When a PAM Cluster is accessed via an external (F5) Load Balancer, the following behavior has been observed:
We cannot open RDP sessions to Windows devices when using the PAM Client. However, we can if we use the Internet Explorer web interface with a working Java plugin.
Both the PAM Client and the IE web interface work as expected if the PAM internal VIP, or the address of a specific PAM cluster node, is used instead of the F5 Load Balancer VIP.
The load balancer did not have source IP persistence enabled, and it was configured to terminate the incoming TLS connection from the PAM client and establish its own secure connection to the PAM server. This breaks the tamper checks in the PAM client, which verify that the connection to the PAM server is direct and has not been intercepted: a load balancer that terminates and re-establishes the session is, from the client's point of view, exactly such an interception.
Make sure the following settings are configured in the F5 Load Balancer:
Additional external load balancer considerations:
- The external load balancer should route connections to individual cluster nodes, not site VIPs, to avoid a mix of external and internal load balancing.
- The TTL setting on the load balancer should be significantly larger than the maximum duration of a user logon process. We recommend a setting of 120 s.
- The load balancer should use the health check described in our online documentation to determine which cluster nodes are currently available to users.
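As an added example that is not part of the original article, the following bigip.conf fragments contrast the configuration that produced the symptom (TLS terminated on the F5, no source-address persistence) with one that follows the considerations above; the object names, the 192.0.2.x addresses and the `https` monitor are constructed placeholders, not values from the product documentation.

```tmsh
# --- Problematic configuration: TLS terminated on the F5 and re-encrypted to
# --- the pool, no persistence. The PAM client's tamper checks fail because
# --- its TLS session ends at the load balancer, not at a PAM node.
ltm virtual pam_vs_bad {
    destination 192.0.2.100:443
    ip-protocol tcp
    pool pam_pool
    profiles {
        clientssl { context clientside }
        serverssl { context serverside }
        tcp { }
    }
}

# --- Corrected configuration: pass TLS through untouched and pin each
# --- client to one node for longer than any logon takes (120 s).
ltm persistence source-addr pam_src_persist {
    defaults-from source_addr
    timeout 120
}

# Pool members are the individual cluster nodes, not the PAM site VIP.
# Replace "https" with the PAM health-check monitor from the product docs.
ltm pool pam_pool {
    members {
        192.0.2.11:443 { address 192.0.2.11 }
        192.0.2.12:443 { address 192.0.2.12 }
    }
    monitor https
}

# No clientssl/serverssl profile: the F5 forwards the TLS session as-is,
# so the PAM client's connection really does terminate on a PAM node.
ltm virtual pam_vs {
    destination 192.0.2.100:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        pam_src_persist { default yes }
    }
    pool pam_pool
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
```

Only one of the two virtual servers can be loaded on a given destination; `pam_vs_bad` is shown solely to make the difference visible.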