zGateway Cluster Overview
The zGateway high availability and load balancing feature keeps the zGateway service always on, uses the available hardware efficiently and provides the fault tolerance required to support a large number of remote users. The system enables thousands of remote users to access corporate services with maximum performance. In this document the high availability and load balancing system is referred to as the zGateway cluster.
UNDERSTANDING ZGATEWAY CLUSTER
The zGateway cluster is an active-active cluster: all nodes can handle user connections with load balancing, so the hardware is utilized to the maximum.
The zGateway cluster is accessed using a virtual IP address assigned to the active (master) Cluster Manager Node.
End users connect to the virtual IP address of the zGateway cluster. The Cluster Manager Node in the active role receives the user connection and redirects it to a zGateway node according to the selected load balancing algorithm. The routing of the TCP connections happens at the network level.
The zGateway cluster has the following components:
1. zGateway nodes, which handle user connections and provide the VPN function
2. Load balancer module, which balances user connections across the zGateway nodes
3. zGateway configuration database nodes, which store all user configuration and session information
4. zGateway management console, a web-based console for managing all zGateway configuration
5. zGateway Cluster configuration module, an add-on to the zGateway management console that is enabled when a zGateway Cluster is configured
FAILOVER FEATURES
A zGateway cluster requires a minimum of two hosts (nodes) and can have a maximum of 14 nodes. Two of the nodes run the zGateway cluster manager module, which runs in an Active-Passive configuration: at any time only one active cluster manager node exists in the cluster, and it receives all connections from end users. The zGateway cluster uses a virtual IP address to direct all connections to the Active Cluster Manager Node, and users connect to that virtual IP address. If there is a firewall in front of the zGateway cluster, port 443 on the firewall must be forwarded to the virtual IP address of the cluster.
The Cluster Manager Node continuously checks the health of the other nodes and redirects user connections to the zGateway nodes, which handle all connection crypto and VPN functions.
If the Active Cluster Manager Node fails, the standby Cluster Manager Node acquires the virtual IP address and starts receiving user connections.
If a zGateway node fails, the user connections to that node terminate. When the application reconnects, either through its own reconnect function or because the user initiates a reconnection, the Active Cluster Manager Node redirects the new connection request to the available, least loaded zGateway node. User session information is replicated across the cluster, so when any node fails, users are not required to re-authenticate with zGateway.
The following is the behavior of a user connection during a failover incident:
Failing Node | User Connection | User Re-Authentication |
Active Cluster Manager | No impact, delay of 6 seconds during failover | No re-authentication required |
Standby Cluster Manager | No impact, delay of 6 seconds during failover | No re-authentication required |
zGateway Node where user connection is terminated | Application connection dropped, reconnection to available zGateway | No re-authentication required |
LOAD BALANCING FEATURES
The Cluster Manager Node balances the user connection load across the zGateway nodes. The zGateway Cluster Manager supports the following load balancing algorithms:
1. Round robin (DEFAULT)
2. Weighted least-connections
3. Weighted round robin
4. Least connection
5. Locality based least-connection scheduling
6. Locality based least-connection scheduling (R)
7. Destination hash scheduling
8. Source hash scheduling
Only the following load balancing methods are recommended:
1. Round robin
2. Weighted least-connections
3. Weighted round robin
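The following is an added illustration, not zGateway's own code, of what the failover and load balancing sections above describe: a small model of the Cluster Manager Node choosing a zGateway node for each new connection arriving on the virtual IP, using the three recommended schedulers (round robin, weighted round robin, weighted least-connections), skipping any node that has failed the health check, and placing reconnecting clients on the least loaded surviving node. The node names (gw1, gw2, gw3), the weights and the connection counts are constructed sample values; the real product's internal scheduler implementation is not shown on this page.

```python
"""Added illustration, not zGateway's own code: a toy model of what the
Cluster Manager Node does with each new TCP connection arriving on the
virtual IP.  It implements the three recommended schedulers (round robin,
weighted round robin, weighted least-connections) and the failover
behaviour the text describes: a node that fails the health check gets
no new connections, and reconnecting clients land on the least loaded
surviving node.  Node names, weights and connection counts below are
constructed sample values."""

from dataclasses import dataclass


@dataclass
class GatewayNode:
    name: str
    weight: int = 1        # relative capacity, used by the weighted schedulers
    healthy: bool = True   # cleared when the health check detects a failure
    active: int = 0        # currently open user connections on this node


class ClusterManager:
    """Picks a backend zGateway node for every new user connection."""

    def __init__(self, nodes, algorithm="rr"):
        self.nodes = list(nodes)
        self.algorithm = algorithm
        self._turn = 0     # rotation counter for the round-robin variants

    def available(self):
        # Only nodes that pass the health check are eligible for new connections.
        return [n for n in self.nodes if n.healthy]

    def _round_robin(self, pool):
        node = pool[self._turn % len(pool)]
        self._turn += 1
        return node

    def _weighted_round_robin(self, pool):
        # Give each node `weight` slots in the rotation, so a weight-2 node
        # receives twice as many new connections as a weight-1 node.
        slots = [n for n in pool for _ in range(n.weight)]
        node = slots[self._turn % len(slots)]
        self._turn += 1
        return node

    def _weighted_least_connections(self, pool):
        # Lowest active-connections-per-unit-of-weight wins; ties go to the
        # node listed first.
        return min(pool, key=lambda n: n.active / n.weight)

    def assign(self):
        """Redirect one new connection and return the chosen node's name."""
        pool = self.available()
        if not pool:
            raise RuntimeError("no healthy zGateway node available")
        scheduler = {
            "rr": self._round_robin,
            "wrr": self._weighted_round_robin,
            "wlc": self._weighted_least_connections,
        }[self.algorithm]
        node = scheduler(pool)
        node.active += 1
        return node.name

    def node_failed(self, name):
        """Health check marks a node down: its open connections drop and it
        receives nothing new.  Returns the number of dropped connections, i.e.
        the clients that will have to reconnect through the VIP."""
        for node in self.nodes:
            if node.name == name:
                node.healthy = False
                dropped, node.active = node.active, 0
                return dropped
        raise KeyError(name)


def schedule(algorithm, weights, count):
    """Run `count` fresh connections through a new manager and return the
    sequence of chosen nodes, e.g. schedule("wrr", {"gw1": 1, "gw2": 2}, 3)."""
    manager = ClusterManager([GatewayNode(n, w) for n, w in weights.items()], algorithm)
    return [manager.assign() for _ in range(count)]


def simulate_failover():
    """Three nodes under wlc scheduling, six connections, then gw2 fails and
    every dropped client reconnects.  Returns (initial placement,
    dropped count, placement of the reconnections)."""
    nodes = [GatewayNode("gw1", 1), GatewayNode("gw2", 2), GatewayNode("gw3", 1)]
    manager = ClusterManager(nodes, "wlc")
    initial = [manager.assign() for _ in range(6)]
    dropped = manager.node_failed("gw2")
    reconnects = [manager.assign() for _ in range(dropped)]
    return initial, dropped, reconnects


if __name__ == "__main__":
    print("rr :", schedule("rr", {"gw1": 1, "gw2": 1, "gw3": 1}, 5))
    print("wrr:", schedule("wrr", {"gw1": 1, "gw2": 2, "gw3": 1}, 6))
    print("wlc failover:", simulate_failover())
```

Running the module shows why weighted least-connections is among the recommended methods: after gw2 drops its three connections, the reconnecting clients are spread over gw1 and gw3 by their current load rather than by position in the list, and no new connection is ever sent to the failed node. Re-authentication does not appear in the model because, as the page states, session state is replicated across the cluster and survives a node failure.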
NETWORK COMMUNICATION DETAILS
The following describes the network communication between the different cluster nodes. It is highly recommended to deploy all cluster nodes in a single subnet in the DMZ.
DEPLOYMENT OPTIONS
All zGateway components can run on a single host. Alternatively, the components can be divided into the following configuration:
1. zGateway Node: zGateway engine for handling user connections, and the zGateway management console
2. Cluster Manager Node (Cluster Node): load balancer module, zGateway configuration database and zGateway Cluster configuration module
The following cluster configurations are possible:
Configuration Type | Deployment Type | No. of Hosts | Cluster Manager Nodes | zGateway Node Count |
Standalone | No High Availability | 1 | 0 | 1 |
Pre-Cluster | Cluster ready for future | 1 | 1 | 1 |
Full Cluster-1 | Cluster with minimum hardware and shared services | 2 | 2 | 2 |
Full Cluster-2 | Growing cluster with partially shared services | 3 | 2 | 3 |
Full Cluster-3 | Deployment with dedicated hosts for different nodes | 4-14 | 2 | 2-12 |