Background:
8e6 R3000 had feature to synchronize various aspects of R3000 configuration, library, and authentication sessions between any number of R3000 boxes. When using R3000 synchronization, you must elect one R3000 appliance as the SOURCE (ie. master) and the remaining R3000(s) must be TARGET(s).
The question invariably is asked: Is there an 8e6 R3000 deployment architecture that provides full High Availability for both (a) authentication, and (b) web filtering?
Recommendation:
8e6 makes recommendation for "high availability " R3000 deployments to leverage a SLB (server load balance) solution to distribute SPAN/monitor session traffic between two or more R3000 appliances.
The 8e6 server load balancer vendor of choice is Top Layer: http://toplayer.com/content/products/intrusion_detection/ids_balancer.jsp
The Details and Caveats:
Key differentiation: Server load balancing and high availability are NOT the same thing and imply different functional requirements. This statement applies to 8e6 use of Top Layer IDS/SLB and high availability.
Top Layer will only provide SLB (server load balancing) to distribute "filter load" across 2+ R3000 appliances.
Top
Layer will NOT provide high-availability in the case the single R3000
authentication server fails (ie. the SOURCE/master box). Reminder from Background above: one R3000 always "owns" the authentication.
Comparison between SOURCE and TARGET roles:
Table describing roles of different R3000 appliances when Synchronized:
Requirement
| R3000 Source appliance
| R3000 Target appliance(s)
|
apply filter policy against traffic
| YES
| YES
|
host block page for all sync'ed R3000's **
| YES
| NO
|
"owns" authentication mechanism
| YES
| NO
|
authentication virtual IP address active
| YES
| NO
|
aware of all authenticated users
| YES
| YES
|
|
|
|
** This is default functionality but can be changed with manual configuration at R3000 command-line.
Deployment questions:
We could use
2 3000s boxes, no load
balancer, authenticate on one box and filter on the other?
correct --
when R3000's sync'ed, you
always authenticate to one box -- the SOURCE box -- regardless of
whether both R3000's receiving web traffic or not.
Use 2 boxes,
with load balancer and filter
and authentication on both?
incorrect --
repeat: when
R3000's sync'ed, you always authenticate to one box -- the SOURCE
box. You can decide to use both R3000's boxes for filtering (both
SOURCE and TARGET will receive web traffic on sense interface via Top
Layer SLB). Still -- the SOURCE box does all authentication -- and
SOURCE serves up block page for all R3000 sync'ed.
It is not possible to
authenticate to both boxes when sync'ed (the virt auth IP not active on
TARGET boxes) --
Closing thoughts:
The synchronization feature of 8e6 R3000 appliances is very powerful feature to centralize management and allow for server load balanced architecture.
Operating multiple 8e6 R3000 appliances with (a) server load balancer, (b) NO synchronization, and (c) authentication enabled is a not realistic or functional architecture because neither R3000 would know
authentication identity information from other boxes. If synchronization is disabled, no authentication identity information is shared between R3000 appliances.
