UserGate supports 2 cluster types:
-
Configuration cluster. Nodes grouped into a configuration cluster use the same settings applicable within the cluster.
-
Failover cluster. You can merge up to 4 configuration clusters into a single failover cluster that supports the Active-Active and Active-Passive modes. The system can handle multiple failover clusters.
Certain settings are unique for each cluster node, e.g. network interfaces and IP routing. The list of unique settings:
|
Name |
Description |
|---|---|
|
The following settings are individual for each node in a cluster: |
Log Analyzer Diagnostics Interfaces Gateways DHCP Routes OSPF BGP VPN |
To create a new configuration cluster, perform the following steps:
|
Name |
Description |
|---|---|
|
Step 1. Perform initial configuration on the first node of your cluster |
For details, please refer to Initial configuration. |
|
Step 2. On the first node of your cluster, configure a zone with interfaces that will be used for replication of the cluster |
In the Zones section, create a new dedicated zone for replication of cluster settings or use an existing one. The following services must be allowed in the zone settings:
Do not use zones in which interfaces are connected to untrusted networks or the Internet. |
|
Step 3. Specify the IP address for communication with other nodes of your cluster |
In the Device management section, select the current node of your cluster and click Edit. Specify the IP address of the interface from the zone configured on step 2. |
|
Step 4. Generate the Secret code on the first node of your cluster |
In the Device management section, click Generate secret code. Then copy the generated code to the Clipboard. This secret code is used for one-time authentication of the second node being added to your cluster |
|
Step 5. Connect the second node to your cluster |
Connect to the web console of the second node in your cluster and select the language that you want to use during installation. Specify the interface for communication with the first node and assign an IP address. Both cluster nodes must belong to the same subnetwork, e.g. IP addresses of the eth2 interfaces on both nodes are 192.168.100.5/24 and 192.168.100.6/24, or specify gateway's IP address, which can be used to communicate with first cluster's node. Specify the IP address of the first node configured on step 3, paste the secret code and then click Connect. If IP addresses configured on step 2 in your cluster are valid, then the second node will be added to the cluster and all settings of the first node will be replicated to the second node. |
|
Step 6. Assign zones to interfaces of the second node |
In the web console of the second node in your cluster, go to Network - Interfaces and assign a valid zone to each interface. Zones and their settings have been already replicated from the first node of your cluster. |
|
Step 7. Set up the individual parameters for each cluster node (optional). |
Set up gateways, routes, OSPF and BGP parameters individually for each node. |
You can group up to four configuration clusters into a single failover cluster. The system can handle multiple failover clusters. The two modes are supported, which are Active-Active and Active-Passive. Active-Passive mode supports synchronization of user sessions for transparent switching of the traffic among nodes.
In the Active-Passive mode, one server works as the Master node and processes the traffic while all other servers are for backup purposes only. You can provide one or more virtual IP addresses for a cluster. Virtual addresses are switched from the Master node to a backup node in the following situations:
-
A backup server cannot get a response from the Master node, e.g. when the Master node is disabled or when the connection is lost.
-
The node is set up to control the Internet access (see Configuring gateways), but all the configured gateways cannot connect to the Internet.
-
A failure in the UserGate software.
A sample network diagram of a failover cluster in the Active-Passive mode is shown below. The interfaces are set up as follows:
-
Trusted Zone: IP1, IP2, IP3, IP4, and IP cluster (Trusted)
-
Untrusted Zone: IP5, IP6, IP7, IP8, and IP cluster (Untrusted)
-
Cluster Zone: IP9, IP10, IP11, IP12, IP13, IP14. Interfaces in the Cluster zone are used for replication of the settings.
Both cluster IP addresses are assigned to node UTM1. If UTM1 is not available, both cluster IP addresses are moved to the next server, e.g. UTM2, that becomes a new Master node.
In the Active-Active mode, one server works as the Master node and distributes the traffic among all other cluster nodes. Since the cluster's IP address is assigned to the Master node, the Master node responses to ARP requests from clients. By distributing MAC addresses of all failover cluster nodes one by one, the Master node ensures optimized distribution of the traffic across all cluster nodes while keeping consistency of user sessions. You can provide one or more virtual IP addresses for a cluster. The Master node role can be reassigned to a backup node in the following situations:
-
A backup server cannot get a response from the Master node, e.g. when the Master node is disabled or when the connection is lost.
-
The node is set up to control the Internet access (see the Configuring gateways but all the configured gateways cannot connect to the Internet.
-
A failure in the UserGate software.
A sample network diagram of a failover cluster in the Active-Active mode is shown below. The interfaces are set up as follows:
-
Trusted Zone: IP1, IP2, IP3, IP4, and IP cluster (Trusted)
-
Untrusted Zone: IP5, IP6, IP7, IP8, and IP cluster (Untrusted)
-
Cluster Zone: IP9, IP10, IP11, IP12,IP13, IP14. Interfaces in the Cluster zone are used for replication of the settings (support of the configuration cluster).
Both cluster IP addresses are assigned to node UTM1. If UTM1 is not available, both cluster IP addresses are moved to the next server, e.g. UTM2, that becomes a new Master node.
Important! For correct traffic processing it is required that user's sessions were always kept to the same cluster's node, i.e. traffic from client to server and from server to client always go via the same cluster's node. The easiest way to set it up is to configure NAT from client to server network (NAT from Trusted zone to Untrusted zone).
To create a new high-availability cluster, perform the following steps:
|
Name |
Description |
|---|---|
|
Step 1. Create a new configuration cluster |
Create a new cluster as described above. |
|
Step 2. On both nodes of your clusters, set up the zones with interfaces that you want to use in the high-availability cluster. |
In the Zones section, enable the VRRP service in the zone settings for all zones where you are going to add a virtual IP address for a cluster (Trusted and Untrusted zones on the above diagrams). |
|
Step 3. Add nodes of your cluster to the high-availability VRRP cluster |
In the Device management - High availability cluster section, click Add and specify the High-availability cluster parameters. |
|
Step 4. Specify the virtual IP address for auth.captive, logout.captive, block.captive, ftpclient.captive |
If you are going to set up authentication via the captive portal, then make sure that the system names of auth.captive, logout.captive, block.captive, ftpclient.captive are resolved into the IP address that you have previously configured as the virtual address of your cluster. For more details refer to General settings section of this Guide. |
Failover cluster parameters:
|
Name |
Description |
|---|---|
|
On |
Enables or disables the failover cluster |
|
Name |
Name of the failover cluster |
|
Description |
Description of the failover cluster |
|
Cluster mode |
Failover cluster mode:
|
|
Sessions sync |
Enables the synchronization mode for user sessions across all nodes in the failover cluster. Enabling this option will make transition of users among devices more transparent for users, but will significantly increase the workload for UserGate platform. This applies only to the Active-Passive mode of a cluster. |
|
Multicast identifier of the cluster |
You can create multiple failover clusters within a single configuration cluster. This parameter defines a multicast address that will be used for synchronization of sessions. Make sure to set a unique identifier for each group of failover clusters that requires synchronization of sessions. |
|
Virtual router identifier (VRID) |
A virtual router identifier must be unique for each VRRP cluster in a local area network. If you don't have any 3rd party VRRP clusters in your network, leave the default value. |
|
Nodes |
Here you can select which configuration cluster nodes you want to merge into a failover cluster. In addition, you can also assign the Master server role to a node of your choice. |
|
Virtual IP addresses |
Here you can assign virtual IP addresses and match them with the cluster node interfaces. |