When we plan to implement enterprise solution two things are point of concern
1) Highly available systems ( remove single point of failure / provide redundancy )
2) Distributing load on more than one systems
As we know WorkspaceOne Connectors have responsibility to sync users, groups from Active Directory and provide authentication services for users to launch SAML Integrated applications
Considerations: We have 4 connector servers that we will use to remove single point of failure and providing redundancy along with load balancing for load.
Two Connector servers will serve Internet traffic and another two will take care of intranet (internal) traffic.
For security reasons internal connectors will be used for AD sync, they will be domain joined.
For external traffic another two connectors will talk to RSA servers.They will not be talking to any internal services.
To make sure our connectors are highly available and there are no single point of failure we have options to put their services behind a Network Load balancer and Passing User traffic to a virtual IP rather than directly on to one of the connectors.
1) Configuration at load balancer end
a) VIP Virtual IP and related DNS entry to make sure that traffic is posted to the VIP
We need to configure two VIPs, One in DMZ load balancer and One in internal Load balancer and respective DNS entries should be done over internet DNS and intranet DNS.
b) Server Pool (where you will add your connectors more than one)
We need to configure Two server pools one for internal traffic and one for external traffic.
We will add external connectors to the external pools and add internal connectors to the internal pool.
c) Server Monitor (which will be used to monitor services running on connectors)
Server monitors are applied on server pools, with some more information about how load balancer identify the services running on the connector servers.
Server monitors are needed to make sure faulty connector is out of service, the moment, services are not fine on it.
a simple configuration and architecture as below will help to understand more on this.
As explained in diagram , UI server makes decision based on network user is coming from.
Workspace One End Configuration:
We define that in Workspace One Identity Providers
Identity providers are internal policies that define if user connections will go to internal or external VIPs in addition to authentication mechanism like RSA , Kerberos , NTLM etc.
below example helps us to understand the same.
above example shows IDP provider setup where it explains the traffic flow to IDP host name which is our internal vip and connector behind that is connector 1 its only applicable for internal traffic and users are directory users.
This is how we control workflow and traffic using network load balancer to separate internal and external traffic along with removing single point of failure for Workspace One Deployment.