I have some questions for those of you who have setup HA with 2 ISPs

RSaull
RSaull Posts: 32  Freshman Member
First Answer First Comment Friend Collector First Anniversary
edited August 2023 in Security

We're looking to remove some SPOF in our network . . . Following one of Zyxel's guides on HA/VRRP seems simple enough, but I'm far from being a network engineer. I'm wondering what happens after a failover when we have an Exchange server and site-to-site VPN, among other things, in our environment.

What additional configuration needs to be done to ensure these things work as intended on the second ISP with a different public IP? Do we just need to create a second set of PBR and what not? Should we set up a second site-to-site VPN on the 2nd ISP?

All Replies

  • mMontana
    mMontana Posts: 1,396  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    @RSaull are you telling that your current idea is HA with a single firewall device for each ISP? Or you're looking to both ISP and firewall redundancy?

    May I assume that your Exchange Server is in fact a public-accessible email server?

  • RSaull
    RSaull Posts: 32  Freshman Member
    First Answer First Comment Friend Collector First Anniversary
    https://community.zyxel.com/en/discussion/comment/55728#Comment_55728

    Ideally, both ISP and firewall redundancy . . . and yes, our Exchange server is publicly accessible.

  • mMontana
    mMontana Posts: 1,396  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    Thanks for both answers.
    I do not have any experience nor knowledge on HA solutions, but your answers eased some possible doubts that readers of your first post might had.

    Don't forget that… you cannot NAT twice on the same device for the same port. Unless you do that on a trunk/VTI, instead on an interface…

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 892  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments

    Hi @RSaull ,

    Greeting forum.

    In our HA deployment, you only need to configure one (Primary) device, it will sync to passive through the Heartbeat port at the same time. The cable ports of Passive device won't light except heartbeat port, so you don't need to worry about which one should host exchange public IP .

    Firewall will do failover within two conditions:

    1)When Monitor interface Failure.

    2)When Device service fails.

    I believe you do not hope failover happend when WAN1 ISP failure, you have WAN2 ISP after all.

    So please don't add WAN interface as the Monitor interface.

    (Note: HA pro only supprt above ATP/FLEX 500 series. )

    Thank you

  • RSaull
    RSaull Posts: 32  Freshman Member
    First Answer First Comment Friend Collector First Anniversary
    edited August 2023

    @mMontana

    I do not have any experience nor knowledge on HA solutions.

    Thanks?

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)