
Two-Node HA Cluster

This setup involves two nodes working together to provide redundancy and ensure that services remain available even if one node fails.

Unlike a single-node cluster, a two-node HA cluster is designed for production environments and offers improved reliability and uptime. A two-node High Availability (HA) cluster deployment suits small to medium-sized businesses.

There are 4 stages of deployment in a two-node cluster:

  1. Installing HySecure VM
  2. Post VM installation (Preboot execution)
  3. Installing HySecure Client
  4. Configuring Cluster Services
    1. Preparing the first node
    2. Preparing the second node

Deployment Architecture

Prerequisites

  • Download the latest HySecure ISO image.

  • Three free Static IP addresses on the LAN:

    1. Primary node: To be assigned to the primary node of HySecure.
    2. Secondary node: To be assigned to the secondary node, which is essential for configuring the cluster.
    3. Floating IP: To be assigned for the load balancing.
  • A Windows system having access to the HySecure node on port 443 (for HySecure configuration) with an HTML5-supported browser (Microsoft Edge, Google Chrome, or Mozilla Firefox) for post-installation configuration.

Note

The setup requires an HTML5-supported browser. Make sure the browser on the system meets the requirements outlined by HySecure.

  • DNS server IP address: The IP address of the DNS server that the HySecure gateway will use for domain name resolution. This ensures that HySecure can resolve domain names to IP addresses.

  • NTP Server address: The Network Time Protocol (NTP) server address that HySecure will synchronize with. This is crucial for maintaining accurate time across the network and ensuring that certificates and system logs are properly timestamped.

  • External certificate in PEM format with private key: You can optionally use an external SSL/TLS certificate (in PEM format) with a private key for secure HTTPS connections to HySecure.

Network Ports

| Source | Destination | Purpose | Port No | Protocol |
|---|---|---|---|---|
| HySecure nodes | HySecure nodes | Internal management (file sync, monitoring, real-time status, clustering, etc.) | 22; 443; 539; 939; 3306; 3636; 4002; 5536; 5124 | TCP |
| HySecure nodes | AD/LDAP | User authentication | 389 or 636 | TCP |
| HySecure Web nodes | AD/LDAP | User authentication | 389 or 636 | TCP |
| HyLite Portal or HySecure Client | HySecure nodes | User login | 443 | TCP |
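
A reachability audit built from the port table above, added here as an example and not part of the HySecure documentation. It flags open ports the table does not list for a given source, and node-facing flows the table requires that are filtered. Every address except 10.0.0.4 and the names `RULES`, `ROLES`, `probe` and `audit` are assumptions.

```python
import socket

# Role pairs and TCP ports copied from the Network Ports table on this page.
RULES = {
    ("node", "node"): {22, 443, 539, 939, 3306, 3636, 4002, 5536, 5124},
    ("node", "ldap"): {389, 636},  # the table says 389 or 636
    ("client", "node"): {443},
}

# Constructed addressing: 10.0.0.4 is the page's active node, the rest are assumed.
ROLES = {
    "10.0.0.4": "node",   # primary node
    "10.0.0.5": "node",   # secondary node (assumed)
    "10.0.0.10": "node",  # floating IP (assumed)
    "10.0.0.20": "ldap",  # AD/LDAP server (assumed)
}

def role(ip):  # any address not listed in ROLES counts as a client
    return ROLES.get(ip, "client")

def allowed(src, dst, port):
    """True if the table lists this TCP port for the src -> dst role pair."""
    return port in RULES.get((role(src), role(dst)), set())

def probe(host, port, timeout=2.0):
    """TCP connect check; run it on the source host whose path is being verified."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(observations):
    """Classify (src, dst, port, reachable) tuples gathered with probe()."""
    unexpected, blocked = [], []
    for src, dst, port, reachable in observations:
        if reachable and not allowed(src, dst, port):
            unexpected.append((src, dst, port))  # exposure the table does not list
        # LDAP needs only one of 389/636, so a closed LDAP port is not reported.
        elif not reachable and allowed(src, dst, port) and role(dst) == "node":
            blocked.append((src, dst, port))     # required flow that is filtered
    return {"unexpected": unexpected, "blocked": blocked}

# Constructed sample results, not measurements from a real deployment.
SAMPLE = [
    ("10.0.0.4", "10.0.0.5", 3306, True),
    ("10.0.0.5", "10.0.0.4", 5124, False),
    ("192.168.1.50", "10.0.0.10", 443, True),
    ("192.168.1.50", "10.0.0.4", 3306, True),
]
```

In the sample, the client at 192.168.1.50 reaching port 3306 on a node is reported as unexpected, and the filtered node-to-node port 5124 is reported as blocked.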

Sizing Guidelines

The sizing of the cluster depends upon the number of sessions.

For more details refer to the Sizing Guidelines.

Deployment Steps

Installing HySecure VM

  1. Create a VM with 4 vCPU, 2GB Memory, and 60 GB vDisk. Attach the latest version of the HySecure ISO image to VMware ESXi 6.x/7.x/8.x or Hyper-V. Here, for demonstration purposes, we have created a HySecure VM on VMware ESXi.

  2. Power On the VM. The installation will begin automatically.

  3. Upon completion, the VM will reboot automatically, and the login screen will be presented.

  4. Enter the credentials and the numeric option as shown in the image.
    Enter 1 to modify the Network Configuration.

  5. Enter 1 to manually configure a static IP address. Enter IP address, Netmask, and Gateway details.
    Enter Y to save the configuration.
    Enter R to go to the previous menu.

  6. Enter 2 to set the Hostname.

  7. Enter Y to save the configuration.
    Press Enter to continue.

Following the above steps, you have successfully installed the HySecure VM using the HySecure bootable installation ISO image.

Post VM installation (Preboot execution)

After successfully installing the HySecure VM, the next step includes preboot execution. This will ensure that the VM is correctly configured and prepared for operational use.

The following steps will guide you through the necessary actions to complete the post-installation setup and prepare the HySecure VM.

  1. Open the web browser and enter the static IP address configured on the VM as the website address. For example, browse to https://10.10.208.16 and click on Configure HySecure Now.

  2. Check the I accept the terms and conditions box and click Submit.

  3. Select the configuration type Installing HySecure Gateway on Physical Host/Virtual machine from the System Configuration window and click Submit.

  4. Set the Hostname, DNS server IP address, Time Zone, and NTP Server, and click Submit.

    Note

    • Configure the internal NTP Server. Internet access is required to reach the external NTP server.
    • NTP Server configuration is mandatory to ensure that the time on all nodes in the cluster is in sync.

  5. Select the Configuration Method for the gateway as Setup a New Installation and click Continue.

  6. On the Certificate Authority Mode selection window, select Default Accops Internal CA and click Submit.

  7. Navigate to the SSL certificate creation platform provided by the Certificate Authority (CA).

  8. Enter the details to Create SSL Certificate. The CA created is used to create a certificate for HySecure admin, which is called a Security Officer Account (SO account). Click Submit and wait for a few seconds for the operation to complete.

  9. A success message and the Passphrase will be displayed. Copy the Passphrase before closing the browser window.

  10. Repeat the above steps for adding the additional node of the HA cluster setup and complete the pre-boot execution steps on the rest of the nodes.

Note

Remember to enter a unique User ID for each node during SO account creation.

After completing the preboot process, the next essential step is to install the Windows HySecure Client.

Installing HySecure Client

The Windows HySecure Client is imperative for secure access to the HA admin console. This ensures that all administrative operations are executed securely, thereby protecting the cluster from unauthorized access and potential security threats.

Note

  1. Remember that administrative privileges are NOT supported on Mac and Linux platforms.
  2. It is recommended to use the latest version of HTML 5-supported browsers like Edge, Chrome, or Firefox to access the HySecure Management Console.

Follow the steps below to install HySecure Client:

  1. Download HySecure Client:

    1. From the Windows system, open an HTML5-supported web browser (Microsoft Edge, Google Chrome, or Mozilla Firefox).
    2. Enter the HySecure VM IP address to access the download page.
    3. Download the HySecure Client.

  2. Install the HySecure Client (Admin privileges required):

    1. Locate the downloaded executable file and run it.
    2. Follow the installation wizard steps to complete the installation.
  3. Launch the HySecure Client:

    1. After installation, launch the HySecure Client by entering the HySecure VM IP address in the client interface.
    2. Select the option Login with a digital certificate.
    3. Click Action to enroll the Security Officer (SO) account.

  4. Enter the Passphrase and Set a Password:

    1. Enter the Passphrase that was created during the preboot execution process.
    2. Set a new password for the Security Officer (SO) account.
    3. Click Submit to complete the enrollment.

  5. Login and Access the Management Console:

    1. Open a HySecure client instance. Select the box Login with a digital certificate and enter the password. Click Login.
    2. The browser will open automatically and display the HySecure Management Console.

  6. Close the browser and log out from the HySecure Client.

  7. Set Up Standby Node:

    1. Repeat the above steps to set up another standby node in the HA cluster.
    2. Ensure consistent configuration across both nodes to maintain high availability.

By following the above steps, you will successfully install and configure the HySecure Client, enroll the Security Officer account, and set up the standby node, ensuring a reliable and secure HA cluster environment.

Configuring Cluster Services

In high-availability (HA) clustering, Active and Standby nodes play crucial roles in ensuring continuous service availability and fault tolerance.

Here, we will briefly explain the Active and Standby nodes in an HA cluster and understand the failover mechanism.

  • Active Node: The Active node in an HA cluster serves client requests, runs applications, processes data, executes transactions, and handles user interactions. It is the primary instance responsible for ensuring that services are operational and accessible.

  • Standby Node: The Standby node in an HA cluster is ready to take over operations from the Active node in case of failure or planned maintenance. It mirrors the configuration and state of the Active node to ensure seamless continuity of services, and it monitors the Active node's health status so that it can quickly assume the Active role when needed.

  • Failover Mechanism: A failover mechanism switches roles between Active and Standby nodes in an HA cluster. When the Active node encounters hardware failure, software crash, or scheduled maintenance, the Standby node is automatically promoted to the new Active node, ensuring uninterrupted end-user services.

Active and Standby nodes are crucial for maintaining uninterrupted service delivery in HA clustering. Their coordinated operation and failover capabilities are essential for business continuity and meeting SLAs in various industries and applications.

Configuring First Node

Prepare the first node as the active node

  1. Launch the Accops HySecure Client and log in to the first node (the Active Gateway at 10.0.0.4) as a Security Officer (SO) user. After a successful login, the HySecure Gateway management web console will be automatically launched in the browser.

  2. Create an HTTP application from the HySecure Management Console:

    1. Navigate to Apps > Add.

    2. Add a new HTTP-type application and set the Application Server Address as the virtual IP address and set Application Port as 3636. Provide the URL as http://hysecure_virtual_IP_address:3636

    3. Navigate to Apps > App Groups > Add. Create a High-Security application group and add the application created above to this group.

  3. Create an ACL policy for the SO user to access the Assigned application.

    1. Navigate to Policies > ACL > Add. Create an Application Based Access control using Native as the Authorization Server for high-security users for the SYSTEM user group and assign the newly created High-Security application group.

  4. Logout from the VPN client and re-login.

The SO user can now access the Cluster Configuration.

Configuring Second Node

Prepare the second node as the standby node and join it to the existing cluster

  1. Launch the HySecure Client and log in as a Security Officer (SO) on the second node.

  2. From the management console navigate to Settings > Cluster and click Configure.

    1. In the Installation Details section, select the Join node to cluster option. Select the role of the node as Backup Load Balancer (also HySecure Gateway).

    2. Enter the Cluster Details:

      • Virtual IP: Same as configured during the cluster creation.

      • Netmask: Enter the Subnet mask.

      • Select Virtual Interface: Select the virtual interface option eth0.

      • Click Submit.

    The following STATUS will appear after enabling the cluster: Successfully converted to HA Primary Node.

  3. Close the browser and log out from the client. Re-login to the HySecure Client using the certificate of the Active Node.

Note

  • All the available nodes will be visible under Cluster Information on the Dashboard.
  • After a cluster is formed, only the Active Node SSL Certificate is required to log in to Standby & Web/Real nodes.

Conclusion

In this way, a Two-node HA cluster deployment offers a viable solution for small to medium businesses seeking to enhance the reliability and availability of their production environments.

By carefully following the deployment steps and considering the limitations, a balanced approach to high availability can be achieved, ensuring that the critical services remain accessible even in the event of a node failure.