
Cannot RDP from PAM cluster using the F5 Load Balancer


Article ID: 189240


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When a PAM cluster is accessed through an external (F5) load balancer, the following behavior has been observed:
RDP sessions to Windows devices cannot be opened from the PAM Client. They can, however, be opened from the Internet Explorer web interface with a working Java plugin.
Both the PAM Client and the IE web interface work as expected if the PAM internal VIP, or the address of a specific PAM cluster node, is used instead of the F5 load balancer VIP.

Cause

The load balancer did not have source IP persistence configured, and it was set up to terminate the incoming TLS connection from the PAM Client and establish its own secure connection to the PAM server (SSL bridging / re-encryption). The PAM Client performs tampering checks to verify that its connection to the PAM server is direct and has not been intercepted. With the F5 sitting in the middle of the TLS session, those checks fail, so access sessions such as RDP cannot be established through the F5 VIP even though web-interface logon still works.

Environment

Product: Layer 7 Privileged Access Manager.
Version: 3.x

Resolution

Make sure the following settings are configured in the F5 Load Balancer:

  1. Source IP persistence. This is required because a PAM user session is only valid on the cluster node that processed the user's authentication; without persistence, follow-up connections can land on a node that knows nothing about the session.
  2. The F5 must not terminate the client connection and establish its own secure connection to the chosen PAM server. It must pass the encrypted connection through unchanged, so that TLS runs end to end between the PAM Client and the PAM node. After 'pass-through' connections are configured, the PAM Client is able to establish RDP and other access sessions to endpoints.


Additional external load balancer considerations:

- The external load balancer should route connections to individual cluster nodes, not site VIPs, to avoid a mix of external and internal load balancing.

- The TTL setting on the load balancer should be significantly larger than the maximum duration of a user logon process. We recommend a setting of 120 s.

- The load balancer should use the health check discussed in our online documentation, e.g. here, to determine which cluster nodes are currently available to users.
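The following F5 configuration fragments, in bigip.conf (tmsh) syntax, are an added example written for this article; they are not from the original KB text and not from Broadcom or F5 documentation. They put a virtual server that exhibits the problem (TLS terminated on the F5 and re-encrypted to PAM, no persistence) next to one configured the way the resolution and the considerations above describe (TCP pass-through, source-address persistence, pool members that are individual cluster nodes, and a health monitor). All object names (vs_pam_client_bridging, vs_pam_client, pam_src_persist, pam_https_mon, pool_pam_nodes), the 203.0.113.10 VIP, the 10.0.0.11/12 node addresses, port 443 and the host name pam.example.com are placeholders. The HTTPS monitor is a generic probe standing in for the PAM health check from the product documentation, and the 120 s value from the TTL recommendation is applied here as the persistence record timeout, which is how that recommendation is interpreted in this example. The broken virtual server is shown only for contrast; it cannot coexist with the fixed one on the same destination.

```tmsh
ltm virtual vs_pam_client_bridging {
    description "BROKEN: TLS terminated on the F5 and re-encrypted to PAM, no persistence"
    destination 203.0.113.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_pam_nodes
    profiles {
        clientssl {
            context clientside
        }
        serverssl {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}

ltm persistence source-addr pam_src_persist {
    description "Pin each client IP to the node that authenticated it; TTL longer than any logon"
    defaults-from source_addr
    match-across-services disabled
    match-across-virtuals disabled
    timeout 120
}

ltm monitor https pam_https_mon {
    description "Placeholder probe; replace with the PAM health check from the product documentation"
    defaults-from https
    interval 5
    timeout 16
    send "GET / HTTP/1.1\r\nHost: pam.example.com\r\nConnection: close\r\n\r\n"
    recv "HTTP/1.1 200"
}

ltm pool pool_pam_nodes {
    description "Individual PAM cluster nodes, not the PAM site VIP"
    load-balancing-mode least-connections-member
    members {
        10.0.0.11:443 {
            address 10.0.0.11
        }
        10.0.0.12:443 {
            address 10.0.0.12
        }
    }
    monitor pam_https_mon
}

ltm virtual vs_pam_client {
    description "FIXED: TCP pass-through, TLS end to end between PAM Client and PAM node"
    destination 203.0.113.10:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        pam_src_persist {
            default yes
        }
    }
    pool pool_pam_nodes
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
```

The difference that matters for the PAM Client's tampering checks is the profiles list: the fixed virtual server carries only a tcp profile, so the F5 forwards the encrypted bytes and the client completes its TLS handshake with the PAM node itself. A quick way to confirm pass-through from a workstation is to connect to the F5 VIP with a TLS client (for example openssl s_client) and check that the certificate presented is the PAM node's, not one installed on the F5. One trade-off to be aware of: source-address persistence pins every client behind a shared NAT address to the same node, so load will distribute unevenly when many users share one egress IP; that is the cost of the per-node session validity the resolution describes.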
