
Clustering not in the same subnet

Hello, I know it is technically possible to have a SEA cluster across two different subnets by granting free communication between the two SEAs on the following ports (http://sea.sophos.com/webhelp/index.html#sea/concepts/PortConfig.html); but I want to know whether it is a supported scenario or not.

From the SEA internal help: https://SEA_IP:18080/Help/en/index.html?tab=Config&page=Clustering&cluster= I found a particular phrase:

Using clustering requires that you have two or more Email Appliances with identical software versions that are connected to the same network and able to communicate using the ports specified on the port configuration page.

Why do they specify "same network" and then list the ports that need to be open? Within the same network, apart from some very specific configurations, there is no "easy" way to filter the traffic.

Is this just a problem with the docs, or is clustering across two different subnets not supported?

@AimanAnsari or @ ?

Thanks!



  • Hi Massimo,

     

    To answer your question... "sort of", depending on what you're trying to do.

     

    First issue:

    There is nothing technically preventing you from hosting appliances globally; however, it can be fairly complicated because you need to globally share / access the non-internet ports.

    So ports like 80 or 123 and similar would rely on the site-specific internet configuration of that site.

    But services/ports such as 5432 (database), 8888 (delay queue), 24/22 and DNS would need to be accessible between sites/appliances as well as their respective networks.

     

    Second issue: (and why it's recommended they are all on the same subnet)

    Let's say you have ABC.com

    with 3 A records at 3 different sites

    1.1.1.1

    2.2.2.2

    3.3.3.3

    Clustering does not share mail between hosts, so all 3 of these hosts must be able to deliver downstream to the mailbox server. Normally, with appliances in the same subnet or on the same flat network in general, none of the appliances would have any trouble relaying mail downstream to the mailbox server. Once you add that extra level of routing/resolution, you need to get much more creative with your mail flow.

     

    Third Issue: quarantine release

    Let's say a message comes in on appliance 45 and appliance 16 is the cluster master. Appliance 16 would generate a quarantine digest and send it out to all users who received spam within the time range. Normally you would create an Exchange receive connector that says "anything for appliance 16, send it to IP 1.2.3.4". When appliance 16 receives that message, it will tell appliance 45 to release the message.

     

    In regards to support

    It's for the second reason that it's not listed as supported. It can be made to work for sure, but it's not something that you can just pick up the phone and get support for. So in that respect it's a little outside the supportable realm, and chances are you're going to be able to identify that outage faster than support can.

     

     

    I'm guessing you're looking for mail cloning or DR? Or if you had, say, 10 companies and each had their own mail delivery...

    Something like this may work for you...

    company A, B, C

    Deploy appliances on all 3 sites. Square away the routing issues and configure each appliance for its local network, then cluster them.

    Create mail domains for A, B and C and configure the related mailbox server for each domain. Each mailbox server can receive and send mail for its respective domain.

    This would allow you to cluster all 3 appliances, receive mail for all 3 domains and push policy across them all.

     

    If you wanted a DR solution, just create a rule to "send a copy" of all mail from domain A to domain B and set up domain B to deliver to the DR server.

  • Yes and no :)

    What I have in mind is something like 2 clustered SEAs (and I mean clustered instead of standalone just for the ease of configuring and maintaining the same settings), one on premises and the other at a VPS provider, connected through an IPsec VPN.

    My MX records will prioritize the SEA in the "cloud" (just for fun, I know spammers will just ignore the priority or even usually try the lower ones first), but both appliances will be able to deliver the email directly to my on-premises Exchange. This will allow me to accept email even when my headquarters' internet connection is down or in case of software updates.

     

    I know I can achieve this by just putting them in standalone mode.

     

    Thanks!

  • You shouldn't have any problem,

    just make a split tunnel and route ports 22/24/5432/8888 between the appliances and everything else out the gateway. 
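
A pre-flight check for the port requirement discussed in this thread (5432 database, 8888 delay queue, 24/22 and DNS, reachable in both directions across the VPN). This is an added example, not Sophos code and not posted by anyone in the thread: the port list is the one named above (the authoritative list is the appliance's port configuration page), the peer IP is a placeholder, and the script is meant to be run once on each appliance, after which the two reports are combined, because a TCP connect from one side only proves one direction.

```python
"""
Cluster-port reachability check for Email Appliances in different subnets.

Added example (not Sophos code). Port list taken from the thread; the
release-specific list is on the appliance's port configuration page.
Run on appliance A against B, then on B against A, and feed both reports
to cluster_ready(): clustering needs every port open in BOTH directions.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Ports the thread says must be reachable appliance-to-appliance.
# 24 is only named as "24/22" in the thread, with no service name given.
# DNS is mostly UDP; a TCP connect to 53 only proves TCP reachability.
CLUSTER_PORTS: Dict[int, str] = {
    22: "ssh",
    24: "cluster (listed as 24/22 in the thread)",
    53: "dns (TCP probe only; UDP not tested)",
    5432: "database (PostgreSQL)",
    8888: "delay queue",
}

# A probe takes (host, port) and returns True when the port answers.
Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_peer(peer: str, ports: Iterable[int],
               probe: Probe = tcp_probe) -> Dict[int, bool]:
    """Run from ONE appliance: which cluster ports on the peer answer."""
    return {p: probe(peer, p) for p in ports}


def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that did not answer, sorted for stable reporting."""
    return sorted(p for p, ok in results.items() if not ok)


def cluster_ready(from_a: Dict[int, bool],
                  from_b: Dict[int, bool]) -> Tuple[bool, Dict[str, List[int]]]:
    """Combine the report produced on A (probing B) with the one produced
    on B (probing A). A port that answers A->B but not B->A is still a
    failure: the thread's requirement is bidirectional communication."""
    gaps = {"a->b": missing_ports(from_a), "b->a": missing_ports(from_b)}
    ok = not gaps["a->b"] and not gaps["b->a"]
    return ok, gaps


if __name__ == "__main__":
    import sys
    # Placeholder peer address (TEST-NET-1); pass the real peer as argv[1].
    peer = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.16"
    report = probe_peer(peer, CLUSTER_PORTS)
    for port, answered in report.items():
        state = "open" if answered else "BLOCKED"
        print(f"{peer}:{port:<5} {CLUSTER_PORTS[port]:<42} {state}")
    # Non-zero exit if anything is blocked, so it can gate a deployment step.
    sys.exit(1 if missing_ports(report) else 0)
```

The probe is injected so the reporting logic can be exercised offline with a fake; on the appliances themselves `tcp_probe` is used and the split-tunnel routing is correct only when both runs come back clean.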

    Technically it works just fine, I have already tested it, but Sophos Support just said that it is not a "Supported Configuration" and I will be "on my own" in case of any issue...

    I really don't understand the situation...

  • Hi Massimo,

     

    Sorry for any confusion, there is nothing wrong with remotely clustered devices.

    It is not listed as a recommended deployment but as long as the port requirements are met and there is bidirectional communication there is NO reason it would not be supported.

     

    So if you want 30 remote appliances, knock yourself out.
