I have some questions for those of you who have setup HA with 2 ISPs

RSaull
RSaull Posts: 24  Freshman Member
edited August 2023 in Security

We're looking to remove some SPOF in our network . . . Following one of Zyxel's guides on HA/VRRP seems simple enough, but I'm far from being a network engineer. I'm wondering what happens after a failover when we have an Exchange server and site-to-site VPN, among other things, in our environment.

What additional configuration needs to be done to ensure these things work as intended on the second ISP with a different public IP? Do we just need to create a second set of PBR and what not? Should we set up a second site-to-site VPN on the 2nd ISP?

All Replies

  • mMontana
    mMontana Posts: 1,320  Guru Member

    @RSaull are you telling that your current idea is HA with a single firewall device for each ISP? Or you're looking to both ISP and firewall redundancy?

    May I assume that your Exchange Server is in fact a public-accessible email server?

  • RSaull
    RSaull Posts: 24  Freshman Member

    Ideally, both ISP and firewall redundancy . . . and yes, our Exchange server is publicly accessible.

  • mMontana
    mMontana Posts: 1,320  Guru Member

    Thanks for both answers.
    I do not have any experience nor knowledge on HA solutions, but your answers eased some possible doubts that readers of your first post might have had.

    Don't forget that… you cannot NAT twice on the same device for the same port. Unless you do that on a trunk/VTI, instead of on an interface…

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 776  Zyxel Employee

    Hi @RSaull ,

    Greetings, forum.

    In our HA deployment, you only need to configure one (Primary) device; it will sync to the passive device through the Heartbeat port at the same time. The cable ports of the Passive device won't light up except the heartbeat port, so you don't need to worry about which one should host the Exchange public IP.

    The firewall will do failover under two conditions:

    1) When a Monitor interface fails.

    2) When a device service fails.

    I believe you do not want failover to happen when the WAN1 ISP fails; you have the WAN2 ISP after all.

    So please don't add WAN interface as the Monitor interface.

    (Note: HA Pro is only supported on the ATP/FLEX 500 series and above.)

    Thank you
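    The distinction in the reply above (device HA failover on a monitor-interface or service failure versus ISP failover handled by the WAN trunk) as a small added model with a config check, written for this thread; it is not Zyxel firmware or its CLI, and the interface names and the `HaConfig` structure are assumptions.

```python
"""Model of the two HA failover triggers from the reply above, plus a check
that flags a WAN trunk member wrongly used as an HA monitor interface.
Constructed illustration: interface names and structure are assumed."""
from dataclasses import dataclass


@dataclass
class HaConfig:
    monitor_ifaces: set[str]   # link loss here triggers device (HA) failover
    wan_trunk: set[str]        # ISP links whose loss the WAN trunk handles


def validate(cfg: HaConfig) -> list[str]:
    """Warn when an ISP link is also an HA monitor interface: losing that
    ISP would flip the whole device instead of just moving to the other WAN."""
    return [
        f"{iface} is a WAN trunk member; remove it from the monitor interfaces"
        for iface in sorted(cfg.monitor_ifaces & cfg.wan_trunk)
    ]


def decide(cfg: HaConfig, down_ifaces, service_ok: bool = True) -> str:
    """Classify an outage as 'ha_failover' (passive unit takes over),
    'wan_failover' (trunk shifts traffic to the other ISP) or 'none'."""
    down = set(down_ifaces)
    if not service_ok or down & cfg.monitor_ifaces:
        return "ha_failover"
    if down & cfg.wan_trunk:
        return "wan_failover"
    return "none"


if __name__ == "__main__":
    # Constructed configs: 'good' keeps WAN links out of the monitor set.
    good = HaConfig(monitor_ifaces={"lan1"}, wan_trunk={"wan1", "wan2"})
    bad = HaConfig(monitor_ifaces={"lan1", "wan1"}, wan_trunk={"wan1", "wan2"})
    for name, cfg in (("good", good), ("bad", bad)):
        print(name, "warnings:", validate(cfg))
        print(name, "wan1 down ->", decide(cfg, ["wan1"]))
```

With the `bad` config an ISP outage on wan1 triggers a full device failover; with `good` it only moves traffic to wan2.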

  • RSaull
    RSaull Posts: 24  Freshman Member
    edited August 2023

    I do not have any experience nor knowledge on HA solutions.

    Thanks?
