IBM Security Verify


ISAM DRP & Port exhaustion

  • 1.  ISAM DRP & Port exhaustion

    Posted Thu January 03, 2019 06:22 AM
    Hi,

    We are planning for a potential ISAM roll-out in a twin data center pattern, but during the design we came across some fundamental questions, and I'd like input on two of them:
    1. Active - active vs active - passive
    2. Port exhaustion

    1. Active - active vs active - passive
    The performance page clearly mentions that support is available for active/active and active/passive environments.
    However, the deployment redbook confuses me a little since there they seem to imply that:
    • the Policy Server is always active-passive
    • the Proxy and Federation add-ons are always active-active
    In section 5 the twin data center pattern is discussed, where it is mentioned that 'The Twin Data Center topology can be through an active/active configuration, where each data center splits the production and development work and can fail over the load to the other site in the event of a disaster.' This is explained using conceptual diagrams, where there is no mention of 'development work' (or perhaps I missed it).

    What I'd like to know is if it is possible to have a complete active-passive setup, with immediate failover in case of failure, something along the lines of this:
                
          ACTIVE/DC1            PASSIVE/DC2
    +-----------------+     +------------------+
    |  +-----------+  |     |  +------------+  |
    |  | Proxy     |  |     |  | Proxy      |  |
    |  +-----------+  |     |  +------------+  |
    |                 |     |                  |
    |                 |     |                  |
    |   +----------+  |     |  +------------+  |
    |   |  Fed/AAC |  |     |  | Fed/AAC    |  |
    |   +----------+  |     |  +------------+  |
    +-----------------+     +------------------+
    

    Is there any documentation that I can dig in to get a clearer view on the possibilities?


    2. Port exhaustion

    In this white paper, on page 35 there is mention of port exhaustion. Somehow this is related to the max of 30000 worker threads, as explained here.
    What I could not find is whether this limit is per IP address or per ISAM (hardware) appliance. Suppose that the ISAM is given 8 IP addresses; then we have a limit of about 30k * 8 = 240k ephemeral ports and thus worker threads. This would be much more comfortable, but I'm not sure if such a calculation is valid.

    Can anyone shed some light on this? Or is that an inherent limit when going with physical appliances?

    ------------------------------
    Michael
    ------------------------------
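On the port-exhaustion question above, an added example (not from the original post or from IBM documentation): a TCP connection is identified by the 4-tuple (local IP, local port, remote IP, remote port), so the ephemeral-port budget is consumed per local source address and remote endpoint, which is why adding source addresses to a proxy changes the arithmetic. This script parses output laid out like `ss -tan` (sample lines constructed inline; the port range is the Linux default and is an assumption for the host in question) and reports how many ephemeral ports each (source IP, backend) pair still has.

```python
# Added example: estimate ephemeral-port headroom per (source IP, backend)
# pair from `ss -tan`-style output. Not code from the original post or IBM.
from collections import Counter

EPHEMERAL_RANGE = (32768, 60999)  # Linux default net.ipv4.ip_local_port_range (assumed)


def parse_ss_line(line):
    """Return (state, local_ip, local_port, remote) or None for headers/listeners."""
    parts = line.split()
    if len(parts) < 5 or parts[0] in ("State", "LISTEN"):
        return None
    local_ip, _, local_port = parts[3].rpartition(":")
    return parts[0], local_ip, int(local_port), parts[4]


def port_usage(ss_output, port_range=EPHEMERAL_RANGE):
    """Ephemeral ports in use per (local_ip, remote endpoint).
    TIME-WAIT sockets count: they still hold the port until they expire."""
    lo, hi = port_range
    used = Counter()
    for line in ss_output.splitlines():
        rec = parse_ss_line(line)
        if rec and lo <= rec[2] <= hi:
            used[(rec[1], rec[3])] += 1
    return used


def headroom(ss_output, port_range=EPHEMERAL_RANGE):
    """Ports still available for each (source IP, backend) pair."""
    capacity = port_range[1] - port_range[0] + 1
    return {k: capacity - n for k, n in port_usage(ss_output, port_range).items()}


# Constructed sample: two source IPs on the proxy, two backends on 8443.
# Note 10.0.0.1:40001 appears twice with different peers; both are valid
# because the full 4-tuple differs.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    10.0.0.1:443          0.0.0.0:*
ESTAB      0      0      10.0.0.1:40001        10.0.1.5:8443
ESTAB      0      0      10.0.0.1:40002        10.0.1.5:8443
TIME-WAIT  0      0      10.0.0.1:40003        10.0.1.5:8443
ESTAB      0      0      10.0.0.2:40001        10.0.1.5:8443
ESTAB      0      0      10.0.0.1:40001        10.0.1.6:8443
"""

if __name__ == "__main__":
    for (src, dst), free in sorted(headroom(SAMPLE_SS).items()):
        print(f"{src} -> {dst}: {free} ephemeral ports free")
```

On a real host, feed it `ss -tan` output and watch the pair with the smallest headroom; that pair, not the appliance total, is where exhaustion hits first.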