Multiple IP Single Hostname over VPN

We have an IPsec VPN. Using Hyper-V Replica to replicate a VM across the VPN.

If the site fails, we need to be able to access the VMs; however, if a VM fails over it will have a different IP than it originally had due to the subnet it is now on.

Need to set a DNS entry in the SG UTM to auto-route traffic to the new IP if the machine fails. Having it set up on the physical server won't work - this is for failure. Assume the server is down.

I've tried setting hosts but it won't allow duplicate names.

Looked into DNS groups - but not sure where it is pulling that data from to populate the IPs.

 

 



  • An Availability Group might solve your problem, Ray, but it's hard to tell.  I think no one's answered because no one has understood where the clients are that need to reach the servers, whether they're using the HTTP/S Proxy, what kind of traffic this is, etc.  In other words, you've talked about the solution you've imagined, but not much about the problem you want to solve.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks BAlfson,

    We have a Hyper-V host running a 2012 VM.
    All it's doing is hosting QuickBooks and Office data files. There is no "domain" to speak of except what 2012 is configured for.
    No workstations, no other servers, nothing.
    The PCs they do have there just access the shares on the 2012 VM and they go about their day. It's more of a workgroup.

    They have a second site. IPsec VPN.
    They want to have the 2012 VM replicating to the second site, which isn't an issue at all. Here is the issue: once the failover happens, how does site A access the data on the server when it's at site B?

    Site A is 192.168.1.0
    Site B is 10.0.10.0
    VM being replicated from Site A is 192.168.1.20
    When it fails over to Site B it is still 192.168.1.20 - how do the users on Site A access the data?

    I was thinking of having the VM set up with multiple IPs in DNS so when Site A goes down it is still accessible with the Site B IP.

  • For that approach to work, you would need one of those fail-over DNS services, but I don't think they can do that with non-public IPs.

    The only thing I can think of off the top of my head involves a Full NAT on the internal interface of site A.  Put an additional address on the Internal interface, say 192.168.1.2 and have internal DNS resolve to that instead of to .20.  Assuming the VM at site B is at 10.0.10.20, make a NAT rule like:

    Full Nat : Internal (Network) -> Any -> {192.168.1.2} : from {192.168.1.2} to {Availability Group 192.168.1.20, 10.0.10.20}

    Any luck with that?

    Still, when you're ready to bring the VM at site A back online, you'll have things that need to sync back to it from site B before you allow local users to connect to the VM.  You could temporarily remove 192.168.1.20 from the Availability Group to accomplish that.

    My wife is the DR organizer for a large company with several thousand employees and dozens of mission-critical applications.  Their DR test last week took 10.5 hours to have their DR center confirmed as functional.  I don't know how many hours it took for them to get the primary site re-synced to the DR site.  I would urge you to make an extra backup before you do a DR test to confirm that things work as you want.

    Having said all that, I would worry about one of the VMs "flopping" on/off/on and causing a problem with ANY automatic fail over, so my safest suggestion would be a DNS entry that you change manually to redirect requests to the second server after you've disabled the VM in site A.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
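
The "flopping" on/off/on concern in the reply above, modeled as an added example (not part of the thread, and not Sophos UTM's own Availability Group logic): a priority-ordered target selector that needs several consecutive failed probes before failing over and several good ones before failing back, with a manual exclusion that mirrors temporarily removing 192.168.1.20 from the group during re-sync. The class name, thresholds and probe format are assumptions; the two addresses are the ones given in the thread.

```python
from dataclasses import dataclass, field

# Addresses from the thread: VM at site A, replica at site B.
PRIMARY = "192.168.1.20"
REPLICA = "10.0.10.20"


@dataclass
class FailoverSelector:
    """Hypothetical model: pick the first healthy target, with hold-down on fail-back."""
    targets: list                 # highest priority first
    fail_after: int = 3           # consecutive failed probes before marking a target down
    recover_after: int = 5        # consecutive good probes before trusting it again
    excluded: set = field(default_factory=set)   # manually held out (e.g. while re-syncing)
    _bad: dict = field(default_factory=dict)
    _good: dict = field(default_factory=dict)
    _down: set = field(default_factory=set)

    def observe(self, probes):
        """Record one round of probe results ({address: bool}) and return the chosen target."""
        for addr in self.targets:
            if probes.get(addr, False):
                self._bad[addr] = 0
                self._good[addr] = self._good.get(addr, 0) + 1
                if addr in self._down and self._good[addr] >= self.recover_after:
                    self._down.discard(addr)
            else:
                self._good[addr] = 0
                self._bad[addr] = self._bad.get(addr, 0) + 1
                if self._bad[addr] >= self.fail_after:
                    self._down.add(addr)
        return self.current()

    def current(self):
        for addr in self.targets:
            if addr not in self._down and addr not in self.excluded:
                return addr
        return None  # nothing usable: report that instead of guessing a target


def replay(selector, primary_states):
    """Feed primary up/down samples (replica always up); return the target chosen each round."""
    return [selector.observe({PRIMARY: up, REPLICA: True}) for up in primary_states]
```

A single good probe from a flapping primary does not pull clients back; fail-back happens only after `recover_after` clean rounds, and never while the address is in `excluded`.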
  • Thanks - it's easier when the client has more in the budget for better DR tools!

    Sometimes in IT we are asked to build a Bugatti using Kia parts.