SSL VPN 4500 for DR

NIS_Dom_
Contributor

Hello Guys,

We have Juniper SSL VPN 4500 box and 2 x Juniper SSG550M Firewalls.

Both firewalls are configured for DR with NSRP (Active/Passive). Once you update the configuration on one box it is automatically synchronised with the other box, which is working great.

The Juniper SSL box is configured and working fine.

We have recently purchased another SSL VPN 4500 box and would like to configure it for DR as well, like the firewalls.

How do you do this?

Little update.

The subnet where the first SSL box sits has been stretched across our network to the secondary Data Centre.

zanyterp_
Respected Contributor

Re: SSL VPN 4500 for DR

Is the second node going on the same subnet? If not, you cannot use the active/passive cluster option. You will need to set up an active/active cluster and control access to the nodes via a load balancer or FW rules.

Kita_
Valued Contributor

Re: SSL VPN 4500 for DR

The recommendation would be to upgrade the device that does not own the VIP. When the upgrade is complete, it will automatically upgrade the second device and fail over the VIP to the other device. During this time, user sessions will be automatically transferred over but this will cause a short disconnect for SAM and NC/Pulse users as these applications will automatically reconnect to the new node as well. If end users are utilizing applications through SAM or NC/Pulse that do not support auto connect features (like putty) they will need to reconnect these applications when the tunnel is connected to the new node.

In short, there should be minimal downtime when sessions are transferred between the two devices, but be aware of the reconnect scenario.
Kita_
Valued Contributor

Re: SSL VPN 4500 for DR

Creating a cluster will not cause any disconnect, but joining the cluster may, depending on whether the VIP is transferred between the two nodes. To ensure the VIP stays on the existing node, modify the sync rank higher (in the cluster settings) on the existing node. This will tell the device to consider the existing device to be the VIP first before the other device.

No additional licensing is needed on the boxes unless you are considering increasing the load on the cluster to above the existing license installed on the box. The recommendation is to ensure both devices in the A/P cluster have the same number of licenses. When the two nodes are joined to the cluster, it will add both licenses from the two nodes to calculate the total number of users allowed for the whole cluster.

NIS_Dom_
Contributor

Re: SSL VPN 4500 for DR

Thanks a lot Kita.

NIS_Dom_
Contributor

Re: SSL VPN 4500 for DR

Hi Bobj,

Thanks a lot for your post and link.

Does the firmware on both boxes have to be the same before configuration?

It's a little bit old, and what I would like to do is to upgrade the firmware on the second box to the newest version, then configure it for the DR (if possible), take the primary box down so it can fail over to the backup box, upgrade the firmware on the primary box to the same ver. as the backup box and plug it back in.

Will this work?

Also, when migrating from standalone to DR, is there any downtime required?

The primary box is up and running and I would like to start creating the cluster; the problem is I'm not sure whether this is going to introduce any downtime.

NIS_Dom_
Contributor

Re: SSL VPN 4500 for DR

Hi,

I would like to prepare the primary standalone box for DR by creating a new cluster on it, but my main concern is that this will disconnect the current sessions... Will it?

Also do I need any additional licenses for configuring the box with cluster?

Thanks,

Dom

Bobj_
Occasional Contributor

Re: SSL VPN 4500 for DR

Hi

The following link is a good guide for configuring SA clustering; the bottom of page 20 discusses migrating from a standalone to a cluster. Have a read through, and if you have any questions get back to me.

http://www.juniper.net/techpubs/en_US/sa7.2/information-products/pathway-pages/sa-series/sa-service-...

The general process is to configure the cluster on your current box, and then add the new box as a node.

Don't forget to always take a backup before making changes like this.

Senior Security Engineer
Juniper Ambassador
JNCIS-SA, JNCIA-FWV, JNCIA-JUNOS
CCSA, CCSE CCEPE, CCNA, ACWA F5-CA