Deploying Policy Manager Clusters

A cluster is a logical connection of any combination of Policy Manager hardware or virtual appliances. This section of the deployment guide provides guidance on how to design and deploy Policy Manager clusters, how to complete major tasks such as adding a Subscriber server and deploying a standby Publisher, and how to rejoin a down server to the cluster. Finally, the set of cluster-specific CLI (Command-Line Interface) commands is included.

Policy Manager Cluster Overview

Policy Manager can be deployed either as a dedicated hardware appliance or a virtual machine running on top of VMware vSphere Hypervisor or Microsoft Hyper-V.

When demand exceeds the capacity of a single instance, or you have a requirement for a High Availability deployment, you have the option of logically joining multiple instances to process the workload from the network. You can logically join physical and virtual instances, and also join Policy Manager instances that are dissimilar in size. However, careful planning is required, especially if you plan to use the failover capabilities of the clustering feature. The cluster feature provides shared configuration and databases. However, it does not provide a virtual IP address for the cluster, so failover/redundancy for the Guest captive portal relies on DNS (Domain Name System) lookup or load balancing, and RADIUS (Remote Authentication Dial-In User Service) clients must define a primary and a backup RADIUS server.

Authentication Requests in a Cluster

The typical use case for Policy Manager is to process authentication requests using the policy framework. The policy framework is a set of services that process authentication requests; it also determines the authentication, authorization, posture, enforcement, and role of the endpoint or end-user.

In the context of cluster operations, authentication typically involves a read-only operation from the configuration database. A cluster server receives an authentication request, determines the appropriate policies to apply, and responds appropriately. This does not require a configuration change, and can therefore be scaled across the entire cluster.


Authentication is performed from the server itself to the configured identity store, whether locally (as synchronized by the Publisher; for example, a Guest account) or externally, such as with Microsoft Active Directory.

Logs relevant to each authentication request are recorded separately on each server, using that server’s log database. Centralized reporting is handled by generating a Netevent from the server, which is sent to all Insight servers and recorded in the Insight database (for related information, see Deploying Policy Manager Insight in a Cluster).

Policy Manager Databases

Each Policy Manager server makes use of the following databases:

Configuration database. Contains most of the editable entries that can be seen in the Policy Manager user interface. This includes, but is not limited to:

Administrative user accounts

Local user accounts

Service definitions

Role definitions

Enforcement policies and profiles

Network access devices

Guest accounts

Onboard certificates

Most of the configuration shown within Guest and Onboard

Log database. Contains activity logs generated by typical usage of the system. This includes information shown in Access Tracker and the Event Viewer.

Insight database. Records historical information generated by the Netevents framework. This database is used to generate reports (for related information, see Deploying Policy Manager Insight in a Cluster).

Publisher/Subscriber Model

Policy Manager uses a Publisher/Subscriber model to provide multiple-box clustering. Another term for this model is hub and spoke, where the hub corresponds to the Publisher, and the spokes correspond to the Subscribers.

Figure 1  Publisher and Subscribers in Hub and Spoke Configuration


The Publisher server functions as the master controller in a cluster. The Publisher is your central point of configuration, monitoring, and reporting. It is also the central point of database replication. All the databases are managed through the Publisher.

There is at most one active Publisher in this model, and a potentially unlimited number of Subscribers.

The Publisher server has full read/write access to the configuration database. All configuration changes must be made on the Publisher. The Publisher server sends configuration changes to each Subscriber server.

The Subscriber servers are worker servers. All the AAA (Authentication, Authorization, and Accounting) load, all RADIUS requests, and all policy decisions are handled on the Subscriber servers.

Each Subscriber server maintains a local copy of the configuration database, to which it has read-only access.

Network Address Translation (NAT) is not supported between the Publisher and Subscriber servers.

What Information Is Replicated?

A background replication process handles the task of updating the configuration database based on the configuration changes received from the Publisher.

Multiple entities exist within a Policy Manager server cluster that must be shared to ensure successful operation of the cluster. Only the configuration database is replicated.


The Log and Insight databases are not replicated across the cluster.

However, certain elements are server-specific and must be configured separately for each server; you can do this either from the Publisher or on each Subscriber server individually.

Elements Replicated

Cluster replication is delta-based; that is, only changed information is replicated.

The cluster elements that are replicated across all the servers in the cluster are as follows:

All policy configuration elements

All audit data

All identity store data

Guest accounts, endpoints, and profile data

Runtime information

Authorization status, posture status, and roles

Connectivity information and NAS (Network Access Server) details

Database replication on port 5432 over SSL (Secure Sockets Layer)

Runtime replication on port 443 over SSL

Elements Not Replicated

The following elements are not replicated:

Access Tracker logs and Session logs

Authentication records

Accounting records

System events (Event Viewer data)

System monitoring data

Network Ports That Must Be Enabled

Table 1 lists the network ports that must be opened between the Publisher and the Subscriber servers.

Table 1: Network Ports to Be Enabled

Port   Protocol   Description
80     HTTP       Internal proxy
123    UDP        NTP: Time synchronization
443    TCP        HTTPS: Internal proxy and server-to-server service
5432   TCP        PostgreSQL: Database replication

Because any Subscriber server can be promoted to be the Publisher server, all port/protocol combinations listed in Table 1 should be:

Bidirectional

Open between any two servers in the cluster
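As an added example (not from the deployment guide), the following Python script enumerates the Table 1 port matrix for a set of cluster members and probes the TCP ports outbound from the host it runs on; the member host names are constructed. Because the probe only covers one direction from the local host, run it on each member in turn to cover both directions of every pair; UDP 123 (NTP) cannot be verified by a TCP connect and is reported as unverified rather than passed.

```python
"""Probe the Publisher/Subscriber ports from Table 1 between cluster members."""
import socket
from itertools import permutations

# Port, protocol, description, as listed in Table 1 of the guide.
REQUIRED_PORTS = (
    (80, "tcp", "HTTP: Internal proxy"),
    (123, "udp", "NTP: Time synchronization"),
    (443, "tcp", "HTTPS: Internal proxy and server-to-server service"),
    (5432, "tcp", "PostgreSQL: Database replication"),
)


def required_flows(members):
    """Every ordered pair of members, for every port in REQUIRED_PORTS.

    Ordered pairs express the 'bidirectional' requirement: any Subscriber
    may later be promoted to Publisher, so A->B and B->A must both be open.
    """
    return [(src, dst, port, proto, desc)
            for src, dst in permutations(members, 2)
            for port, proto, desc in REQUIRED_PORTS]


def tcp_probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_from(local, members, probe=tcp_probe):
    """Probe the outbound TCP flows from `local` to every other member.

    Run this on each member in turn to cover both directions of every pair.
    UDP 123 cannot be verified with connect(), so it is returned as
    unverified rather than silently passed.  Returns (blocked, unverified).
    """
    blocked, unverified = [], []
    for src, dst, port, proto, desc in required_flows(members):
        if src != local:
            continue
        if proto != "tcp":
            unverified.append((dst, port, desc))
        elif not probe(dst, port):
            blocked.append((dst, port, desc))
    return blocked, unverified
```

Call check_from("<this member's name>", [all member names]) on each appliance; any tuple in the blocked list is a pairwise firewall gap that would break replication or promotion.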

Cluster Scaling Limitations

Due to the design requirements of the cluster Publisher/Subscriber model, various Policy Manager components scale differently (see Table 2).

Table 2: Policy Manager Cluster Scaling Limitations

Authentication capacity: Scales linearly according to the number of Subscriber servers. Add more servers as necessary to provide additional capacity to service authentication requests.

Configuration changes (Guest/Onboard): These configuration changes do not scale with additional servers because they are centralized. This requires that the Publisher be scaled to support write traffic from the maximum number of Subscribers that would be active concurrently.

Configuration changes (Policy Manager): Because the total size of the configuration set is bounded, these configuration changes are assumed to be infrequent and therefore not a significant limit to scaling.

Insight reports: Because this function is centralized, reporting does not scale with additional servers. Use a separate Insight server sufficient to handle the incoming Netevents traffic from all servers in the cluster. In a very large-scale deployment, the Publisher server should not be used as the Insight reporting server.

Logging capacity: Scales linearly according to the number of Subscriber servers, as each server handles its own logging operations.

Replication load on Publisher: Scales linearly according to the number of Subscriber servers. The replication is efficient because only changed information is sent.