High Availability Deployment Blueprint

The following is an example of how to deploy Host Access for the Cloud in a highly available, scalable, and secure manner. While the details of every deployment will differ, for example you may be deploying three or more session servers, the goal here is to provide a known good starting point and to answer common deployment questions.

Architecture

This deployment consists of:

• Session server load balancer
• Two or more session servers
• MSS load balancer
• Three or more MSS servers
• Terminal ID Manager
• LDAP or identity management server
• Host/mainframe

Deployment benefits

With this example, you will see:

• Capacity for up to three thousand host sessions and the ability to be scaled as needed
• High availability of key services; minimizing single points of failure and distributing load by means of load balancers
• The ability to handle the failure of one session server and one MSS simultaneously without a significant drop in the performance of the web client, due to built-in headroom
• Authentication and authorization options for MSS
• Secure communication through HTTPS

Steps when deploying

A number of deployment steps require configuration in the MSS Administrative Console.

We recommend you follow these steps when deploying:

1. Learn about the basics of deployment
2. Provision resources based on system requirements and sizing guidelines
3. Install MSS and create a cluster
4. Configure MSS load balancer
5. Install session servers
6. Configure session server load balancer
7. Configure authentication and authorization
8. Verify deployment

You’ve learned about the basics of deployment, system requirements and sizing guidelines in previous sections.

Installing MSS

See the MSS Installation Guide for complete instructions.

Install three MSS servers and configure each of them for clustering. There is documentation that can step you through the process:

1. Open ports on the firewall. Ports used by MSS and Host Access for the Cloud are listed here.
2. Install MSS and then the Host Access for the Cloud components for MSS by running the Host Access for the Cloud install program on each MSS server.
3. Add each server to a cluster.
4. On each MSS server, configure general settings, security settings, and other settings as required.

More information

• Ports
• MSS Installation Guide
• MSS Clustering

Configuring an MSS load balancer

Use these values when configuring the MSS load balancer:

• Load balancing algorithm: Least Connections (or something similar)

• Session persistence:

  Configure the MSS load balancer to stick on existing cookies and URL parameters in the order specified below:

  • Stick on cookie SESSIONID
  • Stick on URL parameter sessid (only necessary if Single sign-on through IIS is configured as the authentication method)
  • Stick on cookie JSESSIONID
  • Stick on URL parameter jsessionid

• Health check endpoint: https://<mss-server>/mss/actuator/health

• TLS: Configure TLS and install certificates as needed.

More information

• MSS Using a Load Balancer

Installing session servers

Install two or more session servers.

For each session server:

1. Open ports on the firewall. Ports used by MSS and Host Access for the Cloud are listed here.
2. Install the session server. During installation, choose to use a remote MSS server, and enter the MSS load balancer address and port.
3. Import the session server certificate into each MSS’s trusted subsystem trust store: system-trustcerts.bcfks. This is done automatically for you on the MSS server that the load balancer chose during installation, but must be done manually on the other servers. It is best practice to import or verify its presence on each MSS server.

More information

• Ports
• Installing and Upgrading
• Securing Connections

Configuring session server load balancer

Use these values to configure the load balancer:

• Load balancing algorithm: Least Connections (or something similar)
• Session persistence: Enabled - use JSESSIONID or a new cookie. Unlike the MSS load balancer you are not required to use the existing JSESSIONID cookie.
• Health check endpoint: https://<session-server:7443>/actuator/health For the session server in particular, be cautious when you are configuring how to determine a node has failed and what to do once it has failed. If there are users still connected to the instance, those users may lose their host connections. To avoid marking an instance as failed too early, consider increasing timeouts or retries. Some load balancers provide a “drain mode”, which allows existing users to stay connected, but will direct new users to other instances.
• TLS: Configure TLS and install certificates as needed.

Configuring authentication and authorization

See Authentication and Authorization for details on choosing and configuring authentication and authorization

Verifying the installation

After installing and configuring all components, you’ll want to:

• Log into the MSS Administrative Console (through the MSS load balancer).
• Navigate to Manage Sessions > Add a New Session and create a test session.
• Assign the test session to a test user.
• Log into the session server as the test user, through the session server load balancer.
• Verify that the assigned session is available, opens, and can connect.

Configuring single sign-on (optional)

Following are a few additional considerations when configuring single sign-on in an high availability deployment.

SAML (Security Assertion Markup Language)

The MSS Administrator Guide has SAML authentication instructions.

1. Import the MSS load balancer certificate into each MSS servletcontainer.bcfks as a trusted certificate.
2. Update the management.server.url in each MSS container.properties file to use the MSS load balancer address.
3. Set the management.server.callback.address property in each MSS container.properties file to an address that the session server, for a specific MSS, can reach.
4. Restart the MSS servers.
5. Log on to the Administrative Console of the active MSS server to configure the SAML Authentication. Confirm that the MSS load balancer DNS is used in the Assertion consumer service prefix URL field and add the MSS load balancer and Host Access for the Cloud load balancer DNS to the SAML whitelist

6. Download and edit the service provider metadata to insert each MSS server address as AssertionConsumerService, and import the updated metadata into the SAML identity provider. For example:

     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mss-loadbalancer:8443/mss/callback/SAML2Client" index="0"/>
     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mss-server-1:8443/mss/callback/SAML2Client" index="1"/>
     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mss-server-2:8443/mss/callback/SAML2Client" index="2"/>
     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mss-server-3:8443/mss/callback/SAML2Client" index="3"/`
   

X.509

The MSS Administrator Guide has X.509 configuration instructions.

In each case the certificate used must have a Subject Alternative Name (SAN) that contains all MSS server DNS names, along with the load balancer DNS name.

1. Verify that the firewall on the MSS server allows HTTP traffic on the mutual authentication port; 8003 is the default.

2. In each MSS:

   • Replace the certificate of the servlet-engine entry in the servletcontainer.bcfks files.
   • Replace the certificate of the system entry in the system-keystore.bcfks files.
3. Import the certificate into each session server’s trustcerts.bcfks file as a trusted certificate.
4. Restart MSS and session servers.
5. Configure both the MSS and HACloud load balancers for TLS passthrough.
6. Configure X.509 authentication as documented here: How to Configure X.509 Authentication.

Configuring the Assigned Sessions list

You have the option to use the Assigned Sessions list to launch new sessions. To do this additional configuration is needed:

• Configure the MSS load balancer to stick on first the SESSIONID and then the JSESSIONID cookies. It is important to configure the stickiness in that specific order.

• Access to the Assigned Sessions list must be through the same MSS load balancer that the HACloud session server uses to connect to MSS.

More information:

• Providing Access to Host Sessions
• Using Load Balancers