Hello team:
My SSL concentrators are configured as an Active/Passive cluster. I turned on a sniffer to trace a session from the concentrator (the internal interface) to internal web resources, and found that the Active concentrator initiates sessions with its real IP instead of the internal VIP.
Is this normal behavior? I want to be sure, since I have to configure policies in the firewall located between the SSL concentrator and the internal resources.
Your kind answers will be greatly appreciated.
Best regards, Rogelio
Yes, SA uses its own local interface IP address to connect to the backend resource.
Thanks,
Suresh
I create a group with all three addresses, the VIP and the two physical cluster members. Then use this to write the rules for access to resources.
The other set of rules you will need is for any address pools you create for Network Connect or Junos Pulse connections.
You will also need a NAT-enabled internet access rule from these addresses if you do not use split tunnel and force any internet traffic over this link. These will be from the interface addresses. This will also be the source address for any web resources that go to internet servers.
Hi Suresh:
Thank you very much for your kind answer.
So if there is a firewall between the cluster and the backend resources, my security policies must take into account the IP addresses of both internal interfaces of the cluster devices. Am I right?
TIA, Rogelio