How to configure Management HA when the Primary and Secondary Management servers are on separate networks?
Solution

When the Secondary Management server is on a remote network, it may fail to synchronize with the Primary Management server.
This is usually caused by incorrect or incomplete NAT configuration (for the IP addresses of the Management servers) on the Security Gateways that protect these Management servers.

Follow these steps in SmartDashboard:

  1. Object of the Primary Management server (e.g., 'MGMT_Pri') - Properties - 'General' tab - the 'IP address' field has to contain the real (internal) IP address of the machine.

  2. Object of the Secondary Management server (e.g., 'MGMT_Sec') - Properties - 'General' tab - the 'IP address' field has to contain the real (internal) IP address of the machine.

  3. Object of the Security Gateway that protects the Primary Management server (e.g., 'FW_MGMT_Pri') - Properties - 'General' tab - the 'IP address' field has to contain the real (external) IP address of the machine (the address that is reachable from outside the network).

  4. Object of the Security Gateway that protects the Secondary Management server (e.g., 'FW_MGMT_Sec') - Properties - 'General' tab - the 'IP address' field has to contain the real (external) IP address of the machine (the address that is reachable from outside the network).

  5. Create a 'Node' object that represents the NATed (external) IP address of the Primary Management server - 'Manage' menu - 'Network Objects...' - 'New...' - 'Node' - 'Host' - give it a name (e.g., 'MGMT_Pri_External_IP') and assign the NATed (external) IP address.

  6. Create a 'Node' object that represents the NATed (external) IP address of the Secondary Management server - 'Manage' menu - 'Network Objects...' - 'New...' - 'Node' - 'Host' - give it a name (e.g., 'MGMT_Sec_External_IP') and assign the NATed (external) IP address.

  7. Object of the Primary Management server (e.g., 'MGMT_Pri') - Properties - 'NAT' tab:

    1. check the box 'Add Automatic Address Translation rules'
    2. in 'Translation method' choose 'Static'
    3. in 'Translate to IP address' enter the NATed (external) IP address of the Primary Management server (IP address that was assigned to object 'MGMT_Pri_External_IP')
    4. in 'Install on Gateway' choose Security Gateway, which protects the Primary Management server (e.g., 'FW_MGMT_Pri')
    5. do not check the box 'Apply to Security Gateway control connections'


    The resulting Automatic NAT rules:

    | No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service | Install On  |
    |-----|-----------------|----------------------|------------------|-------------------|------------------------|--------------------|-------------|
    | 1   | MGMT_Pri        | Any                  | Any              | (S)MGMT_Pri       | = Original             | = Original         | FW_MGMT_Pri |
    | 2   | Any             | MGMT_Pri             | Any              | = Original        | (S)MGMT_Pri            | = Original         | FW_MGMT_Pri |

    where
    • MGMT_Pri - represents the real (internal) IP address of the Primary Management server
    • (S)MGMT_Pri - represents the NATed (external) IP address of the Primary Management server
    • FW_MGMT_Pri - represents the Security Gateway that protects the Primary Management server


  8. Object of the Secondary Management server (e.g., 'MGMT_Sec') - Properties - 'NAT' tab:

    1. check the box 'Add Automatic Address Translation rules'
    2. in 'Translation method' choose 'Static'
    3. in 'Translate to IP address' enter the NATed (external) IP address of the Secondary Management server (IP address that was assigned to object 'MGMT_Sec_External_IP')
    4. in 'Install on Gateway' choose Security Gateway, which protects the Secondary Management server (e.g., 'FW_MGMT_Sec')
    5. do not check the box 'Apply to Security Gateway control connections'


    The resulting Automatic NAT rules (rules 1 and 2 are the Primary Management server rules from step 7):

    | No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service | Install On  |
    |-----|-----------------|----------------------|------------------|-------------------|------------------------|--------------------|-------------|
    | 1   | Automatic NAT rule (outgoing) for Primary Management Server |  |  |  |  |  |  |
    | 2   | Automatic NAT rule (incoming) for Primary Management Server |  |  |  |  |  |  |
    | 3   | MGMT_Sec        | Any                  | Any              | (S)MGMT_Sec       | = Original             | = Original         | FW_MGMT_Sec |
    | 4   | Any             | MGMT_Sec             | Any              | = Original        | (S)MGMT_Sec            | = Original         | FW_MGMT_Sec |

    where
    • MGMT_Pri - represents the real (internal) IP address of the Primary Management server
    • (S)MGMT_Pri - represents the NATed (external) IP address of the Primary Management server
    • FW_MGMT_Pri - represents the Security Gateway that protects the Primary Management server
    • MGMT_Sec - represents the real (internal) IP address of the Secondary Management server
    • (S)MGMT_Sec - represents the NATed (external) IP address of the Secondary Management server
    • FW_MGMT_Sec - represents the Security Gateway that protects the Secondary Management server


  9. Create Manual Static NAT rules for the communication between the NATed (external) IP addresses of the Management servers:

    Important Note:
    These Manual Static NAT rules have to be placed above the Automatic NAT rules that were created in the previous steps; otherwise the Automatic rules match first and only the source address of the synchronization traffic is translated.

    | No. | Original Source | Original Destination | Original Service | Translated Source    | Translated Destination | Translated Service | Install On  |
    |-----|-----------------|----------------------|------------------|----------------------|------------------------|--------------------|-------------|
    | 1   | MGMT_Pri        | MGMT_Sec             | Any              | MGMT_Pri_External_IP | MGMT_Sec_External_IP   | Any                | FW_MGMT_Pri |
    | 2   | MGMT_Sec        | MGMT_Pri             | Any              | MGMT_Sec_External_IP | MGMT_Pri_External_IP   | Any                | FW_MGMT_Sec |
    | 3   | Automatic NAT rule (outgoing) for Primary Management Server |  |  |  |  |  |  |
    | 4   | Automatic NAT rule (incoming) for Primary Management Server |  |  |  |  |  |  |
    | 5   | Automatic NAT rule (outgoing) for Secondary Management Server |  |  |  |  |  |  |
    | 6   | Automatic NAT rule (incoming) for Secondary Management Server |  |  |  |  |  |  |

    where
    • MGMT_Pri - represents the real (internal) IP address of the Primary Management server
    • MGMT_Sec - represents the real (internal) IP address of the Secondary Management server
    • MGMT_Pri_External_IP - represents the NATed (external) IP address of the Primary Management server
    • MGMT_Sec_External_IP - represents the NATed (external) IP address of the Secondary Management server
    • FW_MGMT_Pri - represents the Security Gateway that protects the Primary Management server
    • FW_MGMT_Sec - represents the Security Gateway that protects the Secondary Management server


  10. Install the policy onto both Security Gateways.

  11. Install the database onto both Management Servers - 'Policy' menu - 'Install Database...' - choose both Management Servers - click OK.
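To see why the rule order in step 9 matters, the following added example (not Check Point code, and not part of the original article) models the step 9 NAT rulebase as a first-match list filtered by the gateway each rule is installed on, using constructed RFC 5737 sample addresses. It shows that with the Manual Static rules above the Automatic rules a sync packet from MGMT_Pri to MGMT_Sec leaves FW_MGMT_Pri with both addresses translated, while with the Automatic rules above it leaves with the Secondary server's internal address as its destination; first-match evaluation is an assumption of this model.

```python
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 test ranges); not from the original article.
MGMT_PRI, MGMT_PRI_EXT = "10.1.1.10", "203.0.113.10"   # MGMT_Pri, MGMT_Pri_External_IP
MGMT_SEC, MGMT_SEC_EXT = "10.2.2.10", "198.51.100.10"  # MGMT_Sec, MGMT_Sec_External_IP
ANY, ORIG = "Any", "= Original"

@dataclass(frozen=True)
class NatRule:
    src: str         # original source ("Any" matches everything)
    dst: str         # original destination
    xlate_src: str   # translated source, or "= Original"
    xlate_dst: str   # translated destination, or "= Original"
    install_on: str  # gateway the rule is installed on

def matches(rule: NatRule, src: str, dst: str) -> bool:
    return rule.src in (ANY, src) and rule.dst in (ANY, dst)

def translate(rules: list, gateway: str, src: str, dst: str) -> tuple:
    """Apply the first rule installed on `gateway` that matches the packet
    (first-match semantics are an assumption of this model); return (src, dst)."""
    for r in rules:
        if r.install_on == gateway and matches(r, src, dst):
            return (src if r.xlate_src == ORIG else r.xlate_src,
                    dst if r.xlate_dst == ORIG else r.xlate_dst)
    return src, dst  # no rule matched: the packet leaves untranslated

# Step 9: Manual Static rules between the NATed addresses of the two servers
MANUAL = [
    NatRule(MGMT_PRI, MGMT_SEC, MGMT_PRI_EXT, MGMT_SEC_EXT, "FW_MGMT_Pri"),
    NatRule(MGMT_SEC, MGMT_PRI, MGMT_SEC_EXT, MGMT_PRI_EXT, "FW_MGMT_Sec"),
]
# Steps 7 and 8: Automatic Static NAT rules generated for each Management server
AUTOMATIC = [
    NatRule(MGMT_PRI, ANY, MGMT_PRI_EXT, ORIG, "FW_MGMT_Pri"),  # outgoing, Primary
    NatRule(ANY, MGMT_PRI, ORIG, MGMT_PRI_EXT, "FW_MGMT_Pri"),  # incoming, Primary
    NatRule(MGMT_SEC, ANY, MGMT_SEC_EXT, ORIG, "FW_MGMT_Sec"),  # outgoing, Secondary
    NatRule(ANY, MGMT_SEC, ORIG, MGMT_SEC_EXT, "FW_MGMT_Sec"),  # incoming, Secondary
]

def sync_packet_manual_first() -> tuple:
    """Sync packet MGMT_Pri -> MGMT_Sec leaving FW_MGMT_Pri, Manual rules above."""
    return translate(MANUAL + AUTOMATIC, "FW_MGMT_Pri", MGMT_PRI, MGMT_SEC)

def sync_packet_automatic_first() -> tuple:
    """Same packet when the Automatic rules are placed above the Manual ones."""
    return translate(AUTOMATIC + MANUAL, "FW_MGMT_Pri", MGMT_PRI, MGMT_SEC)

if __name__ == "__main__":
    print(sync_packet_manual_first(), sync_packet_automatic_first())
```

In the wrong order the outgoing Automatic rule for the Primary server matches first, so the destination stays at the Secondary server's internal address, which is not routable from the Primary server's network.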

Related Solutions :

  • sk39345 - What are restrictions of Management HA
  • sk54160 - How to Configure Management HA
Imported from Nokia support database
This solution is about products that are no longer supported and it will not be updated
