Sophos XG High Availability on VMware

We have a mail server deployed on ESXi which is protected by the mail protection of a virtual Sophos XG on the same ESXi. We are considering deploying another XG box and configuring HA in active/active mode. I've searched the Sophos community and found that several people have issues with deploying XG HA in a virtual environment, and in several cases the problem was resolved by allowing MAC address changes on the virtual switch. That seems logical, since configuring HA creates a virtual MAC on the interfaces and so MAC address changes should be enabled. I decided to test XG HA in a VMware environment for myself and finally succeeded in configuring 2 XG boxes in active/active HA after enabling MAC address changes in my virtual switch configuration.

My concern is that there is no official Sophos guide about configuring HA in a virtual environment. Also, none of the official documents about HA make any reference to HA support in virtual environments. So first of all I need someone from the Sophos support team on the community to confirm that deploying XG with HA in a VMware environment is officially supported. Also, in my tests I found that with only one client on the LAN side of the XG active/active cluster, all traffic is passed through the primary device, and on the auxiliary device there is no connection from my client. I want to know which method XG uses to load balance traffic on an active/active cluster, and whether there is an option to change the load balancing method.
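Before enabling the vSwitch setting described above, an ESXi admin would want to see where "MAC address changes" is currently Reject and scope the override to the one port group the XG interfaces use rather than the whole switch. The PowerCLI script below is an added example, not from this thread or from Sophos; the host name and port group name are placeholders, and it changes nothing unless run with -Fix:

```powershell
# Added example (not from the thread): audit the security policy of every
# standard vSwitch and port group on one ESXi host, then enable "MAC address
# changes" only on the port group the XG HA interfaces attach to.
# Assumes VMware PowerCLI is installed; both names below are placeholders.
param(
    [string]$EsxiHost    = 'esxi01.example.internal',   # placeholder host
    [string]$XgPortGroup = 'XG-HA-LAN',                 # placeholder port group
    [switch]$Fix                                         # report only unless set
)

Connect-VIServer -Server $EsxiHost | Out-Null
$vmhost = Get-VMHost -Name $EsxiHost

foreach ($vs in Get-VirtualSwitch -VMHost $vmhost) {
    $swPol = Get-SecurityPolicy -VirtualSwitch $vs
    Write-Output ("{0}: switch-level MacChanges={1} ForgedTransmits={2} Promiscuous={3}" -f
        $vs.Name, $swPol.MacChanges, $swPol.ForgedTransmits, $swPol.AllowPromiscuous)

    foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
        $pol = Get-SecurityPolicy -VirtualPortGroup $pg
        # A port group may inherit the value from its switch; compute the effective one.
        $effective = if ($pol.MacChangesInherited) { $swPol.MacChanges } else { $pol.MacChanges }
        Write-Output ("  {0}: MacChanges={1} (inherited={2})" -f
            $pg.Name, $effective, $pol.MacChangesInherited)

        # Override only on the XG port group; the switch default stays as it is.
        if ($Fix -and $pg.Name -eq $XgPortGroup -and -not $effective) {
            Set-SecurityPolicy -VirtualPortGroupPolicy $pol -MacChanges $true | Out-Null
            Write-Output ("  -> enabled MAC address changes on '{0}'" -f $pg.Name)
        }
    }
}

Disconnect-VIServer -Server $EsxiHost -Confirm:$false
```

Run it once without -Fix to record the current state, then with -Fix so that only the named port group is changed.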


    while you will probably get some answers, but not complete ones.

    What you really are asking for is equivalent to paid technical support assistance from a vendor/partner.

    ian

    Looks like I have some more explaining to do. I do not need someone to help me configure HA on virtual. I have already configured that and it is working. I am just wondering whether the lack of a configuration guide in the Sophos KB means HA in virtual environments is not supported by Sophos.

  • Actually it is supported. 

    There is even an option designed for hypervisors in V18.

    Most likely Sophos is building KBs and Guides, if needed or if somebody is asking for it. 

    I saw many customers resolving this with other mechanisms (vMotion etc.). Or they snapshot the XG and run a single appliance; in case of failure, they return to the snapshot.


  • Thank you. That is promising and all I needed about XG support on VM. How about the connection load balancing method? Do you know how XG load balances TCP traffic between active-active cluster devices?

  • HA in XG is working as described here:

    TCP load balancing is partially possible and needs two separate licenses.


  • Thank you again. I've read this before but couldn't find what I wanted. Like I said before, I have tested the High Availability function in my lab. In my lab, I used a single machine in the LAN zone of the cluster and tried accessing multiple internet destinations (mostly TCP sessions). I found that all of the connections were forwarded by the primary XG and none of them by the aux device. I confirmed this with tcpdump and the connection list in the GUI. So I assumed load balancing is happening based on source IP, not destination IP or something else. This is important for me because in my real world scenario there is going to be only one server in the LAN zone, so what I really want to find out is: if I buy another license and configure an active-active cluster, is it really going to load balance traffic (since I only have one source machine), or is there any way to change the default load balancing method to destination IP or a combination of src/dst?

  • The primary appliance will always answer all queries. The session will only be load balanced in the case of jobs that can be done by the other appliance.
