Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to deploy SA in active/passive Cluster?

Fahad_khan_
Occasional Contributor
‎12-15-2008 08:45:PM
‎12-15-2008 08:45:PM

How to deploy SA in active/passive Cluster?

Dear all,

I have two SA devices and I wanna deploy them in cluster (active/passive), can someone help me to find the best possible design ?

what are the recommendations?

is the external port used? when I put the external ports in the public segment and configured a VIP with a public IP, then I notice that these public IPs are not reachable.

now come to the intenal port, I notice that local lan user are unable to access SA via its internal VIP (with private IP).

Kinldy help me out with your expert knowledge to deploy them.

Thanks and best regards,

0 Kudos
2 REPLIES 2
Jickfoo_
Super Contributor
‎12-16-2008 06:01:AM
‎12-16-2008 06:01:AM

Re: How to deploy SA in active/passive Cluster?

We've tried deployment a couple different ways and here is what we do:

We enable the external port and put it into a DMZ, then we create NATs in the firewall for the outside world to access the site. You need to hit this site by a hostname, not an IP and the sign-in policy has to be configured for the host name you are using. You should also get a certificate for this site.

We enable the internal port and put it into a seperate subnet on our internal network. Then we lock down what people can get to with the IVE policy. It's normal for users to be denied from hitting the internal port. As a security measure the Internal port is for admins only.

Best of Luck.. The deployment guides are very good.

0 Kudos
Mrkool_
Super Contributor
‎12-30-2008 12:01:PM
‎12-30-2008 12:01:PM

Re: How to deploy SA in active/passive Cluster?

Fahad,

You should really read up alot before setting this up. there are alot of diffrent ways Junipers can be setup but once they are setup a change will require downtime and this is always a big issue for us.

you can hide the external interfaces behind a nat but than we ran into issues using the pass through proxy so i recommend putting the external interfaces directly on the internet but behind a firewall.

the VIP for the cluster is setup in the cluster setup and not the network configuration. The cluster setup will only show up if you have a cluster license though.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.