Always on HA in multisubnet environment
This document provides information about deploying FortiClient EMS using always on high availability (HA) in a multisubnet environment. It aims to provide a step-by-step guide on EMS HA with some basic coverage of Windows clustering and always on HA groups. There may be inaccuracies regarding Windows clustering and always on HA groups. Do not use this guide for database architecture design.
SQL Server Enterprise supports always on HA.
The example deployment that this document describes uses the following components:
- FortiClient EMS
- FortiClient
- Windows Server 2019 Standard Edition
- Microsoft SQL Server 2019 Enterprise
- Microsoft SQL Server Management Studio 18
This example uses two subnets. EMS-1 and DBSRV-1 are in subnet 192.168.0.0/24, and EMS-2 and DBSRV-2 are in subnet 10.0.0.0/16.
Note the following:
- For EMS 7.0.7 and earlier versions, file synchronization between HA nodes requires FILESTREAM to be enabled on the SQL Server Database Engine instance. See Enable and configure FILESTREAM.
- There are multiple ways to implement DNS and load balancing to handle EMS failover:

  | Method | Description |
  | --- | --- |
  | DNS round robin or failover | EMS running in HA mode must always be configured with a fully qualified domain name (FQDN), and FortiClient endpoints must point to a DNS server that has DNS round robin enabled or supports DNS failover, so that endpoints can always connect to the current primary EMS server. Endpoint users must ensure that endpoints do not cache the DNS result for more than 30 seconds, so that if EMS fails over, FortiClient can quickly resolve the FQDN to the new primary EMS server's IP address. |
  | Load balancer | A DNS round robin configuration may cause the Fortinet Security Fabric connector to send data to the failover node, which by design has all FCEMS services except the monitor service stopped. This results in a Fabric connection failure. To overcome this limitation, set up the Fabric connection through a traffic manager or a FortiGate acting as a load balancer. |

- If you log in to an EMS server as a domain user, grant that domain user the local Log on as a service right. Otherwise, EMS services may not start properly.
- All machines should have complete network reachability.
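The notes above translate into four checks an administrator can run before bringing up the HA pair: the EMS FQDN resolves with a TTL short enough for endpoints to follow a failover, the service account holds the Log on as a service right, FILESTREAM is enabled on the SQL Server instance for EMS 7.0.7 and earlier, and every machine can reach the others. The script below is an added example written for this page, not Fortinet's own tooling. The FQDN, host names, service account and EMS version are placeholder values; the FortiClient telemetry port 8013 and the SQL Server port 1433 are assumed defaults; and the FILESTREAM query uses the SQL Server 2019 WMI namespace (ComputerManagement15), which is also an assumption about the database host.

```powershell
# Added readiness check for an EMS always on HA deployment (example code,
# not part of the Fortinet documentation). Run in an elevated PowerShell
# session on an EMS node that has WinRM access to the SQL Server hosts.
param(
    [string]$EmsFqdn        = 'ems.example.local',   # placeholder FQDN that endpoints use
    [string]$ServiceAccount = 'EXAMPLE\svc-ems',     # placeholder domain account running EMS
    [string[]]$SqlHosts     = @('DBSRV-1','DBSRV-2'),
    [string[]]$EmsHosts     = @('EMS-1','EMS-2'),
    [version]$EmsVersion    = '7.0.7',
    [int]$MaxTtlSeconds     = 30                     # limit stated in the EMS HA notes
)

$failures = @()

# 1. The EMS FQDN must resolve (bypassing the local cache) to the EMS nodes with
#    a TTL of at most 30 s, so FortiClient re-resolves quickly after a failover.
$records = Resolve-DnsName -Name $EmsFqdn -Type A -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' }
foreach ($r in $records) {
    '{0} -> {1} (TTL {2}s)' -f $r.Name, $r.IPAddress, $r.TTL
    if ($r.TTL -gt $MaxTtlSeconds) {
        $failures += "A record $($r.IPAddress) has TTL $($r.TTL)s (limit $MaxTtlSeconds s)"
    }
}
if (@($records).Count -lt $EmsHosts.Count) {
    $failures += "$EmsFqdn returns $(@($records).Count) address(es); expected one per EMS node"
}

# 2. The EMS service account needs the "Log on as a service" user right
#    (SeServiceLogonRight in the exported security policy); secedit lists
#    principals either by name or as *<SID>, so both forms are accepted.
$cfg = Join-Path $env:TEMP 'ems-ha-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$sid = $null
try {
    $sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch { }   # domain not reachable: fall back to a name match only
$hasRight = $rightLine -and (
    $rightLine -match [regex]::Escape($ServiceAccount) -or
    ($sid -and $rightLine -match [regex]::Escape("*$sid")))
if (-not $hasRight) {
    $failures += "$ServiceAccount lacks the Log on as a service right"
}

# 3. EMS 7.0.7 and earlier need FILESTREAM on the SQL Server Database Engine
#    instance. AccessLevel 0 in the SQL Server WMI provider means disabled.
if ($EmsVersion -le [version]'7.0.7') {
    foreach ($db in $SqlHosts) {
        $fs = Get-CimInstance -ComputerName $db `
                -Namespace 'root\Microsoft\SqlServer\ComputerManagement15' `
                -ClassName FilestreamSettings -ErrorAction SilentlyContinue
        if (-not $fs -or ($fs | Where-Object { $_.AccessLevel -gt 0 }).Count -eq 0) {
            $failures += "FILESTREAM is not enabled on SQL Server host $db"
        }
    }
}

# 4. Network reachability across both subnets: SQL Server on the DB hosts and
#    the (assumed) FortiClient telemetry port on the peer EMS node.
$targets = @{}
foreach ($db in $SqlHosts) { $targets[$db] = 1433 }
foreach ($ems in $EmsHosts) {
    if ($ems -ne $env:COMPUTERNAME) { $targets[$ems] = 8013 }
}
foreach ($t in $targets.GetEnumerator()) {
    if (-not (Test-NetConnection -ComputerName $t.Key -Port $t.Value -InformationLevel Quiet)) {
        $failures += "TCP $($t.Key):$($t.Value) is not reachable from $env:COMPUTERNAME"
    }
}

# Report. A non-zero exit code lets the check gate a change ticket or pipeline.
if ($failures.Count -eq 0) {
    'All EMS HA readiness checks passed.'
    exit 0
}
'EMS HA readiness problems:'
$failures | ForEach-Object { " - $_" }
exit 1
```

Run the script on each EMS node in turn, since check 4 tests reachability from the node's own subnet and check 2 inspects that node's local security policy; the DNS check is the same from both sides as long as `-DnsOnly` is kept, which stops a stale local cache from hiding a TTL that is too long.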