Does Policy server supports external load balancer for userstore/policy store ?

Document ID : KB000011357
Last Modified Date : 14/02/2018
Show Technical Document Details

Does Policy server supports external load balancer for userstore/policy store ?

Policy Server : r12.0 and above (validated until r12.7 )

There are several reasons why "hiding" the directories from siteminder by putting them behind a 3rd party load-balancing or failover device will not give you optimal load-balancing ,nor high-availability.

  1. Siteminder has its own load-balancing and failover capabilities built-in. By using them, you allow SM to keep track of which directory is not responding, etc. This will allow SM to use its own logic to route traffic to the proper LDAP. 

  2. The SM Policy Server establishes persistent TCP/IP connections to its policy store LDAP and user store LDAPs. This means that the Load Balancer will not be able to redirect any requests to another Directory since all requests are sent over the same persistent connections. 

  3. SM keeps status on the directories by monitoring the health of them periodically via a single persistent connection (called the "ping" thread). Unless this connection receives an error, SM will not know there is anything wrong with the directories hidden behind the Load Balancer and continue to send requests to potentially "dead" connections. With a Load Balancer in place, SM could easily have its 3 connections spread over 2 or more directories causing SM to get invalid data back from the Ping thread. 

  4. By using only a single Load Balancer to connect to, SM ,Policy Server will only open 3 connections TOTAL to all the User Stores -- regardless of how many are hidden behind the Load Balancer. This will often cause performance issues on the Policy Server because it will not have enough open connections to service all the requests and cause the User Store database layer to be under utilized. 

  5. Customers often attempt to work around issue #4 by spoofing SM into opening more connections to the Load Balancer by listing the Load Balancer multiple times in the User Directory configuration. When doing that and in the case of an User Directory outage, SM will "tear down" the persistent connections to the Directories and attempt to re-connect them. The Load Balancer will then properly send the new connection requests to the available Servers. However, because these connections are persistent, SiteMinder will NEVER send any requests to the other User Stores once they are brought back online because SM will think that it has its connections re-established.

All in all, there Load Balancer causes more problems than it solves. The reasons listed above are why we do not recommend putting load balancer between the PS and the User Stores.