
SG A11.18 in a new subnet

SOLVED
Erick Arturo Perez
Frequent Advisor

SG A11.18 in a new subnet

Hi there,
I currently have a two-node cluster with a lock LUN in the 172.16.6.x subnet (Apache) and a two-node cluster with a lock LUN in the 172.16.5.x subnet (MySQL).

LAN users only have access to the Apache cluster, and the Apache cluster has access to the MySQL cluster. Users do not "see" or have access to the MySQL cluster/network. Both clusters use heartbeat networks of 10.10.10.x and 10.10.11.x.

The network is being redesigned by an external contractor; a new firewall is being placed, and the DMZ network on the firewall is 192.168.1.x. Due to new needs we need to provide access from the Internet to the Apache cluster (hosting a special app), so I guess my first choice will be to move (reconfigure) the Apache SG cluster from the original subnet to the new subnet, but I'm open to suggestions.

1- Should I move the entire Apache SG cluster to the new DMZ network (creating rules for heartbeat, reconfiguring SG, etc.), so LAN and WAN users access the Apache SG cluster using only the DMZ IP address for the cluster?

2- What if I create another two node cluster installation of Apache, but this cluster only for DMZ/Internet users?

Licensing/cost is not an issue at this time; I am seeking the least complicated way to do things. As I write this I think that the least complicated thing would be:
1- to leave the existing cluster for LAN users and create a new cluster for WAN/Internet users.
2- if option 1 is not possible, then move the entire cluster to the new config, planning for minimal downtime.

I am open to comments and suggestions!!!!

Thanks,
4 REPLIES
Steven E. Protter
Exalted Contributor

Re: SG A11.18 in a new subnet

Shalom,

1 - I would say no. For LAMP applications you need only make sure web traffic reaches the server. The firewall should permit that traffic both ways.

2 - This will work.

To be less complicated I would make the firewall people responsible for routing traffic and avoid putting the server in the DMZ.

That being said, if the application users from the public internet are not supposed to have any access to your lan then you should move the entire operation to the DMZ and conversely have the firewall people make sure users from your internal network can access the application via the public internet.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Erick Arturo Perez
Frequent Advisor

Re: SG A11.18 in a new subnet

Thanks Steven,

As per conversations with the contractor, he is following some security practices that mandate servers to be in DMZ instead of LAN.

And yes, another cluster just for WAN access seems overkill (both in price and effort).
Steven E. Protter
Exalted Contributor
Solution

Re: SG A11.18 in a new subnet

I see. Well then you move it to the DMZ and you do the standard configuration change for Serviceguard after the network configuration is redone:

cmquerycl
cmcheckconf
cmapplyconf

With a good plan it should be pretty simple.

Internet exposed web application or LAMP servers should be in DMZ, not a Corporate LAN.

SEP
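As an added example (not code from the thread, from Steven Protter, or from HP), the script below prepares and sanity-checks the re-addressing that the accepted answer describes: it rewrites the Apache cluster's data-LAN addresses from 172.16.6.x to the DMZ subnet 192.168.1.x, proves that the 10.10.10.x / 10.10.11.x heartbeat addresses were not touched, lists the addresses the firewall contractor needs rules for, and prints the cmquerycl / cmcheckconf / cmapplyconf cutover sequence rather than running it. Node names (apache1, apache2), interface names (lan0 to lan2), host octets, the package name apache_pkg and the file paths are assumptions; the two configuration files are constructed samples in the format Serviceguard uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from HP: prepare and sanity-check
# the re-addressing of a Serviceguard A.11.18 cluster from the old Apache data
# subnet (172.16.6.x) to the new DMZ subnet (192.168.1.x). Node names,
# interface names, host octets, package name and file paths are assumptions.

OLD_PREFIX="172.16.6"    # current Apache data subnet (from the post)
NEW_PREFIX="192.168.1"   # new DMZ subnet (from the post)
WORK=$(mktemp -d)

# Constructed sample cluster configuration in the ASCII format that
# cmquerycl -C writes. Heartbeat LANs 10.10.10.x / 10.10.11.x stay private.
cat > "$WORK/cmclconfig.ascii" <<EOF
CLUSTER_NAME apache_cl
NODE_NAME apache1
  NETWORK_INTERFACE lan0
    HEARTBEAT_IP 10.10.10.1
  NETWORK_INTERFACE lan1
    HEARTBEAT_IP 10.10.11.1
  NETWORK_INTERFACE lan2
    STATIONARY_IP ${OLD_PREFIX}.11
NODE_NAME apache2
  NETWORK_INTERFACE lan0
    HEARTBEAT_IP 10.10.10.2
  NETWORK_INTERFACE lan1
    HEARTBEAT_IP 10.10.11.2
  NETWORK_INTERFACE lan2
    STATIONARY_IP ${OLD_PREFIX}.12
EOF

# Constructed fragment of the legacy package control script: the relocatable
# address clients connect to, and the subnet Serviceguard monitors for it.
cat > "$WORK/apache.cntl" <<EOF
SUBNET[0]="${OLD_PREFIX}.0"
IP[0]="${OLD_PREFIX}.10"
EOF

# Rewrite only the data-subnet prefix, keeping host octets, into FILE.new.
# A 1:1 mapping keeps the firewall rule set and the review diff small.
retarget_subnet() {
    old_re=$(printf '%s' "$OLD_PREFIX" | sed 's/\./\\./g')
    sed "s/${old_re}\\./${NEW_PREFIX}./g" "$1" > "$1.new"
}

# Check 1: heartbeat addresses must be byte-for-byte identical after the edit.
heartbeat_unchanged() {
    [ "$(grep HEARTBEAT_IP "$1")" = "$(grep HEARTBEAT_IP "$1.new")" ]
}

# Check 2: nothing from the old subnet may survive. A leftover STATIONARY_IP
# or SUBNET[] entry would fail cmcheckconf or, worse, leave the package
# advertising an address the DMZ firewall never sees.
old_subnet_gone() {
    ! grep -q "${OLD_PREFIX}\\." "$1.new"
}

# Addresses that now live in the DMZ (node and package IPs, not the subnet
# line), one per line, for the firewall rule request to the contractor.
new_dmz_addresses() {
    grep -h -v '^SUBNET' "$@" | grep -o "${NEW_PREFIX}\\.[0-9]*" | sort -u
}

# The cutover itself, printed rather than executed: these are HP-UX
# Serviceguard commands. The conservative order is to halt the package and
# the cluster before the LAN is re-addressed, regenerate the cluster
# configuration, verify and apply it, then bring the cluster back.
cutover_plan() {
    cat <<'EOF'
cmhaltpkg apache_pkg              # stop the package (clients lose 172.16.6.10)
cmhaltcl -f                       # halt the cluster on all nodes
#   re-address lan2 on both nodes to 192.168.1.x; confirm the new firewall
#   passes HTTP(S) to 192.168.1.10 from both LAN and Internet, and that the
#   heartbeat LANs stay unrouted and unfiltered (they must not cross the DMZ)
cmquerycl -v -C /etc/cmcluster/cmclconfig.new -n apache1 -n apache2
#   merge the lock LUN and timing parameters from the old file, then diff
#   the result against the retargeted copy produced by this script
cmcheckconf -v -C /etc/cmcluster/cmclconfig.new
cmapplyconf -v -C /etc/cmcluster/cmclconfig.new
cmruncl -v
cmrunpkg apache_pkg
cmviewcl -v                       # nodes, package and monitored subnets UP
EOF
}

retarget_subnet "$WORK/cmclconfig.ascii"
retarget_subnet "$WORK/apache.cntl"
heartbeat_unchanged "$WORK/cmclconfig.ascii" || { echo "heartbeat changed!" >&2; exit 1; }
old_subnet_gone "$WORK/cmclconfig.ascii" && old_subnet_gone "$WORK/apache.cntl" || exit 1
echo "DMZ addresses to request firewall rules for:"
new_dmz_addresses "$WORK/cmclconfig.ascii.new" "$WORK/apache.cntl.new"
cutover_plan
```

The value of the two checks is the diff they enable: cmquerycl discovers whatever addresses the nodes actually carry when it runs, so comparing its output with the expected file catches a node that was re-addressed wrongly, or a heartbeat interface that the contractor moved into the DMZ, before cmapplyconf commits the change. The package IP (172.16.6.10 becoming 192.168.1.10 here) is the address the firewall rules must reference, not the node addresses; the heartbeat subnets need no firewall rules at all and should never be reachable from the DMZ or the Internet.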
Erick Arturo Perez
Frequent Advisor

Re: SG A11.18 in a new subnet

Answer provided by Steven Protter:
Well then you move it to the DMZ and you do the standard configuration change for Serviceguard after the network configuration is redone:

cmquerycl
cmcheckconf
cmapplyconf

With a good plan it should be pretty simple.

Internet exposed web application or LAMP servers should be in DMZ, not a Corporate LAN.

----------------
Is what I was looking for.