Forum Discussion
commsmonkey_172
Nimbostratus
Dec 09, 2010
Dual server site affinity at the GTM level
I have an interesting requirement for 'bonded server' site affinity at the GTM response level.
The flow spec is as follows:
1. Client requests service via https://Service
2. If client is not authenticated they are redirected to https://serviceAuth
3. https://ServiceAuth server requests and validates the user's credential and then redirects the web client back to the https://Service server with a reference to a federated credential (i.e. SAML token).
What we see in the server logs is that authentication fails if the web client is not redirected back after authentication to the https://Service server in the same site as the https://ServiceAuth server. This is because the https://Service server cannot retrieve the SAML token as it does not know of the https://ServiceAuth server in the other site.
Topology-wise, I have 2 DCs, each with a GTM (e.g., NS1 and NS2), and identical WideIPs.
I do not use cross-site pooling; pools remain local to the datacentre.
How do I ensure that the Service VIP and the Authentication VIP for the same service always have an affinity relationship at the GTM level?
Cheers,
Comms
1 Reply
- JRahm
Admin
I'm not sure how to handle that in GTM, but you could at the LTM layer insert a site-specific cookie on the response and redirect upon further requests if sent to the wrong site. Anyone else?
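The LTM-layer cookie approach suggested in the reply could look like the following pair of iRules. This is an added example, not code posted in the thread or supplied by F5. The site ids, cookie name, cookie domain and the per-site hostnames (`service-dc1.example.com`, `service-dc2.example.com`) are assumptions, and it assumes both services live under one parent domain so the browser sends the cookie to each.

```tcl
# Added illustration: site ids, cookie name, domain and hostnames are assumptions.

# --- iRule A: attach to the ServiceAuth virtual server in each data centre ---
when RULE_INIT {
    # static:: variables are global, so iRule B below can read them too.
    set static::aff_site   "dc1"            ;# id of THIS data centre ("dc2" on the other LTM)
    set static::aff_cookie "site_affinity"  ;# hypothetical cookie name
    set static::aff_domain ".example.com"   ;# parent domain shared by both services
}

when HTTP_RESPONSE {
    # Record which site performed the authentication, so the Service VIP
    # can tell where the SAML token can be retrieved.
    HTTP::cookie insert name $static::aff_cookie value $static::aff_site \
        path "/" domain $static::aff_domain
    HTTP::cookie secure $static::aff_cookie enable
}

# --- iRule B: attach to the Service virtual server in each data centre ---
when HTTP_REQUEST {
    # No cookie yet: the client has not authenticated, let the request through.
    if { ![HTTP::cookie exists $static::aff_cookie] } { return }

    set pinned [HTTP::cookie value $static::aff_cookie]

    # Already at the site that authenticated the user: nothing to do.
    if { $pinned eq $static::aff_site } { return }

    # The cookie is client-controlled. Map it through a fixed allowlist and
    # never build the redirect target from its raw value (open redirect).
    switch -- $pinned {
        "dc1"   { set target "service-dc1.example.com" }
        "dc2"   { set target "service-dc2.example.com" }
        default { return }
    }

    # Send the client to the Service VIP in the authenticating site,
    # keeping the URI so the token reference in the query string survives.
    HTTP::redirect "https://${target}[HTTP::uri]"
}
```

The per-site hostnames have to resolve only to their own data centre rather than through the shared WideIP, and the certificate on each Service VIP has to cover them. A redirect preserves the token reference only when it travels in the URI, as in the flow described in the question.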