What is the recommended method to determine if a PVWA is unavailable and should be disabled in a load balancing pool?
The best method to determine if a PVWA is unavailable and should be disabled in a load balancing pool is to monitor Port 1858 on the PVWA server. Port 1858 is often associated with the application's API endpoints, which provide a more reliable check of the PVWA's operational status and its ability to communicate with the vault. Monitoring Port 443 could indicate that the web server is running, but it does not ensure the PVWA's full functionality, especially its connection to the vault.
Unable to find a specific reference for CyberArk’s “recommendation”; however, traffic to the PVWA (IIS) over port 443 (SSL) will return a 200 status indicating it is still available even if it can’t talk to the vault, preventing users from being able to authenticate. If instead port 1858 (e.g. https://<PVWA>/PasswordVault/api/settings/authentication) is monitored, this will prevent the NLB directing users to PVWAs when they can’t talk to the vault. Therefore, I’m inclined to think that B. is the best answer. https://www.reddit.com/r/CyberARk/comments/f2x60v/f5_health_check/ https://timschindler.blog/application-health-checking-and-load-balancing-cyberark-privileged-vault-web-access-with-haproxy#heading-setting-up-haproxy:~:text=Even%20without%20a%20connection%20to%20the%20Vault%20the%20PVWA%20still%20loads
So, you mean A. Monitor Port 443 on the PVWA server
I think the correct answer is A. https://www.reddit.com/r/CyberARk/comments/vkt3xb/pvwa_load_balancin_poll/