CA Identity Manager: Can the Active Directory Connector point to an F5 load balancer


Article ID: 96520

Updated On:

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal

Issue/Introduction

Can an F5 load balancer be configured in front of the AD domain controllers, so that the connector connects to the F5 instead of directly to an AD server?

Environment

Release:
Component: IDMGR

Resolution

Pointing an Active Directory connector at an F5 load balancer instead of an AD server is not a supported configuration. 

When the AD Connector operates against the AD system, an operation is not a single transaction. For example, ADD ACCOUNT is really composed of many steps (create account, set password, set userAccountControl, set groups, set custom attributes, create mailbox, etc.). If the connector is pointed at an F5 load balancer, those requests could be spread across different domain controllers, and AD replication delays between those domain controllers then come into play. Furthermore, the request sent to the Exchange Server includes the AD host that was used to create the account, so in that case we would be telling Exchange to use the F5, which again could lead to problems and latency/timing issues.

A better approach is to configure the endpoint.dns file on the Connector Server that manages the AD endpoint so that it lists just a few domain controllers, all of which are available and replicate well with each other.
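The failure mode described above, as an added illustration that is not CA Identity Manager code: a small Python model in which each write lands on one domain controller and reaches the others only after a replication lag. The DC names, DN, step list and lag values are constructed assumptions.

```python
# Constructed model of multi-step provisioning against replicated DCs.
# Not CA Identity Manager code; names, DN and lag values are assumptions.
from itertools import cycle

class Directory:
    def __init__(self, dc_names, lag_ticks):
        self.objects = {n: {} for n in dc_names}  # per-DC view: dn -> attrs
        self.pending = []                         # (deliver_tick, dc, dn, attrs)
        self.lag, self.tick = lag_ticks, 0

    def _replicate(self):
        # One tick passes per request; deliver changes whose lag has elapsed.
        self.tick += 1
        due = [p for p in self.pending if p[0] <= self.tick]
        self.pending = [p for p in self.pending if p[0] > self.tick]
        for _, dc, dn, attrs in due:
            self.objects[dc].setdefault(dn, {}).update(attrs)

    def write(self, dc, dn, attrs, create=False):
        self._replicate()
        if not create and dn not in self.objects[dc]:
            raise LookupError(f"noSuchObject on {dc}")
        self.objects[dc].setdefault(dn, {}).update(attrs)
        for other in self.objects:                # queue outbound replication
            if other != dc:
                self.pending.append((self.tick + self.lag, other, dn, dict(attrs)))

# Subset of the ADD ACCOUNT steps listed in the article (values constructed).
STEPS = [("create account", {"cn": "jdoe"}),
         ("set password", {"unicodePwd": "<placeholder>"}),
         ("set userAccountControl", {"userAccountControl": 512}),
         ("set groups", {"memberOf": ["CN=Staff,DC=example,DC=test"]})]

def add_account(directory, pick_dc, dn="CN=jdoe,OU=Users,DC=example,DC=test"):
    for i, (step, attrs) in enumerate(STEPS):
        try:
            directory.write(pick_dc(), dn, attrs, create=(i == 0))
        except LookupError as err:
            return f"failed at '{step}': {err}"
    return "ok"

def run(mode, lag_ticks=3):
    d = Directory(["dc1", "dc2"], lag_ticks)
    rr = cycle(d.objects)                         # round-robin, as a balancer might
    pick = (lambda: next(rr)) if mode == "balanced" else (lambda: "dc1")
    return add_account(d, pick)

if __name__ == "__main__":
    for mode in ("pinned", "balanced"):
        print(mode, "->", run(mode))
```

With `lag_ticks=0` the balanced run also succeeds, which is why the problem tends to appear intermittently rather than on every request.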