Maintain consistent connections

To ensure persistent and consistent connections for applications that require session continuity, admins can enable either connector stickiness or client IP address stickiness, depending on the type of application (Web, SaaS, or TCP). Secure Private Access supports both connector stickiness and client IP address stickiness.

  • Connector stickiness ensures that after a client establishes a connection with the Connector Appliance, all subsequent requests from the same client are directed to the same source (Connector Appliance).
  • Client IP address stickiness ensures that requests from a particular client IP address are consistently routed to the same back-end server.

Connector or client IP address stickiness can be enabled while creating the applications.

  • For Web and SaaS applications, admins can enable the Maintain consistent connections option.
  • For TCP applications, admins can choose between Client IP and Connector ID stickiness, depending on their requirement.

For details, see the following sections:

Important:

  • The client IP address stickiness feature is in Preview.
  • To enable client IP address stickiness, admins must configure client internal IP address pools. The IP address pool is essential for assigning a unique IP address to a user and the associated device. The devices from the customer resource location can tunnel traffic to a specific logged-in user’s device using the client’s internal IP address. For details, see Client internal IP address pools.

Connector stickiness

Some applications require connector stickiness, meaning all requests, starting from the initial login and including subsequent interactions, must originate from the same source (the same Connector Appliance). In such cases, if a request is routed through a different Connector Appliance, the application might not function as expected, as it expects all requests within the session to come from the same connector IP address.

Connector stickiness applies only to a specific user session. If the same user launches the app again, the traffic might be routed to a different Connector Appliance. Connector Appliances are selected randomly from the available appliances in a given resource location. Additionally, if a Connector Appliance goes down, the connection is redirected to another appliance within the same resource location.

Connector stickiness is particularly important in the following scenarios:

  • NTLM protocols, which depend on the IP address to maintain session state and track authentication context. If a request is routed through a different connector, NTLM authentication may fail, leading to errors or failed logins.
  • Applications based on passive FTP, which require connection stickiness to ensure that both the control and data connections are consistently routed to the same back-end server. Without this stickiness, the FTP session might fail.

For information on enabling connector stickiness for the applications, see the following topics:

Connector stickiness

Client IP address stickiness - Preview

When a client connects to the back-end server and the traffic is load balanced across multiple Connector Appliances in a resource location, the source IP address of the traffic might be the IP address of a different Connector Appliance. Different IP addresses might result in the following problems:

  • TCP/UDP applications: Some applications require a continuous session between the same client and server. If the source IP address differs, those application launches fail. Applications such as passive FTP, active FTP, and a few web servers require IP address affinity (stickiness).
  • Security and monitoring systems: These systems might find it difficult to track and analyze traffic if the source IP address changes frequently.

To maintain source IP address affinity (stickiness), client internal IP address stickiness can be configured for TCP/UDP applications (client-to-server). With client IP address stickiness, a unique internal IP address is assigned to the user session at the time of login. This IP address is used instead of the Connector Appliance IP address in the resource location. This allocation ensures that all connections from the client to the back-end server use the client internal IP address assigned at the time of login as the source IP address. Client IP address stickiness maintains session persistence regardless of which Connector Appliance is used during the connection.

To enable client IP address persistence, see Enable client IP address stickiness for TCP/UDP applications.

Prerequisites

Ensure that the IP address pools are created. The IP address pool is essential for assigning a unique IP address to a user and the associated device. For details, see Client internal IP address pools.

Enable client IP address stickiness for TCP/UDP applications

Perform the steps as outlined in the topic Support for TCP/UDP apps.

In the App Details section, enable or disable the client IP stickiness by selecting one of the following values in Maintain consistent connection.

  • Do not use: The application does not require any persistence. The application can work with any source IP address.
  • Client IP: The application uses the same source IP address for the client with each connection.
  • Connector ID: The application connects to the same Connector Appliance with each session.

Client IP stickiness

Note:

To enable client IP address stickiness, select the same resource location that was used when creating the internal IP address pool, and ensure that the same resource location is set in the App Connectivity section.
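One way to confirm from the back-end side that client IP stickiness is in effect, as an added example that is not part of the product documentation: the script audits a back-end connection log for sessions that arrive from more than one source IP address, from a Connector Appliance address, or from an address outside the client internal IP address pool. The log format, pool range, connector addresses, and sample lines are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed values (constructed): pool range, connector IPs, and a
# "timestamp user session_id src_ip dst_port" back-end log format.
CLIENT_POOL = ipaddress.ip_network("10.50.0.0/24")
CONNECTOR_IPS = {ipaddress.ip_address(a) for a in ("192.168.10.11", "192.168.10.12")}

SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice s-1001 10.50.0.7 21
2024-05-01T09:00:03Z alice s-1001 10.50.0.7 50211
2024-05-01T09:00:05Z bob s-1002 192.168.10.11 21
2024-05-01T09:00:06Z bob s-1002 192.168.10.12 50344
2024-05-01T09:00:09Z carol s-1003 10.50.0.9 21
malformed line
2024-05-01T09:00:10Z carol s-1003 10.50.1.9 50400
"""

def parse(log_text):
    """Yield (user, session, ip) per valid line; skip malformed ones."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, user, session, src, _ = parts
        try:
            yield user, session, ipaddress.ip_address(src)
        except ValueError:
            continue

def audit_stickiness(log_text):
    """Return {session: [findings]} for sessions that break source-IP affinity."""
    sources = defaultdict(set)
    for user, session, ip in parse(log_text):
        sources[(user, session)].add(ip)
    findings = {}
    for (user, session), ips in sources.items():
        issues = []
        if len(ips) > 1:
            issues.append("multiple-source-ips")
        if ips & CONNECTOR_IPS:
            issues.append("connector-ip-as-source")
        if any(ip not in CLIENT_POOL and ip not in CONNECTOR_IPS for ip in ips):
            issues.append("source-outside-pool")
        if issues:
            findings[session] = issues
    return findings

if __name__ == "__main__":
    print(audit_stickiness(SAMPLE_LOG))
```

A session that passes the audit, such as s-1001 in the sample, shows the behavior the Client IP option is meant to produce: both the FTP control and data connections carry the same pool address as source.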
