Justin_Adrian_3
Dec 16, 2009

GTM and SSL VPN

This could almost be considered a pre-sales question but I wanted to reach out to the community here.

I was wondering if anyone had exposure using a GTM to load balance geographically distanced SSL VPN (in this scenario, Juniper SA).

So my deployment strategy is as above. Now my iRule question is as follows.

I want to only purchase 50 users on site a, and 50 users on site b.

I know you can create an iRule which tracks connection counts. My question is: can this iRule influence the GTM?

So I want 100 users total. 50 site a, 50 site b. I want the GTM to support the geolocalization and send users to their respective closest node. However, when that node starts to fill, I want to start to influence users to use the other site which should have connections to support the load.

By doing this, I can reduce my licensing costs, still support dynamic failover, and maintain 100 user count.

Thanks.

--J

3 Replies

  • Hi Justin,

    That's a novel approach. I think you'd actually want to track open sessions--not connections. A single user could easily have many TCP connections open to an SSL VPN.

    I haven't tried this before, but I wonder if you could use an SNMP-based external GTM monitor to weight the two pool members based on an SNMP query for the number of active user sessions each VPN server holds. Does the Juniper SA provide session counts via SNMP? The default SNMP monitor would just mark the pool member down if it doesn't respond to the SNMP request. You'd need to use a custom script to poll the members for active sessions and then adjust the member priority using bigpipe, tmsh or iControl.

    Aaron
  • Correct, I probably was using the incorrect term.

    Forgive me, as it has been a long time since I actually have done this manually. I forget: if you mark the node down manually, would it allow existing sessions to continue but deny new ones, correct?

    I was hoping for a bit more elegant solution to influence the GTM directly.

    Ideally, what I would truly like to do is put a loaded weight: 1 to 1 below, say, 10 users, then go 2-1 at 15, 3-1 at 20, etc., to get a better balance. With 25 users I am not worried about load at this point. However, this is a new offering we are looking to provide. As a result, we may have 5k users eventually per node.

    I will check on the SNMP, it sounds like I do have some solutions which is a good thing. I need to set up my lab with this deployment and see what my options are.

    --J
  • I've set up a GTM and the SSL VPN using Topology as a Load Balancing Option, and have that working perfectly. However, I have not tried to add into that the 2nd layer of load balancing.

    You might look into the Limit Settings for devices, such as Current Connections; that might help you out. Otherwise you could add a health monitor to the GTM which would monitor the connections and return a "signal" if you're at your limit, thus marking that instance down. However, if you mark that instance down, your current clients will be moved to a different instance when they perform a new DNS lookup (which could be frequent depending on the TTL for that WIP).

    Thanks,

    Kevin
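
The tiered weighting Justin describes and the SNMP session poll Aaron suggests, as an added example that is not part of this thread or any F5/Juniper code: a Python script that parses net-snmp style snmpget output for each site's active session count and computes a GTM pool member ratio per site (0 once a site's 50 licences are in use, which has the same effect on new DNS lookups as marking the member down). The OID, the tier table and the session counts are constructed assumptions, and applying the ratios with tmsh or iControl is a separate step not shown here.

```python
"""Turn per-site SSL VPN session counts into GTM pool-member ratios.

Assumptions (not from the thread): session counts arrive as net-snmp style
'snmpget' output lines, and the ratios are pushed to the GTM by a separate
tmsh/iControl step that is not part of this script.
"""
import re
from typing import Dict

LICENSE_CAP = 50  # concurrent-user licences bought per site (from the thread)
# Tiers from the thread: once the busier site holds this many sessions, send the
# quieter site this many new users for every one sent to the busier site.
TIERS = ((10, 1), (15, 2), (20, 3))

# net-snmp prints 'OID = TYPE: value'; only the numeric value is needed here.
_VALUE_RE = re.compile(r"=\s*(?:Gauge32|Counter32|INTEGER):\s*(\d+)\s*$")


def parse_session_count(snmpget_line: str) -> int:
    """Extract the numeric value from one snmpget output line."""
    m = _VALUE_RE.search(snmpget_line)
    if not m:
        raise ValueError(f"unexpected snmpget output: {snmpget_line!r}")
    return int(m.group(1))


def tier_weight(sessions: int) -> int:
    """Weight the quieter site should get relative to a site holding `sessions`."""
    weight = 1
    for threshold, w in TIERS:
        if sessions >= threshold:
            weight = w
    return weight


def compute_ratios(sessions: Dict[str, int]) -> Dict[str, int]:
    """Return a GTM ratio per site; 0 means 'take no new users' (licence cap hit)."""
    if len(sessions) != 2:
        raise ValueError("this scheme is defined for exactly two sites")
    busy, quiet = sorted(sessions, key=lambda s: sessions[s], reverse=True)
    ratios = {busy: 1, quiet: tier_weight(sessions[busy])}
    for site in (busy, quiet):
        if sessions[site] >= LICENSE_CAP:
            ratios[site] = 0  # full: equivalent to marking the member down for new lookups
    if sessions[busy] == sessions[quiet]:
        ratios[quiet] = ratios[busy]  # equal load: 1:1 (or both full)
    return ratios


if __name__ == "__main__":
    # Constructed snmpget output for the two sites (placeholder OID).
    polled = {"site_a": "SNMPv2-SMI::enterprises.99999.1.1.0 = Gauge32: 17",
              "site_b": "SNMPv2-SMI::enterprises.99999.1.1.0 = Gauge32: 4"}
    counts = {site: parse_session_count(line) for site, line in polled.items()}
    print(counts, compute_ratios(counts))  # ratios: {'site_a': 1, 'site_b': 2}
```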