When you have two or more Symantec Encryption Management Servers (SEMS, AKA PGP Server, or PGP Encryption Server) operating in your organization, you can configure them to synchronize data with each other; this configuration is called a cluster.
Servers in a cluster can all keep data replicated from the other servers in the cluster such as users, keys, managed domains, and policies etc.
For those servers running Web Email Protection, this data can all be replicated to each cluster node with the proper configuration.
Data is replicated in a cluster and is useful in the event that one server goes down. The PGP server does not automatically redirect traffic to the other nodes if this happens, and should be done instead using load balancing. For information on Load Balancers with the PGP server, see the following article:
156803 - Using DNS Round Robin and Load Balancers and Reverse Proxies with Encryption Management Server
Important Note: If your PGP Server backup is larger than 5GBs, there is a "Manual Join" process that will work better for cluster joins. Reach out to Symantec Encryption Support to see if this option may be advisable. The advantage of the "Manual Join" process is all data will be dumped into a single file, and that can immediately be merged to the "Joiner" server, making fast work of data that would normally replicate "over the wire".
You can begin creating a cluster as soon as you have a single PGP Server installed and running on your network. Use the following steps to add a new server as a PGP Server cluster member.
In a clustering configuration, you have a "Sponsor" and a "Joiner" server.
The port being used is 444 and this port must be open to all nodes in the cluster. For example, if you have 3 server nodes, "keys1", "keys2", and "keys3", then the keys1 host must be able to communicate on port 444 to keys2 and keys3 on port 444. Keys2 must be able to communicate with keys1 and keys3 on port 444. Keys3 must be able to communicate to keys1 and keys2 on port 444. If port 444 is blocked from any cluster nodes, then replication "Backlog" can occur, which will use up hard disk space, and depending on the size of the database, could result in critical issues, so make sure port 444 is open.
The Sponsor server is the node that already has all the data.
The Joiner server is the node you wish to add to the cluster, and will be provided with all applicable replication data from the Sponsor server.
Once each node is joined to the cluster, typically all data is replicated/synchronized to each clusters. There are two methods to join PGP servers to the cluster:
Method 1: Install the PGP server as "New Installation" and then Join (Recommended).
The reason "New Installation" is the preferred method is because you can install the PGP server from scratch, and actually login to the server.
You can setup SSH access to aid in the clustering troubleshooting process if necessary and this gives you better insight into the cluster join process.
If you would like to configure SSH access proactively to be able to use, see the following article:
TIP: In order for clustering to work, you want to make sure port 444 is open both directions from each cluster node.
As an example, if you have two nodes "server1.domain.dom" and "server2.domain.dom", to test this is working, you can run the following command:
Run the following command on Server2 to test connectivity to server1:
telnet server1.domain.dom 444
Run the following command on Server1 to test connectivity to server2:
telnet server2.domain.dom 444
The telnet connection should succeed immediately. If there is any lag, this likely means you can't connect.
If the session does connect, to get out of the session, type the following key combination:
ctrl + ]
Then type "quit"
Step 1: Login to the Sponsor and Joiner servers and click on the System/Clustering Tab.
Step 2: On the Sponsor server, you will click "Add Cluster Member".
Note: You only need to use the DMZ mode if your server is in the DMZ and you do not want to replicate keypairs. If you're in doubt, please reach out to Symantec Encryption support for guidance.
You will then add the IP address or Hostname/FQDN of the "Joiner" server. To use the "hostname", you must make sure DNS is working properly and resolves both forward and reverse.
Once you have added the proper information, you will click Save" and an entry will be saved in the shelf under the Clustering tab (You will come back here after adding an entry on the Joiner server to complete the process).
Step 3: On the Joiner server, click "Join Cluster", and enter the Hostname/IP address of the Sponsor server.
Step 4: Once you have added both of these entries, go back to the Sponsor server and click "Contact".
The Sponsor and the Joiner will now establish a connection and all the data that is clustered will now be replicated from the Sponsor server to the Joiner Server.
Step 5: It may take a few minutes/hours to replicate all data depending on how much data is there, and when it's complete, go the Consumers tab and validate that everything was replicated.
You'll also see Groups replicate and Consumer Policies. This should complete the join process.
Method 2: Do a fresh installation of the PGP server and choose "Cluster" as the install option. Follow the steps below for this method.
This method is useful if you have done an installation, but does not give you access to SSH or other visibility into the clustering if you need to do further troubleshooting.
Method 1 is better to be able to troubleshoot if needed.
1. Install the joining server using the PGP Server installation ISO. For more information on how this is done, see the following article:
157080 - Pictured Installation Guide for Symantec Encryption Management Server
2. After initial setup is complete and the joining server reboots, connect to the server through a browser interface at https://<hostname>:9000 or https://<IP address>:9000 to complete the administration setup.
3. Click the Forward arrow and read the license agreement.
4. Scroll down and then click I Agree.
5. On the Setup Type screen, you will see the option to use Cluster Member. This option typically works, but we recommend you use "New Installation" instead and proceed with the setup first.
Once the server is completed as a new installation, you can join. We recommend taking a snapshot of the server before you join the cluster, so if something goes wrong during the join, you can simply revert back and won't need to go through the installation again.
If you want to use the "Cluster" install method, select this option and go next.
6. Set the date and time for the server and click the Forward arrow.
7. Confirm the Network Setup for the server and click the Forward arrow.
8. Enter information for a proxy server or click Skip.
9. Click Done.
10. On the sponsoring PGP Server, go to System > Clustering in the administrative interface and click Add Cluster Member.
