7.2.0

SQL Server always on availability groups

This document provides information about deploying FortiClient EMS using always on high availability (HA) in a multisubnet environment. It aims to provide a step-by-step guide on EMS HA with some basic coverage of Windows clustering and always on HA groups. There may be inaccuracies regarding Windows clustering and always on HA groups. Do not use this guide for database architecture design.

SQL Server Enterprise supports always on HA.

The example deployment that this document describes uses the following components:

  • FortiClient EMS
  • FortiClient
  • Windows Server 2019 Standard Edition
  • Microsoft SQL Server 2019 Enterprise
  • Microsoft SQL Server Management Studio 18

This example uses two subnets. EMS-1 and DBSRV-1 are in subnet 192.168.0.0/24, and EMS-2 and DBSRV-2 are in subnet 10.0.0.0/16.

Note the following:

  • Sharing files between EMS nodes relies on network shares that different EMS nodes can access.
  • There are multiple ways to implement DNS and load balancing to handle EMS failover:

    | Method | Description |
    | --- | --- |
    | DNS round robin or failover | EMS running in HA mode must always configure a fully qualified domain name (FQDN), and FortiClient endpoints must point to a DNS server that has enabled DNS round robin or supports DNS failover, so that endpoints can always connect to the correct primary EMS server. Endpoint users must ensure that endpoints do not cache the DNS result for more than 30 seconds so that FortiClient can resolve the FQDN to the new primary EMS server with a new IP address in case EMS failover happens quickly. |
    | Load balancer | DNS round robin configuration may cause Fortinet Security Fabric connector to send data to the failover node, which by design has all but the monitor FCEMS services off. This results in Fabric connection failure. To overcome this limitation, set up the Fabric connection using traffic manager or FortiGates as a load balancer. |

  • If you log in to an EMS server as a domain user, grant that domain user the local "Log on as a service" right. Otherwise, EMS services may not start up properly.
  • All machines should have complete network reachability.
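
The following PowerShell pre-flight check is an added example, not part of the Fortinet documentation. It verifies the 30-second DNS caching limit and the node reachability described in the notes above. The FQDN `ems.example.com`, the DNS server address, and the use of the SQL Server default port 1433 are assumptions; the host names are the ones from this example deployment.

```powershell
# Added example: pre-flight checks for an EMS HA deployment.
# Assumed values (not from the Fortinet guide): FQDN, DNS server, SQL port.
$EmsFqdn   = 'ems.example.com'   # hypothetical FQDN configured for EMS HA
$DnsServer = '192.168.0.10'      # hypothetical DNS server used by endpoints
$MaxTtl    = 30                  # seconds, from the DNS caching note
$Nodes     = 'EMS-1', 'EMS-2', 'DBSRV-1', 'DBSRV-2'
$SqlNodes  = 'DBSRV-1', 'DBSRV-2'
$SqlPort   = 1433                # SQL Server default; change if customized

function Test-EmsDnsTtl {
    param([string]$Name, [string]$Server, [int]$MaxTtlSeconds)
    # Query the DNS server directly, skipping the hosts file, LLMNR and NetBIOS,
    # so the TTL reported is the one the server hands out to endpoints.
    Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
        Where-Object { $_.IPAddress } |      # keep address records, drop CNAME rows
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                IPAddress = $_.IPAddress
                TTL       = $_.TTL
                TtlOk     = ($_.TTL -le $MaxTtlSeconds)
            }
        }
}

function Test-NodeReachability {
    param([string[]]$ComputerName, [string[]]$SqlComputerName, [int]$Port)
    foreach ($node in $ComputerName) {
        $sqlTcp = $null                      # stays null for non-database nodes
        if ($node -in $SqlComputerName) {
            $sqlTcp = (Test-NetConnection -ComputerName $node -Port $Port `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            Node   = $node
            # ICMP can be blocked by the host firewall; a failure here needs a manual look.
            Ping   = Test-Connection -ComputerName $node -Count 1 -Quiet
            SqlTcp = $sqlTcp
        }
    }
}

$dns = @(Test-EmsDnsTtl -Name $EmsFqdn -Server $DnsServer -MaxTtlSeconds $MaxTtl)
$dns | Format-Table -AutoSize
if ($dns.TtlOk -contains $false) {
    Write-Warning "TTL for $EmsFqdn exceeds $MaxTtl seconds; endpoints may keep using the old primary after failover."
}
Test-NodeReachability -ComputerName $Nodes -SqlComputerName $SqlNodes -Port $SqlPort |
    Format-Table -AutoSize
```

Run the script from each of the four machines, because reachability must hold in every direction across both subnets.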
