CA Identity Manager: Can the Active Directory Connector point to an F5 load balancer
Article ID: 96520
Products: CA Identity Manager, CA Identity Governance, CA Identity Portal
Issue/Introduction
Can an F5 load balancer be placed in front of the AD domain controllers so that the connector connects to the F5 instead of directly to an AD server?
Environment
Release: Component: IDMGR
Resolution
Pointing an Active Directory connector at an F5 load balancer instead of an AD server is not a supported configuration.
When the AD Connector operates against AD, a single provisioning request is not a single transaction. For example, ADD ACCOUNT is really a sequence of steps (create account, set password, set userAccountControl, set groups, set custom attributes, create mailbox, etc.). If those steps go through an F5 load balancer, they can be spread across different domain controllers, and replication delays between those domain controllers mean a later step may not see the result of an earlier one. Furthermore, the request sent to the Exchange Server includes the AD host that was used to create the account, so Exchange would be told to use the F5 as well, which again can lead to problems and latency/timing issues.
The recommended approach is to configure the endpoint.dns file on the Connector Server that manages the AD endpoint so that only a few domain controllers are listed, all of which are available and replicate reliably with each other.
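The two conditions in that recommendation (each listed DC is reachable, and its replication is healthy) can be checked before the list goes into endpoint.dns. The script below is an added example, not part of the CA article and not CA's own tooling; it assumes the RSAT ActiveDirectory module, uses constructed placeholder DC names, and assumes a 15-minute replication-lag tolerance. It does not write endpoint.dns, whose format the article does not describe.

```powershell
# Added example: sanity-check the domain controllers you intend to list in the
# Connector Server's endpoint.dns file. Requires the RSAT ActiveDirectory module
# and rights to read replication metadata from each DC.
# The DC names below are constructed placeholders, not values from the article.
Import-Module ActiveDirectory

$candidateDcs = @('dc01.example.local', 'dc02.example.local', 'dc03.example.local')
$maxReplicationAge = New-TimeSpan -Minutes 15   # assumption: tolerate 15 min of lag

$report = foreach ($dc in $candidateDcs) {
    # Availability: the connector talks LDAP (389) or LDAPS (636) to the DC.
    $ldapOk  = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    $ldapsOk = (Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue).TcpTestSucceeded

    # Replication health: this DC's inbound partners and when each last succeeded.
    $partners = @()
    try {
        $partners = @(Get-ADReplicationPartnerMetadata -Target $dc -ErrorAction Stop)
    } catch {
        Write-Warning "$dc : could not read replication metadata ($($_.Exception.Message))"
    }
    # A partner is "stale" if it has outstanding failures or has not succeeded recently.
    $stale = @($partners | Where-Object {
        $_.ConsecutiveReplicationFailures -gt 0 -or
        ((Get-Date) - $_.LastReplicationSuccess) -gt $maxReplicationAge
    })

    [pscustomobject]@{
        DomainController  = $dc
        Ldap389Reachable  = $ldapOk
        Ldaps636Reachable = $ldapsOk
        InboundPartners   = $partners.Count
        StalePartners     = $stale.Count
        # Only DCs that are reachable, have replication partners, and none stale qualify.
        FitForEndpointDns = ($ldapOk -or $ldapsOk) -and ($partners.Count -gt 0) -and ($stale.Count -eq 0)
    }
}

$report | Format-Table -AutoSize
```

Only DCs reported as FitForEndpointDns = True should be listed; rerun the check after any DC maintenance, since a listed DC that falls behind on replication recreates the same ordering problem the load balancer causes.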