11. Enter the hostname/IP address for the joining cluster member server and then click Save.
|Note: If private keys should be replicated to the joining server, leave the Host private keys for Internal Users option checked. Uncheck the option if private keys should NOT be replicated to this server.
If the joining server is located in your corporate DMZ, check This server is located in the DMZ.
12. After the joining cluster server restarts, enter the license information for the server and then click the Forward arrow.
13. Type the hostname or IP address of the sponsoring cluster server and click the Forward arrow.
14. Click Done.
15. Once the joining server is restarted, switch to the admin interface of the sponsor server and click System > Clustering.
16. Next to the joining server, click Contact. The sponsoring server completes the clustering process and replicates its data to the new joining server.
The Contact function assumes that the joining server has already requested to join the cluster, specifying the IP address or hostname of the server from which you did the Add Cluster Member request (the sponsoring server).
Note: In order for the sponsoring server to successfully contact the joining server, the hostname and IP address of the joining server must be resolvable via DNS. If not, the sponsoring server will not be able to contact the joiner, and the join will not succeed.
Note: In order for the sponsoring server to accept the connection from the joining server they must agree on the current time.
Note: If the version of the joining server does not match that of the sponsor, clustering will fail.
Scenario 1: We have a single server and would like to add another server to create a cluster.
Answer: For this example, the two cluster nodes are Server1, and Server2. Server1 is the server that has all the data. Server2 is the server that you are using to join to Server1. The end result will be that Server2 will then have all the data from Server1.
Once Server2 joins the cluster in Server1, all the users and key data will then be replicated to Server2.
Scenario 2: We have two servers called Server1 and Server2 that are currently clustered and we would like to add another server to the cluster
Answer: For this example, the two cluster nodes are Server1, and Server2. Because Server 1 and 2 are clustered, they share the same data, such as Key data or User data. Once servers are clustered, they are all technically "sponsor" servers, where they sponsor all the data to other nodes.
If you would like to add another server to the cluster, the new server would be called a "Joiner" server. The Joiner server will join the cluster and attach to the cluster via one of the sponsor servers.
In this example, we have a joiner server called Server3. If you join Server3 to the cluster of Server 1 and 2, all the data on Server 3 will be wiped out, and all the data on Server 1 and 2 will then be replicated to Server 3. Once the join operation is complete, Servers 1, 2, and 3 will all have the same data, such as User and Key data.
Important Note: The thing to be concerned about here is if the data on Server3 is needed, then you cannot join Server3 to any other cluster, because Joiner servers will get their data wiped out.
Scenario 3: We have two servers that are currently part of a cluster, and another server that is its own server and not joined to any other cluster. We need to have the data on both of these setups, but would like to merge all the data to one cluster.
Answer: If you have data from two separate environments and you need the data from both environments, you cannot join any of these servers to any other clusters. The act of joining a server to a cluster will wipe out all of its local data, such as the User data or Key data. As a result, these two environments must operate independently and on their own.
Scenario 4: If I join a server we've been using for a while to a new cluster, do I need to clean up any of the data therein?
As described in the scenarios above, when a "Joiner" server is added to a cluster, the unique data it houses, such as User data or Key data, are deleted.
Going off of the example in Scenario 1 above, specific data that is clustered is what gets wiped out when you join a cluster. For example, PGP key data, or User data. If you have Server1, and Server2 in an existing cluster, then both Server1 and Server2 will have the same key data. User1 and Key1 will exist on the cluster for both Server1 and Server2.
Now, if you have Server3 that is not part of any other cluster, and has its own unique User and Key data and you would like to join that server to another cluster such as the cluster for Server1 and Server2, the data will be wiped off of Server3.
For example, we'll say Server3 has a user called "UserX" and KeyX, then when Server3 joins the cluster for Server1 and Server2, UserX will get deleted from Server3 as well as KeyX. Also, Server 1, 2 and 3 will now have User1 and Key1 from the original cluster. It's all about which server is the joiner. Joiner Servers will always lose this type of data when you join the cluster.
There is some data that is unique to the server, such as IP Addresses for interfaces, Mail Routes, or Mail Proxies, but other data, such as User data, or Key data is stuff that gets replicated.
Scenario 5: My server is very slow, and I can't join--is there another way to join the cluster?
There is a "Manual" method that we can use to join a cluster that is very slow due to system resources not being sufficient (testing servers may not have proper minimum system requirements).
First, try changing the MTU size to 1396 for the Network Interface of all cluster nodes. If this does not work still and network connectivity is good, reach out to Symantec Encryption Support for further guidance.
Ensure that all of the Environmental Requirements for PGP Universal Clusters are met. For more information on this topic, see the following article:
154069 - Best Practices: Environmental Requirements for Symantec Encryption Management Server clustering (AKA PGP Server)
For more information on Clustering, see the following article:
154069 - Best Practices: Environmental Requirements for Symantec Encryption Management Server clustering (AKA PGP Server)
153721 - Creating a Cluster with Symantec Encryption Management Server
163930 - Using the Manual Join Process when the PGP Server backups are large (larger than 5GBs)
153476 - How many PGP Servers are supported in a cluster (Symantec Encryption Management Server)?
153412 - Troubleshooting: Symantec Encryption Management Server Clustering
222372 - Encryption Management Server clustering and replication uses network Interface 1
EPG-26963 - Cluster Status shows mail enabled.