Enterprise Console / Update Manager - High Availability Options (2020)

I work in CyberSecurity and come from an Enterprise/Telecom background.

The inability to push mission critical updates to a managed client would be considered a Severity 0 service disruption

Therefore, I am uncomfortable propose any solution to any client that doesn't have integrated BCDR/HA-DR contingency planning, no matter how Janky.

Merci,

~BAS

If thats the Case, switch to Central.

Central has a Uptime, you most likely never can archive (based of Cloud services). 

https://centralstatus.sophos.com/#!/

Because of the cloud based approach, the uptime and update cycle is always enabled. 

LuCar Toni  I forgot to mention, I require a solution with HA for use in air gap environment with asymmetric manual updates

Hi Brian Seklecki 

High Availability for the Sophos Enterprise console can be facilitated by having the VM server where vMotion is enabled, so in case the host is down, the VM server will migrate to another VM host and in this way, your Sophos Enterprise console should be available as well.

Coming to SQL, if you have clustered SQL environment, you can achieve the HA with SQL as well. Please refer to this article for the Upgradation to Clustered SQL.

Thank you Jasmin 

And a question to QC regarding HA:

  I see now that the communications between a managed client and a SEC is handled by IIOP/COBRA protocol over HTTPs/SSL Ports 8192,8193 and 8194.

  If I need to develop a low-cost HA solution other than vMotion-enabled VM, this can be done by having multiple or warm-standby SECs, and using the Migration script (https://community.sophos.com/kb/en-us/116737) as need to re-home clients.

    I see the RMS uses a CAC.pem file, so there is a trusted X.509 key, and thus a pairing process.

  Since there is no native Clustering features, the CAC.PEM will be different between SEC instances, so even if the IP/DNS/FQDN listed in mrinit.conf was a HA Layer3/4 VIP that could migrate between active standby hosts, and even if the CAC.pem cn= or subAltName= could reference the floating VIP instead of the participating individual hosts with different SEC installation instances, one would still need to re-home with the VBS migration script to establish the trust with the new unique per-host/per-installation certificate (cac.pem).

Also, if the SQL instances consumed by the different SEC instances are not replicated, then probably also:  the pairing / re-home'ing / registration process also needs to "register" some client data in the underlying SQL database on the SEC.

Thanks,

  ~BAS

Hello BAS,

I'm not an expert [:)], and it's time to leave so just a short answer for now.

You can "clone" a server's identity -  please see Re-using the same Remote Management System (RMS) certificates ....

As for the database: I'd have assumed that a remote SQL server/cluster is used when HA is desired.  

Christian

Thank you!

   You guys have been stellar on Thursday!

    Have a great weekend!

~Brian

Thank you!

   You guys have been stellar on Thursday!

    Have a great weekend!

~Brian

Hello Brian,

thanks, not yet weekend.

There are some intricacies w.r.t. a common database and a different (but with the same "identity") Management Server taking over. A change of the IP address poses no problem. According to Sophos Enterprise Console: Changing domain name, computer name, network type or upgrading of OS are not supported once SEC is installed a name change does.
BUT: A server to server migration is essentially a server rename (unless you use the same name that is not assumedin the migration guide). Server-B uses the restored (or unchanged remote) database that Server-A used and puts itself into Server-A's position. This does not work all the time. On one of the latest migrations I had to use ResetUserMappings.sql. Thus assuring another server takes over automatically (without manual intervention) might require some "research and scripting".

Christian