We want to switch from active/passive to active/active operation mode. Do we need to first switch off HA and then back on in the new mode?
Active/Active requires a license for two nodes. You can get that in the licensing section of MyUTM by trading half of the remaining time in your subscription. That means, if you presently have 18 months left now, you will have only nine months after the upgrade.
You might be better off upgrading to bigger hardware and remaining with Active/Passive. If you trust your reseller, you should ask them.
Cheers - Bob
In reply to BAlfson:
As always: Thanks for your help! I've looked sharp and found the button "Upgrade cluster nodes" on the licensing portal.
Yeah, you're right, I should be satisfied with the current active/passive setup, but it looks like we need an active internet connection in both locations.
Keep up your good work here in the forum! :)
In reply to asc_:
Keep in mind that an active/active connection does not get you two webadmins for each appliance.
Active/active means that the working processes of the master are delegated to the slave/workers.
When the slave/worker has finished a work process, the result is sent back to the master.
The main connections are still initiated from the master itself.
So when you decide to install a second internet connection at another location, you have to transmit the signal to the master as well.
Here you can see a simple diagram of how the setup has to be.
This can also be realised with an active/passive scenario.
In reply to DKKDG:
Thanks for your input. I've had a second look into the HA documentation of Sophos UTM (which is actually quite scarce and has lots of room for improvement) and thought about the "active/active" setup.
Given that there's no reconfiguration of IPs on both of our nodes, that'll leave us with one IP as Gateway into the internet. The setup I was thinking about is depicted here. Host A and host B need to have access to the internet even if the underlying VLANs are not properly spanning all locations (in case of a connection failure between locations). As I understand active/active setup now, Sophos UTM Master always has the GW IP address. So all connections from host A and host B are going to the UTM Master. I would need to have two active UTMs that can act as default GW for internal hosts.
Can I achieve this with active/active setup?
If we were your reseller, Alex, we would recommend Active/Passive in both locations, sending only necessary traffic between the locations. Although it's possible to configure HA in separated locations, it's a level of complexity that I always recommend against. I would put smaller units in the smaller location and get only Network and Web Protection subscriptions for it.
That's of course an interesting solution and I will have a look into this - don't know why that didn't come to my mind. Thanks again for your help!