the PPS admin console, for each PPS node, select Network > Load balancer.
Enter the F5 load balancer VIP as Internal IPv4 Address and select the Between endpoints and
Pulse Policy Secure option.
Figure 9: Configuring Load Balancer on PPS -7.0.0.51
Figure 10: Configuring Load Balancer on PPS -7.0.0.52
7. On the switch, configure the F5 load balancer External VIP (26.1.1.147) as the RADIUS server.
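A check for step 3 of the Dual Arm procedure, added here as an example and not part of the Pulse Secure guide: it audits a virtual server listing against the five expected virtual servers and the stated SNAT rule (None for HTTPS, Auto Map for UDP). Assumptions: the input resembles `tmsh list ltm virtual one-line` output, HTTPS is TCP port 443, and the virtual server names in the sample are invented.

```python
import re

# Values from the Dual Arm steps of the guide; HTTPS on TCP/443 is an assumption.
MAIN_VIP = "26.1.1.147"
NODE_VIPS = ["26.1.1.148", "26.1.1.149"]
SERVICES = {"https": 443, "radius": 1812, "radius-acct": 1813}  # ports may print as names

# Constructed sample (not real device output); virtual server names are hypothetical.
SAMPLE = """\
ltm virtual vs_https { destination 26.1.1.147:https ip-protocol tcp pool IC_Pool source-address-translation { type none } }
ltm virtual vs_auth { destination 26.1.1.147:1812 ip-protocol udp pool IC_Pool source-address-translation { type automap } }
ltm virtual vs_acct { destination 26.1.1.147:1813 ip-protocol udp pool IC_Pool source-address-translation { type none } }
ltm virtual vs_pps1 { destination /Common/26.1.1.148:443 ip-protocol tcp pool PPS-1 source-address-translation { type none } }
"""

LINE = re.compile(
    r"ltm virtual (?P<name>\S+) \{.*?destination (?:\S*/)?(?P<ip>[\d.]+):(?P<port>\S+)"
    r".*?ip-protocol (?P<proto>\w+)"
    r".*?source-address-translation \{[^}]*?type (?P<snat>\w+)")

def parse(text):
    """Return one dict per virtual server line that carries all audited fields."""
    rows = []
    for m in map(LINE.search, text.splitlines()):
        if m:
            port = m["port"]
            number = int(port) if port.isdigit() else SERVICES.get(port)
            rows.append({**m.groupdict(), "port": number})
    return rows

def audit(rows):
    """Compare parsed virtual servers with the guide's Dual Arm layout."""
    seen = {(r["ip"], r["proto"], r["port"]): r for r in rows}
    want = [(MAIN_VIP, "tcp", 443), (MAIN_VIP, "udp", 1812), (MAIN_VIP, "udp", 1813)]
    want += [(ip, "tcp", 443) for ip in NODE_VIPS]
    findings = []
    for ip, proto, port in want:
        r = seen.get((ip, proto, port))
        if r is None:
            findings.append(f"missing virtual server {ip}:{port}/{proto}")
            continue
        expected = "none" if proto == "tcp" else "automap"  # None for HTTPS, Auto Map for UDP
        if r["snat"] != expected:
            findings.append(f"{r['name']}: SNAT is {r['snat']}, guide says {expected}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print("FINDING:", finding)
```

The RADIUS client entry on PPS is the F5 self IP, so a UDP virtual server without Auto Map presents the switch's own address to PPS instead.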