Here is the scenario: We have two SA4500 devices. One in Florida that is licensed for 200 users and IVS. This is our main SSL VPN device that is configured with three companies via IVS. It is backed up nightly to a local FTP server. Our second SA4500 device is in New York configured only with an ICE license to be used in the event the Florida device fails. My question is, how should I be backing up the IVE in Florida (keeping the IVS in mind) and if there was a failure at our Florida office, what is the best (and fastest) way to get the New York device ICE license activated and the config from the Florida IVE (and IVS) up and running on the New York device? Would a cluster license be more practical in this scenario than the ICE license?
I think the cluster is a good idea. Run an active/active cluster and you will know that the configuration is up-to-date between your primary and backup devices. You don't have to do anything to enable the use of the backup, which makes testing your DR plan much easier. This assumes of course that there is a network path between the internal interfaces of the devices.
One other side benefit of this is that the status of your backup device is always shown on the status screen of your primary device. If your backup is down, you'll see it in red on the status screen of your primary device.
I haven't found any downsides to an active/active cluster, except that upgrading one immediately upgrades the other. Don't get me started on active/passive.
OK, so if the cluster is the preferred, what licenses would I need to purchase? The firdt device was ordered with 100 users, then 100 additional users added at a later date and we have the IVS license on it as well. Would I need a cluster license, 200 users licenses and the IVS license to get to the second device in to an active/active cluster?
Are we talking about IVE clustering over WAN link? Behave!
Sometimes "more" redundancy can lead to "less" availability.
Assuming the wan link breaks, both nodes "could" get master and noone can log in in active/passive scenario.
Automatic backups of whole config and user accounts is great.
You could also use little cronjob script to send automatic the config via mail (secure config with strong password...) from the ftp server, so if IVE aND FTP servers burn, you will still have your config and can recover it in the second IVE System.
On linux something like.....
mail -s "backup-config" [email protected] -a iveconfigbackup_1312009.cfg
I'd never suggest active/passive over a WAN, even if it were possible. (Even though I use it, I'm not sure I would even recommend it over a LAN.) But I've had good success using active/active between Shanghai and Tokyo and between Bangalore and Mumbai to maintain consistent configurations. I did have problems when I also had Sydney in the Shanghai/Tokyo cluster; the delay between the nodes and the very large size of my configuration made for real problems.
I also do clustering to help control my costs - a cluster license is cheaper than a standard license (maybe not cheaper than an ICE license),
But there are alternatives, as you suggest. It might also work to push the configuration regularly.