Cloud Access Manager 8.1.4 - How To Configure for High Availability

Cloning the proxy host

To clone the proxy host

1. Provision a new host alongside the existing Cloud Access Manager proxy host in the DMZ. For simplicity, we recommend that the host is of the same hardware and operating system type as the existing host, however no technical limitation applies. If you are using hosts with different hardware, the load balancer in front of the proxy hosts may require additional configuration to weight the number of requests in favor of the more powerful host.

2. On the new proxy host either:

   • Mount the Cloud Access Manager software ISO

   or

   • Extract the Cloud Access Manager software ZIP file to a temporary location.
3. Start the Autorun and navigate to the Install section.
4. Click Install on the Cloud Access Manager Proxy.
5. Accept the License Agreement and then click Next.
6. Enter the hostname of the first Security Token Service (STS) host you installed, for example the primary STS host.
7. Enter the shared secret for your Cloud Access Manager environment and click Install. The shared secret is defined during the configuration of the first STS host. To find the shared secret click Fallback Password and Shared Secret in the Settings section of the Cloud Access Manager Administration UI.
8. The proxy installation will now start, when the installation is complete, click Close.

9. Deploy a load balancer in front of the two Cloud Access Manager proxy hosts to distribute the traffic between the two hosts. This should be a layer 4 load balancer to allow Cloud Access Manager to handle the Secure Sockets Layer (SSL) connections from the users. Using a layer 7 load balancer, for example, would require the SSL connections to be terminated on the load balancer itself rather than on the Cloud Access Manager proxy hosts.

   Update the network configuration to route traffic destined for the external fully qualified domain names used by the Cloud Access Manager proxy hosts to the VIP address of the load balancer, rather than the primary proxy host as before.

   NOTE: The load balancer must have sticky IP enabled to ensure users always use the same proxy host unless in a failover situation.

   NOTE: If you use a reverse proxy server or load balancer in front of One Identity Cloud Access Manager, you must ensure that all headers required by Cloud Access Manager are maintained at all times. For instance, Cloud Access Manager injects JavaScript into app pages to manage session idle timeout and at the same time sets no cache headers on the response. It is essential to maintain the no cache headers at all times for Cloud Access Manager to function as designed. Removing or changing the no cache headers may cause session management issues, for example when a user uses the Back button on their browser.

10. From within the Cloud Access Manager Administration UI, click the Configuration Status icon in the top-right corner. Verify that you can see each Cloud Access Manager host and that the status of the components on each host is running and configured.

Verifying the new proxy host

To verify that the new proxy host is working correctly

1. Verify that users can log in to the Cloud Access Manager portal as normal.
2. Stop the Cloud Access Manager proxy service on the existing proxy host, so that only the new proxy host is running.
3. Verify that users can still log in to the Cloud Access Manager portal as normal.

4. Open the Cloud Access Manager proxy log on the new proxy host, CloudAccessManagerProxy.log Search the log for entries containing the userid used to verify access to the portal. This will confirm the user was using the new proxy host. Also verify that the log entry contains the user’s IP address, typically their public IP address. If the IP address is that of the load balancer, the load balancer configuration may need to be updated to preserve the original client IP address rather than using its own.

   NOTE: The private IP address for internal users is only visible if you have configured your internal DNS to resolve the proxy’s hostname to the private IP address of the proxy load balancer.

5. Restart the Cloud Access Manager proxy service and stop the Cloud Access Manager proxy service on the new proxy host.
6. Verify that users can still log in to the Cloud Access Manager portal as normal.
7. Open the Cloud Access Manager proxy log on the existing proxy host, CloudAccessManagerProxy.log. Search the log for entries containing the userid used to verify access to the portal. This will confirm the user was using the existing proxy host rather than the new host. Verify that the log entry contains the user’s IP address, typically their public IP address.
8. Restart the Cloud Access Manager proxy service.
9. From within the Cloud Access Manager Administration UI, click the Configuration Status icon in the top-right corner. Verify you can see each Cloud Access Manager host and the status of the components on each host is running and configured.