VMware Cloud Community
--Norton--
Enthusiast

Authentication issue using vShield Loadbalancer and fw rules

I have a strange issue with my Loadbalancer FW rules.

My client facing port is VMNIC-1

My Cell server facing port is VMNIC-2

I have configured the FW rules to allow HTTPS traffic from VMNIC-1 to VMNIC-2

This allows me to see the Portal page without issue.

When I type in my username and password I get an authentication error and it fails to authenticate me.

If I change the FW rule to allow HTTPS from VMNIC-1 to Any it works!

I thought the authentication route should be from the VC facing port of the Cell server and handled at the backend?

I don't know why the authentication is requiring the client HTTPS to be able to access somewhere other than just the portal NIC of the Cell server?

I am slowly opening ports to different servers etc to see what is causing this but I thought I'd post on here in case anyone can give a better description as to the authentication model involved.

2 Replies
--Norton--
Enthusiast

If I configure Traffic from the External VMNIC-1 to the vse portgroup option then it works.

Is this because it is a load balancer and the services for load balancing are Edge services?

The auto rule allows vse to Any Any, which I don't think is actually blocking or controlling anything?

--Norton--
Enthusiast

OK, this is the solution for your firewall rules on a load balancer for cell servers.

Do not use auto rules.

Configure HTTPS access from External to vse (this is the vShield service, in this case load balancing).

Configure HTTPS access from the vse to the explicit IP addresses of your cell servers.

I believe this now means that your request comes into the vse (vShield Edge), which then does the load balancing before forwarding to the IP addresses you have specified for the cell servers.

There are NO Any Any configurations and the default rule is set to deny.

Hope this helps someone out there.

Norton

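The reasoning behind the accepted solution is that a load-balanced login is really two connections: client to the vse, and then the vse to a cell server. A rule written as "external to cell" never matches the second hop, so under a default-deny policy the backend call fails while the edge still answers. The following is an added example (not code from the thread or from VMware) that models a first-match rule set with default deny and evaluates both hops; the interface names, cell IP addresses and rule syntax are assumptions, and vShield's real rule evaluation has more fields than this toy model.

```python
"""Toy first-match firewall policy evaluator modelling the rule sets from the thread.
Added example, not vShield code; zone names, IPs and rule fields are assumptions."""

from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str      # zone/interface name, an IP address, or ANY
    dst: str
    service: str  # e.g. "https"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str


def _match(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value


def evaluate(rules, flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; if nothing matches, the default action applies."""
    for r in rules:
        if _match(r.src, flow.src) and _match(r.dst, flow.dst) and _match(r.service, flow.service):
            return r.action
    return default


def has_any_any(rules) -> bool:
    """Audit check: flag rules that allow any source to any destination."""
    return any(r.src == ANY and r.dst == ANY and r.action == "allow" for r in rules)


# Constructed addresses for two cell servers (assumed, not from the thread).
CELL_A = "10.0.2.11"
CELL_B = "10.0.2.12"
CELLS = [CELL_A, CELL_B]


def login_flows(cell: str):
    """The two hops a portal login takes: client -> vse VIP, then vse -> the chosen cell."""
    return [Flow("external", "vse", "https"), Flow("vse", cell, "https")]


# The poster's first attempt: external interface straight to the cell-facing interface.
ORIGINAL_RULES = [Rule("external", "vmnic-2", "https", "allow")]

# The accepted solution: external -> vse, then vse -> each explicit cell IP, default deny.
FIXED_RULES = [Rule("external", "vse", "https", "allow")] + [
    Rule("vse", c, "https", "allow") for c in CELLS
]


def login_allowed(rules, cell: str) -> bool:
    """True only if every hop of the login path is allowed by the policy."""
    return all(evaluate(rules, f) == "allow" for f in login_flows(cell))


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for f in login_flows(CELL_A):
            print(f"{name:8} {f.src:>8} -> {f.dst:<10} {evaluate(rules, f)}")
        print(f"{name:8} login works: {login_allowed(rules, CELL_A)}, any/any present: {has_any_any(rules)}")
```

Running it shows the first hop allowed and the second hop denied under the original rule set, and both hops allowed under the fixed one, while a client connecting straight to a cell IP, or the vse reaching an IP that is not a listed cell, still falls through to the default deny.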