Clustering Overview

The following figure shows two ISA series devices deployed as a cluster pair.

Deployments

Ivanti access management framework supports the following types of clusters:

Load balancing clusters or Active/Active clusters: In an Active/Active configuration, there is no VIP, and ICS relies on an external load balancer if the load is to be distributed among the ICS nodes. Synchronization still takes place in Active/Active and can be configured with configuration sync only.

Node-specific options, such as IP addresses and VLANs (refer to the ICS Administration Guide for the full list), will NOT synchronize among nodes and are used only locally. Session IDs and user data are synchronized, if enabled.

Failover clusters or Active/Passive clusters: In an Active/Passive configuration, ICS uses a Virtual IP (VIP) which floats among the nodes and is owned by only one node - the active node. Status is reported on the cluster status page. In the event that a node has not sent an update, the passive node in an Active/Passive cluster will assume the VIP (failover).

Configuration-only cluster: This option allows only the configuration elements to be synchronized. It does not allow session or user data synchronization.

- Ivanti recommends using standalone nodes or clusters of a maximum of 2 nodes behind a load balancer.
- Ivanti Security Appliance (ISA)/ISA-V does not support clusters containing more than two nodes for ICS.

- For further information on clustering and scalability, please contact Ivanti technical help.
- Ivanti access management framework also supports an IPv6 configuration for active/active and active/passive clusters.

Requirements and Limitations

You must meet the following requirements when deploying a cluster:

Cluster members must run the same software version.

Cluster members must use the same hardware platform.

State synchronization must occur only through the internal Network Interface Card (NIC).

Ensure that cluster communication and resource access take place over an internal network.

You can deploy active/passive clustering only within the same IP subnet.
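
A pre-deployment check of a planned cluster against the requirements above, as an added example that is not Ivanti code and calls no Ivanti API. The plan dictionary, its field names, the placeholder version and platform strings and the sample addresses are hypothetical, and the VIP-in-subnet test is an assumption that follows from the VIP floating between members of one subnet.

```python
import ipaddress

MAX_NODES = 2  # page: ISA/ISA-V supports at most two nodes per ICS cluster

def check_cluster_plan(plan):
    """Return the list of requirement violations in a planned cluster (empty = OK)."""
    problems = []
    nodes, mode, vip = plan["nodes"], plan["mode"], plan.get("vip")

    if len(nodes) > MAX_NODES:
        problems.append(f"{len(nodes)} nodes planned, maximum is {MAX_NODES}")
    # Members must run the same software version on the same hardware platform.
    for field in ("version", "platform"):
        values = sorted({n[field] for n in nodes})
        if len(values) > 1:
            problems.append(f"members differ in {field}: {values}")
    # State synchronization is only allowed over the internal NIC.
    for n in nodes:
        if n["sync_port"] != "internal":
            problems.append(f"{n['name']}: sync on {n['sync_port']} port, must be internal")

    # Addresses are CIDR strings; ip_interface accepts IPv4 and IPv6 alike.
    subnets = {ipaddress.ip_interface(n["internal_ip"]).network for n in nodes}
    if mode == "active/passive":
        if len(subnets) > 1:
            names = sorted(str(s) for s in subnets)
            problems.append(f"active/passive members span subnets {names}")
        if vip is None:
            problems.append("active/passive needs a VIP")
        # Assumption: the floating VIP must sit in the members' shared subnet.
        elif len(subnets) == 1 and ipaddress.ip_address(vip) not in next(iter(subnets)):
            problems.append(f"VIP {vip} is outside {next(iter(subnets))}")
    elif vip is not None:
        problems.append("active/active has no VIP; use an external load balancer")
    return problems

def node(name, ip, version="VERSION-A", sync_port="internal"):
    # Constructed sample data; version and platform strings are placeholders.
    return {"name": name, "internal_ip": ip, "version": version,
            "platform": "PLATFORM-A", "sync_port": sync_port}

GOOD_PLAN = {"mode": "active/passive", "vip": "10.10.1.10",
             "nodes": [node("node-a", "10.10.1.11/24"), node("node-b", "10.10.1.12/24")]}
BAD_PLAN = {"mode": "active/passive", "vip": "10.10.1.10",
            "nodes": [node("node-a", "10.10.1.11/24"),
                      node("node-b", "10.10.2.12/24", "VERSION-B", "external")]}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_cluster_plan(plan) or "OK")
```

Running the check on the plan before joining the second node catches a version mismatch, a misplaced sync port or a cross-subnet active/passive pair while they are still cheap to fix.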