Three Ivanti EPMM servers and two Ivanti Sentry servers on two data centers

This example describes one of the most complete and complex Ivanti EPMM/Sentry HA Architectures, with all related components.

Ivanti recommends allowing HTTPS traffic on port 8443 only from the corporate network, and only from Ivanti applications. This port serves the EPMM server management interface and must have strictly controlled access.

Ivanti recommends restricting access to port 22 (SSH) to the internal corporate network only. This service is intended for the Ivanti Standalone Sentry System Manager and must have strictly controlled access.
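A practical way to confirm that these restrictions hold is to probe the public addresses of the EPMM and Sentry servers from a vantage point outside the corporate network and flag any management port that answers. The script below is an added example, not part of the Ivanti documentation or product. It assumes that port 443 is the only port that should answer from the Internet (the page itself only states that 8443 and 22 must be limited to the corporate network); adjust `EXPECTED_FROM_INTERNET` to match your own policy.

```python
"""Probe EPMM/Sentry management-port exposure from an external vantage point.

Added example for this page; it is not Ivanti code. Expected policy is an
assumption derived from the recommendations above: from outside the corporate
network only 443 should answer, while 8443 (EPMM management) and 22 (SSH)
must not.
"""
import socket
import sys

# port -> expected state when probed from the Internet (assumed policy)
EXPECTED_FROM_INTERNET = {443: "open", 8443: "closed", 22: "closed"}


def probe(host, port, timeout=3.0):
    """Return 'open' if a TCP connect succeeds, otherwise 'closed'.

    'closed' covers a refused connection as well as a filtered or timed-out
    one; for this check all three mean the port is not reachable from here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        return "closed"


def classify(results, expected=EXPECTED_FROM_INTERNET):
    """Compare observed port states with the expected policy.

    results: {port: 'open' | 'closed'} as observed from the vantage point.
    Returns a list of human-readable violations; an empty list means the
    exposure matches the policy.
    """
    violations = []
    for port, want in expected.items():
        got = results.get(port)
        if got is None:
            violations.append(f"port {port}: not probed")
        elif got != want:
            violations.append(f"port {port}: expected {want}, observed {got}")
    return violations


def audit(host, timeout=3.0):
    """Probe every port in the policy on one host and return the violations."""
    results = {port: probe(host, port, timeout) for port in EXPECTED_FROM_INTERNET}
    return classify(results)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Run from OUTSIDE the corporate network, e.g.:
        #   python3 check_exposure.py epmm.example.com sentry.example.com
        for host in sys.argv[1:]:
            problems = audit(host)
            print(host, "OK" if not problems else "; ".join(problems))
    else:
        # Constructed sample (no network): an EPMM whose management port leaks.
        sample = {443: "open", 8443: "open", 22: "closed"}
        print(classify(sample))
```

Run it from an address that is not in the corporate network, and run it again from inside to confirm that 8443 and 22 do answer there; a port that is unreachable from both places usually means the firewall rule is too tight rather than correctly scoped.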

Figure 1. Three Ivanti EPMM servers and two Sentry servers on two data centers

The key components in this architecture include:

  • A main data center hosting a pair of Ivanti EPMMs set up as Primary and Secondary. These two Ivanti EPMMs form the main Ivanti EPMM High Availability (HA) pair.

  • A second data center for Disaster Recovery (DR), hosting a third Ivanti EPMM in Secondary mode as part of the DR configuration. This data center also hosts a Sentry that provides High Availability for the Primary Sentry.

  • A Global Traffic Manager (GTM) or DNS that directs external traffic to either the Main data center or the DR data center. This “traffic controller” monitors the health of the Primary Ivanti EPMM; when the Primary becomes unresponsive it routes traffic to the Secondary in the Main data center, or to the DR data center if the whole Main data center has failed. Within each data center a load balancer monitors the state of the Ivanti EPMMs and routes traffic accordingly. The same concept applies to the Sentry: a second Sentry can be installed in the Main data center to provide redundancy within that data center.

  • The Secondary Ivanti EPMM checks the status of the Primary through a process called “heartbeat”, which is configured during HA Standby setup. When the heartbeat detects that the Primary has become unresponsive, it initiates the failover process. Depending on the configured settings, the Secondary then either attempts to become Primary or remains a Secondary. The Ivanti EPMM in the DR data center treats the Secondary in the Main data center as its Primary, so its heartbeat and failover take place between those two Ivanti EPMMs. One consequence of this chain is that loss of the Main Primary alone does not trigger failover on the DR EPMM; only loss of the Main Secondary does.

  • Each Secondary Ivanti EPMM periodically synchronizes with the Ivanti EPMM it treats as its “Primary”, so that it holds the latest changes made on that Primary. The synchronization frequency is configurable and the process is automated.

  • The ports used for communication between Ivanti EPMMs are 8443, 443 and 22, as outlined in the diagram. This intra-EPMM communication is essential for proper HA operation, so these ports must be open between the Ivanti EPMMs, including across the link to the DR data center, while remaining restricted from all other sources.
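The heartbeat chain and the GTM routing decision described above are easy to misread, in particular the point that the DR EPMM watches the Main Secondary rather than the Main Primary. The simulation below is an added example written for this page; it is not Ivanti code and does not reproduce the product's heartbeat protocol. It models each EPMM as a node that watches one other node, counts missed heartbeats, and on reaching a threshold either promotes itself or stays Secondary according to an assumed `auto_promote` setting (the page says the outcome depends on configured settings without naming them). The node names, the three-interval threshold and the site names are constructed for the example.

```python
"""Simulate EPMM heartbeat failover across Main and DR data centers.

Added example for this page, not Ivanti code. Topology follows the text:
epmm1 (Main Primary) <- watched by epmm2 (Main Secondary) <- watched by
epmm3 (DR Secondary). The GTM sends traffic to whichever site has a live
Primary, preferring the Main data center.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    PRIMARY = "primary"
    SECONDARY = "secondary"


@dataclass
class Epmm:
    name: str
    site: str
    role: Role
    watches: Optional["Epmm"]  # node whose heartbeat this Secondary monitors
    auto_promote: bool         # assumed HA setting: become Primary on failover?
    alive: bool = True
    missed: int = 0            # consecutive missed heartbeats


def heartbeat_round(nodes, threshold):
    """One heartbeat interval: every live Secondary polls the node it watches.

    Returns the failover events raised in this round.
    """
    events = []
    for n in nodes:
        if not n.alive or n.role is not Role.SECONDARY or n.watches is None:
            continue
        if n.watches.alive:
            n.missed = 0
            continue
        n.missed += 1
        if n.missed == threshold:  # fire the failover decision exactly once
            if n.auto_promote:
                n.role = Role.PRIMARY
                events.append(f"{n.name}: {n.watches.name} unresponsive, promoted to Primary")
            else:
                events.append(f"{n.name}: {n.watches.name} unresponsive, staying Secondary")
    return events


def gtm_route(nodes, preferred_site="main"):
    """GTM/DNS decision: the site holding a live Primary, preferring Main.

    Returns None when no site has a live Primary (nothing to route to).
    """
    live = [n for n in nodes if n.alive and n.role is Role.PRIMARY]
    for n in sorted(live, key=lambda x: x.site != preferred_site):
        return n.site
    return None


def build_topology(dr_auto_promote=True):
    main_p = Epmm("epmm1", "main", Role.PRIMARY, None, True)
    main_s = Epmm("epmm2", "main", Role.SECONDARY, main_p, True)
    dr_s = Epmm("epmm3", "dr", Role.SECONDARY, main_s, dr_auto_promote)
    return [main_p, main_s, dr_s]


def run_scenario(threshold=3, dr_auto_promote=True):
    """Lose the Main Primary, then the whole Main data center."""
    nodes = build_topology(dr_auto_promote)
    main_p, main_s, dr_s = nodes
    log = []

    # 1. Main Primary fails. Only epmm2 watches it, so only epmm2 fails over;
    #    epmm3 still sees epmm2 alive and stays Secondary. GTM stays on Main.
    main_p.alive = False
    for _ in range(threshold):
        log += heartbeat_round(nodes, threshold)
    after_primary_loss = (main_s.role, dr_s.role, gtm_route(nodes))

    # 2. The rest of the Main data center fails. epmm3 now loses the node it
    #    watches and runs its own failover; GTM moves to DR only if it promoted.
    main_s.alive = False
    for _ in range(threshold):
        log += heartbeat_round(nodes, threshold)
    after_site_loss = (dr_s.role, gtm_route(nodes))
    return after_primary_loss, after_site_loss, log


if __name__ == "__main__":
    for auto in (True, False):
        first, second, log = run_scenario(dr_auto_promote=auto)
        print(f"DR auto_promote={auto}: after Primary loss {first}, after site loss {second}")
        for line in log:
            print("  ", line)
```

The second run, with the DR EPMM configured to stay Secondary, ends with no live Primary anywhere and `gtm_route` returning `None`; that is the state in which an operator must promote the DR node by hand, and it is worth rehearsing before a real outage. The model deliberately does not cover what happens when a failed Primary comes back after its Secondary has been promoted, since the page does not describe that reconciliation; check the product's HA settings for it.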