I have an SA4500 at our primary site and another in our DR site.
I have previously worked with Cisco VPN and the IPSEC client where you could specify backup devices that if you could not make contact with the primary site it would automaticlaly try site2,3,4 etc.
Now I am working the the SA4500 SSL solution and can find no obvious way get the client to try a secondary site if it cannot connect to the primary.
Can anyone tell me if this is possible or not?
Short answer: no, not in the manner you described. (unless you are using an active/passive cluster in which case that is how the acces works)
Long anwer: Maybe; but nothing automatic unless you are in a cluster.
Is your DR site working together with your primary in a cluster configuration or in a completely stand-alone environment?
If it is working in a cluster, the client only connects to the one URL and will failover to the other node in event of failover; if you are using a different site/URL for access, users will need to manually connect to the DR site in the event of a failover behavior.
Thanks for the reply
The DR site is not working in a cluster, but as a standalone device,
I have not looked at options to make it into a cluster with the primary site.
This would protect against failure of the device, I was looking into failover in the event of internet link failure.
Looks like this is not an option with Juniper, just have to tell the users to connect to the other url?
It depends on your network configuration.
If you can easily-ish change the DNS entry to point to the DR site and you have a 100% replica, including system.cfg with the certificate, there is no need to have users connect to the oher site manually.
If, however, only the user.cfg and not the certificate is ported OR it is not easy to change the DNS entry, and therefore using a different host name, yes, you will need to instruct your users to connect to the other site manually.
What about the case where the ssl certificate has a subjectAltName=DNSrimary.sslvpn.tld,DNS:secondary.sslvpn.tld
Would that allow two non identically named SA's to be backups for each other by installing this single cert on both?
If the same certificate is installed on both machines, then, yes, that should work.
Thanks. That's what I thought.
You are welcome; good luck!