I have a disaster recovery location/co-location through our ISP and would like to be able to continue operating mail and remote access servers if there were a disastrous event. Because we have a gigabit link between the buildings, I was thinking we could actually use Active-Passive HA. Currently the co-location is tied to the local network between the switches on both sides. If I were to trunk the port on the switch on each end, make a new VLAN for the HA traffic and give each Sophos an access or untagged port in the VLAN for an HA interface – do you think I can enable HA between our office and the co-location? The ISP would also need to configure our public IP block on an Ethernet hand-off at the co-location as well as at our office. My concern is passing the HA traffic through a VLAN on a trunk port: even though the line is gigabit, there would still be other VLAN traffic on that link. Any input would be greatly appreciated.
Hi,
We are in the same boat. Did you resolve this question, or must you have a dedicated fiber Ethernet link between the office and the co-location?
In reply to Franchesco Alba:
I am not a fan of split-brain scenarios. Instead I use 2x HA in each location and cross-connect them.
You need to consider that if the link between both appliances breaks, you will have a Master-Master situation, which can/will cause trouble.
UTM offers something like a Backup Interface, but tbh, most of the time those backup interfaces used to check the connection in such setups are built on the same "wire". So basically, when the main connection dies, the backup dies too.
I tried to find a Feature Request for this on Ideas.sophos.com, but found only one with 2 votes.
https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/34644892-high-availability-with-backup-interface
So feel free to vote for it.
Hello Franchesco!
Please check this new KB:
https://community.sophos.com/kb/en-us/123174
Regards
In reply to KingRolo:
Hello,
You can use the device in this scenario, but you would need to check the latency of the ping requests between the two.
If they are within the range of the values mentioned in the KBA, then it will work.
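As an added example (not from the thread, the KBA, or Sophos), the following script shows one way to do the latency check suggested above before committing to a stretched HA pair: it runs `ping` against the peer's HA interface address, parses the Linux `ping -c` summary, and compares average RTT, jitter (mdev) and packet loss against thresholds. The threshold values (`MAX_AVG_RTT_MS`, `MAX_JITTER_MS`, `MAX_LOSS_PCT`) are placeholders, since the KBA's actual limits are not quoted in this thread; substitute the figures from the KBA. The embedded sample ping output is constructed so the parser can be exercised offline.

```python
"""Measure HA heartbeat link quality (RTT, jitter, loss) and compare against limits.

Added example; thresholds below are PLACEHOLDERS, not values from the Sophos KBA.
"""
import re
import subprocess
import sys

# PLACEHOLDER limits: replace with the values given in the KBA for your release.
MAX_AVG_RTT_MS = 5.0
MAX_JITTER_MS = 2.0
MAX_LOSS_PCT = 0.0

# Constructed sample of Linux `ping -c 5` output (one probe lost) for offline use.
SAMPLE_PING_OUTPUT = """PING 10.255.0.2 (10.255.0.2) 56(84) bytes of data.
64 bytes from 10.255.0.2: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 10.255.0.2: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 10.255.0.2: icmp_seq=3 ttl=64 time=0.455 ms
64 bytes from 10.255.0.2: icmp_seq=5 ttl=64 time=0.401 ms

--- 10.255.0.2 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.398/0.416/0.455/0.023 ms
"""

SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) received, ([\d.]+)% packet loss")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")
SAMPLE_RE = re.compile(r"time=([\d.]+) ms")


def parse_ping_output(text):
    """Extract per-probe RTTs and the summary statistics from Linux ping output."""
    summary = SUMMARY_RE.search(text)
    rtt = RTT_RE.search(text)
    if not summary:
        raise ValueError("no ping summary line found")
    stats = {
        "transmitted": int(summary.group(1)),
        "received": int(summary.group(2)),
        "loss_pct": float(summary.group(3)),
        "samples": [float(m) for m in SAMPLE_RE.findall(text)],
    }
    if rtt:  # the rtt line is absent when every probe was lost
        stats["rtt_min"], stats["rtt_avg"], stats["rtt_max"], stats["rtt_mdev"] = (
            float(rtt.group(i)) for i in range(1, 5)
        )
    return stats


def evaluate_ha_link(stats, max_avg_rtt_ms=MAX_AVG_RTT_MS,
                     max_jitter_ms=MAX_JITTER_MS, max_loss_pct=MAX_LOSS_PCT):
    """Return (ok, reasons): ok is True only when every metric is within its limit."""
    reasons = []
    if "rtt_avg" not in stats:
        reasons.append("no replies received")
        return False, reasons
    if stats["loss_pct"] > max_loss_pct:
        reasons.append(f"packet loss {stats['loss_pct']}% > {max_loss_pct}%")
    if stats["rtt_avg"] > max_avg_rtt_ms:
        reasons.append(f"avg RTT {stats['rtt_avg']} ms > {max_avg_rtt_ms} ms")
    if stats["rtt_mdev"] > max_jitter_ms:
        reasons.append(f"jitter {stats['rtt_mdev']} ms > {max_jitter_ms} ms")
    return not reasons, reasons


def run_ping(host, count=20):
    """Run the system ping against the peer's HA address and return its raw output."""
    proc = subprocess.run(["ping", "-c", str(count), host],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Usage: python ha_link_check.py <peer-ha-address> [probe-count]
    peer = sys.argv[1] if len(sys.argv) > 1 else None
    output = run_ping(peer, int(sys.argv[2]) if len(sys.argv) > 2 else 20) if peer \
        else SAMPLE_PING_OUTPUT
    result = parse_ping_output(output)
    ok, why = evaluate_ha_link(result)
    print("HA link OK" if ok else "HA link NOT suitable: " + "; ".join(why))
```

Run it repeatedly at different times of day, since the HA VLAN shares the trunk with other traffic and a single quiet-hour sample says little about behaviour under load; any loss at all on the heartbeat path is worth investigating before relying on it, given the Master-Master risk described above.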