|14-04-2015, 04:11 PM||#1|
Trả Lời: n/a
Hướng dẫn cấu hình Sophos UTM High Availability (HA) Cluster trên Hyper-V
Hướng dẫn cấu hình Sophos UTM High Availability (HA) Cluster trên Hyper-V
Deploying Sophos UTM in a High Availability pair allows for continuous uptime of the Sophos UTM services in the event that one of the UTM nodes fails.
Failures can occur due to hardware or system crashes on the UTM, or in a virtual environment the failure can occur on the hypervisor host itself. A common example of this is routine periodic patch cycles that require a reboot of the host.
Sophos UTM High Availability Options
You can configure Sophos UTM to operate in one of two High Availability modes:
Cluster (Active – Active): in this mode, both nodes are actively handling traffic. This mode allows for increased throughput in your UTM environment since all nodes are doing their share of the workload.
Hot Standby (Active-Passive): in this mode you have a primary or master node that is handling all of the traffic. The other node is ready and waiting to take over should the master fail. This mode allows for high availability but without the performance gain.
Due to the way Sophos UTM is licensed, this is a very attractive deployment since only the active node needs to be licensed. In a virtual deployment you don’t even need to purchase the UTM hardware. It is therefore almost a given that if you have enough virtual infrastructure you should be running an Active Passive pair.
You can change your deployment from Hot Standby to Cluster but you cannot change it back. You would need to perform a factory reset on the devices before you can break the cluster.
Building a Sophos UTM Hot Standby (Active Passive) Environment
In this article, we will take you through the steps to deploy Sophos UTM in Hot Standby mode using Microsoft Hyper-V.
Preparing the virtual switch requirements
We are going to build the Active – Passive High Availability (HA) deployment over two hyper-V hosts. This is typical since the hardware failure of a single host should not affect both of your Sophos UTM virtual machines. This of course, means that all of the steps below need to be configured on both hyper-V hosts.
NOTE: Although it is possible to build a HA pair on a single Hyper-V host, it does not work 100% due to the way MAC spoofing is handled.
Sophos UTM has a minimum requirement of three network interfaces:
We suggest using a crossover cable for the heartbeat network. It is rare for switch gear to fail but you don’t want a power outage on the switches to cause your HA cluster to start failing back and forth. The requirement is also for the replica to support broadcast UDP, which may not be enabled in your switch infrastructure.
Create a Sohpos UTM Virtual Machine on each host
Both virtual machines need to be identical from a network interface perspective so take extra care to make sure you get this right. Double check to ensure that the interfaces of the host itself do in fact bind to the desired network.
Attach the network adapters in order. This should ensure that they are identified as eth0, eth1 and eth2.
For the rest of the hardware configuration you can specify the following:
Step 1 – Download Sophos UTM ISO
Start by downloading the Sophos UTM ISO image as this may take some time to complete, and you can perform step 2 below while you wait.
Browse to: http://www.sophos.com/en-us/products...e-edition.aspx
Follow the download process and Sophos will email you a license key and grant you access to the downloads. You will need this key, in the form of a license file, to complete the setup.
Step 2 – Hyper-V configuration
This guide uses a Windows Server 2012 R2 host. The Hyper-V host is configured with two NICs. One will be patched directly into a DSL router. The other is patched into the internal corporate network.
Step 2.1 Configuring Host networking
Two virtual switches need to be created.
If you have a look at the Hyper-V hosts you should now see three adapters. Two network adapters that are the switches, and an additional adapter called “vEthernet” which is the host’s connection to the Internal – Corporate Switch.
Step 2.2 Creating the virtual Machine
The Sophos UTM appliance has very moderate minimum requirements from a CPU and RAM perspective. Because we have more resources available, we are going to create the virtual machine with the following specifications. We have found the UTM to perform smoothly with most options enabled with this specification:
Generation 1 Virtual Machine
Step 3 – UTM Installation
Start up the virtual machine and connect to it with the console. By default the VM will boot from the attached ISO (see step 2.2 above)
Press Enter to start the installation:
Select Start. The Detected hardware should show everything showing up correctly. Select OK.
Make a note to ensure you know which eth (for Ethernet adapter) is associated with which Virtual Ethernet Card.
Select your keyboard layout (such as English USA). Select your Area. Select your Timezone.
Make sure these settings are correct in relation to your domain.
Select which interface you will use to access the Web admin user interface. This is normally your internal network. Select eth0.
Specify the IP address details:
Select Yes to install with a 64-Bit kernel:
Select Yes to install the enterprise toolkit:
Confirm that the virtual disk can be partitioned. Wait for the install to complete. Make a note of the IP address and Port as you will use this from your browser to access the Web Admin interface moving forward.
This completes the build section. If you are using a virtual machine this is a good place to take a snapshot or create a checkpoint.
Step 4 – Initial Configuration Wizard
You are now ready to start up your UTM for the first time. If you are still viewing this process from the console window you will see the following when the machine restarts. It simply show this white screen while it boots (press F2 button on your keyboard to check boot sequence and see if something goes wrong during booting).
