Switching from active/passive to active/active setup

 Hey everyone!

We want to switch from active/passive to active/active operation mode. Do we need to first switch off HA and then back on in the new mode?

Regards

Alex

  • Hello Alex,

    Active/Active requires a license for two nodes.  You can get that in the licensing section of MyUTM by trading half of the remaining time in your subscription.  That means, if you presently have 18 months left now, you will have only nine months after the upgrade.

    You might be better off upgrading to bigger hardware and remaining with Active/Passive.  If you trust your reseller, you should ask them.

    Cheers - Bob

  • In reply to BAlfson:

    Hey Bob!

    As always: Thanks for your help! I've looked sharp and found the button "Upgrade cluster nodes" on the licensing portal.

    Yeah, you're right, I should be satisfied with the current active/passive setup, but it looks like we need an active internet connection in both locations.

    Keep up your good work here in the forum! :)

    Alex

     

  • In reply to asc_:

    Hi Alex,

    Keep in mind that an active/active connection does not get you two webadmins for each appliance.

    Active/active means that the working processes of the master are delegated to the slave/workers.

    When the slave/worker has finished a work process, the result is sent back to the master.

    The main connections are still initiated from the master itself.

    So when you decide to install a second internet connection at another location, you have to transmit the signal to the master as well.

    Here you can see a simple diagram of how the setup has to be.

    This can also be realised with an active/passive scenario.

    Best Regards
    DKKDG

  • In reply to DKKDG:

    Hey DKKDG,

    Thanks for your input. I've had a second look into the HA documentation of Sophos UTM (which is actually quite scarce and has lots of room for improvement) and thought about the "active/active" setup.

    Given that there's no reconfiguration of IPs on both of our nodes, that'll leave us with one IP as gateway into the internet. The setup I was thinking about is depicted here. Host A and host B need to have access to the internet even if the underlying VLANs are not properly spanning all locations (in case of a connection failure between locations). As I understand the active/active setup now, the Sophos UTM Master always has the GW IP address. So all connections from host A and host B are going to the UTM Master. I would need to have two active UTMs that can act as default GW for internal hosts.

    Can I achieve this with an active/active setup?

    Regards

    Alex

  • In reply to asc_:

    If we were your reseller, Alex, we would recommend Active/Passive in both locations, sending only necessary traffic between the locations.  Although it's possible to configure HA in separated locations, it's a level of complexity that I always recommend against.  I would put smaller units in the smaller location and get only Network and Web Protection subscriptions for it.

    Cheers - Bob

  • In reply to BAlfson:

    Hey Bob!

    That's of course an interesting solution and I will have a look into this - don't know why that didn't come to my mind. Thanks again for your help!

     

    Regards

    Alex