Deployments
Ivanti Policy Secure supports two types of cluster deployments:
- Deployment of Active/Active Cluster
- Deployment of Active/Passive Cluster
Requirements and Limitations
The following are the requirements and limitations for clustering:
- Cluster members must run the same software version.
- Cluster members must use the same hardware platform.
- State synchronization must occur only through the internal Network Interface Card (NIC). Ensure that cluster communication and resource access take place over an internal network.
- You can deploy active/active or active/passive clustering only within the same IP subnet.
To sync only the configuration across devices, we recommend that you use Pulse One instead of a cluster.
Deployment of Active/Active Cluster
An Active/Active deployment provides load balancing and high availability. Ivanti Policy Secure relies on an external load balancer for distributing the load among Ivanti Policy Secure nodes. Active/Active cluster configuration allows increased aggregate system throughput; however, it does not provide increased scalability beyond the total licensed users. It also provides seamless failover, which is achieved by state synchronization between the devices.
If a node goes offline, the load balancer adjusts the load on the active nodes. Users do not need to sign in again. However, some session information entered a few seconds before the active machine went offline, such as cookies and passwords, may not have been synchronized on the current device, in which case users may need to sign in again.
- WAN clustering is not supported.
- You can deploy up to 8 nodes for PSA-7000. All other platform models support 2-node clusters only. The system (UI) allows adding up to 8 nodes. However, only up to 4 nodes in a cluster have been officially qualified.
Deployment of Active/Passive Cluster
An active/passive cluster configuration provides high availability. Active/Passive deployment allows seamless failover without the need to set up any external equipment. The states are synchronized between the two devices for all the configurations so that the devices are virtually identical.
Active/Passive clustering is supported only if the members of the cluster pair are in the same subnet because the VIP address must be shared by both the members. Ivanti Policy Secure uses a virtual IP (VIP) address to address the cluster pair in addition to addressing each device. The IP address takeover (IPAT) approach is used for the VIP address. If the active node fails, the passive node takes over the VIP address and sends a gratuitous Address Resolution Protocol (ARP) message notifying other networking devices that it now owns the VIP address. You should check that other devices in your network, especially the next-hop gateways, accept the gratuitous ARP messages.
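When testing failover, you can confirm from a packet capture that the gratuitous ARP for the VIP was sent by a cluster member. The following Python sketch is an added example, not Ivanti code: it parses an untagged Ethernet frame and classifies ARP announcements for the VIP. The VIP, the MAC addresses and the function names are constructed, and it assumes the node announces the VIP with its own interface MAC, which this page does not state.

```python
import socket
import struct

# Constructed sample values (assumptions, not from the product documentation).
VIP = "10.0.0.10"
CLUSTER_MACS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame: bytes):
    """Return ARP fields from an untagged Ethernet II frame, or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not IPv4-over-Ethernet ARP
    return {
        "eth_src": _mac(frame[6:12]),
        "oper": oper,
        "sha": _mac(frame[22:28]),               # sender hardware address
        "spa": socket.inet_ntoa(frame[28:32]),   # sender protocol address
        "tpa": socket.inet_ntoa(frame[38:42]),   # target protocol address
    }

def classify(frame: bytes, vip: str = VIP, members=CLUSTER_MACS) -> str:
    """Classify a captured frame relative to the cluster VIP."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    # Gratuitous ARP: sender and target protocol address are the same.
    if arp["spa"] != arp["tpa"] or arp["spa"] != vip:
        return "unrelated"
    # The announced MAC must match the frame source and be a known member.
    if arp["sha"] != arp["eth_src"] or arp["sha"] not in members:
        return "vip-claimed-by-unexpected-mac"
    return "vip-takeover-by-member"

def build_garp(mac: str, ip: str) -> bytes:
    """Build a constructed gratuitous ARP request frame for the samples."""
    hw, pa = bytes.fromhex(mac.replace(":", "")), socket.inet_aton(ip)
    eth = b"\xff" * 6 + hw + b"\x08\x06"
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + hw + pa + b"\x00" * 6 + pa

if __name__ == "__main__":
    for mac in ("02:00:00:aa:00:02", "02:00:00:bb:00:99"):
        print(mac, classify(build_garp(mac, VIP)))
```

VLAN-tagged (802.1Q) frames are not handled; strip the tag or extend `parse_arp` before using this on a trunk capture.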