Example: Creating an Active/Active Cluster That Supports IPv6 Client Access

This example describes the tasks involved in creating a cluster that supports IPv6 client access.

Overview

Ivanti Connect Secure supports an IPv6 configuration for active/active clusters. The previous intracluster communication mechanism is preserved. The intracluster communication occurs over the IPv4 corporate network through the internal interfaces.

If you attempt to change the IP address of a node while it belongs to a cluster, you might experience unpredictable results. Whenever you change the IP address configuration for a cluster, you must re-create the cluster. Therefore, to add support for IPv6 addresses, you must re-create the cluster.

Before You Begin

We recommend that you deploy a cluster in a staging environment first and then move to a production environment after testing authentication realm, user role, and resource policy configurations, as well as any applications your end users might access.

Before you begin a cluster configuration:

1. Ensure that all intended Ivanti Connect Secure nodes use the same hardware platform (for example, all are PSA-7000C Appliances).

2. Ensure that all intended Ivanti Connect Secure nodes have been initially configured (for example, the Ivanti Connect Secure hostname is specified, and the internal and external IP addresses are assigned), and that they are running the same service package version.

3. Designate one node as the primary node. On the primary node, configure system and user settings. When other nodes join the cluster, the primary node propagates its configuration to the new cluster member during the join cluster operation.

Defining and Initializing a Cluster

You use the admin GUI on the primary node to create the cluster and add members. The primary node is added as part of the cluster creation operation. When you add a member, you are prompted for the settings unique to that member, such as its name and the IP address configuration of its internal and external interfaces. Two further per-node settings, the management port and the VLAN port settings, are not prompted for; set them manually on the node after the add node procedure that follows and before the join cluster operation, because the join operation compares them against the cluster's record of the node.

To create a cluster and add members:

1. Select System > Clustering > Create and enter a name for the cluster, a cluster password, and a name for this node, such as Node-1.

You need to enter the password again when specifying additional nodes to join the cluster. All nodes in the cluster use this password to communicate.

2. Click Create Cluster. When prompted to confirm the cluster creation, click Create. After the Ivanti Connect Secure initializes the cluster, the Clustering page displays the Status and Properties tabs.

3. Click Add Members to specify the additional cluster nodes:

Enter a name for the member; for example, Node-2.

Enter the internal IP address. If both IPv4 and IPv6 are enabled on the internal port on Node-1, the system prompts for both IPv4 and IPv6 settings for the internal port for Node-2. Note, however, that intracluster communication uses the IPv4 corporate network.

Enter the external IP address. If both IPv4 and IPv6 are enabled on the external port on Node-1, the system prompts for both IPv4 and IPv6 settings for the external port for Node-2.

Change the netmask/prefix-length and gateway settings for the node if necessary.

Click Add Node. When prompted to confirm adding the new member, click Add.

When the add node operation has completed, Node-2 is shown as an unreachable member of the cluster.

The add node procedure does not prompt you to configure management port or VLAN port settings. As needed, go to the node port configuration page and configure these settings. For example, after the add node operation has completed for Node-2, go to its System > Network > Port > Settings page and configure its management port.

Repeat this procedure for each node you intend to add to a cluster.

Joining Nodes to the Cluster

The primary node joins the cluster as part of the creation process. Use the following procedure to join additional nodes to the cluster.

To join a node to the cluster:

1. From an existing cluster member, select the System > Clustering > Cluster Status tab and specify the Ivanti Connect Secure you want to add to the cluster.

2. From the admin GUI of the Ivanti Connect Secure you want to join to a cluster:

Select the System > Clustering > Join tab and enter:

The name of the cluster to join.

The cluster password you specified when defining the cluster.

The IPv4 address for the internal port of an active cluster member.

Click Join Cluster. When prompted to confirm joining the cluster, click Join.

The join cluster operation validates IPv4 and IPv6 settings for all the physical ports (internal/external/management) against those present in the existing cluster. For example, the external port IPv6 settings present on Node-2 are compared against external port IPv6 settings that were specified for the Node-2 add member operation entered on the primary node (Node-1). If there is a mismatch, the join operation fails with an appropriate error message.

While the new node synchronizes its state with the existing cluster member, each node's status shows Enabled, Transitioning or Enabled, Unreachable.

When the node finishes joining the cluster, its Clustering page shows the Status and Properties tabs.

After the node joins the cluster, you might need to sign in again.
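The join operation fails whenever the platform, service package, or any per-port IPv4/IPv6 setting on the joining node differs from what Add Members recorded on the primary, and the management port is the setting most often missed because Add Members never asks for it. The following pre-join check is an added example written for this page; it is not Ivanti code and does not talk to the appliance API. It models those comparisons on node descriptions you fill in by hand from the two admin GUIs, and all node names, platform strings, package strings and addresses in it are constructed placeholders.

```python
"""Pre-join consistency check for an Ivanti Connect Secure cluster candidate.

Added example, not Ivanti code and not the appliance API. It models the checks
the join operation performs (same platform and service package; per-port
IPv4/IPv6 settings on the internal, external and management ports equal to what
Add Members recorded on the primary) so mismatches surface before Join Cluster.
All node data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PORTS = ("internal", "external", "management")
FIELDS = ("ipv4", "ipv4_gateway", "ipv6", "ipv6_gateway")


@dataclass(frozen=True)
class PortConfig:
    """Address/prefix-length and gateway per family; None means not enabled."""
    ipv4: Optional[str] = None          # e.g. "10.10.1.12/24"
    ipv4_gateway: Optional[str] = None
    ipv6: Optional[str] = None          # e.g. "2001:db8:1::12/64"
    ipv6_gateway: Optional[str] = None


@dataclass
class NodeSpec:
    name: str
    platform: str                       # hardware platform, e.g. "PSA-7000C"
    package: str                        # service package version (placeholder string)
    ports: Dict[str, PortConfig] = field(default_factory=dict)


def canon(value: Optional[str]) -> Optional[str]:
    """Canonical text form so 2001:DB8:2:0::12/64 and 2001:db8:2::12/64 compare equal."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_interface(value) if "/" in value else ipaddress.ip_address(value))
    except ValueError:
        return value  # unparsable; reported separately by check_port


def check_port(port: str, cfg: PortConfig) -> List[str]:
    """Sanity-check one port: addresses parse, family matches, gateway is on-link."""
    problems: List[str] = []
    for family, version, addr, gw in (("IPv4", 4, cfg.ipv4, cfg.ipv4_gateway),
                                      ("IPv6", 6, cfg.ipv6, cfg.ipv6_gateway)):
        if addr is None:
            if gw is not None:
                problems.append(f"{port}: {family} gateway {gw} set without an address")
            continue
        try:
            iface = ipaddress.ip_interface(addr)
            gateway = ipaddress.ip_address(gw) if gw is not None else None
        except ValueError as exc:
            problems.append(f"{port}: unparsable {family} setting ({exc})")
            continue
        if iface.version != version:
            problems.append(f"{port}: {addr} is not an {family} address")
        elif gateway is not None and gateway not in iface.network:
            problems.append(f"{port}: {family} gateway {gw} is not on-link for {iface.network}")
    return problems


def join_precheck(primary: NodeSpec, recorded: NodeSpec, candidate: NodeSpec) -> List[str]:
    """Return the reasons a join would fail; an empty list means it should validate.

    `recorded` is the member entry created with Add Members on the primary (plus the
    management/VLAN settings added afterwards); `candidate` is what the joining node
    actually has on its own System > Network > Port pages.
    """
    problems: List[str] = []
    if candidate.platform != primary.platform:
        problems.append(f"platform mismatch: {candidate.platform} vs {primary.platform}")
    if candidate.package != primary.package:
        problems.append(f"service package mismatch: {candidate.package} vs {primary.package}")
    for port in PORTS:
        have = candidate.ports.get(port, PortConfig())
        want = recorded.ports.get(port, PortConfig())
        problems.extend(check_port(port, have))
        for attr in FIELDS:
            if canon(getattr(have, attr)) != canon(getattr(want, attr)):
                problems.append(f"{port}: {attr} on node is {getattr(have, attr)} "
                                f"but primary recorded {getattr(want, attr)}")
    # Intracluster traffic stays on the IPv4 corporate network through the internal ports.
    if candidate.ports.get("internal", PortConfig()).ipv4 is None:
        problems.append("internal: IPv4 address required for intracluster communication")
    return problems


# Constructed sample data using documentation address ranges.
PRIMARY = NodeSpec("Node-1", "PSA-7000C", "PKG-1", {
    "internal": PortConfig("10.10.1.11/24", "10.10.1.1", "2001:db8:1::11/64", "2001:db8:1::1"),
    "external": PortConfig("192.0.2.11/24", "192.0.2.1", "2001:db8:2::11/64", "2001:db8:2::1"),
    "management": PortConfig("10.10.9.11/24", "10.10.9.1"),
})
NODE2_RECORDED = NodeSpec("Node-2", "PSA-7000C", "PKG-1", {   # as entered on Node-1
    "internal": PortConfig("10.10.1.12/24", "10.10.1.1", "2001:db8:1::12/64", "2001:db8:1::1"),
    "external": PortConfig("192.0.2.12/24", "192.0.2.1", "2001:DB8:2:0::12/64", "2001:db8:2::1"),
    "management": PortConfig("10.10.9.12/24", "10.10.9.1"),
})
NODE2_ACTUAL = NodeSpec("Node-2", "PSA-7000C", "PKG-1", {     # as configured on Node-2 itself
    "internal": PortConfig("10.10.1.12/24", "10.10.1.1", "2001:db8:1::12/64", "2001:db8:1::1"),
    "external": PortConfig("192.0.2.12/24", "192.0.2.1", "2001:db8:2::12/64", "2001:db8:2::1"),
    "management": PortConfig("10.10.9.12/24", "10.10.9.1"),
})

if __name__ == "__main__":
    for line in join_precheck(PRIMARY, NODE2_RECORDED, NODE2_ACTUAL) or ["join precheck clean"]:
        print(line)
```

Running it against the constructed data reports nothing, because the IPv6 address recorded on Node-1 in upper-case, zero-padded form is the same address Node-2 holds. Drop the management entry from the recorded member, or change one external IPv6 address, and the offending port and field are named before any join is attempted.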

Advanced Configuration

The following table summarizes advanced configuration guidelines.

Ivanti Connect Secure Clusters: Advanced Configuration Guidelines

Topic: Active/Active

Guideline:

When using Ivanti Secure Access Clients with an active/active cluster, you must split the IP address pool across the nodes to ensure proper routing from the backend to the end user: each node terminates its own tunnels, so return traffic for a client address must reach the node that holds that client's tunnel, and the backend can route that way only if each node owns a distinct slice of the pool. This is a requirement whether the IP address pool is provisioned statically on the Ivanti Connect Secure or dynamically by way of DHCP.

The client IP pool configuration is synchronized among all nodes in a cluster; however, you may configure each node to use a certain subset of the global IP pool.

If you are running VPN tunneling (Network Connect) on a multisite cluster where nodes reside on different subnets:

Configure an IP address pool policy on the Users > Resource Policies > VPN Tunneling: Connection Profiles > New Profile page that accounts for the different network addresses used by each node in the cluster.

For each node in the cluster, use the settings in the System > Network > VPN Tunneling page of the admin GUI to specify an IP filter that restricts the node to the slice of the pool assigned to it.

Create a static route on your gateway router that indicates the IP address of the internal port of each cluster node. Each IP address specified on the router needs to be in the same subnetwork as the corresponding cluster node.
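The three steps above amount to one plan: carve the global pool into disjoint per-node slices, filter each node to its slice, and give the gateway router a static route per slice whose next hop is that node's internal address on a subnet the router is attached to. The following planner is an added example written for this page, not Ivanti code; it produces the slices, the per-node filter values and the router's (destination, next hop) pairs, and flags a next hop that is not on any router subnet, which is the multisite case where the route must be placed on the router facing that node. The pool, node and router addresses are constructed, the generic prefix form of the filter is an assumption (enter it in whatever form the VPN Tunneling page accepts), and it handles IPv6 pools as well as the IPv4 pool the text discusses.

```python
"""Split a VPN tunneling client IP pool across active/active cluster nodes.

Added example, not Ivanti code. The connection profile holds one global pool
(synchronized to every node); each node is filtered to a disjoint slice of it,
and the gateway router needs a static route per slice pointing at that node's
internal address, so return traffic for a client reaches the node terminating
that client's tunnel. Pool, node and router addresses below are constructed.
"""
import math
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_interface, ip_network
from typing import Dict, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


def split_pool(pool: str, node_names: List[str]) -> Dict[str, Network]:
    """Carve the global pool into equal, disjoint slices, one per node, in name order."""
    if not node_names:
        raise ValueError("at least one node is required")
    net = ip_network(pool, strict=True)
    bits = math.ceil(math.log2(len(node_names)))   # 2 nodes -> 1 bit, 3-4 nodes -> 2 bits
    slices = list(net.subnets(prefixlen_diff=bits))
    return dict(zip(node_names, slices))           # unassigned slices remain spare


def node_filters(allocation: Dict[str, Network]) -> Dict[str, str]:
    """Per-node IP filter value (assumed prefix form) restricting the node to its slice."""
    return {name: str(net) for name, net in allocation.items()}


def static_routes(allocation: Dict[str, Network],
                  node_internal: Dict[str, str]) -> List[Tuple[str, str]]:
    """(destination slice, next hop) pairs for the gateway router.

    The next hop is the node's internal-port address, which is where the node
    forwards decrypted client traffic to the corporate network and receives replies.
    """
    return [(str(net), str(ip_interface(node_internal[name]).ip))
            for name, net in allocation.items()]


def check_routes(routes: List[Tuple[str, str]], router_interfaces: List[str]) -> List[str]:
    """Each next hop must sit on a subnet the router has an interface in."""
    router_nets = [ip_interface(i).network for i in router_interfaces]
    return [f"next hop {hop} for {dst} is not on any router subnet "
            f"({', '.join(str(n) for n in router_nets)})"
            for dst, hop in routes
            if not any(ip_address(hop) in n for n in router_nets)]


def validate_allocation(pool: str, allocation: Dict[str, Network]) -> List[str]:
    """Slices must lie inside the global pool and must not overlap each other."""
    net = ip_network(pool)
    items = list(allocation.items())
    problems = [f"{name}: {sl} is outside pool {net}"
                for name, sl in items if not sl.subnet_of(net)]
    for i, (name, sl) in enumerate(items):
        for other, sl2 in items[i + 1:]:
            if sl.overlaps(sl2):
                problems.append(f"{name} and {other}: {sl} overlaps {sl2}")
    return problems


# Constructed multisite example: the two nodes' internal ports are on different subnets.
POOL = "10.200.0.0/22"
NODE_INTERNAL = {"Node-1": "10.10.1.11/24", "Node-2": "10.10.2.12/24"}
ROUTER_INTERFACES = ["10.10.1.1/24", "10.10.2.1/24"]


def plan(pool: str = POOL, node_internal: Dict[str, str] = NODE_INTERNAL,
         router_interfaces: List[str] = ROUTER_INTERFACES):
    """Return (filters, routes, problems) for one pool and one set of nodes."""
    allocation = split_pool(pool, list(node_internal))
    routes = static_routes(allocation, node_internal)
    problems = validate_allocation(pool, allocation) + check_routes(routes, router_interfaces)
    return node_filters(allocation), routes, problems


if __name__ == "__main__":
    filters, routes, problems = plan()
    for name, flt in filters.items():
        print(f"{name}: VPN Tunneling IP filter {flt}")
    for dst, hop in routes:
        print(f"router: route {dst} via {hop}")
    for p in problems:
        print("problem:", p)
```

With the constructed data, Node-1 is filtered to 10.200.0.0/23 and Node-2 to 10.200.2.0/23, and the router gets one route per slice via 10.10.1.11 and 10.10.2.12 respectively. If the router only has an interface in 10.10.1.0/24, the planner reports the Node-2 next hop as off-subnet, which is exactly the condition the last guideline above warns about.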

Topic: FIPS

Guideline:

If you are creating a cluster of FIPS devices, manually update the security world on each of the nodes.