How does PAM determine the "least-loaded member" in a cluster site?

Article ID: 131271

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

How does PAM determine the "least-loaded member"? 

Can the PAM cluster node load balancing redirection be conditioned in any of the following ways?
- Round robin among the member nodes 
- Weighting - Node_1 (xx%), Node_2 (yy%), ... Node_N (zz%) 

Environment

CA Privileged Access Manager 3.x

Resolution

The cluster is always available to all users through a virtual IP address (VIP). The primary appliance uses its defined VIP and redirects user requests to the least-loaded member of the cluster.

The least-loaded node is determined by the combination of user sessions and access sessions.
For example, a node with a single user logged in but many RDP or SSH sessions running in parallel may be found to be busier than a node with 3 users logged on, each having only a single connection (or none) to target devices.
As a result, one node may have more connected users than another in order to keep the overall cluster load balanced among them.

The native PAM load balancer does not support any redirection method other than the one described above, so it cannot be conditioned in any way.
Alternatively, a third-party load balancer that provides more advanced features can be used to obtain conditional access to the nodes based on other criteria.

Additional Information

See also: Add a Cluster Site