
Symantec Messaging Gateway 9.5 and HA

Created: 14 Dec 2011 | 4 comments
PrimeInc | 0 Votes

I've read through the admin guide and I'm still unsure what adding a second scanner gets me.

I read the paragraph that says that Symantec doesn't intend for this to be HA. The second scanner is meant to spread the load between servers.

I am running in VMware, and I have upgraded the hardware to version 7 so I can add extra RAM and extra CPUs to speed a single control center / scanner.

I am interested in having HA. So if I add a second scanner, does it work if the control center is down? Can I configure inbound and outbound e-mail to relay through both the control center/scanner as well as the second scanner and expect it to flow when the control center is down?

Or do I need to set up a second control center/scanner on different IPs and mirror the configuration myself? I have an HA accelerator/offload device. I could use virtual IPs for relay, and make one Messaging Gateway the primary, only failing to the second one if there is a true failure.

The documentation is lacking on this type of a configuration. Any advice is welcome.

Comments

TSE-JDavis | 14 Dec 2011 | 1 Vote

Scanners will continue to operate without a control center. There can be issues when the log retention is set high because they can quickly fill their hard drives.

Not having a working control center just means that you can't get any reports or quarantine and no way to change settings.

The second scanner can be configured to accept inbound and outbound mail. Even in a VMware environment, you can have software issues on the Messaging Gateway VMs. You should certainly consider adding an additional scanner if you are worried about fault tolerance.

KevK76 | 15 Dec 2011 | 0 Votes

Multiple Scanners

Just to add to what's been previously stated, you can have a second scanner up and running which can send inbound and outbound mail if you configure things that way. The important thing to remember here is that you will need to somehow direct traffic through this new Scanner, and how you do this is really independent of the product. For outbound mail, at the moment your internal mail server(s) are most likely sending internet-destined mail to the outbound interface on your original scanner appliance. You would want to configure things so that mail could be sent to either appliance using something like load balancers, as you mentioned. It's the same for inbound, where your MX records most likely point to the original SMG at the moment, and again you could use load balancers or just create multiple MX records so that traffic can still be received if one of the Scanners fails.

Hope that makes things a bit clearer.

Kevin

NinjaRAT | 28 Dec 2011 | 0 Votes

I have an additional question

I have an additional question along a similar vein: what about leveraging VMware Fault Tolerance, where the Control Center VM is mirrored to a secondary VM on an additional VMware host? This way, if the primary host failed, the secondary VM would power on and take over for the primary. Is this a supported configuration for SMG 9.5.3 in a virtualized appliance?

Thanks in advance!

Dave.

Cricket17 | 28 Dec 2011 | 0 Votes

NinjaRAT

I'm not sure you could do that, but in general MTAs do better as multiple instances that are load balanced as KevK76 mentioned - load balancing hardware, MX with multiple hosts, or DNS round robin. By having multiple physical instances - a CC/Scanner + Scanner, or better CC + Scanner + Scanner - you allow for maintenance outages and have more capacity for peak loads.

For the public interface, LB or MX is the right way to go. Your internal mail servers probably support multiple "next hop" host lists, and if they don't, then use a hostname internal to your organization set up for DNS round robin.
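
Added example, not part of any post in this thread and not Symantec code: a Python model of how a sending MTA chooses among multiple MX records, showing that inbound mail still reaches a scanner when the other one is down. The hostnames and the `is_up` callback (a stand-in for a real SMTP connection attempt) are constructed placeholders.

```python
import random

# Constructed sample data: two MX records of equal preference, one per scanner.
# Hostnames are placeholders, not taken from the thread.
MX_RECORDS = [(10, "smg-scanner1.example.com"), (10, "smg-scanner2.example.com")]


def delivery_order(mx_records, rng=random):
    """Order MX targets as a sending MTA does (RFC 5321 section 5.1):
    lowest preference first, equal preferences shuffled to spread load."""
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = by_pref[pref][:]
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def deliver(mx_records, is_up, rng=random):
    """Try each MX target in order; return (accepting_host, attempts).
    is_up is a hypothetical stand-in for an SMTP connect on port 25.
    (None, attempts) means every scanner was down: the sender queues
    the message and retries later rather than bouncing immediately."""
    attempts = []
    for host in delivery_order(mx_records, rng):
        attempts.append(host)
        if is_up(host):
            return host, attempts
    return None, attempts


def simulate(mx_records, down, messages=1000, seed=1):
    """Count which scanner accepts each of `messages` deliveries
    while the hosts in `down` are unreachable."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(messages):
        host, _tried = deliver(mx_records, lambda h: h not in down, rng)
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print("both up:      ", simulate(MX_RECORDS, down=set()))
    print("scanner1 down:", simulate(MX_RECORDS, down={"smg-scanner1.example.com"}))
```

Equal preferences share the load across both scanners; giving the second record a higher preference number (for example 10 and 20) makes it a standby that only receives mail when the first is unreachable.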