14-04-2015, 04:11 PM   #1
Guide: configuring a Sophos UTM High Availability (HA) Cluster on Hyper-V

Deploying Sophos UTM in a High Availability pair allows for continuous uptime of the Sophos UTM services in the event that one of the UTM nodes fails.
Failures can occur due to hardware or system crashes on the UTM, or in a virtual environment the failure can occur on the hypervisor host itself. A common example of this is routine periodic patch cycles that require a reboot of the host.
Sophos UTM High Availability Options

You can configure Sophos UTM to operate in one of two High Availability modes:
Cluster (Active – Active): in this mode, both nodes are actively handling traffic. This mode allows for increased throughput in your UTM environment since all nodes are doing their share of the workload.
Hot Standby (Active-Passive): in this mode you have a primary or master node that is handling all of the traffic. The other node is ready and waiting to take over should the master fail. This mode allows for high availability but without the performance gain.
Due to the way Sophos UTM is licensed, Hot Standby is a very attractive deployment option, since only the active node needs to be licensed. In a virtual deployment you don’t even need to purchase the UTM hardware. It is therefore almost a given that if you have enough virtual infrastructure you should be running an Active-Passive pair.
You can change your deployment from Hot Standby to Cluster but you cannot change it back. You would need to perform a factory reset on the devices before you can break the cluster.
Building a Sophos UTM Hot Standby (Active Passive) Environment

In this article, we will take you through the steps to deploy Sophos UTM in Hot Standby mode using Microsoft Hyper-V.
Preparing the virtual switch requirements

We are going to build the Active – Passive High Availability (HA) deployment over two Hyper-V hosts. This is the typical layout, since the hardware failure of a single host should not affect both of your Sophos UTM virtual machines. This, of course, means that all of the steps below need to be configured on both Hyper-V hosts.
NOTE: Although it is possible to build a HA pair on a single Hyper-V host, it does not work 100% due to the way MAC spoofing is handled.
Sophos UTM has a minimum requirement of three network interfaces:
  • Internal
  • External
  • Replica or heartbeat
Create three virtual switches, one per network. All three switches are of the External type.
We suggest using a crossover cable for the heartbeat network. It is rare for switch gear to fail, but you don’t want a power outage on the switches to cause your HA cluster to start failing back and forth. The heartbeat (replica) link must also carry broadcast UDP, which may not be enabled in your switch infrastructure.

Create a Sophos UTM Virtual Machine on each host

Both virtual machines need to be identical from a network interface perspective so take extra care to make sure you get this right. Double check to ensure that the interfaces of the host itself do in fact bind to the desired network.
Attach the network adapters in the following order so that they are identified as eth0, eth1 and eth2:
  • Internal
  • External
  • Heartbeat
For each adapter, you also need to enable MAC address spoofing. This is so that the nodes can present the virtual MAC addresses of the virtual IPs that are shared by the HA pair. To do this:
  • Select the network adapter
  • Select Advanced features
  • Select Static MAC address
  • Check Enable MAC address spoofing

For the rest of the hardware configuration you can specify the following:
  • 2 x CPU
  • 4GB of static RAM
  • Single dynamic virtual HDD
  • Attach your Sophos UTM build ISO to the virtual DVD
Building the Sophos UTM virtual machines

Step 1 – Download Sophos UTM ISO

Start by downloading the Sophos UTM ISO image as this may take some time to complete, and you can perform step 2 below while you wait.
Browse to:
Follow the download process and Sophos will email you a license key and grant you access to the downloads. You will need this key, in the form of a license file, to complete the setup.
Step 2 – Hyper-V configuration

This guide uses a Windows Server 2012 R2 host. The Hyper-V host is configured with two NICs. One will be patched directly into a DSL router. The other is patched into the internal corporate network.
Step 2.1 Configuring Host networking

Two virtual switches need to be created.
  • The Internet-facing virtual switch is named External – Internet. The connection type is External and the relevant NIC is selected. Leave “Allow management operating system to share this network adapter” unchecked on this switch.
  • The internal network facing virtual switch is named Internal – Corporate. The connection type is External and the relevant NIC is selected. Check “Allow management operating system to share this network adapter” on this switch.

If you look at the Hyper-V host’s network connections you should now see three adapters: the two physical NICs that are bound to the switches, and an additional adapter called “vEthernet”, which is the host’s own connection to the Internal – Corporate switch.

Step 2.2 Creating the virtual Machine

The Sophos UTM appliance has very moderate minimum requirements from a CPU and RAM perspective. Because we have more resources available, we are going to create the virtual machine with the following specifications. We have found the UTM to perform smoothly with most options enabled with this specification:
Generation 1 Virtual Machine
  • 4 x CPU
  • 4GB RAM Static
  • HDD 127GB Dynamic
  • Attach the Sophos UTM ISO downloaded in Step 1 above as a DVD Drive
Configure TWO Network adapters:
  • One Connected to the Internal – Corporate Switch
  • One connected to the External – Internet Switch
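The three-switch HA node build described earlier (Preparing the virtual switch requirements and Create a Sophos UTM Virtual Machine on each host) and the two-switch stand-alone build of Step 2 come down to the same Hyper-V cmdlets. The PowerShell below is an added example and is not from the original post: it creates the External switches with the management OS sharing setting chosen per switch, builds a Generation 1 VM with static RAM and a dynamically expanding VHDX, attaches the ISO, adds the network adapters in the order given so the installer sees them as eth0, eth1 and eth2, and enables MAC address spoofing on each adapter. The physical NIC names, file paths and VM names are assumptions for the example; run it in an elevated PowerShell on each Hyper-V host and adjust them to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Host NIC names, paths and
# VM names are assumptions; change them to match your hosts.

function New-UtmSwitch {
    # Creates an External virtual switch bound to one physical NIC.
    # -ShareWithHost maps to "Allow management operating system to share
    # this network adapter"; leave it off for the Internet-facing switch.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $NetAdapterName,
        [switch] $ShareWithHost
    )
    if (Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Switch '$Name' already exists"
        return
    }
    New-VMSwitch -Name $Name -NetAdapterName $NetAdapterName `
                 -AllowManagementOS $ShareWithHost.IsPresent | Out-Null
}

function New-UtmNode {
    # Builds a Generation 1 UTM VM. $SwitchNames is ordered: the first
    # switch becomes eth0 inside the UTM, the second eth1, and so on.
    param(
        [Parameter(Mandatory)] [string]   $VMName,
        [Parameter(Mandatory)] [string[]] $SwitchNames,
        [Parameter(Mandatory)] [string]   $IsoPath,
        [string] $VhdPath     = "C:\Hyper-V\$VMName\$VMName.vhdx",
        [int]    $CpuCount    = 2,
        [long]   $MemoryBytes = 4GB,
        [long]   $DiskBytes   = 127GB
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $VhdPath) | Out-Null
    # -NewVHDPath creates a dynamically expanding VHDX of the requested size.
    New-VM -Name $VMName -Generation 1 -MemoryStartupBytes $MemoryBytes `
           -NewVHDPath $VhdPath -NewVHDSizeBytes $DiskBytes | Out-Null
    Set-VMProcessor -VMName $VMName -Count $CpuCount
    Set-VMMemory    -VMName $VMName -DynamicMemoryEnabled $false -StartupBytes $MemoryBytes
    # Generation 1 VMs get a DVD drive by default; point it at the UTM ISO.
    Set-VMDvdDrive  -VMName $VMName -Path $IsoPath

    # Remove the default adapter so the adapter order is exactly $SwitchNames.
    Get-VMNetworkAdapter -VMName $VMName | Remove-VMNetworkAdapter
    foreach ($sw in $SwitchNames) {
        Add-VMNetworkAdapter -VMName $VMName -Name $sw -SwitchName $sw
        # MAC spoofing lets the node answer for the HA pair's shared virtual MACs.
        Set-VMNetworkAdapter -VMName $VMName -Name $sw -MacAddressSpoofing On
    }
}

function Get-UtmAdapterMap {
    # Lists the VM's adapters in order with switch, MAC and spoofing state so
    # you can match eth0/eth1/eth2 on the installer's "Detected hardware"
    # screen. Hyper-V assigns dynamic MACs at first start, so run this after
    # the VM has been started once.
    param([Parameter(Mandatory)] [string] $VMName)
    Get-VMNetworkAdapter -VMName $VMName |
        Select-Object Name, SwitchName, MacAddress, MacAddressSpoofing
}

# --- Stand-alone lab build from Step 2: two switches, host shares the internal one
New-UtmSwitch -Name 'External - Internet'  -NetAdapterName 'Ethernet 1'
New-UtmSwitch -Name 'Internal - Corporate' -NetAdapterName 'Ethernet 2' -ShareWithHost
New-UtmNode -VMName 'UTM-LAB' -IsoPath 'C:\ISO\sophos-utm.iso' -CpuCount 4 `
            -SwitchNames 'Internal - Corporate', 'External - Internet'

# --- HA node build: add the heartbeat switch and a third adapter.
# Run the same lines on the second host with a different VM name.
New-UtmSwitch -Name 'Heartbeat' -NetAdapterName 'Ethernet 3'
New-UtmNode -VMName 'UTM-NODE1' -IsoPath 'C:\ISO\sophos-utm.iso' `
            -SwitchNames 'Internal - Corporate', 'External - Internet', 'Heartbeat'
Get-UtmAdapterMap -VMName 'UTM-NODE1' | Format-Table -AutoSize
```

The default adapter that New-VM creates is removed on purpose: adapter order inside the guest follows the order in which adapters were added, and the UTM installer names them eth0, eth1, eth2 in that order, so adding Internal first, then External, then Heartbeat gives the layout the rest of this guide assumes.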

Step 3 – UTM Installation

Start up the virtual machine and connect to it with the console. By default the VM will boot from the attached ISO (see step 2.2 above).
Press Enter to start the installation:

Select Start. The Detected hardware screen should list all of the hardware correctly. Select OK.


Make a note to ensure you know which eth (for Ethernet adapter) is associated with which Virtual Ethernet Card.
Select your keyboard layout (such as English USA). Select your Area. Select your Timezone.

Make sure these settings are correct in relation to your domain.
Select which interface you will use to access the Web admin user interface. This is normally your internal network. Select eth0.

Specify the IP address details:

Select Yes to install with a 64-Bit kernel:

Select Yes to install the enterprise toolkit:

Confirm that the virtual disk can be partitioned. Wait for the install to complete. Make a note of the IP address and Port as you will use this from your browser to access the Web Admin interface moving forward.

This completes the build section. If you are using a virtual machine this is a good place to take a snapshot or create a checkpoint.
Step 4 – Initial Configuration Wizard

You are now ready to start up your UTM for the first time. If you are still viewing this process from the console window you will see the following when the machine restarts. It simply shows a white screen while it boots (press F2 on your keyboard to view the boot sequence and see if something goes wrong during booting).

Pressing F2 will show you the boot up details.

If all the steps have been completed successfully, there should be no errors during start-up. In case you missed it, the web admin URL is listed at the bottom of the screen.
From now on you will stop using the console to work directly on the virtual machine. According to my source at Sophos, one of the UTM design goals is to never require an administrator to use anything other than the web interface.
Step 5 – Sophos UTM’s Initial Configuration Wizard

Open your favourite browser and connect to the specified management URL.
  • Specify the Hostname of the UTM
  • Specify Company name
  • City
  • Country
  • Admin password
  • Admin email account

Note that the admin email account will be the default account used for notification from the UTM. It is a good idea to specify a notification email address especially if you are just doing a test or trial deployment.
Check the “I accept the license agreement” check box. Click Perform basic system setup button. As part of the wizard you will be logged off: log in with your new credentials:

  • Select Continue with the wizard and click Next.
  • Check your mailbox for the attached license file from Sophos.
  • Save it locally on your machine.
  • Click the folder icon and select the file.
  • Click Next.

Here you specify the internal IP address of the UTM device as well as the subnet. Check the Enable DHCP server box only if you do not already have a DHCP server on this network.

The Internet Uplink selection depends on the kind of internet connection available. In this setup, we have a DSL connection with a fixed public IP address.

We are starting with just a basic web surfing configuration. Check the Web check box, then click Next.
To make it easier to check that your UTM is up and running, enable the ping options. These can be turned off later.

For Intrusion Prevention, select the options relevant to your environment. Click Next.

Enable Network Visibility, click Next.

Check the web categories you want to filter. Click Next.
It is a good idea to also filter additional categories to make it easier to test your deployment. You want to be able to access websites through the proxy but also know that it will filter URLs correctly. These can always be changed afterwards.

The summary will indicate the choices you have made.
Click Finish to complete this section.
Step 6 – Additional Post Deployment Steps

By this stage you should have a proxy that works fine for everything on its own internal subnet. If you have a small network deployment that only has one subnet you can skip this step.
To allow clients from other subnets to also be able to connect and use the proxy, you need to add a static route so that all internal traffic is routed correctly through the internal interface.
Routing basics: a machine can only have one default route. If the machine does not know where to route traffic, it will use that route. Since the UTM has two interfaces, one of them will carry the default route. On the UTM this is always the external interface, because it routes everything to the internet.
You therefore need to manually configure it to send any traffic destined for the internal network via the internal interface. Here’s how to do it:
  • Select Interfaces & Routing
  • Select Static Routing
  • Click + New Static Route
  • Route Type will be Gateway Route
Click + next to Network to create a new network definition with the following settings:
  • Name: Internal Corporate
  • Type: Network
  • IPV4 Address:
  • Netmask: /8
  • Click Save

Click + next to Gateway to create another network definition with the following settings:
  • Name: Internal Gateway
  • Type: HOST
  • IPv4 Address: (your internal subnet’s gateway)
  • Click Save

Once this is configured, the internal traffic should now route correctly through the internal interface. Your static routing settings should now look like the following image.

You can use the support tools to check ping and trace route (tracert).
The next thing that needs to happen is that the proxy functionality needs to be configured.
Select Web Protection | Web filtering: by default the allowed Network only includes the subnet that the UTM is on.
  • Click the folder next to Allowed Networks
  • Select and drag the Internal Corporate Network object we created earlier into the Allowed networks box.
  • Next, change the proxy mode from Transparent to Standard Mode
  • Click Apply

Step 7 – Configure a browser

To use the UTM, you need to configure your browser’s proxy settings.
Each browser is slightly different, but all have an option to specify a manual proxy configuration. Specify the Sophos UTM’s management IP address and Port 8080.

You should be able to surf the Internet from anywhere within your corporate network. URL filtering should also prevent you from accessing sites blocked according to the specified categories.
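To check the static route of Step 6 and the Standard-mode proxy of Step 7 from a client on another subnet, the following PowerShell is an added example and is not from the original post. It first confirms that TCP port 8080 on the UTM’s internal address is reachable (and which local source address the client used to get there), then fetches an allowed URL and a URL in a filtered category through the proxy and reports the HTTP status and page title each one produced. The UTM address and the test URLs are assumptions for the example.

```powershell
# Added example (not from the original post). $UtmAddress and the test URLs
# are assumptions; replace them with your UTM's internal IP and with sites
# that are allowed / filtered under your web filtering categories.
$UtmAddress = '10.0.0.1'
$ProxyUrl   = "http://${UtmAddress}:8080"

function Test-UtmProxyPort {
    # Confirms the client can reach the proxy port at all. From a client in
    # another subnet this fails until the static route from Step 6 is in place.
    param([string] $Address = $UtmAddress, [int] $Port = 8080)
    $r = Test-NetConnection -ComputerName $Address -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Address   = $Address
        Port      = $Port
        Reachable = $r.TcpTestSucceeded
        # Local source address the client used; handy when debugging routing.
        Via       = $r.SourceAddress.IPAddress
    }
}

function Get-UtmProxyResult {
    # Fetches one URL through the UTM proxy and returns the HTTP status and
    # page title. A filtered site is answered by the UTM's block page instead
    # of the real site, so its status and title show up here.
    param([Parameter(Mandatory)] [string] $Url, [string] $Proxy = $ProxyUrl)
    try {
        $resp   = Invoke-WebRequest -Uri $Url -Proxy $Proxy -UseBasicParsing -TimeoutSec 15
        $status = [int] $resp.StatusCode
        $body   = [string] $resp.Content
    } catch {
        # Non-success responses raise an exception; recover the status if any.
        $status = if ($_.Exception.Response) { [int] $_.Exception.Response.StatusCode } else { -1 }
        $body   = ''
    }
    $title = if ($body -match '<title>(.*?)</title>') { $Matches[1] } else { '' }
    [pscustomobject]@{ Url = $Url; Status = $status; Title = $title }
}

Test-UtmProxyPort | Format-List
@('http://example.com/', 'http://filtered-category.example/') |
    ForEach-Object { Get-UtmProxyResult -Url $_ } |
    Format-Table -AutoSize
```

Run it from a machine that is not on the UTM’s own subnet: a failed port test points at the static route or the Allowed Networks setting, while a reachable port with the real page title for the allowed URL and the UTM’s block page for the filtered one shows that both routing and category filtering are working.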
With your Sophos UTM now configured, it is another great time to take a snapshot of your VM.
Configure the Sophos UTM virtual machines

We are just going to proceed with a basic setup of each Sophos UTM node.
Once the Virtual Machines are joined in an HA pair, the configuration will be automatically synced between the nodes. It is of course possible to add a HA node to an existing, fully configured, stand-alone UTM. Just ensure you have local copies of the backups.
On each Sophos UTM Virtual Machine:
  • Complete the Welcome Screen
  • Accept the License agreement
  • Click Perform basic system setup
  • The only difference between the Sophos UTM nodes should be the hostname.

After the initial build cycle, log back in and step through the initial set up wizard as set out below. Again, this will be the same on both nodes, with the exception of the Internal IP address.
  • Click Continue
  • Don’t Specify License at this stage
  • Internal LAN should remain the same and should not require changing (it inherits the setting from the build stage)
  • For the Internet WAN setting, check the “Setup Internet Connection Later” box
  • Proceed through the rest of the wizard accepting all defaults
Your summary should look like this:

Configuring High Availability (HA) on Sophos UTM

Up to now you have configured two UTMs to be nearly identical. In this step you will merge the configuration on the two devices. The individual management addresses will fall away; one of them will be selected as the shared virtual IP that will be used from now on to manage the HA pair.
On both Sophos UTM Virtual Machines:
  • Select Management | High Availability | Configuration Tab
  • Operation Mode: Hot Standby (Active-Passive)
  • Sync NIC: eth2 (the heartbeat adapter)
  • Device Name: The name of the Node you are currently configuring
  • Device node ID: 1 or 2 depending on the host (they must be different)
  • Encryption key: A phrase or password to use for encryption. It has to match on both nodes. Another descriptive term would be “the shared secret.”
  • Click Apply
  • Repeat on the second node

At this stage, the initial sync will be performed. This will cause you to be temporarily disconnected from the web interface.
The sync could take a while to complete, so be patient. We set up continuous pings to the two management IPs. When one stops responding you know things are working away in the background. After a few minutes you will be able to log back into the web interface. You can check on the progress by selecting the Status tab from the Management | High Availability section.

Once the two nodes are in sync, you will see the status change from SYNCING to READY. At this stage you have a working HA Active – Passive pair!
Managing the HA Pair can now be performed through the single management interface. All changes will automatically be replicated.
Now that the configuration is online, you can set the High Availability | Configuration | Advanced Settings.
The preferred master is the node you want to own the master role whenever it is available.
In the event of the cross over cable being accidentally unplugged, the backup interface setting will keep the nodes from erroneously failing over and fighting over the virtual IPs.


Testing the fail over is a simple process but it pays to do the due diligence here.
From the High Availability | Status tab, take turns to reboot each node member one at a time ensuring that the management IP does not go down during the switch over. A simple continuous ping is a great way to track it. In our testing we found that switching from one node to the other resulted in a single dropped ping.
When the nodes reboot you will notice an extra start-up process for the High Availability modules. There is a built-in check, and you can see which interface is being used to listen for the heartbeat. This adds about 20 seconds or so to the initialising time, so it is easy to spot.
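The continuous ping used for the fail-over test above is worth turning into something that records what actually happened. The PowerShell below is an added example and is not from the original post: it pings the shared management address once per second for a set period and logs every outage with its start time, end time and the number of lost replies, so that a reboot of each node in turn produces a small table of switch-over gaps rather than a scrolling console. The address is an assumption; use the HA pair’s shared management IP.

```powershell
# Added example (not from the original post). The address is an assumption:
# use the shared management IP of the HA pair.
function Watch-UtmFailover {
    # Pings $Address once per interval and records each outage as start time,
    # end time and number of consecutive lost replies. Run it while rebooting
    # each node in turn; a clean switch-over shows one short outage.
    param(
        [Parameter(Mandatory)] [string] $Address,
        [int] $DurationSeconds = 300,
        [int] $IntervalMs      = 1000
    )
    $outages   = New-Object System.Collections.Generic.List[object]
    $deadline  = (Get-Date).AddSeconds($DurationSeconds)
    $lost      = 0
    $lostSince = $null
    while ((Get-Date) -lt $deadline) {
        $ok  = Test-Connection -ComputerName $Address -Count 1 -Quiet -ErrorAction SilentlyContinue
        $now = Get-Date
        if (-not $ok) {
            if ($lost -eq 0) {
                $lostSince = $now
                Write-Host "$($now.ToString('HH:mm:ss')) no reply from $Address"
            }
            $lost++
        } elseif ($lost -gt 0) {
            # Reply is back: close the outage record.
            $outages.Add([pscustomobject]@{
                Start     = $lostSince
                End       = $now
                LostPings = $lost
                Seconds   = [math]::Round(($now - $lostSince).TotalSeconds, 1)
            })
            Write-Host "$($now.ToString('HH:mm:ss')) back after $lost lost ping(s)"
            $lost = 0
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
    if ($lost -gt 0) {
        # Still down when the watch period ended; record it as an open outage.
        $outages.Add([pscustomobject]@{ Start = $lostSince; End = $null; LostPings = $lost; Seconds = $null })
    }
    return $outages
}

# Watch for five minutes while rebooting the active node from
# Management | High Availability | Status, then review the outage table.
$result = Watch-UtmFailover -Address '10.0.0.1' -DurationSeconds 300
$result | Format-Table -AutoSize
```

A single row with one lost ping is the result described in the text; a row with many lost pings, or an outage that never closes, points at a node that did not take over the virtual IP, which is exactly the case the preferred master and backup interface settings above are meant to prevent.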

