SunScreen 3.1 Administration Guide

Installing High Availability

The following is an overview for installing the SunScreen software in an HA configuration:

To Install High Availability
  1. Configure identical interfaces on all HA machines, by editing the /etc/inet/hostname.interface-name file or running the ifconfig command.

  2. Dedicate one interface on each machine to HA.

    • You must have a dedicated network between the HA hosts that, for reasons of security, is not connected to any other network.

    • All the HA machines must be configured with the same interface names and be connected to the network and to each other in the same way.

    • The dedicated HA interface must have a unique address name and IP address. (This is so that the configurations, including interface configurations, can be synchronized later.)

  3. Connect the HA interfaces of the HA machines one at a time after installing the operating system (if necessary) and configuring the routing on these machines.

    Since the HA hosts have the same names and IP addresses, you must connect the non-HA interfaces of only one of the HA machines, for example, HA1, as shown by the solid line in Figure 6-1. This machine will become the Primary and active HA Screen. (This approach prevents confusion from arising in the routing and ARP tables on the active HA Screen. After the HA configuration is complete, the HA software keeps the routing and ARP tables orderly.) You connect the Secondary Screen, for example, HA2, as shown by the broken line in Figure 6-1, to the hubs after you have installed, configured, and tested the Primary, active HA Screen and after you have installed and configured the Secondary HA Screen.

    You do not have to install any special software for HA other than installing SunScreen. The HA software is automatically installed as part of SunScreen.

    Figure 6-1 Wiring Before and During HA Configuration
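The interface requirements in steps 1 through 3 can be checked before the Secondary is cabled. The following script is an added example, not part of the SunScreen software or the original guide: it compares saved `ifconfig -a` output from two HA hosts and reports interface names that exist on only one host, non-HA addresses that differ, and an HA address that is not unique. The interface names, addresses, and sample output are constructed, and `qfe0` as the dedicated HA interface is an assumption.

```shell
#!/bin/sh
# Added example (not SunScreen code): compare saved `ifconfig -a` output from two HA hosts.

# Reduce ifconfig output on stdin to "interface address" lines, skipping lo0.
iface_table() {
    awk '/^[^ \t]/ { name = $1; sub(/:$/, "", name) }
         $1 == "inet" && name != "lo0" { print name, $2 }'
}

# check_ha_pair PRIMARY_FILE SECONDARY_FILE HA_INTERFACE
# Prints one line per problem; returns 0 only when the pair is consistent.
check_ha_pair() {
    { iface_table < "$1"; echo "---"; iface_table < "$2"; } | awk -v ha="$3" '
        $0 == "---" { second = 1; next }
        !second     { pri[$1] = $2; next }
                    { sec[$1] = $2 }
        END {
            for (i in pri) if (!(i in sec)) { print "missing on secondary: " i; bad = 1 }
            for (i in sec) if (!(i in pri)) { print "missing on primary: " i; bad = 1 }
            if (!((ha in pri) && (ha in sec))) { print "HA interface not plumbed on both hosts: " ha; bad = 1 }
            for (i in pri) {
                if (!(i in sec)) continue
                if (i == ha && pri[i] == sec[i]) {
                    print "HA address not unique: " i " " pri[i]; bad = 1
                } else if (i != ha && pri[i] != sec[i]) {
                    print "address differs on " i ": " pri[i] " vs " sec[i]; bad = 1
                }
            }
            exit bad + 0
        }'
}

# Constructed sample output; $1 is the address of qfe0, the assumed HA interface.
sample_host() { cat <<EOF
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.1 netmask ffffff00 broadcast 192.0.2.255
hme1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 198.51.100.1 netmask ffffff00 broadcast 198.51.100.255
qfe0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet $1 netmask ffffff00 broadcast 10.255.0.255
EOF
}

tmp=${TMPDIR:-/tmp}/ha-check.$$; mkdir -p "$tmp"
sample_host 10.255.0.1 > "$tmp/ha1"; sample_host 10.255.0.2 > "$tmp/ha2"
check_ha_pair "$tmp/ha1" "$tmp/ha2" qfe0 && echo "HA pair is consistent"
rm -rf "$tmp"
```

The script relies on `awk -v`, so on Solaris run it with `nawk` or `/usr/xpg4/bin/awk` in place of the default `/usr/bin/awk`.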


To Install HA on the Secondary HA Screen
  1. Install SunScreen on the Secondary HA Screen.

  2. Accept default settings on all install screens except for the Secondary HA Configuration dialog window:

    Select YES. The Secondary HA Data dialog window appears.

  3. In the Secondary HA Data dialog window:

    1. Fill in the HA Interface field.

    2. Fill in the Primary HA IP Address field.

  4. Click the OK button.

    The Secondary HA Configuration dialog window appears.

  5. Reboot the Secondary HA Screen.

To Define the HA Interface

The dedicated HA interface can be any interface on the Screen which has been plumbed and is not defined as a screening interface. To define an HA interface, perform the following steps:

  1. From the Common Objects area, select Interface from the Type choice list.

  2. Click the Search button.

  3. Select the interface name which you want to dedicate to HA and click Edit.

    If the interface does not appear, select New... from the Add New choice list.

  4. Define the interface, selecting HA as the Type.

  5. Click the OK button.

To Define the Screen Object for the HA Primary Screen
  1. From the Common Objects area, select Screen in the Type choice list.

  2. Click and highlight the name of the Screen that you want as the Primary HA Screen, then click the Edit button.

    If the Screen object is not yet defined for the Primary Screen, select New... from the Add New choice list and enter the name of the Primary Screen in the Name field.

  3. Click the Primary/Secondary tab.

  4. Select Primary in the High Availability field.

  5. Enter the IP address of the Primary Screen's dedicated HA interface in the High Availability IP Address field.

  6. Enter the Ethernet address of the interfaces on the Primary Screen in the Ethernet Address field.

  7. Click the OK button.

To Initialize HA on the Primary HA Screen
  1. Log in to the SunScreen Administration GUI.

    Go to the Policies List page.

  2. In the Policies List page, click on Initialize HA.

    The Initialize HA dialog window appears.

    Figure 6-2 Initialize HA Dialog Window


  3. Choose the interface to be the HA interface from the Interface choice list.

    Note -

    The HA interface on the Primary HA Screen and Secondary HA Screen must be the same.

  4. Click the OK button.

    The Policies List page appears.

To Add the Secondary HA Screen to the Primary HA Screen
  1. Click the Edit button on the Policies List page.

    The Policy Rules page appears.

  2. Select Screen from the Type choice list.

  3. Select New... from the Add New choice list.

    The Screen dialog window appears.

  4. Enter the name of the Secondary HA Screen in the Name field.

  5. Click the Primary/Secondary tab in the Screen dialog window.

    Figure 6-3 Screen Dialog Window HA/MasterConfig Area


  6. Enter the following in the Primary/Secondary area of the Screen dialog window:

    1. High Availability: Secondary

    2. Primary Name: Name of Primary Screen

    3. Administrative IP Address: Leave blank.

    4. High Availability IP Address: Secondary Screen IP address

  7. Click the OK button.

  8. Click the Save Changes button on the Policies List page.

    The Activate Policy dialog window appears.

  9. Click YES.

  10. Fully connect the Secondary HA Screen to the network.

    Note -

    After adding an HA Secondary Screen and activating your policy, the new Secondary Screen may become active. If you need to perform additional administration on the Primary Screen, you must direct the Secondary Screen to become passive in order to communicate with the Primary Screen.

  11. Configure the service and policy rules on the Primary HA Screen.

    All changes made on the Primary HA Screen are automatically copied to all Secondary HA Screens.

  12. Save and Activate the policy.