SSL VPN
Reply
Trusted Contributor
ssl_boy
Posts: 186
Registered: ‎12-04-2007
0

Notifying a user which node they logged onto in a geographic cluster

Hi, I've asked TAC this but the answers I'm getting are not great (i.e. there is probably no solution) so as a last-ditch attempt I thought I'd try here.

The problem:

We have a SA4500 cluster where the nodes are in two separate locations. We use a DNS load balancer to route traffic to the most available site; this works fine. Using the Load Balancer and the IVE admin console, as an administrator we are able to tell where a given user has authenticated as this is recorded in the logs. However, we have a requirement to notify the user as to which cluster node the user has authenticated, as with the load balancer in place they have no way of knowing where their connection has been terminated.

I'm looking for a Variable such as <HOSTNAME> or <IVENODENAME> which I can place on the front page or post authentication in the UI Options "show notification window", it doesn't matter too much where as long as it's somehwere the user can easily find on the UI.

I have checked the documentation and knowledge base and can't find any reference on how to do this.

I've looked at using embedded javascript on a customised front-page to do this, but it would appear that sandbox doesn't give us enough tools to be able to work out the IP (not the URL) of the device we are connecting to OR resolve the IP (a-la DNSLOOKUP) of our primary URL.

Creating a Java applet from scratch that contained the logic "IF SERVERIP == "10.0.0.1" then Print "Welcome to London"" or "IF SERVERIP == "20.0.0.1" then print "Welcome to Birmingham"" and embedding it a custom page may be possible, but our web developer (who would be the first to admit he is not a Java expert) seems to think this would be a task of biblical proportions.

Given that we can't run anything server side on the IVE, I think I'm pretty much out of options. As this is such as minor niggle, It's unlikely that I'll get this picked up as feature request as there is not mega $$$$ attached to it.

So does anyone have any bright ideas?

TIA

Kendal

Contributor
rswinter
Posts: 102
Registered: ‎02-09-2010

Re: Notifying a user which node they logged onto in a geographic cluster

Here are a couple way-out ideas that may work... (Can't really test them myself either...) #1: If your DNS doesn't swtich betwwen the two very often, can you setup a second DNS name that follows the same datacenter as your IVE's DNS name. Then on the IVE login page, you can imbed a like to a JPG sitting on the web server in the same data center. (ive-whereami.mydomain.com/myive.jpg) #2: If you have an internal load balalncer (like an F5-BigIP), you could imbed a link in the Personalized Greeting Notification that points to a VIP. The BigIP could then look at the source ip address (internal IP of IVE) and redirects to a jpg that shows the name of the IVE... #3 Move from a Cluster to a Push enviroment and then you may get the name of the local IVE in the field. -S
Contributor
rswinter
Posts: 102
Registered: ‎02-09-2010
0

Re: Notifying a user which node they logged onto in a geographic cluster

Can anyone tell me why my posts alwayd get all run together with out the line feeds they have when I type them?
Trusted Contributor
ssl_boy
Posts: 186
Registered: ‎12-04-2007
0

Re: Notifying a user which node they logged onto in a geographic cluster

Hi,

 

Thanks for that, not a bad idea.. Sadly we don't have any hardware load balancers in the environment as I know that we would have various options then as they inevitibly would be much "smarter" and properly location aware.

 

The JPG idea is definatly feasible, equally it occured to me that I could include in a custom template a reference to the cluster status page, wouldn't be massively elegant but would at least give me something.  I'll have a play with a custom template and see if that gets us anywhere..

 

All other ideas/opinions still greatfully recieved..

 

Thanks again

 

Kendal

jjh
Contributor
jjh
Posts: 14
Registered: ‎10-06-2008
0

Re: Notifying a user which node they logged onto in a geographic cluster

You can configure a custom login page and via the template toolkit do things on the server side.

