
Clustering not in the same subnet

Hello, I know it is technically possible to have a SEA cluster across two different subnets, granting the following ports (http://sea.sophos.com/webhelp/index.html#sea/concepts/PortConfig.html) free communication between the two SEAs; but I want to know whether it is a supported scenario or not.

From the SEA internal help: https://SEA_IP:18080/Help/en/index.html?tab=Config&page=Clustering&cluster= I found a particular phrase:

Using clustering requires that you have two or more Email Appliances with identical software versions that are connected to the same network and able to communicate using the ports specified on the port configuration page.

Why do they specify "same network" and then list the ports that need to be open? Within the same network, apart from some very specific configuration, there is no "easy" way to filter the traffic.

Is this just a problem with the docs, or is clustering across two different subnets not supported?

@AimanAnsari or @ ?

Thanks!



  • Hi Massimo,

    To answer your question, .. "sort of", depending on what you're trying to do.

    First issue:

    There is nothing technically preventing you from hosting appliances globally, however it can be fairly complicated because you need to globally share / access the non-internet ports.

    So ports like 80 or 123 and similar would rely on the site-specific internet configuration of that site.

    But services/ports such as 5432 (database), 8888 (delay queue), 24/22 and DNS would need to be accessible between sites/appliances as well as their respective networks.

    Second issue: (and why it's recommended they are all on the same subnet)

    Let's say you have ABC.com

    with 3 A records at 3 different sites

    1.1.1.1

    2.2.2.2

    3.3.3.3

    Clustering does not share mail between hosts, so all 3 of these hosts must be able to deliver downstream to the mailbox server. Normally with appliances in the same subnet or on the same flat network in general, none of the appliances would have any trouble relaying mail downstream to the mailbox server. Once you add that extra level of routing/resolution you need to get much more creative with your mail flow.

    Third issue: quarantine release

    Let's say a message comes in on appliance 45 and appliance 16 is the cluster master. Appliance 16 would generate a quarantine digest and send it out to all users who received spam within the time range. Normally you would create an Exchange receive connector that says "anything for appliance 16, send it to IP 1.2.3.4". When appliance 16 receives that message it will tell appliance 45 to release the message.

    In regards to support

    It's for the second reason that it's not listed as supported. It can be made to work for sure, but it's not something that you can just pick up the phone and get support for. So in that respect it's a little outside the supportable realm, and chances are you're going to be able to identify that outage faster than support can.

    I'm guessing you're looking for mail cloning or DR? Or if you had, say, 10 companies and each had their own mail delivery...

    Something like so may work for you....

    Company A, B, C

    Deploy appliances on all 3 sites. Square away the routing issues and configure each appliance for its local network, then cluster them.

    Create mail domains for A, B and C and configure the related mailbox server for each domain. Each mailbox server can receive and send mail for its respective domain.

    This would allow you to cluster all 3 appliances, receive mail for all 3 domains and push policy across them all.

    If you wanted a DR solution just create a rule to "send a copy" of all mail from domain A to domain B and set up domain B to deliver to the DR server.

  • Yes and no :)

    What I have in mind is something like 2 clustered SEAs (and I mean clustered instead of standalone just for the ease of configuring and maintaining the same settings), one on premises and the other on a VPS provider, connected through an IPsec VPN.

    My MX records will prioritize the SEA in the "cloud" (just for fun, I know spammers will just ignore the priority or even usually try the lower ones first) but both appliances will be able to deliver the email directly to my on-premises Exchange. This will allow me to accept email even when my headquarters internet connection is down or in case of software updates.

    I know I can achieve this by just putting them in standalone mode.

    Thanks!

  • You shouldn't have any problem,

    just make a split tunnel and route ports 22/24/5432/8888 between the appliances and everything else out the gateway. 

  • Technically it works just fine, I have already tested it, but Sophos Support just said that it is not a "Supported Configuration" and I will be "on my own" in case of any issue...

    I really don't understand the situation...

  • Hi Massimo,

    Sorry for any confusion, there is nothing wrong with remotely clustered devices.

    It is not listed as a recommended deployment, but as long as the port requirements are met and there is bidirectional communication there is NO reason it would not be supported.

    So if you want 30 remote appliances, knock yourself out.

  • Hey,

    why port 22 between the clustered appliances?

    I thought SSH was going to use port 24. Is there any additional traffic over port 22?

    Thanks,

    Andy

  • 22 is for remote assistance to Sophos,

    as well as to copy files between members; that's via scp.

  • OK thanks. I ask because I have three clustered appliances in different subnets and I get temporary connection errors between them if I use the "Search" or when saving configuration changes. Port 22 is currently closed.

    My cluster scenario:

    - two SEAs in a DMZ as internet-facing mail relay (only the ports for clustering are opened to the internal SEA (24, 5432, 8888, 18080))

    - one SEA in the LAN (only for Active Directory recipient validation, end-user web quarantine and access to the admin dashboard)

    So is this scenario working and supported?

  • Hi Andy,

    The "official" supported configuration is here: http://sea.sophos.com/webhelp/index.html#sea/concepts/PortConfig.html

    That being said, the basic clustering requirements have been met (24, 5432, 8888, 18080); however there are some issues with not allowing all of the listed ports. For example, by not allowing 25 you may inhibit an appliance from emailing a critical alert email to Sophos, or your administrator. Likewise not allowing 32224 will prevent you from using features like Time Of Click. In turn you may also get artificial red/yellow alerts.

    The errors and timeouts you describe sound more like potential infrastructure issues.

    IE:

    * perhaps the rules are for only TCP and not both TCP/UDP

    * IPS/filtering/web filtering is applied to any of the appliances

    * DNS resolution between the 3 appliances (ensure they can resolve each other by short name/FQDN)

    * some sort of route issue with 1 member

    Unfortunately the forums are not a viable method of troubleshooting other than to suggest a few things to try.

    IE:

    * log into another appliance and run the same report

    * don't run reports based on the cluster, run it on each member and see if one fails over the other.

    * ensure there is unobstructed communication to both appliances

    * allow all of the ports and ensure there is no filtering, or put all 3 in the same subnet/DMZ and see if the issue persists.

    If none of these tests resolve the issue (even just to test with), you're best off contacting support so an engineer can test connectivity directly and live-monitor the logs for potential errors when searching or running reports.
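The checks the replies above keep coming back to (each member resolves its peers by short name and by FQDN, the clustering ports accept connections in both directions, and a clear list of which peer/port pair fails) can be scripted and run from each side of the VPN. The following is an added example, not part of this thread and not Sophos code. The port numbers and their roles (24, 5432, 8888, 18080, plus 22 for scp and remote assistance) are taken from the thread; the assumption that they are TCP is ours, so a rule set that allows TCP only would still pass this check even if UDP is also needed. The hostnames and 192.0.2.x addresses in the sample peer list are constructed placeholders.

```python
"""Peer connectivity check for a multi-subnet appliance cluster.

Added example (not Sophos code). Run it from each cluster member so that
both directions of the cluster traffic are exercised. It checks three
things the thread says to verify: name resolution of each peer by short
name and FQDN, TCP reachability of every clustering port, and which
peer/port combinations fail.
"""
import socket
from typing import Dict, List

# Ports named in the thread, with the thread's descriptions. The TCP-only
# assumption is ours; this script does not probe UDP.
CLUSTER_PORTS: Dict[int, str] = {
    24: "ssh between members",
    5432: "database",
    8888: "delay queue",
    18080: "admin / cluster UI",
}
OPTIONAL_PORTS: Dict[int, str] = {22: "scp between members / Sophos remote assistance"}


def resolve(name: str) -> List[str]:
    """Return the sorted IPv4 addresses name resolves to, or [] if it does not."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or silently filtered
        return False


def check_peer(peer: Dict[str, str], ports: Dict[int, str], timeout: float = 2.0) -> Dict:
    """Check one peer: resolution of its short name and FQDN, then every port.

    peer is {"short": ..., "fqdn": ..., "ip": ...}. The connection attempts
    go to peer["ip"]; the names are only checked for resolution so that a
    DNS problem shows up separately from a firewall problem.
    """
    return {
        "short_resolves": resolve(peer["short"]),
        "fqdn_resolves": resolve(peer["fqdn"]),
        "ports": {port: check_tcp(peer["ip"], port, timeout) for port in ports},
    }


def failures(peer_name: str, report: Dict, ports: Dict[int, str]) -> List[str]:
    """Turn a check_peer() report into human-readable failure lines (empty = all good)."""
    out: List[str] = []
    if not report["short_resolves"]:
        out.append(f"{peer_name}: short name does not resolve")
    if not report["fqdn_resolves"]:
        out.append(f"{peer_name}: FQDN does not resolve")
    for port, ok in report["ports"].items():
        if not ok:
            out.append(f"{peer_name}: tcp/{port} ({ports[port]}) not reachable")
    return out


def start_local_listener() -> socket.socket:
    """Open a listening TCP socket on 127.0.0.1 on a free port (self-test aid)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Constructed peer list with hypothetical names and documentation-range
    # addresses; replace with the other cluster members as seen from this host.
    peers = [
        {"short": "sea-dmz-1", "fqdn": "sea-dmz-1.example.com", "ip": "192.0.2.10"},
        {"short": "sea-lan-1", "fqdn": "sea-lan-1.example.com", "ip": "192.0.2.20"},
    ]
    all_ports = {**CLUSTER_PORTS, **OPTIONAL_PORTS}
    for peer in peers:
        report = check_peer(peer, all_ports)
        for line in failures(peer["fqdn"], report, all_ports) or [f"{peer['fqdn']}: OK"]:
            print(line)
```

Because `check_tcp` treats a timeout and a refusal the same way, a port that is dropped by a firewall and one where nothing listens both show as "not reachable"; run the script from both ends of the tunnel, since a split-tunnel route that works one way only is exactly the kind of asymmetry the replies above warn about.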