Symantec Privileged Access Management


Multi Site Cluster

  • 1.  Multi Site Cluster

    Posted Mar 31, 2020 06:53 PM
    Hello Community,

    Please, in a cluster of 2 sites in different geographic locations, must the network parameters (NTP, DNS, AD, etc.) be different?

    Thank You!

    Adolfo

    ------------------------------
    Consultant TI
    eSoft Colombia, s.a.s
    ------------------------------


  • 2.  RE: Multi Site Cluster

    Broadcom Employee
    Posted Mar 31, 2020 08:51 PM
    Adolfo

    I guess that would depend on your network. If you can configure with the same DNS and NTP without performance issues it may be simpler. As for your AD, I would assume you might have different domain controllers, but since the user synchronization process and password rotations are handled at the primary site I don't know that there would be a concern. Please note a multisite cluster was designed for PAM appliances that are in remote networks with different network configurations. Are you seeing a problem after configuring?

    Joe


  • 3.  RE: Multi Site Cluster

    Posted Apr 19, 2020 12:57 PM
    Hi @Joseph Lutz,

    In my environment, we have a single-site cluster with 2 nodes. However, we are planning to set up a secondary site soon with 2 nodes, so in total there will be 2 sites with 2 members each. As I understand from the documentation, for each site we need an internal VIP for load balancing and an external load balancer for user access. I want to set up my environment in such a way that all user sessions are directed to the 2nd node of each site. The leader should only be used for admin activities. Is that possible? Is there any best practice recommended for this?


  • 4.  RE: Multi Site Cluster

    Broadcom Employee
    Posted Apr 20, 2020 06:52 AM
    Pankaj

    So first thing is no, there are no user controls for how the cluster VIP will load balance. It is simply load based. Secondly, while I understand the desire to keep traffic off the primary node in the primary site, the primary in the secondary site is not quite so important, so I would not bother with any special reservation. All secondary nodes communicate directly with the primary in the primary node, so the primary in the secondary site is not that important.... If you want control you will need to use an external load balancer for IP redirects.

    Also, one additional note. All 3.3 clusters now require 3 nodes in the primary site for fault tolerance. This is a change from 3.2 and below.

    Joe


  • 5.  RE: Multi Site Cluster

    Posted Apr 21, 2020 03:53 AM
    @Joseph Lutz Thanks for the information. Are 3 nodes mandatory for fault tolerance?


  • 6.  RE: Multi Site Cluster

    Broadcom Employee
    Posted Apr 21, 2020 08:57 AM
    Pankaj

    Yes. Due to a change in the underlying cluster technology you will need at least 3. This is now based on a quorum requirement for MySQL database clusters. You can read more about this and how even numbers can reduce your flexibility in cluster failover based on MySQL clustering... So for a 3 node cluster you can lose 1 node and maintain the quorum... For a 4 node cluster you can still only lose 1 node. Quorums require more than 50% of a cluster to be functional to maintain cluster status. If you have a 2 node cluster and lose one node then you have 50%... but you need >50%. In a 3 node cluster, if you lose 1 node you still have 66%, which is greater than 50%.

    Joe
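    The majority rule Joe describes above, worked through as an added Python example (not code from the thread or from the PAM product): a cluster keeps quorum only while strictly more than half of its members are functional, and the table it produces goes beyond the 2, 3 and 4 node cases in the post to show the general pattern that an even member count never buys an extra tolerated failure.

    ```python
    # Added example: quorum arithmetic for majority-based database clusters.
    # Not from the thread or the PAM product; only the ">50% of members" rule
    # stated in the post is assumed.
    from typing import Dict


    def has_quorum(total_nodes: int, alive_nodes: int) -> bool:
        """True when the surviving members are a strict majority of the cluster."""
        if total_nodes <= 0 or alive_nodes < 0 or alive_nodes > total_nodes:
            raise ValueError("invalid node counts")
        # 2 * alive > total is the integer form of alive / total > 0.5
        return 2 * alive_nodes > total_nodes


    def tolerable_failures(total_nodes: int) -> int:
        """Largest number of nodes that can fail before quorum is lost."""
        lost = 0
        while has_quorum(total_nodes, total_nodes - lost - 1):
            lost += 1
        return lost


    def failure_table(max_nodes: int = 6) -> Dict[int, int]:
        """Map cluster size -> tolerated node failures, for sizes 1..max_nodes."""
        return {n: tolerable_failures(n) for n in range(1, max_nodes + 1)}


    if __name__ == "__main__":
        for n, lost in failure_table().items():
            print(f"{n} nodes: cluster survives losing {lost}")
    ```

    Reading the table: 2 nodes tolerate 0 failures (one survivor is exactly 50%, not more), 3 and 4 both tolerate 1, 5 and 6 both tolerate 2. Adding a fourth node therefore adds a member that can fail without adding any failure the cluster can absorb.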


  • 7.  RE: Multi Site Cluster

    Posted Apr 24, 2020 05:17 AM
    Hi @Joseph Lutz,

    Thanks for the explanation. I need to highlight this to my management. Can you let me know where in the documentation it's mentioned that we need at least 3 nodes in 1 site?


  • 8.  RE: Multi Site Cluster
    Best Answer

    Broadcom Employee
    Posted Apr 24, 2020 07:23 AM
    Pankaj

    There may be several places you need to look for the full description. This is where the numbers are defined.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/deploying/set-up-a-cluster/cluster-synchronization-promotion-and-recovery/primary-site-fault-tolerance.html

    I don't think it's spelled out in great detail, but here is part of it on the quorum:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/deploying/set-up-a-cluster/cluster-synchronization-promotion-and-recovery.html

    That should be enough to show your manager to highlight what you need.

    Joe


  • 9.  RE: Multi Site Cluster

    Posted Apr 24, 2020 07:51 AM
    @Joseph Lutz Thanks for explaining. One last question: as I understand, if we want to promote the secondary site as primary in case of disaster recovery, then our secondary site must have 3 nodes in a cluster for fault tolerance, the same as the primary site?


  • 10.  RE: Multi Site Cluster

    Broadcom Employee
    Posted Apr 24, 2020 08:04 AM
    Yes. This is a technical design thing, so you would always need 3 or more nodes for this type of fault tolerance.


  • 11.  RE: Multi Site Cluster

    Posted Apr 27, 2020 12:07 PM
    Edited by Pankaj Kumar Apr 27, 2020 12:08 PM
    Hi @Joseph Lutz,

    In the documentation, the ports below need to be opened within a site. Are they bi-directional, or do they just need to be opened from the primary node to the secondary nodes?

    Clustered appliance: Within a site, these ports are required:
    TCP/443, 8443 (HTTPS)
    TCP/3307, 13307 (MySQL)
    TCP/5900 (Hazelcast)
    TCP/7900 (JGroups)
    TCP/7901 (JGroups heartbeat)



  • 12.  RE: Multi Site Cluster

    Broadcom Employee
    Posted Apr 28, 2020 07:22 AM
    Pankaj

    These are bidirectional.

    Joe


  • 13.  RE: Multi Site Cluster

    Posted Apr 30, 2020 05:08 AM
    Hi @Joseph Lutz,

    Need some clarification.
    Currently these ports show open from our existing cluster members bi-directionally. We will be adding a new cluster member soon. I checked with the firewall team and they informed me that there is no firewall blocking between servers within the same subnet. So does that mean I will see these ports open from the new member only after it is added as a member? Because currently I see them as closed from the new member bi-directionally.


  • 15.  RE: Multi Site Cluster

    Broadcom Employee
    Posted Apr 30, 2020 07:47 AM
    Pankaj

    Yes. The cluster config does determine what IP addresses to allow those additional ports to be accessed from. There is no reason any other machine would try to access through these ports.

    Joe
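    The port check discussed in posts 11 to 15, as an added Python example (not code from the thread or from the PAM appliance): it probes the intra-site port list quoted above from the node it runs on, and because the ports are bidirectional it is meant to be run from every member against every other member. The peer addresses are placeholders; the port list is the one quoted from the documentation. As Joe notes, the appliance only permits these ports from the IPs in its cluster configuration, so a "closed" result from a node that has not yet been joined is the expected state rather than a firewall fault, and the probe is only meaningful once the member has been added.

    ```python
    # Added example: reachability probe for the intra-site cluster ports quoted
    # in the thread. Not from the thread or the PAM product. Peer addresses are
    # placeholders; run it on each member so both directions are covered.
    import socket
    from typing import Dict, Iterable, List, Tuple

    # Port list as quoted from the documentation in the thread (within a site).
    CLUSTER_PORTS: Dict[int, str] = {
        443: "HTTPS", 8443: "HTTPS",
        3307: "MySQL", 13307: "MySQL",
        5900: "Hazelcast",
        7900: "JGroups", 7901: "JGroups heartbeat",
    }


    def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
        """Attempt a TCP handshake; True only if the peer accepts the connection."""
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:  # refused, filtered (timeout), unreachable, DNS failure
            return False


    def check_peers(peers: Iterable[str], ports: Dict[int, str] = CLUSTER_PORTS,
                    timeout: float = 2.0) -> Dict[Tuple[str, int], bool]:
        """Probe every (peer, port) pair from this node."""
        return {(peer, port): tcp_port_open(peer, port, timeout)
                for peer in peers for port in ports}


    def closed_ports(results: Dict[Tuple[str, int], bool]) -> List[str]:
        """List the peer:port pairs that did not accept a connection."""
        return sorted(f"{peer}:{port}" for (peer, port), ok in results.items() if not ok)


    def demo_local() -> Dict[str, bool]:
        """Offline self-check: a loopback listener on a free port reads as open;
        the same port reads as closed once nothing listens on it."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))   # port 0 = let the OS pick a free port
        srv.listen(1)                # kernel completes the handshake without accept()
        port = srv.getsockname()[1]
        try:
            while_listening = tcp_port_open("127.0.0.1", port)
        finally:
            srv.close()
        after_close = tcp_port_open("127.0.0.1", port)
        return {"while_listening": while_listening, "after_close": after_close}


    if __name__ == "__main__":
        print("loopback self-check:", demo_local())
        # Placeholder addresses: replace with the other members of this site.
        peers = ["PAM-NODE-2.example.invalid", "PAM-NODE-3.example.invalid"]
        results = check_peers(peers)
        for entry in closed_ports(results):
            print("closed:", entry)
        if not closed_ports(results):
            print("all cluster ports reachable from this node")
    ```

    A refused connection and a silently dropped one both show up as closed here; if the distinction matters (a refusal means the packet reached the appliance and was rejected, a timeout usually means a filter in between), split the `OSError` handling into `ConnectionRefusedError` and `socket.timeout`.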