Here is the code:

<% USE CGI %>
<% CGI.server_name() %>

And here are the other cgi variables you could display:

DOCUMENT_ROOT    The root directory of your server
HTTP_COOKIE    The visitor's cookie, if one is set
HTTP_HOST    The hostname of the page being attempted
HTTP_REFERER    The URL of the page that called your program
HTTP_USER_AGENT    The browser type of the visitor
HTTPS    "on" if the program is being called through a secure server
PATH    The system path your server is running under
QUERY_STRING    The query string (see GET, below)
REMOTE_ADDR    The IP address of the visitor
REMOTE_HOST    The hostname of the visitor (if your server has reverse-name-lookups on; otherwise this is the IP address again)
REMOTE_PORT    The port the visitor is connected to on the web server
REMOTE_USER    The visitor's username (for .htaccess-protected pages)
REQUEST_METHOD    GET or POST
REQUEST_URI    The interpreted pathname of the requested document or CGI (relative to the document root)
SCRIPT_FILENAME    The full pathname of the current CGI
SCRIPT_NAME    The interpreted pathname of the current CGI (relative to the document root)
SERVER_ADMIN    The email address for your server's webmaster
SERVER_NAME    Your server's fully qualified domain name (e.g. www.cgi101.com)
SERVER_PORT    The port number your server is listening on
SERVER_SOFTWARE    The server software you're using (e.g. Apache 1.3)

-j

Juniper Networks Certified Internet Specialist (Firewall/VPN)
Juniper Networks Certified Internet Specialist (SSL VPN)
Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007
0

Re: Notifying a user which node they logged onto in a geographic cluster

Unfortunately, as you have found out through contacting JTAC it sounds, there is nothing on the IVE that will allow you to do this; there is no <HOSTNAME>, or similar, variable that can be used.

 

In addition, as you are aware from the same JTAC conversations, DNS load balancing is not supported on the SA devices. Is there a specific reason for using a cluster rather than separate nodes (other than ease of configuration parity)?

 

 

Trusted Contributor
ssl_boy
Posts: 186
Registered: ‎12-04-2007
0

Re: Notifying a user which node they logged onto in a geographic cluster

Hi JJH, thanks for your contribution, another poster seems to contradict you but I will give it a try in anycase as i've nothing to lose really.

 

 

 

Trusted Contributor
ssl_boy
Posts: 186
Registered: ‎12-04-2007
0

Re: Notifying a user which node they logged onto in a geographic cluster

Hi Zanyterp,

 

Things weren't looking good, hence I was looking for the more left-field solutions.

 

We are not strictly using DNS to Loadbalance, only for failover should our the primary site fail and even then it is not instanionous (about 8mins of downtime in our testing so far).  Suggesting that Juniper don't support DNS Load balancing is like saying you don't support DNS. the SA is oblivious is to what is happening externally to it, for that reason we have to have a solution to provide geographic failover since Juniper dropped the DX (at mine and my customers extreme invconvience and cost).  Having seperate nodes doesn't make sense in most cases as it increases the admin workload and the likelihood of an introduced configuration error occuring.  Furthermore, despite the cluster license changes in version 7.0 (which the last time I looked still weren't adequatly documented) seperate nodes without local load balancers doesn't give the same guarentees as having a shared cluster across two locations.  Specifcally, in the new licenseing there is a 5 day grace period before the license count drops back the surving nodes capacity.  This means that we either have to double the licensing that we need, accept that during an outage 50% of capacity will be lost, or purchase ICE licesening at signifncant cost.  The problem for us is that some customers we have a 2 week wait time before we can get into there data centre (crazy I know).  We have recently had a problem with a cluster node which would intermittetly crash and require a cold boot before restarting, the case went on for 4 months before the issue was resolved, during that time would have been at 50% capacity for most of the duration.  Whilst the new licesning scheme offers a new solution, it's not going to be right for everyone and I think a lot of -CL licenses will still be sold.

 

The primary reason we have DNS failover versus local balancers is cost; an in the cloud service costs about $4000/year to maintain, the cheapest, nastiest hardware load balancers I could find which met the spec were ~$20,000 all in for the first year, the preffered F5 solution was ~$60,000.

Moderator
cbarcellos
Posts: 198
Registered: ‎07-11-2008
0

Re: Notifying a user which node they logged onto in a geographic cluster

Please see this KB http://kb.juniper.net/KB17848 for more information on why DNS load balancing is not a supported configuration.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.