Deploy High Availability for Explicit Proxy
Netskope provides support to ensure high availability of Dataplane On-Premises appliances that are running in explicit proxy mode. The high availability deployment requires at least two appliances, primary and backup configured in a cluster in active-passive mode. When high availability is enabled, the primary appliance is active and the backup appliance is on standby. The primary appliance receives requests from client machines to serve as a proxy server for the cloud and web application domains managed by Netskope. A health check service running on the appliance, monitors the health of the appliance at regular intervals. In case of a failure, the status of the appliance is changed from HEALTHY
to FAULT
.
Netskope assigns a priority value to appliances in a cluster. The appliance priority determines the order in which an appliance goes from being a backup to primary during a failover.
IP Assignment at the Inbound
The appliance receives client traffic at the inbound interface. The inbound interfaces of appliances that are configured in a high availability cluster have an assigned interface IP and a shared set of virtual IP addresses. The virtual IPs are assigned to a primary appliance. During a failover, the failed primary appliance releases the virtual IPs so they can be reassigned to the next active appliance.
The lowest IP address from the set of IP addresses of an inbound interface is assigned as the interface IP of an appliance.
If the inbound interface of an appliance is set to:
172.16.1.12-172.16.1.60,172.16.1.64,172.16.1.10,172.16.1.65-172.16.1.125
Then, the lowest IP, 172.16.1.10 is assigned as the interface IP of the appliance.
The following virtual IPs are assigned to an active primary appliance.
172.16.1.12-172.16.1.60,172.16.1.64,172.16.1.65-172.16.1.125
Note
All appliances in a cluster must have the same virtual IP addresses and a unique interface IP address assigned at the inbound interface.
Failover Scenarios
If the primary appliance fails, a backup appliance is chosen based on the appliance priority and becomes active. All client requests will be sent to this appliance. When the primary appliance is restored, it goes into standby.
If both the primary and backup fail, then the first appliance to be restored becomes the active appliance.
If backup appliance fails while on standby, then the primary appliance receives an alert from the backup appliance stating that the high availability mode is not available.
During a failover, if the available appliances in standby have the same priority value, then the first appliance to startup successfully becomes active.
Prerequisites
Before configuring appliances in active-passive mode, plan the allocation of IP addresses.
Ensure that you have two or more IP addresses to configure the inbound interface.
Depending on the number of appliances to be configured in your high availability deployment, reserve the same number of IP addresses for the interface IP. These IP addresses must be the lowest IPs in your set.
For example, if you deploy high availability with two appliances, reserve the two lowest IP addresses from your set of IP addresses for the interface IP of each appliance.
Ensure that the following do not use the lowest IP address,
proxy-listener-ip: set dataplane proxy-listener-ip <IP address>
pac-server-ip: set dataplane pac-server listener-ip <IP address>
ad-connector listener-ip: set ad-connector listener-ip <IP address>
Configure Appliances in Active-Passive Mode
Appliances can function reliably with minimum down-time when they are configured in a high availability cluster. Follow these steps to configure the Dataplane On-Premises appliances in active-passive mode.
Note
Before you begin, ensure that the appliances are configured to run in explicit proxy mode. For more information see, Configure the Appliance in Explicit Proxy Mode.
At the Netskope shell prompt, enter
configure
to go to configuration mode.Assign the interface IP and virtual IPs at the inbound interface of the appliance. Refer to the Prerequisites section before assigning interface IPs.
set interface inbound ip <interface-ip-address,virtual-ip-addresses without space>
For example, on DPoP1, run:
set interface inbound ip 172.16.1.64,172.16.1.65-172.16.1.125,172.16.1.10,172.16.1.12-172.16.1.60
For example, on DPoP2, run:
set interface inbound ip 172.16.1.12-172.16.1.60,172.16.1.64,172.16.1.65-172.16.1.125,172.16.1.11
Warning
This command will override the previous inbound interface IP configurations on the appliances.
Optionally, set the virtual router id of the cluster to which the appliance should be assigned. By default, Netskope assigns a virtual router id of 16 to all appliances in a cluster when high availability is enabled.
set dataplane ha mode active-passive vrid <integer value>
Note
All appliances in a cluster must have the same virtual router id.
Enable high availability in active-passive mode.
set dataplane ha mode active-passive enable true
Enable the explicit proxy mode on the appliance.
set dataplane proxy-listener-ip <virtual-ip-address>
For example,
set dataplane proxy-listener-ip 172.16.1.20
For information on configuring the proxy-listener-ip and pac-server-ip, see Configure the Appliance in Explicit Proxy Mode.
For information on configuring the ad-connector listener-ip, see .
Enter
save
to save the configuration.
View Configuration
To view your configuration, in operation mode enter:
show dataplane ha environment
Health check plugins are signals from the appliance services that provide the overall health of the appliance. The following health check plugins monitor the health of services and are enabled by default.
forward-proxy
tssfastscan
internet
To disable a health check plugin, in CLI's configuration mode, run:
set dataplane ha mode active-passive health-check-plugin <health check plugin> enable false
save
Manual Failover
When configuration changes are made on the primary appliance, a manual failover can be performed to ensure that services are not disrupted. Manual failover is only possible when a healthy backup appliance is available.
In operation mode, run:
request dataplane ha manual-failover
If this command is run without an available healthy backup appliance, then the current primary appliance on which the command is run will continue to be the primary.