Configuration
Once the Active Load Balancer node has been installed, has moved on to the Configuration State and has its Installation Type set, the complete cluster and each of its nodes must be configured. This is done from the Configuration page. Note that the Configuration page is served on port 3636 and is therefore not reachable by default; the steps needed to reach it are described in the Enable Configuration Page section.
Warning
If the steps in Enable Configuration Page are not followed, the Configuration page will not be accessible and, as a result, HA cannot be configured.
Enable Configuration Page
Because the Configuration page is hosted on port 3636, it must be published as an application before it can be reached. The application is published with an http:// URL, and access to it is gated solely by the access control created in these steps, so keep that access control limited to the high security administrator group. Follow these steps to make the Configuration page accessible:
- Create a new HTTP type application named "ClusterManagement" with the "Application Server" field set to the virtual IP address and the port set to 3636. Provide the URL as
  http://hysecure_virtual_IP_address:3636
  Note: Replace hysecure_virtual_IP_address with the virtual IP address of the cluster that was configured on the Set Install Type page of the Active Load Balancer.
  This application can be marked hidden (while creating it) if the admin does not want to publish it on the Launchpad.
- Create an application group named "ClusterAdminApps" with the high security user setting, and add the application to this application group.
- Create an Application Based Access Control using Native as the authentication server for High Security Users of the SYSTEM group, and assign the newly created high security application group to it.
- Log out from the HySecure client, log in again and open the HySecure management console.
- Go to Host Configuration -> Global Settings and start the NTP server.
- The Configuration page will now be accessible.
HA Configuration
Once the installation type of the Active Load Balancer node has been set, the remaining HA configuration is done from the Active Load Balancer's management console:
- Open the Management console and expand HIGH AVAILABILITY.
- Click the Configuration sub-menu to display the Configuration page.
- Configure the "Environment" section on the Active Load Balancer node, as it might not be auto-filled. On the other nodes this information is synced from the Active Load Balancer.
- Configure the advanced HA settings by clicking the "ADVANCED HA CONFIGURATION" button and filling in the relevant information.
- Add the other nodes by clicking the "Add" button in the "HySecure Servers" section and providing their details. Nodes are added only on the Active Load Balancer node.
- Details of all the configuration items are described in the tables below.
Important
- The Configuration page is accessible over port 3636. To access it, follow the steps in the Enable Configuration Page section.
- The complete HA configuration must be done on the Active Load Balancer only, and before setting the Installation Type of any other node.
- The HA configuration done on the Active Load Balancer node is automatically synced to every node that is configured to join the cluster through the Set Install Type page.
Environment
This block is used for configuring the HA cluster information primarily involving the load balancers.
# | Field | DESCRIPTION |
---|---|---|
1 | Virtual IP Address | This is the Virtual IP Address which gets used for the HA Load Balancing service. This IP address will be assigned automatically to the active load balancer. |
2 | Virtual IP Network Mask Address | This should be the netmask for the Load Balancing service |
3 | Primary Load Balancer server IP Address | This should be the IP address of the Load Balancer node which is expected to act as a Primary Load Balancer, on bootup |
4 | Backup Load Balancer server IP Address | This should be the IP address of the Load Balancer node which is expected to act as a Backup Load Balancer, on bootup |
5 | Load Balanced Port No. (Separated with comma) | This should have a comma separated list of port no.(s) to be used for Load Balancing service |
6 | Device Name (currently selected device: eth0): | This should be the interface name on the Gateway node which gets used for Load Balancing service |
Advanced HA Configuration
To configure the advanced HA settings, click the ADVANCED HA CONFIGURATION button in the Environment block of the Configuration page under HIGH AVAILABILITY.
Details of the Advanced HA Configuration screen are provided below:
SETTING | DESCRIPTION | DEFAULT VALUE |
---|---|---|
HIGH AVAILABILITY SETTINGS | ||
Heartbeat interval (seconds) | Time interval for backup load balancer to check functional status of primary load balancer. | 6 |
Assume dead after (seconds) | Backup Load Balancer will initiate failover, if primary load balancer does not respond for this number of seconds. | 18 |
Heartbeat runs on port | Port on which heartbeat communicates with primary load balancer. | 539 |
Monitor NIC links for failures | If enabled, network card failures are monitored | Checked |
Syncdaemon | High availability service checks whether all the required services are running on VPN servers or not. | Checked |
Load Balancer Service Settings | ||
Re-entry Time(Seconds) | Length of time before active load balancer attempts to bring a real server back into the pool after failure. | 15 |
Service timeout(Seconds) | Length of time before a real server is considered dead and removed from the pool. | 6 |
Quiesce server | If selected, the least-connection table is reset to zero whenever a new real server comes online. | Yes |
Scheduling | Select your preferred scheduling algorithm from drop-down menu. | Round robin |
Persistence (Seconds) | Connections from same source are redirected to same HySecure gateway for the specified interval | 10 |
CLUSTER TYPE | ||
Routing Type | Currently supported network type for HA cluster is Direct Routing. | Direct Routing |
Click on Save button to save all the configured settings.
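The Environment and Advanced HA Configuration settings above are what end up in the cluster configuration file named in the Synchronized Files table, /etc/sysconfig/ha/lvs.cf. The following is an added example, not HySecure code: it parses a constructed Piranha-style lvs.cf (the key names and the placeholder 192.0.2.x addresses are assumptions; the values are the defaults from the tables above) and checks the points a practitioner would want verified before clicking RELOAD SERVICE: that the dead time spans more than one heartbeat interval, that the routing type is Direct Routing, that a backup load balancer exists and is distinct from the primary, that the VIP is not a load balancer's own address, and that at least one real server is listed. It also reports the failover window implied by the heartbeat settings.

```python
"""Parse a Piranha-style lvs.cf and check it against the HA settings above."""
import re

# Constructed sample in Piranha lvs.cf syntax with the default values from the
# tables above and placeholder RFC 5737 addresses. That HySecure writes exactly
# these keys to /etc/sysconfig/ha/lvs.cf is an assumption.
SAMPLE_LVS_CF = """\
primary = 192.0.2.11
backup_active = 1
backup = 192.0.2.12
heartbeat = 1
heartbeat_port = 539
keepalive = 6
deadtime = 18
network = direct
monitor_links = 1
syncdaemon = 1
virtual hysecure {
    active = 1
    address = 192.0.2.100 eth0:1
    vip_nmask = 255.255.255.0
    port = 443
    persistent = 10
    scheduler = rr
    timeout = 6
    reentry = 15
    quiesce_server = 1
    server node1 {
        address = 192.0.2.21
        weight = 1
    }
    server node2 {
        address = 192.0.2.22
        weight = 1
    }
}
"""

# Scheduler names understood by the kernel IPVS modules ("rr" is Round robin).
IPVS_SCHEDULERS = {"rr", "wrr", "lc", "wlc", "lblc", "lblcr", "dh", "sh", "sed", "nq"}
BLOCK_START = re.compile(r"^(virtual|server)\s+(\S+)\s*\{$")


def parse_lvs_cf(text):
    """Nested dicts: top-level keys, cfg['virtual'][name] per virtual server,
    and cfg['virtual'][name]['server'][name] per real server."""
    root = {"virtual": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = BLOCK_START.match(line)
        if m:
            kind, name = m.groups()
            block = {}
            stack[-1].setdefault(kind, {})[name] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root


def failover_window(keepalive, deadtime):
    """Seconds after the primary's last heartbeat before the backup takes over:
    the backup polls every `keepalive` s and acts at the first poll at or after `deadtime` s."""
    return (deadtime, deadtime + keepalive)


def check_ha(cfg):
    """Findings against the constraints described on this page; empty is good."""
    findings = []
    keepalive, deadtime = int(cfg.get("keepalive", 0)), int(cfg.get("deadtime", 0))
    if deadtime < 2 * keepalive:
        findings.append(f"deadtime={deadtime}: one missed heartbeat (keepalive={keepalive}) triggers failover")
    if cfg.get("network") != "direct":
        findings.append(f"network={cfg.get('network')}: only Direct Routing is supported")
    if cfg.get("backup_active") != "1" or not cfg.get("backup"):
        findings.append("no active backup load balancer: the VIP cannot fail over")
    elif cfg.get("backup") == cfg.get("primary"):
        findings.append("primary and backup load balancer share one address")
    lb_addrs = {cfg.get("primary"), cfg.get("backup")}
    for name, vs in cfg["virtual"].items():
        vip = vs.get("address", "").split(" ")[0]  # "IP dev:alias" -> IP
        if vip in lb_addrs:
            findings.append(f"virtual {name}: VIP {vip} is a load balancer's own address")
        if vs.get("scheduler") not in IPVS_SCHEDULERS:
            findings.append(f"virtual {name}: unknown scheduler {vs.get('scheduler')}")
        if not vs.get("server"):
            findings.append(f"virtual {name}: no real servers to balance to")
    return findings


if __name__ == "__main__":
    cfg = parse_lvs_cf(SAMPLE_LVS_CF)
    print("failover window (s):", failover_window(int(cfg["keepalive"]), int(cfg["deadtime"])))
    print("findings:", check_ha(cfg) or "none")
```

Run it against a copy of the file taken from the Active Load Balancer. With the defaults (heartbeat interval 6 s, assume dead after 18 s) the backup acts between 18 and 24 s after the last heartbeat it received; the "Persistence" and "Service timeout" values then decide how quickly clients land on a surviving gateway.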
RELOAD SERVICE
Whenever any part of the HA configuration is changed and saved, whether in the Environment block, the Advanced Configuration or the node list, the HA services must be reloaded by clicking the RELOAD SERVICE button.
HySecure Servers
This block is used for configuring the nodes that are expected to be part of the HA cluster. The configuration of each node comprises its name, IP address and weight.
- Enter the Virtual Hostname in the Virtual Hostname field. This becomes the hostname of the cluster and is used to generate all SSL certificates.
- If you want to publish the VPN gateway over the Internet using a valid SSL certificate, this hostname must be publicly resolvable, since the SSL certificates are generated for this hostname.
Warning
Information on all nodes forming part of the HA cluster needs to be added in this section, before these nodes are configured for their respective Installation Type
Synchronized Data
The following data is synced between the cluster nodes:
Configuration | Details | Sync Details | Sync Interval |
---|---|---|---|
Main HySecure configuration | All user, application and access control data, and other data stored in the database | From Active to Standby node, as a database sync | Within 5 minutes (/home/fes/ha_interval.conf) |
Cluster configuration | Active node, Standby node and Gateway configuration | Only from Active to the other nodes in the cluster | On first cluster join and on every modification, within 2 minutes (/home/fes/ha_interval.conf) |
Client Settings | HySecure client related configuration | From the modifying node to all nodes | On every modification |
HyLite Settings | HyLite settings | Active to Standby | 5 minutes |
SSL Certificates | Uploaded external SSL certificate | Active to Standby | |
HySecure License | HySecure license | Active to Standby and other nodes | 5 minutes |
Gateway state | HySecure gateway state | Active to Standby and other nodes | 5 minutes |
Data non-synchronized
The following data is not synced between cluster nodes and must be configured on each node manually. Note in particular that the SSL settings (including SSL Version 3.0 Support and the current SSL timeout) are per node, so a hardening change made on the Active node does not reach the other nodes until it is repeated there.
Configuration | Details | Sync Details | Sync Interval |
---|---|---|---|
Gateway binary upgrades | HySecure gateway binary | Not synced. Upgrade each gateway manually | |
/etc/hosts | Hosts file for name resolution | Not synced. Manually create the hosts file entries on each gateway | |
/etc/resolv.conf | DNS server settings | Not synced. Manually create the setting on each gateway | |
NTP Settings | NTP configuration for date and time on each gateway | Not synced. Manually start NTP on each gateway | |
HyLite License | HyLite license | Not synced. The HySecure admin needs to upload the HyLite license on each node manually | |
SSL Settings | SSL settings on the HySecure gateway | Not synced. The HySecure admin needs to configure this setting on each node manually | |
Global Settings | HySecure gateway configuration | The following options are not synced: Connection KeepAlive, SSL Version 3.0 Support and Current SSL timeout | 5 minutes |
Synchronized Files
The following files are synced across the cluster:
File Name / Directories | Synced or not | Purpose of file | Sync interval (customizable) | Direction |
---|---|---|---|---|
/etc/sysconfig/ha/lvs.cf | Synced | Cluster configuration | 5 minutes | Between Active and Standby, not on real VPN nodes |
/home/fes/public/portal/act/apptab.html, /home/fes/public/portal/act/loginPage.htm, /home/fes/public/portal/act/logoutclient.html | Synced | Portal web pages | 5 minutes | Syncs changes such as the brand name |
/etc/httpd/conf/httpd.conf | Synced | Web server configuration file | 5 minutes | On all nodes |
/etc/logrotate.d/ves | Synced | Logrotate configuration file, log archive setting, not on real VPN nodes | 5 minutes | On all nodes |
/home/fes/public/tseclientinfo.js, /home/fes/public/verinfo.js | Synced | Client global login profile settings | 5 minutes | On all nodes |
/home/fes/.byPassSiteList | Synced | VPN bypass URL list | 5 minutes | On all nodes |
/home/fes/localmail.txt, /home/fes/csrmail.txt, /home/fes/resetpassmail.txt | Synced | Email templates | 5 minutes | On all nodes |
/home/fes/ntp_command | Synced | NTP server setting | 5 minutes | On all nodes |
/home/fes/smsconf.settings | Synced | HyID OTP settings | 5 minutes | On all nodes |
/home/fes/features.status | Synced | Internal | 5 minutes | On all nodes |
/home/fes/mysqldump/ | Synced | Database replica on each node, missing on real VPN nodes | 10 minutes | |
/home/fes/fescommon/ | Synced | VPN configuration and SSL certificates | 5 minutes | On all nodes |
/var/lib/mysql/mysql/ | Synced | Database configuration, missing on real VPN nodes | 10 minutes | On Active and Standby |
/etc/hosts | Not synced | Name resolution | - | - |
Log files | Pushed | All the log files | Instantly | From Active to Standby |
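Because the sync runs on a timer and some of the synced directories carry secrets (SSL certificates and keys under /home/fes/fescommon/, database dumps under /home/fes/mysqldump/), an operator will want to confirm that the nodes have actually converged and that nothing sensitive was copied with loose permissions. The following is an added example, not a HySecure tool: it builds a manifest (SHA-256 and mode bits) of the synced paths from the table above on one node and compares two manifests. The subset of paths and the "sensitive" flags are assumptions drawn from the table's purpose column; the demo trees are constructed in temporary directories so the script runs offline.

```python
"""Manifest the synced paths above on one node and compare two nodes."""
import hashlib
import os
import stat
import tempfile

# Subset of the paths from the table above, relative to a node's filesystem
# root. The flag marks directories the table says hold SSL certificates or the
# database replica; treating everything under them as secret is an assumption.
SYNCED_PATHS = {
    "/etc/sysconfig/ha/lvs.cf": False,
    "/etc/httpd/conf/httpd.conf": False,
    "/home/fes/.byPassSiteList": False,
    "/home/fes/fescommon/": True,
    "/home/fes/mysqldump/": True,
}


def build_manifest(root="/", paths=SYNCED_PATHS):
    """Map each regular file under the synced paths to (sha256, mode, sensitive).
    `root` lets the same code run against a copied tree or a test directory."""
    manifest = {}
    for rel, sensitive in paths.items():
        full = os.path.join(root, rel.strip("/"))
        if os.path.isdir(full):
            files = [os.path.join(d, f) for d, _, names in os.walk(full) for f in names]
        elif os.path.isfile(full):
            files = [full]
        else:
            files = []  # absent on this node, e.g. mysqldump on a real VPN node
        for fp in files:
            with open(fp, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(fp).st_mode)
            manifest["/" + os.path.relpath(fp, root)] = (digest, mode, sensitive)
    return manifest


def compare_manifests(a, b):
    """Report content drift, files present on only one node, and sensitive
    files readable by group or others on either node."""
    drift, missing, exposed = [], [], set()
    for path in sorted(set(a) | set(b)):
        if path not in a or path not in b:
            missing.append(path)
        elif a[path][0] != b[path][0]:
            drift.append(path)
    for m in (a, b):
        for path, (_, mode, sensitive) in m.items():
            if sensitive and mode & 0o077:
                exposed.add(path)
    return {"drift": drift, "missing": missing, "exposed": sorted(exposed)}


def _write(root, rel, data, mode):
    fp = os.path.join(root, rel.strip("/"))
    os.makedirs(os.path.dirname(fp), exist_ok=True)
    with open(fp, "w") as fh:
        fh.write(data)
    os.chmod(fp, mode)


def demo():
    """Two constructed node trees: lvs.cf has drifted, the SSL key was left
    world-readable on node B, and a database dump never reached node B."""
    node_a, node_b = tempfile.mkdtemp(), tempfile.mkdtemp()
    _write(node_a, "/etc/sysconfig/ha/lvs.cf", "deadtime = 18\n", 0o644)
    _write(node_b, "/etc/sysconfig/ha/lvs.cf", "deadtime = 30\n", 0o644)
    _write(node_a, "/home/fes/fescommon/server.key", "KEY", 0o600)
    _write(node_b, "/home/fes/fescommon/server.key", "KEY", 0o644)
    _write(node_a, "/home/fes/mysqldump/db.sql", "-- dump\n", 0o600)
    return compare_manifests(build_manifest(node_a), build_manifest(node_b))


if __name__ == "__main__":
    print(demo())
```

In practice run build_manifest() on each node, copy the results to one place and diff them with compare_manifests(); a path that keeps showing up under "drift" after the 5 or 10 minute interval has passed means the sync is not reaching that node, and anything under "exposed" should be fixed before the next sync copies the same permissions around.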