Please find the update:
MAG 6611 needs MAG-SM160 or MAG-SM360 to run as SA. We can configure Active /passive cluster setup with sincle MAG 6611 itself .
For MAG6611, you can cluster two service modules in a pair, either using the MAG-SM160 or MAG-SM360.
1. In active/passive setup external interfaces of the and its corresponding external VIp should be in same subnet
2. Internal Interfaces of the 2 MAG modules with in MAG 6611 should be in same subnet .
However I understand that you have 2 MAG 6611 , if these MAG 6611's are placed in WAN then cluster will not be possible since WAN clustering in MAG is not supported.
Since this is a new deployment and its impact is high I would recommends you to create a case with JTAC Technical Support Team to give the confirmed information.
Thanks for sharing. Your input is very valuable!.
Yes I bought 2 MAG-SM360 ( one for each 6611)
These MAGs will be placed on the DMZ.
Do you know any mag vpn design documentation, can you lead me to it?
For information on clustering, please see: the Administration Guide
1) Yes, the external ports and the external VIP can host your external IPs
2) The internal port hosts an address that has access to your LAN
You do not need to use the external port; if you do use it, you do not need to give them public IPs if you don't want to.
i have the same scenario of After1, but my devices are 2xMAG6610 and service modules are 2xSM160.
it is a new deployment, and i didn't work with these devices before.
would you please support me with how to cluster it as Active/Passive, physically connection and the config?
one more thing, in my network i have Cisco ACS and it has the access lists of the VPN Clients. the access lists are written in Cisco Language, how the juniper MAG will understand Cisco language and get these access lists from the Cisco ACS to authenticate the VPN clients?
your responsd is highly apperciate.