N-node Cluster
The HySecure cluster is an active-active cluster. All nodes handle user connections under load balancing, so the hardware is utilized to the maximum.
The HySecure cluster is accessed through a virtual IP address assigned to the active (master) Cluster Manager Node.
End users connect to the virtual IP address of the HySecure cluster. The Cluster Manager Node in the active role receives each user connection and redirects it to a gateway according to the selected load balancing algorithm. TCP connections are routed at the network level.
The HySecure cluster has the following components:
- HySecure Gateway nodes, which handle user connections and provide the VPN function
- Load balancer module, for load balancing user connections across HySecure Gateway nodes
- HySecure configuration database nodes, which store all user configuration and session information
- HySecure management console, a web-based management console for managing all HySecure configuration
- HySecure Cluster configuration module, an add-on to the HySecure management console that is enabled when the HySecure Cluster is configured
Given below is a high-level component diagram of the HySecure Cluster Manager Module.
Failover features
A HySecure cluster requires a minimum of two hosts (nodes) and can have a maximum of 14 nodes. Two of the nodes run the HySecure cluster manager module, which runs in an Active-Passive configuration. Only one Cluster Manager Node at a time is active and receives all connections from end users. The HySecure cluster uses a virtual IP address to direct all connections to the Active Cluster Manager Node, and users connect to that virtual IP address. If there is a firewall in front of the HySecure cluster, port 443 on the firewall must be forwarded to the virtual IP address of the cluster.
The Cluster Manager Node continuously checks the health of the other nodes and redirects user connections to the HySecure Gateway nodes, which handle all connection crypto and VPN functions.
If the Active Cluster Manager Node fails, the standby Cluster Manager Node acquires the virtual IP address and starts receiving user connections.
If any HySecure gateway node fails, the user connections to the failed HySecure gateway node terminate. If the application has a reconnect function, or when the user initiates a reconnection, the new connection request is redirected by the Active Cluster Manager Node to the available, least loaded HySecure Gateway Node. User session information is replicated across the cluster, so if any node fails, users are not required to authenticate with HySecure again.
The following table shows the behaviour of user connections during a failover incident:
Failing node | User connection | User re-authentication |
---|---|---|
Active Cluster Manager | No impact, delay of 6 seconds during failover | No re-authentication required |
Standby Cluster Manager | No impact, delay of 6 seconds during failover | No re-authentication required |
HySecure Gateway Node where user connection is terminated | Application connection dropped, reconnection to available HySecure gateway | No re-authentication required |
Load balancing features
The Cluster Manager Node balances the user connection load across the HySecure Gateway nodes. HySecure Cluster Manager has multiple load balancing algorithms:
# | Load Balancing Algorithms | Recommended? (Yes/No) |
---|---|---|
1. | Round robin (DEFAULT) | Yes |
2. | Weighted Least-connections | Yes |
3. | Weighted round robin | Yes |
4. | Least connection | No |
5. | Locality based Least-Connection Scheduling | No |
6. | Locality based Least-Connection Scheduling (R) | No |
7. | Destination Hash Scheduling | No |
8. | Source Hash Scheduling | No |
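The gateway-failure row of the failover table and the Weighted Least-connections scheduler can be modelled together. The following is an added example, not HySecure code: the class names, weights and users are constructed, and it assumes the scheduler follows the usual definition (fewest connections per unit of weight).

```python
# Added illustration: a model of the documented behaviour, not HySecure code.
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    weight: int = 1                      # assumed: relative capacity, >= 1
    healthy: bool = True
    conns: set = field(default_factory=set)


class ClusterManager:
    def __init__(self, gateways):
        self.gateways = gateways
        self.sessions = set()            # stands in for replicated session data

    def pick(self):
        """Weighted least-connections over the nodes that pass health checks."""
        pool = [g for g in self.gateways if g.healthy]
        if not pool:
            raise RuntimeError("no healthy gateway node available")
        # Lowest connections-per-weight wins; ties go to the first node listed.
        return min(pool, key=lambda g: len(g.conns) / g.weight)

    def connect(self, user):
        reauth = user not in self.sessions   # only the first login authenticates
        self.sessions.add(user)
        gw = self.pick()
        gw.conns.add(user)
        return gw.name, reauth

    def fail(self, name):
        """Mark a gateway down and return the users whose connections dropped."""
        gw = next(g for g in self.gateways if g.name == name)
        gw.healthy = False
        dropped, gw.conns = sorted(gw.conns), set()
        return dropped


def demo():
    cm = ClusterManager([Gateway("gw1", 2), Gateway("gw2"), Gateway("gw3")])
    placed = [cm.connect(f"user{i}")[0] for i in range(8)]
    dropped = cm.fail("gw1")
    moved = [cm.connect(u) for u in dropped]   # application-level reconnects
    load = {g.name: len(g.conns) for g in cm.gateways}
    return placed, dropped, moved, load
```

In this run gw2 and gw3 each go from 2 to 4 connections when gw1 fails, so gateway sizing should leave headroom for the load of a failed peer.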
Network Communication Details
The following shows the network communication between the cluster nodes. It is highly recommended to deploy all cluster nodes in a single subnet in the DMZ.
The following shows the network communication between the cluster nodes and SMTP.
SMTP servers must be reachable from all HySecure servers in the HA cluster. Make sure that the SMTP port (25 or 587) is reachable from all HySecure gateways.
The following shows the network communication between the cluster nodes and the SMS gateway.
The SMS gateway must be reachable from all HySecure servers in the HA cluster. Make sure that the SMS gateway port is reachable from all HySecure gateways.