active/passive broadband connections to maintain various IT services

  • Question

  • Plan to buy a firewall that supports active and passive internet connections: when the active internet connection goes down, it will fail over to the passive internet connection automatically, and when the active internet connection comes back, it will roll back to the active internet connection automatically.  Found a SonicWall that should be able to do this already.

    Public IP, default gateway and DNS are different for the active and passive internet connections, so when failing over or rolling back, they will change as well.

    IT services to maintain when the active internet connection is down are:
    - office internet access
    - email service provided by exchange 2007
    - internal/external web-based erp service provided by apache tomcat

    office internet access
    - achieved by adding the passive internet connection's DNS to the Windows DNS forwarder

    email service provided by exchange 2007
    - SMTP achieved by an additional MX record with the passive internet connection's public IP and a larger preference number (lower priority)
    - http://en.wikipedia.org/wiki/MX_record#MX_preference.2C_distance.2C_and_priority

    internal/external web-based erp service provided by apache tomcat
    - by an additional A record with the passive internet connection's public IP for Apache Tomcat
    - http://en.wikipedia.org/wiki/Round_robin_DNS

    Any comments?

    Any idea what needs to be done to maintain Outlook Anywhere and Outlook Web Access?  Just an additional A record as well?

    Thx a lot!

    Wednesday, June 29, 2011 5:51 AM

Answers

  • 1. Your MX idea will work.

    2. OA/OWA - Either you need to load balance the connections.

    3. Or when the failure occurs with your firewalls, you can change the A record to the passive firewall.  This will be a manual task.  However, you will need to have a good internal process for this to work, i.e. you will have to have monitoring in place to know when the active firewall has gone down, then you will have to change your A record to point to the passive firewall (also, you will need to make sure the TTL is low so it can change quickly).  Again, with the automatic failback to the primary (original active), you will have to make this change again.

    4. Maybe an automatic failover of the active to passive is enough: change the A record, then when it's convenient fail back and do the DNS change. Otherwise, this auto failover and failback (firewall) is going to cause issues and outages. What might be better is if you can cluster your firewalls at the primary site and have a redundant internet connection.

    5. Then only in a site DR will you have to perform the A record changes, which is more unlikely (a site failure) compared to a component (firewall/internet connection).


    Sukh
    • Marked as answer by Gavin-Zhang Friday, July 8, 2011 6:42 AM
    Wednesday, June 29, 2011 3:48 PM

All replies

  • You can't just add additional A records for your ERP web site or Outlook Anywhere\OWA if you're doing active\passive connections. When you have additional A records it will be load balanced, so some people might resolve to the passive connection and fail since it's not up. If you're doing load balancing on the connections you should be OK; if not, then you need to contact SonicWall to see if the product incorporates some sort of DNS intelligence to handle fast propagation and updating of records.
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Wednesday, June 29, 2011 2:53 PM
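The behaviour behind the question's MX plan, James's round-robin objection and Sukh's low-TTL advice, simulated as an added example that is not part of the thread or any poster's code. The IP addresses (RFC 5737 documentation ranges), host names and TTL figures are constructed; the client models are deliberately simple (an SMTP sender walks the MX list by preference, a plain HTTP client takes one address and does not retry, a caching resolver honours TTL).

```python
"""Added example (not from the thread): how SMTP senders and web clients
behave against the DNS records proposed above, and how the A-record TTL
bounds the stale window after a manual cutover."""
import random
from dataclasses import dataclass

# Constructed addresses, one per broadband connection (RFC 5737 documentation
# ranges, not real hosts). Host names are hypothetical.
ACTIVE_IP = "192.0.2.10"
PASSIVE_IP = "198.51.100.10"

# (preference, host, address): lower preference is tried first.
MX_RECORDS = [
    (10, "mail-active.example.com", ACTIVE_IP),
    (20, "mail-passive.example.com", PASSIVE_IP),
]
# Two A records for the same name: round-robin, no preference at all.
A_RECORDS = [ACTIVE_IP, PASSIVE_IP]


def deliver_smtp(mx_records, reachable):
    """RFC 5321 sender: try MX targets in ascending preference order and
    settle on the first one that accepts a connection. Returns None only
    when every MX target is down."""
    for _pref, _host, ip in sorted(mx_records, key=lambda r: r[0]):
        if ip in reachable:
            return ip
    return None


def browse_round_robin(a_records, reachable, rng):
    """Plain HTTP client: the resolver rotates the answer set, the client
    connects to the first address and does not try another one. Landing on
    the dead connection is a failed page load."""
    ip = rng.choice(a_records)
    return ip if ip in reachable else None


def round_robin_failure_rate(reachable, trials=10_000, seed=1):
    """Fraction of page loads that fail when one of two A records is dead."""
    rng = random.Random(seed)
    failures = sum(
        browse_round_robin(A_RECORDS, reachable, rng) is None for _ in range(trials)
    )
    return failures / trials


@dataclass
class CachedAnswer:
    ip: str
    expires_at: int


class StubResolver:
    """Caching resolver: keeps an answer until the TTL it was fetched with expires."""

    def __init__(self, zone):
        self.zone = zone   # name -> (ip, ttl); the operator edits this on cutover
        self.cache = {}

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and hit.expires_at > now:
            return hit.ip
        ip, ttl = self.zone[name]
        self.cache[name] = CachedAnswer(ip, now + ttl)
        return ip


def stale_seconds_after_cutover(ttl, cutover_at=10):
    """Manual A-record cutover (the answer's option 3): a client that cached
    the active address just before the failure keeps using it until its TTL
    runs out. Returns how many seconds that client stays on the dead address."""
    name = "owa.example.com"                  # hypothetical OWA / Outlook Anywhere name
    resolver = StubResolver({name: (ACTIVE_IP, ttl)})
    resolver.resolve(name, now=0)             # client caches the active address
    resolver.zone[name] = (PASSIVE_IP, ttl)   # operator repoints the A record
    stale, t = 0, cutover_at
    while resolver.resolve(name, now=t) != PASSIVE_IP:
        stale += 1
        t += 1
    return stale


if __name__ == "__main__":
    print("SMTP with active link down ->", deliver_smtp(MX_RECORDS, {PASSIVE_IP}))
    print("Round-robin A with active link down, failed loads:",
          round_robin_failure_rate({PASSIVE_IP}))
    for ttl in (3600, 300, 60):
        print(f"A-record TTL {ttl}s -> up to {stale_seconds_after_cutover(ttl)}s stale")
```

Run it as-is: mail still arrives with only the passive MX reachable, roughly half of round-robin page loads fail while the active link is down, and after a manual A-record change a client stays stale for up to (TTL minus the time since its last lookup) seconds, which is why the answer insists on a low TTL and on monitoring that triggers the change promptly.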