EX SSL-VPN: How to Change AD/LDAP Authentication Server Failover
03/26/2020 1060 11478
DESCRIPTION: EX SSL-VPN: How to Change AD/LDAP Authentication Server Failover
Every time a user tries to authenticate to an appliance, policyserver has to contact an authentication server in order to verify the user's credentials and grant them access to the VPN. An administrator can specify two authentication servers for an Active Directory or LDAP authentication server, a primary and a secondary. Policyserver will contact the secondary server if the primary fails to respond.
Policyserver waits for an error response from the underlying network stack on the appliance before it tries contacting the secondary authentication server. In addition, when a user tries to authenticate, policyserver always contacts the primary server first before trying the secondary server. In some environments, this behavior may not be desirable because the network stack takes too long to respond to policyserver with an error code. The end result is that the user could be sent back to a login page or the authentication could fail every time they try. Through the use of a handedit, documented below, policyserver's behavior can be changed so that it fails over to the secondary server and then uses that secondary server permanently until another failover event occurs.
This procedure can only be performed on appliance releases:
10.0.0 or later in the 10.0.x series, without hotfixes.
9.0.3 or later in the 9.0.x series, without hotfixes.
9.0.1 or 9.0.2, when using pform-hotfix-9_0_x-006 or later. The latest version of pform-hotfix-9_0_x can be downloaded from KB item #4488.
Note: If you have a high availability pair, this procedure must be performed on both appliances.
Warning Use the command line at your own risk. SonicWall strongly recommends that users not familiar or comfortable with the "vi" command or the command line contact SonicWall product support for assistance. Always back up your configuration before performing hand edits. See KB article #2500 for suggestions on enabling SSH access to the appliance and getting to the command line.
SSH to the appliance.
Change directory to the configuration directory: cd /usr/local/app/mgmt-server/datastore/pending/sysconf
Using vi, edit avconfig.xml.
In this file search for the string <activeDirectoryAuth, <ldapPwdAuth, or <ldapCertAuth. For Active Directory authentication, you should find a line that looks similar to this: <activeDirectoryAuth id="AV1226102870835IC" name="AD Auth Server">
Underneath this line, insert the following lines of text: <options> <options_item> <name>permanentFailover</name> <value>true</value> </options_item> </options>
Save this file and then close vi.
Restart the Aventail Management Console with the following command: /etc/init.d/mgmt-server restart
Make a small change to one of your authentication servers. For example, change the group caching lifetime to 1801 seconds instead of 1800 seconds.
Save that authentication server's settings and then apply your changes.