Citrix Secure Private Access

Maintain consistent connections

To ensure persistent and consistent connections for applications that require session continuity, admins can enable either connector stickiness or client IP address stickiness, depending on the type of application (Web, SaaS, or TCP). Secure Private Access supports both connector stickiness and client IP address stickiness.

  • Connector stickiness ensures that after a client establishes a connection with the Connector Appliance, all subsequent requests from that client are directed to the same source (Connector Appliance).
  • Client IP address stickiness ensures that requests from a particular client IP address are consistently routed to the same back-end server.

Connector or client IP address stickiness can be enabled while creating the applications.

  • For Web and SaaS applications, admins can enable the Maintain consistent connections option.
  • For TCP applications, admins can choose between Client IP and Connector ID stickiness, depending on their requirement.

For details, see the following sections:

Important:

  • The client IP address stickiness feature is in Preview.
  • To enable client IP address stickiness, admins must configure client internal IP address pools. The IP address pool is essential for assigning a unique IP address to a user and the associated device. The devices from the customer resource location can tunnel traffic to a specific logged-in user’s device using the client’s internal IP address. For details, see Client internal IP address pools.

Connector stickiness

Some applications require connector stickiness, which means that all requests for a user session, including the initial login and the requests that follow, come from the same Connector Appliance (the same IP address). If a request is routed through a different Connector Appliance, the application might not function correctly.

  • Connector stickiness is specific to a particular user session. If the same user opens the app again, the traffic can be routed to a different Connector Appliance.
  • Connector Appliances are chosen randomly from the available Connector Appliances in a given resource location.
  • If a Connector Appliance fails, the connection is redirected to another appliance in the same resource location.

Connector stickiness is particularly important in the following scenarios:

  • NTLM protocols, which depend on the IP address to maintain the session state. If a request is routed through a different connector, NTLM authentication may fail, leading to errors or failed logins.
  • Applications based on passive FTP, which require connection stickiness to ensure that both the control and data connections are routed to the same back-end server. Without this stickiness, the FTP sessions might fail.

For information on enabling connector stickiness for the applications, see the following topics:


Client IP address stickiness - Preview

When a client connects to the back-end server through load balancing across multiple Connector Appliances in a resource location, the traffic source IP address might appear as a different Connector Appliance IP address. This discrepancy in the IP addresses might lead to issues such as the following:

  • TCP/UDP applications: Certain applications require a consistent session between a specific client and server. If the source IP address changes, these applications might fail to launch. Applications such as passive FTP, active FTP, and some web servers rely on IP address affinity (stickiness) to function correctly.
  • Security and monitoring systems: These systems might find it difficult to track and analyze traffic if the source IP addresses keep changing frequently.

To maintain source IP address affinity (stickiness), client internal IP address stickiness can be configured for TCP/UDP applications (client-to-server). With client IP address stickiness, a unique internal IP address is assigned to the user session during login. This IP address is used instead of the Connector Appliance IP address in the resource location, so all connections from the client to the back-end server use the client internal IP address assigned at login as their source IP address. Client IP address stickiness maintains session persistence irrespective of the Connector Appliance that is used during the connection.

To enable client IP address persistence, see Enable client IP address stickiness for TCP/UDP applications.

Prerequisites

Ensure that the IP address pools are created. The IP address pool is essential for assigning a unique IP address to a user and the associated device. For details, see Client internal IP address pools.

Enable client IP address stickiness for TCP/UDP applications

Perform the steps as outlined in the topic Support for TCP/UDP apps.

In the App Details section, enable or disable the client IP stickiness by selecting one of the following values in Maintain consistent connection.

  • Do not use: The application does not require any persistence. The application can work with any source IP address.
  • Client IP: The application uses the same source IP address for the client with each connection.
  • Connector ID: The application connects to the same Connector Appliance with each session.
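
The following added example (a toy model written for this page, not Citrix code) shows which source IP address a back-end server or monitoring system would observe for one user session under each of the three values, including the Connector Appliance failover case. The connector addresses, the internal IP address pool, the session name, and all class and function names are constructed assumptions.

```python
import random

# Constructed sample values: connector IPs and the client internal IP pool are assumptions.
CONNECTORS = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]
POOL = ["192.168.50.10", "192.168.50.11"]


class ResourceLocation:
    """Toy model of one resource location; hypothetical, not Citrix code."""

    def __init__(self, connectors, pool, seed=0):
        self.up = list(connectors)      # Connector Appliances currently available
        self.free = list(pool)          # unassigned client internal IP addresses
        self.rng = random.Random(seed)  # seeded so the run is repeatable
        self.sessions = {}

    def login(self, session_id):
        # A connector is picked at random per session; the internal IP is assigned at login.
        self.sessions[session_id] = {"connector": self.rng.choice(self.up),
                                     "client_ip": self.free.pop(0)}

    def fail(self, connector):
        self.up.remove(connector)

    def source_ip(self, session_id, mode):
        """Source IP the back-end server sees for one new connection."""
        s = self.sessions[session_id]
        if mode == "Client IP":
            return s["client_ip"]  # independent of which connector carries the traffic
        if mode == "Connector ID":
            if s["connector"] not in self.up:  # failover inside the same resource location
                s["connector"] = self.rng.choice(self.up)
            return s["connector"]
        return self.rng.choice(self.up)  # "Do not use": any available connector


def observed_sources(mode, connections=20, fail_midway=False):
    """Source IPs logged by the back end for one session over several connections."""
    loc = ResourceLocation(CONNECTORS, POOL)
    loc.login("alice-session-1")
    seen = []
    for i in range(connections):
        if fail_midway and i == connections // 2:
            loc.fail(loc.sessions["alice-session-1"]["connector"])
        seen.append(loc.source_ip("alice-session-1", mode))
    return seen
```

In this model only Client IP keeps a single source address per session across a connector failure, which is what lets back-end logs and monitoring rules attribute traffic to one logged-in user.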


Note:

To enable client IP address stickiness, select the same resource location that was used when creating the internal IP address pool, and ensure that the same resource location is set in the App Connectivity section.
