
Azure Single-Node Cluster

The single-node cluster deployment option sets up a cluster on one node, which simplifies the process and reduces hardware requirements.

A single-node cluster does not offer high availability, making it unsuitable for production environments. This deployment type is primarily intended for testing and proof of concept (POC).

The following are the stages of deployment for a standalone single-node cluster:

  1. Deployment of HySecure VM
  2. Post VM Deployment (Preboot execution)
  3. Installing HySecure Client
  4. Configuring Cluster Services

Deployment Architecture

Prerequisites

  • Azure Portal access with contributor rights to allow the creation of virtual machines (VMs).
  • Three free Static IP addresses on the LAN:
    1. Primary node: To be assigned to the primary node of HySecure.
    2. Secondary node: To be assigned to the secondary node, which is essential for configuring the cluster.
    3. Floating IP: To be assigned for load balancing.

Note

In a single-node cluster, the secondary node IP address is needed only for assignment purposes. The secondary node itself is not configured in this deployment.

  • Access the HySecure node on port 443 using a Windows system with an HTML5-supported browser, such as Microsoft Edge, Google Chrome, or Mozilla Firefox, for post-installation configuration.

Note

The setup requires an HTML5-supported browser. Make sure the browser on the system meets the requirements outlined by HySecure.

  • DNS server’s IP address: The IP address of the DNS server that the HySecure gateway will use for domain name resolution. This ensures that HySecure can resolve domain names to IP addresses.
  • NTP Server address: The Network Time Protocol (NTP) server address with which the HySecure will synchronize. This is crucial for maintaining accurate time across the network and ensuring that certificates and system logs are correctly timestamped.
  • External certificate in PEM format with a private key (Optional): You can optionally use an external SSL/TLS certificate (in PEM format) with a private key for secure HTTPS connections to the HySecure. HySecure can also create a self-signed certificate post-installation for Security Officer user login if an external certificate is not available.

Network Ports

Source | Destination | Purpose | Port No | Protocol | If the port is not open
--- | --- | --- | --- | --- | ---
HySecure Client | HySecure Virtual IP | User login, app launch | 443 (must be reachable on the gateway) | HTTPS | User login fails
Windows System | HySecure Node | Admin login for administration, app launch | 443 | HTTPS | User login fails

Sizing Guidelines

A single-node cluster deployment is recommended only for proof of concept and testing.

For more details, refer to the Sizing Guidelines section.

Deployment Steps

Deploying HySecure VM

The following steps will guide you through the necessary actions to complete HySecure Deployment:

  1. Log in to the Azure Portal.

  2. Navigate to Virtual machines:

    • Select Virtual machines from the Azure services section. You can also type Virtual machines in the search bar.
    • On the Virtual machines page, click the + Create button and select Azure virtual machines.
  3. Configure Basic Settings: In the Basics tab, configure the following Instance details:

    • Subscription: Select your Azure subscription.
    • Resource Group: Select an existing resource group or create a new one (e.g. CLOUD-SETUP-RG).
    • Virtual machine name: Name your VM (e.g. HYSECURE-NODE01).
    • Region: Select the location where your VM will be hosted (e.g. Central India).
    • Availability options: Select based on your need (e.g. No infrastructure redundancy required).
    • Image: Select the operating system image (e.g. Accops HySecure Gateway v5.4 GA Build 5427 - x64 Gen1).
    • Size: Select a VM size based on your workload requirements.

  4. Under the Administrator account, enter a username, such as cloud user, and a password. The password must be at least 12 characters long.

  5. Configure Disk Settings: Navigate to the Disks tab, and select your OS disk type (e.g., Standard SSD, Premium SSD).

  6. Configure Networking: In the Networking tab, configure the following:

    • Virtual network: Select an existing network or create a new one.
    • Subnet: Select a subnet within the virtual network.
    • Public IP: Assign a public IP if you want external access.
    • NIC network security group (NSG): Set inbound/outbound rules to control the network access.

  7. In the Management tab, configure the additional options such as Auto-shutdown to set a specific time for automatically shutting down the VM.

  8. In the Monitoring tab, enable the diagnostics options for troubleshooting.

  9. Review and Create: Once all the settings are configured, click Review + create.
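A check of the NIC network security group against the Network Ports table, which lists only port 443 as required. This is an added example, not part of the HySecure product or documentation: the rule names and prefixes are constructed, and the input is assumed to have the shape of `az network nsg rule list -o json` output. It looks only at inbound Allow rules with single-value fields and does not model Deny rules.

```python
# Constructed sample shaped like `az network nsg rule list -o json` output
# (single-value fields only); rule names and prefixes are made up.
SAMPLE_RULES = [
    {"name": "allow-https", "priority": 100, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "*",
     "destinationPortRange": "443"},
    {"name": "allow-ssh-any", "priority": 110, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "22"},
    # This range includes 3636, the plain-HTTP cluster configuration port.
    {"name": "allow-wide-range", "priority": 120, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "0.0.0.0/0",
     "destinationPortRange": "3000-4000"},
    {"name": "allow-ssh-admin", "priority": 130, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "10.0.0.0/24",
     "destinationPortRange": "22"},
]

PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}
REQUIRED_PORT = 443  # the only port the Network Ports table lists


def port_range(spec):
    """Expand '443', '3000-4000' or '*' into a range of port numbers."""
    if spec == "*":
        return range(0, 65536)
    low, _, high = spec.partition("-")
    return range(int(low), int(high or low) + 1)


def audit_nsg(rules):
    """Report whether 443 is allowed in, and which rules expose more than it."""
    https_allowed, exposed = False, []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        ports = port_range(rule["destinationPortRange"])
        if REQUIRED_PORT in ports:
            https_allowed = True
        public = rule["sourceAddressPrefix"].lower() in PUBLIC_SOURCES
        # Flag any public rule that opens something other than exactly 443.
        if public and (ports.start, ports.stop) != (443, 444):
            exposed.append((rule["name"], rule["destinationPortRange"]))
    return {"https_allowed": https_allowed, "exposed": exposed}


if __name__ == "__main__":
    print(audit_nsg(SAMPLE_RULES))
```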

Post VM installation (preboot execution)

After successfully deploying the HySecure VM, the next step is preboot execution. This ensures that the VM is correctly configured and prepared for operational use.

The following steps will guide you through the necessary actions to complete the post-installation setup and prepare the HySecure VM.

  1. Open the Web browser and enter the website address as the static IP configured on the VM. For example, browse https://10.0.0.4 and click Configure HySecure Now.

  2. Accept the License Agreement. Check the I accept the terms and conditions box and click Submit.

  3. Select the configuration type Installing HySecure Gateway on Physical Host/Virtual machine from the System Configuration window and click Submit.

  4. Set the Hostname, DNS server IP address, Time Zone, and NTP Servers, and click Submit. Set an SSH password for the gateway. If you prefer not to set a password, check the Use Default Password option.

    Note

    • Configure the internal NTP server. Internet access is required if an external NTP server is used.
    • NTP server configuration is mandatory to ensure that the time on all nodes in the cluster is in sync.
  5. Select the Configuration Method for the gateway as Setup a New Installation and click Continue.

  6. On the Certificate Authority Mode selection window, select Default Accops Internal CA to have the HySecure gateway create a self-signed certificate. Otherwise, select External CA to upload an external certificate in PEM format with a private key, if one is available. Click Submit.

  7. Navigate to the SSL Certificate creation platform provided by the Certificate Authority (CA).

  8. Enter the details to Create SSL Certificate. The CA created is used to create a certificate for HySecure admin, which is called a Security Officer Account (SO account). Click Submit and wait for a few seconds for the operation to complete.

  9. A success message and the Passphrase will be displayed. Copy the Passphrase before closing the browser window.

The preboot execution post-VM deployment is now complete.

Installing HySecure Client

After completing the preboot process, the next essential step is to install the Windows HySecure Client.

The Windows HySecure Client is imperative for secure access to the HySecure management console. This ensures that all administrative operations are executed securely, thereby protecting the cluster from unauthorized access and potential security threats.

Note

  1. Administrative privileges are NOT supported on Mac and Linux platforms.
  2. It is recommended to use the latest version of an HTML5-supported browser, such as Edge, Chrome, or Firefox, to access the HySecure Management Console.

Follow the steps below to install the HySecure Client:

  1. Download HySecure Client:

    1. From the Windows system, open an HTML5-supported web browser (Microsoft Edge, Google Chrome, or Mozilla Firefox).
    2. Enter the HySecure VM IP address to access the download page.
    3. Download the HySecure Client.

  2. Install the HySecure Client (Admin privileges are required):

    1. Locate the downloaded executable file and run it.
    2. Follow the installation wizard steps to complete the installation.
  3. Launch the HySecure Client:

    1. After installation, launch the HySecure Client by entering the HySecure VM IP address in the client interface.
    2. Select the option Login with a digital certificate.
    3. Click Action to enroll the Security Officer (SO) account.

  4. Enter the Passphrase and Set a Password:

    1. Enter the Passphrase that was created during the preboot execution process.
    2. Set a new password for the Security Officer (SO) account.
    3. Click Submit to complete the Enrollment.

  5. Login and Access the Management Console:

    1. Open a HySecure client instance. Select the box Login with a digital certificate and enter the password. Click Login.
    2. The browser will open automatically and display the HySecure Management Console.

The HySecure Client is now installed successfully.

Configuring Cluster Services

To create and configure cluster services on the HySecure VM, follow the steps below:

  1. Launch the HySecure Client and log in as a Security Officer (SO). To create a new cluster from the HySecure Management console, navigate to Settings > Cluster then click Configure.

    1. Click the option Create a new cluster and select the role of the node as Active Load Balancer.
    2. Enter the following Cluster Details:

      • Virtual IP: Any unused IP address on the network. It should be from the same subnet of the HySecure VM.
      • Netmask: Enter the Subnet mask.
      • Select Virtual Interface: Select the virtual interface option eth0.
      • Click Submit.

      The following STATUS message will appear after enabling the cluster: Successfully converted to HA Primary Node.

  2. To configure the newly created cluster from the management console:

    1. Navigate to Apps > Add.
    2. Add a new HTTP-type application, set the Application Server Address as the virtual IP address, and set the port as 3636. Provide the URL as http://hysecure_virtual_IP_address:3636.

    3. Navigate to Apps > App Groups > Add. Create a High-Security application group and add the application created above to this group.

    4. Navigate to Policies > ACL > Add. Create an Application Based Access control using Native as the Authorization Server for high-security users for the SYSTEM user group and assign the newly created High-Security application group.

    5. Navigate to Settings > Services Config > Gateway State and change the Gateway state to Run State.

    6. Log out from the HySecure Client and re-login. The Configuration page will now be accessible.

    7. Navigate to Settings > Cluster > Configure. If the page does not appear, open a new tab in the browser and type the URL: http://HySecureIP:3636/secure/global_settings.php

    8. Enter the Environment details and click Save.

      • Virtual IP Address and Netmask: Same as configured during the cluster creation.
      • Primary IP Address: The static IP address assigned to the HySecure VM.
      • Backup Static IP Address: Any unused Static IP address from the same subnet of HySecure VM.
    9. Click Add to add a node in a cluster. Enter the details and click Save.

      • Server name: Enter the server identifier.
      • Server IP address: It should be the eth0 IP address of the HySecure VM.
      • Server Weight: Keep the default value.

    10. Click Save then click Reload Service.

    11. Click Monitor to view the status.

      • A popup will appear when connected to Standby/Real. The administrator can verify this by checking the role label (Active, Real, or Standby) next to the IP address.
      • Gateway IP address: Displays the node you are logged into.
      • Cluster Nodes Information: Displays the available nodes in a cluster and will show whether the services are running properly.
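A preflight check for the addressing used in the prerequisites and the cluster form (Virtual IP, Primary IP and Backup Static IP from the same subnet), as an added example that is not part of the HySecure product or documentation. The function name and sample addresses are constructed; the check also applies Azure's rule that the first four addresses and the last address of every subnet are reserved.

```python
import ipaddress


def check_ip_plan(primary, backup, virtual, netmask):
    """Return a list of problems with the cluster addressing (empty = OK)."""
    # The subnet is derived from the primary node's address and the netmask
    # entered in the cluster form (assumed to be the Azure subnet's mask).
    net = ipaddress.ip_network(f"{primary}/{netmask}", strict=False)
    plan = {
        "primary": ipaddress.ip_address(primary),
        "backup": ipaddress.ip_address(backup),
        "virtual": ipaddress.ip_address(virtual),
    }
    # Azure reserves the first four addresses and the last one in each subnet.
    reserved = {net.network_address + i for i in range(4)}
    reserved.add(net.broadcast_address)

    problems = []
    for role, ip in plan.items():
        if ip not in net:
            problems.append(f"{role} {ip} is outside {net}")
        elif ip in reserved:
            problems.append(f"{role} {ip} is reserved by Azure in {net}")
    if len(set(plan.values())) < len(plan):
        problems.append("primary, backup and virtual IP must be distinct")
    return problems


if __name__ == "__main__":
    # Constructed sample values; 10.0.0.4 is the address in the page's example.
    print(check_ip_plan("10.0.0.4", "10.0.0.5", "10.0.0.10", "255.255.255.0"))
    print(check_ip_plan("10.0.0.4", "10.0.0.4", "10.0.1.10", "255.255.255.0"))
    print(check_ip_plan("10.0.0.4", "10.0.0.5", "10.0.0.3", "255.255.255.0"))
```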

Conclusion

This single-node deployment option involves setting up all cluster components on a standalone single node. This involves configuring network settings, installing the necessary software, and creating SSL certificates for secure communication. However, it is crucial to recognize that this setup should only be used in non-production scenarios to avoid potential downtime and performance issues.

For the production environment, it is recommended that two-node or multi-node cluster deployments be explored. They can provide the necessary scalability, reliability, and High Availability to meet high operational demands effectively.