Load Balancing
By default, the Password Manager service will be running on each Bravura Pass server. However, only one server hostname may be provided to each transparent synchronization interceptor. If multiple Bravura Pass servers are operating, it is usually desirable to balance the transparent synchronization load between them dynamically and provide for transparent fail-over.
Round-robin DNS, or assigning multiple address records to a hostname, can be helpful for load balancing. In this configuration, an additional hostname should be set up with a record for each Bravura Pass server, and this hostname should be provided to the transparent synchronization interceptor installed on each target system. Target systems will then choose from the list of servers each time they make a request. This method does not provide fail-over.
Transparent synchronization requests can also be handled by a load balancer. Though no specific load balancer is endorsed for this purpose, the following criteria for its configuration apply:
No heartbeat should be done on either of the ports used by idpm. Use loadbalancerstatus to probe the health of nodes.
Persistent or sticky connections are required. Having once connected, a host’s traffic should be directed to the same server for considerably longer than the maximum request time. 3-5 minutes is suitable for most environments.
The traffic must be load balanced as a raw TCP stream. As it is encrypted, the load balancer should attempt no translation or validation on it.
The load balancer’s address facing the Bravura Pass server must be configured in the list of IP addresses from which the Password Manager service will allow requests.
A firewall should restrict access to the load balancer so that only those hosts intended to be sources of transparent synchronization events may connect to the Password Manager service. The CIDR bitmask option provided in the Password Manager service configuration is ineffective if hosts can connect through a load balancer.
If using load balancers, do not configure any SSL options for transparent synchronization traffic. SSL options should only be configured on load balancers for WebUI traffic, not transparent synchronization. Transparent synchronization is encrypted using a proprietary encryption algorithm. Contact support@bravurasecurity.com for more details.
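The criteria above can be checked mechanically before a load balancer goes into service. The following is an added example, not Bravura Security code: the configuration fields, port numbers and addresses are hypothetical and constructed for illustration, and the 180-second floor is taken from the 3-5 minute guidance above.

```python
import ipaddress

def audit_lb(cfg, idpm_ports, service_allowed, intended_sources):
    """Return findings where a load balancer setup departs from the criteria.

    cfg is a hypothetical, vendor-neutral description of the load balancer;
    its field names are invented for this example.
    """
    findings = []
    # Health probes must not touch the ports used by idpm.
    if cfg["health_check_port"] in idpm_ports:
        findings.append("health check probes an idpm port")
    # Sticky connections: 3-5 minutes suits most environments.
    if cfg["sticky_seconds"] < 180:
        findings.append("stickiness shorter than 3 minutes")
    # Raw TCP only, with no SSL options on this traffic.
    if cfg["mode"] != "tcp":
        findings.append("traffic is not balanced as a raw TCP stream")
    if cfg["tls_termination"]:
        findings.append("SSL options set for transparent synchronization")
    # The service must accept the load balancer's server-facing address.
    lb_ip = ipaddress.ip_address(cfg["server_facing_ip"])
    allowed = [ipaddress.ip_network(n) for n in service_allowed]
    if not any(lb_ip in net for net in allowed):
        findings.append("load balancer address not in service allow list")
    # The service only sees the load balancer, so the firewall in front
    # of it has to carry the real source restriction.
    intended = [ipaddress.ip_network(n) for n in intended_sources]
    for rule in cfg["firewall_allow"]:
        net = ipaddress.ip_network(rule)
        if not any(net.subnet_of(i) for i in intended):
            findings.append(f"firewall admits {rule}, beyond intended sources")
    return findings

# Constructed sample values (placeholders, not real product ports).
IDPM_PORTS = {5000, 5001}
SERVICE_ALLOWED = ["10.0.1.5/32"]
INTENDED = ["10.20.0.0/24"]
GOOD = {"health_check_port": 8443, "sticky_seconds": 300, "mode": "tcp",
        "tls_termination": False, "server_facing_ip": "10.0.1.5",
        "firewall_allow": ["10.20.0.0/24"]}
BAD = dict(GOOD, health_check_port=5000, sticky_seconds=30, mode="http",
           tls_termination=True, server_facing_ip="10.0.9.9",
           firewall_allow=["0.0.0.0/0"])

if __name__ == "__main__":
    for finding in audit_lb(BAD, IDPM_PORTS, SERVICE_ALLOWED, INTENDED):
        print("FAIL:", finding)
```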