Visitor
Greg.fr
Posts: 1
Registered: ‎09-13-2011

SA4500 - Clustering Method and Licences


Hello all,

 

I am looking for technical information about the implementation of the SA4500 Active/Active clustering method.

I have seen in the official documentation the licence-sharing method in an active/active cluster of two Juniper SA Series appliances, and it corresponds to my objective for the cluster implementation (acquiring just one licence per user connection).

But the only thing that could maybe cause a problem is the cluster VIP with external load balancer configuration.

So, I will explain my desired configuration to ask you whether it is possible to realize it with two SA4500s without buying double licences for each user connection.

 

Desired configuration:

Bind one of the two Internet IP addresses to the first SA4500 and the second Internet IP address to the second SA4500.

Users can choose between two URLs to connect to the SSL VPN, so the two SA4500s must both be active to accept users' requests.

Each user needs to have only one connection to the enterprise VPN, so one licence per user.

But when an Internet IP is not reachable, the user can choose to connect through the other URL, and so to the other SA4500.

The two SA4500s must be in an internal cluster group to manage and share the licences.

 

So, to summarize: can I configure the external IP addresses of each SA4500 node with a different IP address (not on the same network), and so without implementing a VIP or load balancer system?

I need the two SA4500s to be able to accept SSL VPN connections simultaneously through different paths, because the two SA4500s are not installed at the same site.

Fault tolerance is just managed manually by the users; they just have to type the other URL if the first URL doesn't respond.

PS: To be precise, the SA4500 system version is 7.1R1 (build 17675).

 

Thank you in advance.

GreG (FRANCE)

 

 

Recognized Expert
MattS
Posts: 205
Registered: ‎11-06-2007

Re: SA4500 - Clustering Method and Licences

With clustering, you can do either Active-Active (which needs a load balancer) or Active-Passive (which uses a floating VIP). As the units are not in the same site, it is not recommended to cluster them unless you have a LAN-like connection between them.

If you do not wish to use a load balancer and want to use both units active with different sign-in URLs per SA4500, you can run them as stand-alone units. This would not allow the units to 'share' the license's total user count across the two as they are not clustered, which would mean they can only accept the user count they are individually licensed for.

 

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.