Overview:
Kerio Control version 9.3 or newer supports High Availability in Active/Passive mode. Having this configuration in place ensures that if the Master Kerio Control appliance fails, the Slave appliance automatically replaces it to ensure continued protection with no blockers or downtime.
Enabling High Availability
To set up Active/Passive High Availability, you need identical Kerio Control appliances as Master and Slave. This means that in case of hardware appliances the model number and version should be the same, and in case of software appliances, the versions should match. In addition to this, both appliances should have the same number of interfaces and their names configured, same admin credentials set and the disk partitioning details should also match.
You can use the diagram below while setting up High Availability using hardware boxes. The objective is to have two identical Kerio Control appliances (both hardware or software supported) set up in a specific network configuration.
Follow these steps to configure High Availability:
- Set up two Kerio Control version 9.3 or newer appliances to be used as Master and Slave devices.
- Run both appliances.
- In the admin console of both appliances, go to the High Availability tab, and set the following fields:
| Field | Description |
|---|---|
| High Availability | Select the mode for High Availability configuration. At the moment only Active/Passive mode is supported in Kerio Control. |
| Instance Mode | Select Master for your primary appliance and Slave for your secondary appliance. |
| Sync/Status Interface |
Select an Ethernet interface to be used for synchronization between Master and Slave appliance to enable High Availability. |
| Device Name | Enter different device names for both Master and Slave appliances. |
| Shared Secret | Enter a key to be used for validation during synchronization between the Master and Slave appliance. The key should match in both appliances for successful synchronization. |
Master appliance settings
Slave appliance settings
- In the list of existing interfaces that appear in the grid below, select the interfaces that you want to be available at all times.
- Assign each selected interface a virtual IP. Virtual IP moves between Master and Slave and is given to clients as a floating gateway. Since this gateway is always up (either Master or Slave), the client is never disconnected. This virtual IP of interfaces should match in both the Master and Slave appliance.
Example Master appliance interfaces
- After performing this configuration on both Master and Slave appliances, click Apply to initiate synchronization between Master and Slave appliance.
While activating High Availability, the system runs a two-phase validation process before synchronizing Master and Slave appliances:
- Phase 1 - Validation of shared secret, device name, instance mode, identical Master and Slave appliance, etc.
- Phase 2 - Mapping interfaces between Master and Slave. Both Master and Slave appliances should have the same number of interfaces and same interface names as also shown in the above images.
The synchronization result can be seen through the Status and Health Check fields on the High Availability tab on both Master and Slave appliances.
High Availability Alert Management
In Kerio Control, you can activate alerts for Master and Slave up/down events from the Accounting and Monitoring > Alert Settings > System Alert page. These alerts are sent as emails to the registered email address from both Master and Slave appliance when its peer appliance goes up or down.
Public IP clarifications
In case the ISP can provide only one Public IP address, it is possible to set up a single public IP for both appliance (WAN interface). The WAN interface of the slave device will be disabled while the master is running. HA will do this so you don't have to disable the interface manually.
If both Slave and Master WAN Interfaces have the same IP address, then you can access the active device using the Virtual IP assigned if any otherwise, you can only access the device via local network or via MyKerio only, because both the devices are having the same WAN IP address only the active one can be accessed.
Confirmation:
Successful synchronization status
Priyanka Bhotika
Comments