IBM Verify

  • 1.  webseal (wrp) clustering approach

    Posted Thu August 13, 2020 12:32 PM
    Hello All, hope you are all doing well.
    I have a situation here and am looking for your input. I am using ISAM v9.0.5 with a few WebSEALs in the DMZ and a few in the intranet. I have 4 policy servers in a cluster, but the WebSEALs are not in a cluster and DSC is not enabled. WebSEAL session management is done using the old method of fail-over cookie and F5 persistent cookie. I am thinking of clustering the WebSEALs now and also hoping to leverage DSC. Here are my queries: 1) Can I simply add both the DMZ and non-DMZ WebSEALs to the existing policy server cluster as restricted nodes? Or 2) do I need to have a different cluster for the WebSEALs alone? Or 3) can I just configure the master and slave WebSEALs and enable DSC (without adding them to a cluster)? I heard DSC is better than the old methods of session management via failover and F5 sticky sessions; is there any striking benefit you can highlight if I leverage DSC? Are there any expected issues or disadvantages you can think of in doing this clustering exercise? Sorry, there are so many questions in here.

    Thanks,
    Raj.

    ------------------------------
    Rajkumar
    ------------------------------


  • 2.  RE: webseal (wrp) clustering approach

    Posted Sun August 16, 2020 04:35 PM
    Rajkumar,

    The first recommendation that I would make is that you only use the DSC if you actually need it.  The DSC provides additional capabilities (single-sign-off and concurrent user login restrictions), but comes at a cost of increased environment complexity and decreased performance.  For a full comparison between the failover cookie approach and the DSC refer to the product knowledge centre: https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/wrp_config/concept/con_dsc_advantages.htm

    If you do decide to use the DSC you can follow one of two approaches:
    1. Have all WebSEAL appliances join the same cluster as restricted nodes.  This makes the configuration of the DSC capability much simpler and mostly automated;
    2. Keep the WebSEAL appliances outside of the cluster, and enable the DSC for external access.  Manual configuration is then required to enable the WebSEALs to use the DSC.

    I personally don't see any real benefit in creating a separate cluster for the DSC.

    I hope that this helps.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 3.  RE: webseal (wrp) clustering approach

    Posted Sun August 16, 2020 05:15 PM
    This kind of perfectly summarizes what I am looking for. Thank you for your response Scott.