Pressing F2 will show you the boot up details.
If all the steps have been completed successfully, there should be no errors during start-up. In case you missed it, the web admin URL is listed at the bottom of the screen.
From now on you will stop using the console to work directly on the virtual machine. According to my source at Sophos, one of the UTM design goals is to never require an administrator to use anything other than the web interface.
Step 5 – Sophos UTMs Initial Configuration Wizard
Open your favourite browser and connect to the specified management URL.
Note that the admin email account will be the default account used for notification from the UTM. It is a good idea to specify a notification email address especially if you are just doing a test or trial deployment.
Check the “I accept the license agreement” check box. Click Perform basic system setup button. As part of the wizard you will be logged off: log in with your new credentials:
Here you specify the internal IP address of the UTM device as well as the subnet. Only if you do not already have DHCP enabled should you check the Enable DHCP server box.
Selecting the Internet Uplink will be determined by the kind of internet connection available. In this setup, we have a DSL connection with fixed public IP address.
We are starting with the just a basic web surfing configuration. Check the Web check box, click Next.
To make it easier to check that your UTM is up and running, enable the ping options. These can be turned off later.
For Intrusion Prevention, select the options relevant to your environment. Click Next.
Enable Network Visibility, click Next.
Check the web categories you want to filter. Click Next.
It is a good idea to also filter additional categories to make it easier to test your deployment. You want to be able to access websites through the proxy but also know that it will filter URLs correctly. These can always be changed afterwards.
The summary will indicate the choices you have made
Click Finish to complete this section.
Step 6 – Additional Post Deployment Steps
By this stage you should have a proxy that works fine for everything on its own internal subnet. If you have a small network deployment that only has one subnet you can skip this step.
To allow clients from other subnets to also be able to connect and use the proxy, you need to add a static route to all internal traffic correctly though the internal interface.
Routing basics: A machine can only have one default route. If the machine does not know where to route traffic, it will use that route. Since the UTM has two interfaces, one will be the default. This is always the external interface because it routes everything to the internet.
You therefore need to manually configure it to send any traffic destined for the internal network via the internal interface. Here’s how to do it:
Click + next to Gateway to create another network definition with the following settings:
Once this is configured, the internal traffic should now route correctly though the internal interface. Your static routing settings should now look like the following image.
You can use the support tools to check ping and trace route (tracrt).
The next thing that needs to happen is that the proxy functionality needs to be configured.
Select Web Protection | Web filtering: by default the allowed Network only includes the subnet that the UTM is on.
Step 7 – Configure a browser
To use the UTM, you need to configure your browser’s proxy settings.
Each browser is slightly different, but all have an option to specify a manual proxy configuration. Specify the Sophos UTM’s management IP address and Port 8080.
You should be able to surf the Internet from anywhere within your corporate network. URL filtering should also prevent you from accessing sites blocked according to the specified categories.
With your Sophos UTM now configured, it is another great time to take a snapshot of your VM.
Configure the Sophos UTM virtual machines
We are just going to proceed with a basic setup of each Sophos UTM node.
Once the Virtual Machines are joined in an HA pair the configuration will be automatically synced between the nodes. It is of course possible to add a HA node to an existing, fully configured, stand alone UTM. Just ensure you have local copies of the backups.
On each Sophos UTM Virtual Machine:
After the initial build cycle, log back in and step through the initial set up wizard as set out below. Again, this will be the same on both nodes, with the exception of the Internal IP address.
Configuring High Availability (HA) on Sophos UTM
Up to now you have configured two UTMs to be nearly identical. In this step you will merge the configuration on the two devices. The individual management addresses will fall away, one of them will be selected as the shared virtual IP that will be used from now on to manage the HA pair.
On both Sophos UTM Virtual Machines:
At this stage, the initial sync will be performed. This will cause you to be temporarily disconnected from the web interface.
The sync could take a while to complete, be patient. We set up continuous pings to the two management IP’s. When one stops responding you know things are working away in the background. After a few minutes you will be able to log back into the web interface. You can check on the progress by selecting the Status tab from the Management | High Availability section.
Once the two nodes are in sync, you will see the status change from SYNCING to READY. At this stage you have a working HA Active – Passive pair!
Managing the HA Pair can now be performed through the single management interface. All changes will automatically be replicated.
Now that the configuration is online, you can set the High Availability | Configuration | Advanced Settings.
The preferred master is the node you want to prefer to always own the role.
In the event of the cross over cable being accidentally unplugged, the backup interface setting will keep the nodes from erroneously failing over and fighting over the virtual IPs.
Testing the fail over is a simple process but it pays to do the due diligence here.
From the High Availability | Status tab, take turns to reboot each node member one at a time ensuring that the management IP does not go down during the switch over. A simple continuous ping is a great way to track it. In our testing we found that switching from one node to the other resulted in a single dropped ping.
When the nodes reboot you will notice an extra start up process for the High Availability modules. There is a built in check and you can see which interface is being used to listen to the heartbeat. This adds about 20 seconds or so to the initialising time, so it is easy to spot.