05-01-2011 04:38 AM
I would like to know if this kind of setup and solution is possible and would appreciate if anyone could help me in this.
We have two sites, Site A and Site B, with different ISP providers, and both sites are connected by a 40Mb wireless link. We have a standalone SA 2500 device in one of our locations (Site A) with an external IP, for example 220.127.116.11 from (ISP A). External users use the URL vpn.abc.com to access the SA 2500 to get connected to the internal resources.
Now we have purchased another SA 2500 device, and we would like to install this box at the other location (Site B) as a standalone device with an external IP, for example 18.104.22.168 from (ISP B).
I will add the DNS record for the new device 22.214.171.124 as vpn.abc.com as well. I would like to know whether in this kind of setup load sharing between the two SA 2500 devices is possible, as external users will use one URL vpn.abc.com which has 2 DNS records mapped to both 126.96.36.199 and 188.8.131.52.
The idea is to have redundancy at hardware level as well as ISP level so that even if one hardware fails or one ISP is down my external users should not be affected and should be connected to internal network with the active device or ISP.
Kindly let me know if this kind of a setup is possible. If not, what are the alternate solutions for this?
05-01-2011 05:10 AM
No problem at all. You can use virtual ports for this solution and will have to use different certificates for each virtual port that you use.
It would be best if you could add one more machine to maximize your redundancy for this solution.
05-01-2011 05:20 AM
Thanks for your reply. I would like to know, when an external user uses the URL vpn.abc.com in his browser, to which SA 2500 it directs the traffic (Site A or Site B), and how the traffic will be differentiated in the internet cloud so that it uses the SA 2500 placed in Site A or Site B.
Can you tell me if this can be achieved without using a load balancer?
And I would appreciate it if you have the document which explains virtual ports, and if possible let me know where I can find the configuration document.
05-01-2011 08:17 AM
When you configure two different ip addresses for the same FQDN on a DNS server this is known as round-robin load balancing. Your DNS server will alternate the two answers for each of the requests you get for the address. So this method does a generally good job of splitting users between two different devices.
Your two SA will have the same certificate installed since it will match the url for either site.
This configuration handles load balancing. This does NOT AUTOMATICALLY handle failover. Should one site fail, your DNS server has no way of knowing the site is down so it will still give out that address until you remove it from the server during the outage.
Second, your existing client computers that already have the down IP address will keep that address active for as long as the TTL is for the client and the record. To solve this problem you make sure the two DNS records are set to a low TTL like 5 or 10 minutes instead of the default 24 hours. This will have clients check in again if the connection fails during the day and find the new record for the other site.
In short, when you add the DNS records you set the TTL as 10 minutes. Then during a failure you delete the DNS record for the down site. When service is restored you add the DNS record back in again.
05-01-2011 03:45 PM
Thanks for clearing up my confusion, Steve.
What I understood from your post is that load balancing of traffic, or in other words splitting of users, is done by the external DNS server.
Just to let you know, our FQDN is resolved by a domain hosting company and the account is managed by us. I will add the new public IP address of the other SA 2500 (which I am going to install in future) and map it to the same FQDN, and enroll the same certificate on both SA 2500s.
Now if I do nslookup I should find two public IPs, 184.108.40.206 & 220.127.116.11, mapping to one URL vpn.abc.com.
In a real-time scenario this is how it should work: if an external user-1 uses vpn.abc.com in his browser he will be directed to 18.104.22.168, and another external user-2 using vpn.abc.com will be directed to 22.214.171.124, according to the round-robin nature of the DNS server.
Just correct my understanding if I am wrong.
And also I would appreciate if you have any documentation for this kind of a setup.
05-01-2011 07:03 PM
This type of setup will expose users to the flapping issue, i.e. user A starts a session on 126.96.36.199 and later on during the same session the client is redirected to 188.8.131.52; as 184.108.40.206 has no context of user A's session, the user will be redirected to the login page or may see different behavior depending on which client is being used. This will lead to all kinds of usability issues.
The main reason for this is that during each user session on the SA the client *may* use more than one DNS lookup for the hostname vpn.abc.com.
To avoid this problem you have to ensure session persistence. KB17848 explains this issue and the need for persistence in load balanced deployments with some good examples of errors and issues seen by end users.
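The two mechanisms discussed above, the round-robin answer rotation with client-side TTL caching that Steve describes, and the session flapping that ruc describes when the client performs a second lookup mid-session, can be simulated offline. The following is an added example, not code from the thread or from Juniper; the hostname is the thread's, while the two gateway addresses (RFC 5737 documentation ranges), the timings and the single-user scenarios are constructed. It models an authoritative server that rotates A records, a stub resolver with a TTL cache, and two gateways that hold no shared session state:

```python
"""Simulation of DNS round-robin, TTL caching and session flapping for two
independent VPN gateways. Added example; hosts, addresses and times are constructed."""

HOSTNAME = "vpn.abc.com"     # same name as used in the thread
SITE_A = "192.0.2.10"        # constructed documentation address for Site A
SITE_B = "198.51.100.10"     # constructed documentation address for Site B


class RoundRobinDNS:
    """Authoritative server: rotates the order of the A records on every query."""

    def __init__(self, records, ttl):
        self.records = list(records)
        self.ttl = ttl
        self._rotation = 0

    def query(self, name):
        if name != HOSTNAME:
            raise KeyError(name)
        n = len(self.records)
        ordered = [self.records[(self._rotation + i) % n] for i in range(n)]
        self._rotation = (self._rotation + 1) % n
        return ordered, self.ttl

    def remove(self, ip):
        """What the admin does during an outage: drop the dead site's record."""
        self.records.remove(ip)

    def add(self, ip):
        self.records.append(ip)


class ClientResolver:
    """Stub resolver with a TTL cache, as an OS resolver cache behaves."""

    def __init__(self, dns):
        self.dns = dns
        self.cache = None  # (ip, expiry_time)

    def resolve(self, now):
        if self.cache is not None and now < self.cache[1]:
            return self.cache[0]            # cached answer still valid
        answers, ttl = self.dns.query(HOSTNAME)
        ip = answers[0]                     # clients take the first answer
        self.cache = (ip, now + ttl)
        return ip


class Gateway:
    """A standalone gateway: its session table is not shared with the other site."""

    def __init__(self, ip):
        self.ip = ip
        self.up = True
        self.sessions = set()

    def login(self, user):
        self.sessions.add(user)

    def request(self, user):
        return self.up and user in self.sessions


def session_flapping(ttl, second_lookup_at):
    """A user logs in, then launches a bookmark at second_lookup_at seconds.
    Returns True if that later request reaches the gateway holding the session."""
    dns = RoundRobinDNS([SITE_A, SITE_B], ttl)
    gateways = {SITE_A: Gateway(SITE_A), SITE_B: Gateway(SITE_B)}
    client = ClientResolver(dns)
    login_ip = client.resolve(now=0)
    gateways[login_ip].login("user-1")
    later_ip = client.resolve(now=second_lookup_at)
    return gateways[later_ip].request("user-1")


def time_to_recover(ttl, failure_at, check_every):
    """The user resolved before the outage. At failure_at the gateway dies and the
    admin deletes its record. Returns the first time a retry reaches a live gateway
    (where the user can log in again), which is bounded by the cached TTL."""
    dns = RoundRobinDNS([SITE_A, SITE_B], ttl)
    gateways = {SITE_A: Gateway(SITE_A), SITE_B: Gateway(SITE_B)}
    client = ClientResolver(dns)
    first_ip = client.resolve(now=0)
    gateways[first_ip].login("user-1")
    gateways[first_ip].up = False
    dns.remove(first_ip)
    t = failure_at
    while t <= failure_at + ttl + check_every:
        if gateways[client.resolve(now=t)].up:
            return t
        t += check_every
    return None


if __name__ == "__main__":
    print("bookmark within TTL reaches same site:", session_flapping(600, 300))
    print("bookmark after TTL reaches same site:", session_flapping(600, 2700))
    print("recovery with 10-minute TTL at t =", time_to_recover(600, 300, 60))
    print("recovery with 24-hour TTL at t =", time_to_recover(86400, 300, 60))
```

The second `session_flapping` call is ruc's scenario: once the cached answer expires, the rotated answer sends the same user to the other site, which has no session for them. The two `time_to_recover` calls show Steve's point about TTL: even after the dead record is deleted, a client keeps using it until its cache expires, so a 10-minute TTL bounds the outage for that client to 10 minutes while the default 24 hours does not. Neither setting addresses the flapping case, which is why the thread points at session persistence.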
05-02-2011 07:07 AM
You have described the functionality correctly...as well as why this will not work for use with the IVE. As ruc said, this causes users to have two connections to both IVEs (which will lead to a session termination/access issue). For example if you login to siteA and then 30-45 minutes later (or more) and launch a terminal service bookmark, that connection could have a different DNS resolution and the access will fail.
A load balancer is needed to achieve this type of one URL access (to prevent the scenario provided by ruc as well as the behavior in case of a device being down).
05-02-2011 04:18 PM
Sorry for creating some confusion here. I've used DNS round robin for web server deploys with great success over the years. It is particularly helpful with this type of situation where there are two different data centers on two different public IP addresses.
What is the solution in this scenario? The load balancer isn't practical since you're separated geographically and on different ISP networks.
Is there a recommended solution for the dual data center deploy then?