Manual Chapter: FirePass Controller version 5.4 Handbook: Using FirePass Controllers in Clusters


9. Using FirePass Controllers in Clusters


Overview of FirePass controller clusters

You can configure FirePass 4000 and 4100 controllers as a cluster in order to support large numbers of concurrent connections to a single URL without performance degradation. A cluster of FirePass controllers comprises two or more nodes that are configured as cluster nodes to provide synchronization of user account configuration. A cluster can also be used for load balancing connections. A cluster node consists of a single FirePass controller or a failover pair of controllers.

Clustering is ideal for enterprises with either a local or globally distributed network, allowing easy scalability, with increased performance and availability. For large deployments, a FirePass controller cluster can contain up to ten nodes, allowing up to 10,000 concurrent connections.

Note

Any cluster node can be a failover pair of FirePass controllers. Configure redundant systems (failover pairs) before configuring your cluster. For more information about configuring failover pairs, see Overview of FirePass controller failover pairs.

To ensure the highest level of availability, a FirePass controller cluster should be composed of multiple failover pairs. If this is not possible, F5 Networks recommends that at a minimum, your cluster primary node be a failover pair.

If load balancing is enabled, the primary controller in a cluster balances the load of new client sessions among secondary controllers by redirecting sessions to the secondary controllers. To make this possible, the secondary controllers report their number of currently active sessions as a part of the synchronization process.

Installing FirePass controllers as a cluster

This chapter assumes you have already installed the FirePass controllers and completed basic configuration. For more information, see Installing the FirePass controller.

Starting FirePass controller clusters

Always start the primary controller first. If the primary controller is not available when the secondary controllers start, the cluster will not work properly.

Configuring FirePass controller clusters

In a FirePass controller cluster, you configure one node as the primary, or master controller, and all additional controllers as secondary, or slave controllers. The primary (master) controller distributes configuration updates to the secondary (slave) controllers, once per minute. This synchronization process allows secondary controllers to service any user session. Clustered controllers do not share session information. Each session is established with a single controller.

Each FirePass controller (or node) in a cluster must have a valid certificate and be publicly accessible from outside the LAN using its own unique, fully-qualified domain name.

Note

Many clustering screens and links are visible only if you have enabled clustering.

There are some configuration settings you can change only on your primary FirePass controller. The primary controller sends these configurations to all secondary controllers during synchronization. When you use the Administrative Console to connect to a secondary controller, you are limited to changing configuration options that are not controlled by the primary controller. For example, you cannot change user and group account information on secondary controllers, and consequently the Users option on the navigation pane is not displayed when you connect to a secondary controller. The user and group account configurations flow from the primary to the secondary controllers. To make global configuration changes to a cluster, always make them on the primary.

You can configure all options on the primary node. On the secondary nodes you can only configure network settings and clustering settings.

Overview of cluster configuration

To configure FirePass controllers as a cluster, you need to complete several tasks, in order.

  • Enable clustering
    The first step in configuring a cluster of controllers is to enable clustering on each controller. Enabling clustering requires a restart of the controller. After you have restarted the controller, additional clustering screens and options are visible. As part of the process of enabling clustering, you need to copy the Cluster ID and Global ID from the primary controller to each of the secondary controllers. For more information, see Enabling clustering.
  • Configure your primary controller
    Configuring your primary controller involves two tasks.
  • Configure your secondary controllers
    Configuring your secondary controllers involves two tasks.
  • Verify that the cluster configuration is working
    After you have configured your cluster nodes, but before you allow remote clients to access the cluster, verify that all the controllers are working properly. For more information, see Verifying the cluster configuration.
  • Enable load balancing
    If you want to use the FirePass controller cluster for load balancing, you need to define at least one user service on the primary controller. The user service must allow HTTP and HTTPS access so that the service is accessible to users from outside the network. Load balancing is an optional feature that distributes the sessions among the available controllers. For more information, see Configuring load balancing.

Enabling clustering

You need to enable clustering on each of the nodes to be used in the cluster before you can configure the controllers for clustering. When you enable clustering, you are prompted to restart the controller. After restarting the controller, clustering configuration screens and options are visible in the Administrative Console.

Tip

If you are enabling clustering on a redundant system, configure clustering on the active controller of the pair.

To enable clustering on a primary FirePass controller

  1. Connect to the FirePass controller's Administrative Console using a Web browser.
  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, click Device Management, expand Configuration, and click Clustering and Failover.
    The Clustering and Failover screen displays.
  4. In the Clustering (Load-Balancing) Configuration area, follow these steps:
    1. Check the Enable Clustering Configuration box.
    2. Type the number of nodes in the Total Number of Cluster Nodes box.
    3. Select Master from the Cluster Node Master/Slave list.
    4. Copy the Cluster ID from the Cluster ID box.
      Write the Cluster ID down or paste it into a text file. You will need this ID when you configure the secondary controllers.
    5. Copy the clustering/failover global ID from the Cluster/Failover Global ID box.
      Write the global ID down or paste it into a text file. You will need this ID when you configure the secondary controllers.
  5. Click Apply Clustering/Failover Settings to configure the controller with the new settings.
    When the reconfiguration is done, you are prompted to restart the controller.
  6. Click the here link in the prompt to restart the controller.

To enable clustering on a secondary FirePass controller

  1. Connect to the secondary controller using a Web browser.
  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, click Device Management, expand Configuration, and click Clustering and Failover.
    The Clustering and Failover screen displays.
  4. In the Clustering (Load-Balancing) Configuration area, follow these steps:
    1. Check the Enable Clustering Configuration box.
    2. Type the number of nodes in the Total Number of Cluster Nodes box.
    3. Select Slave from the Cluster Node Master/Slave list.
    4. Type or paste the Cluster ID from the primary node into the Cluster ID box.
    5. Type or paste the clustering/failover global ID from the primary node into the Cluster/Failover Global ID box.
  5. Click Apply Clustering/Failover Settings to configure the controller with the new settings.
    When the reconfiguration is done, you are prompted to restart the controller.
  6. Click the here link in the prompt to restart the controller.

Follow the same procedure on all your secondary controllers to enable clustering.

Configuring the primary FirePass controller

After you have enabled clustering on all your nodes, you can configure the primary node. The primary node FirePass controller manages cluster synchronization and, if load balancing is enabled, makes decisions as new user sessions connect. All traffic goes through the primary node first.

To configure the primary node of a cluster, you need to configure a synchronization service, configure internal synchronization, and map other web services to the cluster nodes.

Configuring a synchronization service on the primary controller

Synchronization is the process the primary FirePass controller uses to exchange data with the secondary nodes of the cluster. Data synchronized from the primary node to the secondary nodes includes group data (including authentication parameters), new user accounts, and preconfigured favorites. Data synchronized from the secondary nodes back to the primary includes passwords, personal favorites, and account settings.

The following limitations affect how you configure the synchronization service:

  • The service must allow HTTP connections. For this reason, you should not configure it on a port that is also configured for user services.
  • The service cannot be redirected to another service (for example, HTTPS).
  • If the service is on a redundant system (failover pair), you should configure it on the pair's shared virtual IP address.
  • You can configure the service on the same port that a failover synchronization service uses.

To configure a synchronization service

  1. On the primary FirePass controller, connect to the Administrative Console using a Web browser.
  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The IP Configuration screen displays.
  4. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.
  5. In the Add new service area, follow these steps:
    1. Select a virtual IP address from the IP list.
    2. Type an unused port in the Port box. For example, type 82 in the Port box.
    3. Type the fully qualified domain name of the FirePass controller in the Hostname field.
    4. Select ActiveOnly from the For Mode list.
    5. To add the service, click Add New.
  6. On the Web Service Configuration for <Hostname or IP Address> screen, follow these steps:
    1. Check the Do not redirect the HTTPS box.
    2. Check the Synchronization Agent box.
    3. Leave all other options unchecked.
    4. Click Update to update the synchronization service settings.

Configuring internal synchronization on the primary controller

After you configure a synchronization service, you must pair that service on the primary controller to a service on each of the secondary controllers.

To configure internal synchronization on a primary node

  1. Click the Clustering tab at the top of the screen.
    The Clustering Settings screen displays.
  2. In the Internal Synchronization area, follow these steps:
    1. From the Service On Master list, select the IP address and port number of the synchronization service on the primary node.
    2. Type the IP address and port of the synchronization service on the slave node in the Service on Slave box.
    3. To update the synchronization service settings, click Update Table.
  3. At the top of the screen, click the Finalize tab.
    The Finalize Settings screen displays.
  4. Click Finalize Changes to finalize the primary node configuration.
  5. When prompted, click Go to restart the controller.

Note

The configuration on the primary node should match the corresponding entries on the other cluster members.

Important

These settings do not take effect until you have committed them using the Finalize screen and restarted the controller.

Configuring a secondary node FirePass controller

The secondary node FirePass controller handles user sessions delegated to it by the primary node of the cluster. During synchronization it sends updated passwords and favorites to the primary node. To configure a secondary node, you need to configure a Web service for synchronization and then configure internal synchronization.

Configuring a synchronization service on a secondary controller

Synchronization is the process the primary FirePass controller uses to exchange data with the secondary nodes of the cluster. Data synchronized from the primary node to the secondary nodes includes group data (including authentication parameters), new user accounts, and preconfigured favorites. Data synchronized from the secondary nodes back to the primary includes passwords, personal favorites, and account settings.

The following limitations affect how you configure the synchronization service:

  • The service must allow HTTP connections. For this reason, you should not configure it on a port that is also configured for user services.
  • The service cannot be redirected to another service (for example, HTTPS).
  • If the service is on a redundant system (failover pair), you should configure it on the pair's shared virtual IP address.
  • You can configure the service on the same port that a failover synchronization service uses.

To configure a synchronization service

  1. Connect to the secondary FirePass controller's Administrative Console using a Web browser.
  2. To log in, type the administrator's user name in the Username box, password in the Password box, and click Go.
  3. On the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The IP Configuration screen displays.
  4. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.
  5. In the Add new service area, follow these steps:
    1. Select a virtual IP address from the IP list.
    2. Type an unused port in the Port box. For example, type 82 in the Port box.
    3. Type the fully qualified domain name of the FirePass controller in the Hostname field.
    4. Select ActiveOnly from the For Mode list.
    5. Click Add New to add the service.
  6. On the Web Service Configuration for <Hostname or IP Address> screen, follow these steps:
    1. Check the Do not redirect the HTTPS box.
    2. Check the Synchronization Agent box.
    3. Leave all other options unchecked.
    4. To update the synchronization service settings, click Update.

Configuring internal synchronization on a secondary controller

After you configure a synchronization service, you must pair that service on each secondary controller to the synchronization service on the primary controller.

To configure internal synchronization on a secondary node

  1. Click the Clustering tab at the top of the screen.
    The Clustering Settings screen displays.
  2. In the Internal Synchronization area, follow these steps:
    1. From the Service On Slave list, select the IP address and port number (or host name) of the synchronization service on the current node.
    2. In the Service on Master box, type the IP address and port of the synchronization service on the primary node.
    3. To update the synchronization service settings, click Update Table.
  3. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen displays.
  4. Click Finalize Changes to finalize the secondary node configuration.
    The controller is reconfigured based on the changes you have made.
  5. When prompted, click Go to restart the controller.

Note

The configuration on this controller should match the corresponding entry on the primary controller.

Important

These settings do not take effect until you have committed them using the Finalize screen and restarted the controller.
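The synchronization-service limitations and the two Notes about matching Internal Synchronization entries are easy to get wrong by hand. The following checker is an added example, not F5 code: Node is a constructed stand-in for the values entered in the Clustering and Failover, Web Services, and Internal Synchronization screens, and the IDs and addresses in the sample are placeholders.

```python
# Added example, not F5 code: Node is a constructed stand-in for the values this
# chapter has you enter in the Administrative Console; the rules are the chapter's own.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Service = Tuple[str, int]  # (IP address or host name, port)

@dataclass
class Node:
    name: str
    role: str                     # "Master" (primary) or "Slave" (secondary)
    cluster_id: str               # copied from the primary's Cluster ID box
    global_id: str                # copied from the Cluster/Failover Global ID box
    sync: Service                 # the Web service used for synchronization
    sync_agent: bool = True       # "Synchronization Agent" box checked
    redirect_https: bool = False  # True if "Do not redirect the HTTPS" was left unchecked
    user_service_ports: List[int] = field(default_factory=list)
    failover_vip: Optional[str] = None  # shared VIP when the node is a failover pair
    # Internal Synchronization rows: (Service On Master, Service On Slave)
    pairings: List[Tuple[Service, Service]] = field(default_factory=list)

def check_cluster(nodes: List[Node]) -> List[str]:
    """Return findings; an empty list means the configuration is consistent."""
    findings: List[str] = []
    masters = [n for n in nodes if n.role == "Master"]
    if len(masters) != 1:
        return [f"expected exactly one Master node, found {len(masters)}"]
    master = masters[0]
    for n in nodes:
        ip, port = n.sync
        if (n.cluster_id, n.global_id) != (master.cluster_id, master.global_id):
            findings.append(f"{n.name}: Cluster ID or Global ID differs from the primary's")
        if not n.sync_agent or n.redirect_https:
            findings.append(f"{n.name}: {ip}:{port} must run the Synchronization Agent over plain HTTP")
        if port in n.user_service_ports:
            findings.append(f"{n.name}: sync port {port} is also a user-service port")
        if n.failover_vip and ip != n.failover_vip:
            findings.append(f"{n.name}: sync service on {ip}, not the failover VIP {n.failover_vip}")
        if n.role != "Slave":
            continue
        # A secondary's single row must name the real sync services on both ends
        # and appear verbatim in the primary's Internal Synchronization table.
        if len(n.pairings) != 1:
            findings.append(f"{n.name}: expected exactly one Internal Synchronization row")
            continue
        row = n.pairings[0]
        if row != (master.sync, n.sync):
            findings.append(f"{n.name}: row {row[0]} -> {row[1]} does not match the sync services")
        if row not in master.pairings:
            findings.append(f"{n.name}: row {row[0]} -> {row[1]} is missing from the primary's table")
    return findings

def sample_cluster(broken: bool = False) -> List[Node]:
    """Constructed two-node cluster; broken=True introduces two typical mistakes."""
    cid, gid = "CLUSTER-ID-PLACEHOLDER", "GLOBAL-ID-PLACEHOLDER"
    p_svc: Service = ("192.0.2.10", 82)  # primary's sync service, on its failover VIP
    s_svc: Service = ("192.0.2.20", 82)  # secondary's sync service
    primary = Node("fp-primary", "Master", cid, gid, p_svc, user_service_ports=[80, 443],
                   failover_vip="192.0.2.10", pairings=[(p_svc, s_svc)])
    secondary = Node("fp-secondary", "Slave", cid, gid, s_svc, user_service_ports=[80, 443],
                     pairings=[(p_svc, s_svc)])
    if broken:
        secondary.redirect_https = True                   # forgot "Do not redirect the HTTPS"
        primary.pairings = [(p_svc, ("192.0.2.20", 83))]  # typo in Service On Slave <n>
    return [primary, secondary]
```

Run `check_cluster` over your own transcription of each node's screens before finalizing; an empty result means the IDs, sync-service settings and pairing rows agree across the cluster.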

Verifying the cluster configuration

After configuring your primary and secondary FirePass controller nodes, you need to verify that the configuration is properly working before allowing access to any remote users.

To verify that your cluster configuration is working

  1. Connect to the primary FirePass controller using a Web browser.
  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, click Clustering.
  4. Click Stats to display the Stats screen.
  5. On the Stats screen, in the Last Sync column, verify that the primary and secondary controllers are synchronizing every 60 seconds.

To verify that load balancing is working

  1. Connect to the primary FirePass controller using a Web browser.
  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, expand Clustering.
    The Settings screen displays.
  4. From the Load Balancing list, select Random.
  5. Log in as a user and see if the primary controller has redirected the user session to a secondary node.

Note

The user session might remain on the primary node even when load balancing is correctly configured. If the user session is not redirected, log in as a second user and check to see if that session is redirected.

  6. Check the logs on the cluster primary node for errors.

Configuring load balancing

If you choose to, you can configure the optional load balancing feature of FirePass clusters. Load balancing is the process the primary FirePass controller uses to distribute user sessions among all the controllers in the cluster. Balancing the load guarantees that no single controller becomes overloaded while another controller goes underused. By default, load balancing is turned off.

To configure load balancing

  1. Connect to the primary FirePass controller using a Web browser.
  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, click Clustering.
    The Clustering : Settings screen displays.
  4. From the Load Balancing list, select Random.
    The Allow optional manual logon to slave nodes from master logon page box appears.
  5. If you want to allow users to choose which secondary node they log on to, click the Allow optional manual logon to slave nodes from master logon page box.
  6. To continue configuring load balancing, click Please click here to set up the cluster network configuration.
    The Device Management : Configuration : Network Configuration : Clustering screen displays.
  7. In the Load Balancing section, type an IP address and port (or host name and port) for each secondary node in the Service On Slave <n> boxes.
  8. Click Update Table to update the load balancing configuration.
  9. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen displays.
  10. Click Finalize Changes to finalize the load balancing configuration.
  11. When prompted, restart the controller.

Managing a cluster configuration

After you have configured the FirePass controller cluster and verified that it is working properly, you can use the Administrative Console to manage the cluster and to make some additional configuration changes.

Accessing a secondary controller's configuration from a primary controller

You can access a secondary controller's configuration directly, by typing its <IP address/admin/> or <fully qualified domain name/admin/> in a browser. You can also access a secondary controller's configuration by using the Administrative Console on the primary controller.

To access a secondary controller's configuration from the primary controller

  1. Use the Administrative Console to connect to the primary FirePass controller in the cluster, and log in.
  2. On the navigation pane, click Clustering, and then click Slave Admin.
  3. Click the link for the secondary controller that you want to access.
    The Administrative Console displays the secondary controller's settings within the console window.
  4. On the navigation pane, click Settings.
    The slave Settings screen for the secondary controller appears.

Note

To return to the primary controller, type the fully qualified domain name for the primary controller in your Web browser, and then log in.

Displaying statistics for a FirePass controller cluster

You can display operational statistics for a controller cluster in near-real time. The statistics include the number of sessions active on the controllers, the average bitrate and CPU load, and the time of the most recent primary-secondary synchronization.

To display statistics for a FirePass controller cluster

  1. Use the Administrative Console to connect to the primary FirePass controller in the cluster, and log in.
  2. On the navigation pane, click Clustering, and then click Stats.
