High Availability

Introduction

The MetaDefender Transfer Guard High Availability (HA) solution uses two sets of appliances and an appropriate appliance configuration. This ensures a high level of operational performance (uptime and dataflow).

High Availability feature supports the following:

  • TCP Streams
  • UDP Streams
  • MFT (HTTP) Streams
  • File Transfer
  • Connectors

The strategy for high availability will utilize Active/Standby components, where one appliance will be in Active state at a given time. The other appliance will be in Standby, ready to take over should hardware in the active appliance fail.

Hardware Requirements

A pair of MetaDefender Transfer Guard (hereinafter Transfer Guard) appliances will be combined in a logical unit to formulate Netwall HA. The prerequisite is that Transfer Guard appliances of same type are used to form the HA pair. Additionally, the switches to which the Transfer Guard appliances are connected must support multicast switching:

  • Two BLUE Transfer Guards.
  • Two RED Transfer Guards.
  • Two switches supporting multicast switching one for BLUE side and one for the RED side.
  • Fiber cables need to be connected as it is displayed in the Figure. Transfer Guard BLUE 1 Fiber 1 should be connected to the corresponding SFP in Transfer Guard RED 1 and Transfer Guard BLUE 1 Fiber 2 should be connected to Transfer Guard RED 2. User should repeat this schema for Transfer Guard BLUE 2 Fiber 1 and Fiber 2, connecting them respectively to Transfer Guard RED 2 and Transfer Guard RED 1.

The switches supporting multicast switching are not provided by OPSWAT.

Networking Requirements

In order to function properly, ucarp requires a logical/real IP address on each domain of the HA-pair, and a single shared VIP on each domain for the HA-pair. So the IPs needed would be:

  • Management IP for each Transfer Guard BLUE.
  • Additional IP for each Transfer Guard BLUE.
  • Management IP for each Transfer Guard RED.
  • Additional IP for each Transfer Guard RED.
  • Two Virtual IP (VIP) for Common Address Redundancy Protocol (CARP), one for BLUE side and one for RED side.

A VIP (Virtual IP address) is a shared IP that is used between either two BLUE or two RED Transfer Guard computers. This VIP is only active on one of the Transfer Guard appliances at any given time. The other appliance in the HA-pair, has the VIP interface down which places that VIP interface in standby mode. If a failover event occur, the system will force an election event (the event occurring when hardware failure is detected), and that election event will determine the state of each node’s VIP.

High Availability Setup

There are several steps a user shoud follow to properly configure High Availability.

  • Connect the fiber cables as indicated before.
  • Configure additional IPs in the 2 BLUE appliances and in the 2 RED appliances.
  • Configure Virtual IPs in the 2 BLUE appliances and in the 2 RED appliances.
  • Define Primary and Secondary servers.
  • Configure Connectors for proper failover management.

Configure additional IPs

As mentioned before, Transfer Guard will need an extra IP address per appliance for enabling logical separation between management IP network and the data IP network. This segregation ensures that management Web UI is always accessible on the management IP network. To configure the additional IP go to Advanced -> Networking -> IP Addresses, deploy the Action button and click on Add IP Address, fill in the IP Address and Mask and click on Submit button.

Configure Virtual IPs

A VIP (Virtual IP address) is required as mentioned before. To configure the VIP go to Advaced -> Networking -> IP Addresses, deploy the Action button and click on Add VIP Address, fill in the mandatory fields click on Submit button.

You need to remember the Security text you define as this should be the same in both Transfer Guard (it should be the same between the two MetaDefender Transfer Guard BLUE and again, the same between the two Transfer Guard RED), so both appliances know they are part of the same HA system. In the image bellow, there is a configuration example.

Define Primary Server

Once configured both appliances of the HA pair, user can check which one is the Primary appliance and which one is in Standby status in the Dashboard.

User can change this using the Demote button in the Primary appliance Dashboard. Once the user clicks on the Demote button, that appliance would become the secondary and would go to Stand by mode while the other appliance of the HA pair would become the Primary.

Configure Connectors

Connectors within Transfer Guard are typically designed to be outbound clients (Blue domain and some Red domain) or servers (Red domain). Thus, when the connector is outbound client, no additional configuration is needed to ensure successful failover or election events. In the case where the connector is designed as server (Red domain) the VIP address is the one that should be used for clients that need to connect to it.

Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
On This Page
High AvailabilityIntroductionHardware RequirementsNetworking RequirementsHigh Availability SetupConfigure additional IPsConfigure Virtual IPsDefine Primary ServerConfigure Connectors