A colleague and I were discussing the required configuration of the Sun Identity Manager Remote Gateway for a production system and it dawned on me that I don’t think I have really ever seen a proposed reference architecture for the Gateway. Here you go:

Installation 

How and where does the Gateway get installed? This is the question that comes up most often, and a logical starting point for this technical “how to”. The Gateway installs as a Windows Service and should be installed on a Windows 2000 server; do not install it on NT with Active Directory Client Extensions installed. Why? I have tried this in the past and had issues, and the Engineering team doesn’t advise it either. 

The Gateway binds to the directory through a serverless bind, and thus needs to be installed on a system that knows about the Domain (a member of the domain, or of a domain that can locate it). Does this mean it has to be on a Domain Controller? No, the Gateway can be installed on any system matching the criteria above.

When the Gateway is installed as a service, it typically runs as the Local System account. If you change this, the service account needs two additional user rights, assigned under Local Security Policy > User Rights Assignment: “Act as part of the operating system” and “Bypass traverse checking”. Be aware that the first of these is one of the most powerful rights on a Windows host (it is effectively equivalent to SYSTEM), so the account should be dedicated to the Gateway, not shared with other services, and its password handled accordingly. This should not be confused with the Active Directory administrator account used by the resource adapter; these are two entirely different things. The Gateway service account does need the ability to run Actions and create home directories. There are other configuration possibilities, but by far these are the most common.
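As an added check (example code, not part of the original post or the product), the following PowerShell shows which account the Gateway service runs under and, when it is not Local System, whether that account has been granted the two user rights named above. The service name 'Gateway' is an assumption (confirm it with Get-Service on your Gateway host), and the script must run elevated because secedit needs administrator rights.

```powershell
# Added example, not from the original post. Shows which account the Gateway
# service runs under and, when it is not LocalSystem, whether that account has
# the two user rights named above. Assumptions: the service name 'Gateway' is a
# placeholder (confirm with Get-Service), and the script must run elevated
# because secedit needs administrator rights.
function Test-GatewayServiceRights {
    param([string]$ServiceName = 'Gateway')

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME" }
    $account = $svc.StartName
    Write-Host "Service '$ServiceName' runs as: $account"

    if ($account -eq 'LocalSystem' -or $account -eq 'NT AUTHORITY\SYSTEM') {
        Write-Host 'LocalSystem already holds both rights; nothing to add.'
        return @{ SeTcbPrivilege = $true; SeChangeNotifyPrivilege = $true }
    }

    # Services store local accounts as '.\name'; expand that so the SID lookup works.
    $account = $account -replace '^\.\\', ($env:COMPUTERNAME + '\')
    $nt  = New-Object System.Security.Principal.NTAccount($account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export the local user-rights assignment. secedit writes each right as
    #   SePrivName = *S-1-5-...,DOMAIN\name
    $inf = Join-Path $env:TEMP 'gateway-user-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $policy = Get-Content $inf
    Remove-Item $inf -ErrorAction SilentlyContinue

    # Privilege constant as it appears in the export -> display name in the UI.
    $rights = [ordered]@{
        SeTcbPrivilege          = 'Act as part of the operating system'
        SeChangeNotifyPrivilege = 'Bypass traverse checking'
    }
    $result = @{}
    foreach ($priv in $rights.Keys) {
        $line = $policy | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
        # Direct grants only: a right the account gets through group membership
        # shows the group's SID on this line, not the user's.
        $granted = [bool]($line -and ($line -match [regex]::Escape("*$sid") -or $line -match [regex]::Escape($account)))
        $result[$priv] = $granted
        $status = if ($granted) { 'granted' } else { 'MISSING' }
        Write-Host ("{0,-40} ({1,-24}) {2}" -f $rights[$priv], $priv, $status)
    }
    return $result
}

Test-GatewayServiceRights
```

The function returns a hashtable keyed by privilege constant so it can be dropped into a larger build-verification script. Because the secedit export lists direct grants only, a right inherited through a group (for example by putting the service account in Administrators) shows up as MISSING here; that is usually the signal that the account has been given far more than the two rights it needs.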

Trusts 

What about Trusts? Trusts present some issues, but generally speaking, as long as the Gateway is in the same forest as the domain to be managed, or there is a trust between the domains, the bind will succeed. Note that this is also spelled out in the product documentation.

Why use the LDAP hostname? Configuring the LDAP hostname is generally a good idea and I recommend it where possible. When you specify the LDAP hostname you are telling IDM which Domain Controller to bind to. However, per the product documentation and my experience, you do NOT have to give a specific Domain Controller. If you give the DNS name of the AD domain instead of an IP address, that name resolves to multiple IPs (every Domain Controller registers an A record for the domain name), so you avoid pointing the IDM LDAP hostname at a single Domain Controller. Why does that matter? It gives you fault tolerance at the Domain Controller level: if one DC is down, the domain name still resolves to the others.
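To see what that fault tolerance actually looks like from the Gateway host, here is an added PowerShell check (example code, not from the original post or the product). It resolves the domain's DNS name to its A records, looks up the DCs the domain advertises for LDAP via SRV records, and probes each address with a TCP connect followed by an anonymous RootDSE read, which reports which DC answered. The domain name 'corp.example.com' and port 389 are assumptions; substitute your own.

```powershell
# Added example, not from the original post. Checks what the AD domain's DNS name
# resolves to, which DCs advertise LDAP via SRV records, and whether each address
# actually answers LDAP on the given port by reading RootDSE anonymously.
# The domain name 'corp.example.com' below is an assumption: substitute your own.
function Test-DomainLdapTargets {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [int]$Port = 389,
        [int]$TimeoutMs = 3000
    )

    # 1. The A records behind the bare domain name. Every DC registers one, so a
    #    healthy domain should return more than one address here.
    $addresses = [System.Net.Dns]::GetHostAddresses($Domain) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString } |
        Sort-Object -Unique

    # 2. The DCs the domain itself advertises for LDAP (SRV record lookup).
    #    Resolve-DnsName needs PowerShell 3+ on Windows 8 / 2012 or later; on
    #    older hosts use: nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
    $srv = @()
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget
    } catch {
        Write-Warning "SRV lookup failed: $($_.Exception.Message)"
    }

    # 3. Probe each address: TCP connect with a timeout, then an anonymous RootDSE
    #    read, which AD permits by default and which names the DC that answered.
    $results = foreach ($ip in $addresses) {
        $client  = New-Object System.Net.Sockets.TcpClient
        $tcpOpen = $false
        try {
            $handle = $client.BeginConnect($ip, $Port, $null, $null)
            if ($handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($handle)
                $tcpOpen = $true
            }
        } catch { }
        finally { $client.Close() }

        $dcName = $null
        if ($tcpOpen) {
            try {
                $root   = [adsi]"LDAP://${ip}:${Port}/RootDSE"
                $dcName = [string]$root.Properties['dnsHostName'].Value
            } catch { }
        }

        [pscustomobject]@{
            Address     = $ip
            TcpOpen     = $tcpOpen
            DnsHostName = $dcName
            InSrv       = ($srv -contains $dcName)
        }
    }

    $results | Format-Table -AutoSize | Out-String | Write-Host
    $live = @($results | Where-Object { $_.TcpOpen }).Count
    if ($live -lt 2) {
        Write-Warning "Only $live reachable LDAP endpoint(s) behind '$Domain': no DC-level fault tolerance."
    }
    return $results
}

Test-DomainLdapTargets -Domain 'corp.example.com'
```

A single reachable address, or an address whose RootDSE read fails while the TCP port is open, is exactly the case where pointing the LDAP hostname at the domain name buys you nothing; fix the DNS registration or the DC before relying on it for failover.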

High Availability 

High Availability and Fault Tolerance are also a concern when deriving the Identity Manager logical architecture, and in this case for the Sun Remote Gateway. The Gateway should NOT be load balanced! Instead I recommend two Gateway servers (or more, depending on function and scale) behind a network device capable of active/passive failover. This is commonly done with a load balancer, but I do not want to give the impression that traffic should be spread across these Gateways; only one should receive traffic at a time. Configure Identity Manager to point at the network device’s address and let the device decide which Gateway to use based on availability. I would not recommend OS clustering or attempting to cluster the Gateway; it is really not required in most cases.

Server Specifications 

Server specs are another question that comes up quite a bit. The answer is not very straightforward. However, generally speaking, the following is very common:

    Pentium 4 3.x ghz dual core

    2 gigs of RAM

Logical Diagrams

The following diagrams illustrate common configurations.


Single Domain Configuration

(Diagram: Single Domain Configuration)

You will notice in the diagram above that Sun Identity Manager is configured to administer one AD Domain. This design is the most common and is very stable. The network device’s IP is configured in the Resource Adapter; in the event a Gateway server fails, the network device automatically redirects traffic to the surviving Gateway server.


Multiple Domain Configuration

(Diagram: Multiple Domain Configuration)

You will notice in the diagram above that Sun Identity Manager is configured to administer two AD Domains configured with a two-way trust. This design is less common but is possible; notice that IDM could be managing either domain through either Gateway. Because a Gateway server is configured in each domain and the trust exists, this configuration works well and provides reasonable redundancy. However, I would recommend two Gateway servers per domain. In most cases IDM will have a resource adapter configured for each domain being managed.

Multiple Domain Configuration - Highly Available 

(Diagram: Multiple Domain Configuration - Highly Available)

This is the same configuration as above with the addition of two Gateway servers, one more for each domain. This is the most recommended configuration for two domains. That sums up my tech blog on the Sun Remote Gateway. If you have any questions or would like to comment, please feel free to do so; I am always open to suggestions and feedback.
Comments:

Good One Chris.

Posted by Esesve on October 03, 2007 at 01:19 AM CDT #

When you say for high availability to point the router to the active Gateway and let it fail over to the hot spare should the first one go down, could one not just as easily do this with a load balancer in an identical active/passive setup? Does it specifically have to be a function of the router?

Posted by Rene on October 03, 2007 at 09:57 AM CDT #

Good question. The reason I am pointing at a router in this diagram is that you do not want any load balancing to occur between the Gateway instances. Therefore, a load balancer really isn't needed, all that is required is a router. That being said if you have a load balancer you could certainly set it up to do active/passive, as long as the traffic is routed to only one Gateway instance and does NOT route traffic in a "round robin" fashion.

Posted by Christopher Timmerman on October 03, 2007 at 10:04 AM CDT #

Good and very useful article! In the last diagram that has a pair of gateway servers for each AD domain, does each pair consist of one active and one passive server, or is there only one active server period? I'm guessing the former would be true, since otherwise there would be more redundancy than necessary (redundant redundancy?); however, the diagram does not make this clear either way.

Posted by Ben on October 03, 2007 at 02:52 PM CDT #

I am mostly concerned with providing 100% availability and being able to patch servers. We thought we would use an F5 BigIP and set it up for failover. My question is: can you safely switch from one side to the other without data loss? Will issuing a -k on the service allow the work that is processing to complete? How would you sequence these actions?

Posted by Joe on October 03, 2007 at 02:53 PM CDT #

As a side note, the IdM gateway was recently certified to run on VMware images in production (IdM Version 7.0 I believe). This can allow the reference architecture to be implemented without incurring large hardware costs.

Posted by Rick Zimbelman on October 03, 2007 at 03:04 PM CDT #

Good point Rick.

In response to the previous question: how do you ensure the service is finished doing what it is doing prior to killing it? I would think that you could do a -k, but I have never tried. In my experience this has not been an issue. Most patches are done off hours when AD/IDM activity would be very low. In an SPE environment this would be a challenge.

Additionally, you could use a scheduler service to kill the service at a given time. You could configure your F5 to switch to the redundant server, wait 10 minutes or however long, kill the service and patch the box.

Other than that I am not sure. Like I said it has not been an issue to date.

Posted by Christopher Timmerman on October 03, 2007 at 03:26 PM CDT #
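The sequence discussed in the comments above (fail the network device over to the standby Gateway, wait for in-flight work to drain, then stop the service and patch), written up as an added PowerShell example that is not part of the original post or the product. It only covers what can be done on the Gateway host: it watches for established connections on the Gateway's listening port and stops the service cleanly once they are gone, refusing to stop if connections are still open when the wait expires. The service name 'Gateway' and port 9278 are assumptions for your install; the step that marks the node down on the network device is device-specific and is left as a comment.

```powershell
# Added example, not from the original post. Implements "fail over on the
# network device, wait for in-flight work to drain, then stop the service" as far
# as the Gateway host itself can do it. Assumptions: the service name ('Gateway')
# and listener port (9278) are placeholders for your install; the network device
# step is specific to your device and is only described in a comment.
function Stop-GatewayAfterDrain {
    param(
        [string]$ServiceName = 'Gateway',   # assumed; check with Get-Service
        [int]$Port = 9278,                  # assumed Gateway listener port
        [int]$MaxWaitSeconds = 600,
        [int]$PollSeconds = 15
    )

    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        Write-Host "$ServiceName is already $($svc.Status)."
        return $true
    }

    # Step 1 (manual, device-specific): mark this node down on the network device
    # so new IDM traffic goes to the standby Gateway. Do that first, then run this
    # function; it only watches and stops the local service.

    # Step 2: wait until no established connections remain on the Gateway port.
    # Get-NetTCPConnection needs Windows 8 / 2012 or later; on older hosts parse
    # the output of 'netstat -an' instead.
    $deadline = (Get-Date).AddSeconds($MaxWaitSeconds)
    do {
        $active = @(Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue)
        if ($active.Count -eq 0) { break }
        $peers = ($active | ForEach-Object { $_.RemoteAddress } | Sort-Object -Unique) -join ', '
        Write-Host ("{0:HH:mm:ss} {1} active connection(s) on port {2} from {3}; waiting" -f (Get-Date), $active.Count, $Port, $peers)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    if ($active.Count -gt 0) {
        Write-Warning "Connections still open after $MaxWaitSeconds s; refusing to stop $ServiceName. Check the network device failover."
        return $false
    }

    # Step 3: a clean service stop, rather than killing the process, lets the
    # service's own control handler run its shutdown.
    Stop-Service -Name $ServiceName -ErrorAction Stop
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    Write-Host "$ServiceName stopped; the host can be patched."
    return $true
}

Stop-GatewayAfterDrain
```

If the IDM server keeps a connection open to the old node after the device has been failed over, the loop will report that peer's address until the timeout and then refuse to stop, which is the safe outcome: it tells you the failover did not take effect rather than cutting a connection the adapter is still using.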

I have changed the post to remove the word router and replace it with network device.

Posted by Christopher Timmerman on October 12, 2007 at 12:42 PM CDT #

Chris,

Great article. Do you have something similar (reference architecture) for the deployment of Sun Identity Manager in a high availability configuration?

Thanks

Posted by Steve on February 06, 2008 at 10:43 AM CST #

Chris,

Just came across your site and this is a very helpful article. I'd like to second the previous poster's request as I'm trying to put together a proposed architecture that runs in HA.

Thanks

Posted by Richard on February 19, 2008 at 04:19 AM CST #

I have successfully configured this in a customer environment but did not make use of the trusted relationship in order to provide redundancy. Configuring an AD adapter with domain A gateway I could manage domain B accounts.

But I have my doubts with gateway HA regarding TCP connections made from one AD resource adapter to a gateway if it fails.

If the gateway for domain B fails, how does the adapter know that it can access domain B via the gateway from domain A? You need a network device in front. (We once implemented an IdM gateway in a Microsoft cluster for this purpose.)

I think the main issue is the gateway failover management part, not the trusted config; some customers don't even want to have the trusted config in their domains.

In my opinion, it would be great that the AD resource adapter could be configured with a primary and secondary gateway IP/hostname, similar to what the LDAP resource adapter does.

Posted by Hector Jimenez on February 17, 2009 at 04:13 PM CST #

Hi,

Thanks for a great article.
I have a question regarding running activesync on the resources.
If a change is natively made on an AD user on one domain controller and the gateway is running on another, will IDM see the change?

Thanks,

John I

Posted by John on June 30, 2009 at 08:20 AM CDT #

If I understand your question correctly, you are asking if you configure AD Active Sync to a specific domain will the gateway pick up the change even if it is sitting on a different domain controller? I hope that is your question :-) Unfortunately, this isn't a straightforward answer. For example did you configure AD with the LDAP Hostname? For the most part the answer is yes, but here is some information for you to look into that will help:

http://docs.sun.com/app/docs/doc/820-6551/gijax?a=view

Specifically, the area on configuring Active Sync and child domains. You can always ping me at my email address as well (chris.timmerman@sun.com).

Posted by Christopher Timmerman on June 30, 2009 at 08:35 AM CDT #



This blog copyright 2009 by Christopher Timmerman