Information regarding high availability / failover / Disaster recover on VIP EG
In an environment protected by Symantec Validation & ID Protection Service (VIP), connectivity is crucial for the communication between the enterprise applications and the VIP Authentication Service that is hosted in the cloud. Any disruption in this communication affects the ability to perform two-factor strong authentication and impacts business transactions VIP Enterprise Gateway and the components within it are all stateless. Therefore, your enterprise can achieve failover and redundancy simply by deploying two VIP Enterprise Gateway instances.
• Failover and redundancy for client applications
To prepare for failover and redundancy for client applications (such as VPN), configure the client(s) to connect to both VIP Enterprise Gateways in a round-robin fashion using RADIUS load balancing. For applications that use Symantec-provided integration plug-ins, consult the specific VIP Application Integration Guide for your application's load balancing and failover information.
• Failover and redundancy for VIP Manager and Self Service Portal IDP
Since the IDP residing on VIP Enterprise Gateway are web applications, we recommend that you place a load balancer in front of each VIP Enterprise Gateway. Recommendation and example for High availability is available in VIP_Enterprise_Authentication_Deployment_Guide.pdf (available at VIP Manager > Account > Download Files > General Documentation)
The Automatic Business Continuity feature in Enterprise Gateway enables Validation Servers to detect loss of connectivity to the VIP Authentication Service and switch to the Business Continuity mode automatically. In the Business Continuity mode, Validation Servers use only the first factor authentication. After the connectivity is restored, Validation Servers switch back to the two-factor authentication without human intervention.
• The following are some of the typical connectivity issues that the Business Continuity feature in the Automatic mode detects:
- VIP User web services host or port unreachable
- Enterprise HTTP proxy access issues
- VIP certificate has expired
• The term connectivity in this topic stands for the connectivity between VIP Enterprise Gateway and the Symantec hosted VIP service. This does not include the connectivity between VIP Enterprise Gateway and User Store or the connectivity between an enterprise application (such as a VPN) and the VIP Enterprise Gateway.
• Note: If the VIP Enterprise Gateway host is connected to the VIP user services thorough an HTTP proxy server, a delay can occur in detecting the connectivity issues. This will impact the timely switching between the normal and the Business Continuity modes.
• Instruction on how to configure Automatic Business Continuity available in the VIP Enterprise Gateway configuration is in the VIP installation and configuration guide (available at VIP Manager > Account > Download Files > Enterprise Gateway > X.X (select a version) > VIPEGXXInstallAndConfig.pdf > Configuring Automatic Business Continuity
Sample Use Case 1: Supporting Load-balancing and Failover
Before you configure LDAP Directory Synchronization Service on multiple VIP Enterprise Gateway servers, you must ensure that the User Stores for these servers are configured identically. Also, the User Stores on all the VIP Enterprise Gateway servers must be arranged in the same order. Ideally, you can configure the User Stores on a VIP Enterprise Gateway server, export its configuration settings, and import them on the other servers.
To achieve load-balancing, you must ensure that the synchronization schedules of these VIP Enterprise Gateway servers are distinct and at least three hours apart. Three hours is the window period for a synchronization schedule beyond which a synchronization task will not last. No other instance can run within this window period if that instance is part of the same Synchronization Cluster.
To achieve failover, you must configure the synchronization schedules of the LDAP Directory Synchronization Service instances within the window period of three hours.
In such cases, only one instance of LDAP Directory Synchronization service can synchronize the users. At the beginning of its synchronization schedule, the other instances of LDAP Directory Synchronization service verify the following:
> Whether an LDAP synchronization is in progress.
> Whether an LDAP Synchronization instance has started within the past three hours.
If either of these conditions are met, the LDAP Synchronization Service aborts the scheduled LDAP synchronization and waits for the next interval.