What is centralized management for and how can a centralized management cluster be created?

Introduction

This document describes what centralized management on the Email Security Appliance (ESA) stands for and how a centralized management cluster can be created.

What is centralized management for and how can a centralized management cluster be created?

Background

The centralized management feature allows you to manage and configure multiple appliances at the same time, to provide increased reliability, flexibility, and scalability within your network, allowing you to manage globally while complying with local policies. A cluster consists of a set of machines with common configuration information. Within each cluster, the appliances can be further divided into machine groups, where a single machine can be a member of only one group at a time. Clusters are implemented in a peer-to-peer architecture - with no master/slave relationship. You may log into any machine to control and administer the entire cluster or group. This allows the administrator to configure different elements of the system on a cluster-wide, group-wide, or per-machine basis, with based on their own logical groupings.

Requirements to Remember

• All machines must have IP connectivity.
• If using hostnames, make sure everything resolves correctly - with matching forward "A" and reverse "PTR" DNS records.
• There must be connectivity on either TCP port 22 SSH or 2222 Cluster Communication Service (CCS) or the customized port of your choice.
• All appliances must have the exact same AsyncOS version and be of the same product family (NOTE: C and X series appliances are interoperable).
• All appliances must also have the "Centralized Management" feature key below version 8.x.
• You will need command-line access as the cluster management tool "clusterconfig" is not available in the GUI.

Note that many settings can be altered for individual machines or machine groups to override various settings. The order in which clustered appliances inherit their settings is as follows: 1) MACHINE 2) GROUP 3) CLUSTER. Some settings such as hostnames and IP interfaces, however, are only available at the machine level and not replicated to other cluster members.

Please also note that the clustering feature is for configuration management purposes only. It does not provide any inherent mechanism to prioritize or schedule the flow of e-mail traffic between different members. To achieve this, one would need to use identical DNS record pre fences (MX) or a separate load balancing device or some other external mechanism.

Solution

To begin with a new cluster, you should choose an appliance that has already been fully implemented as a standalone machine. This machine should be completely configured with all desired features such as host / recipient access tables (HAT / RAT), mail flow policies, content filters, and so on. This will be a point of reference by which you can form the cluster. 

Cautionary Steps to Remember

1. Verify that all machines have their correct IP address and host name.
2. Ensure the connectivity to all appliances on the desired port for device communication (using the 'telnet' command).
3. Make sure the appropriate service you choose (SSH, CCS, or custom port) has been enabled on the interface of this machine using 'ifconfig > edit'.
4. Create a configuration backup (with passwords unmasked) before continuing by using 'mailconfig' or 'saveconfig' for instance.

Next, you can create both the cluster and machine groups using the 'clusterconfig' command, and join one or more additional appliances to it:

Confiuration

1. Begin the "clusterconfig" configuration sequence and provide a name for your new cluster:
   • clusterconfig > Create A New Cluster
2. Define the IP communication parameters, choosing either IP address or hostname resolution.
   

   Note: At this point, the cluster may take a few seconds to build and the changes will be committed automatically.

3. Here you may choose to create a new group before adding machines to the new cluster. When you create a new cluster, a default group called Main_Group is created automatically.However, you may decide to rename this or create additional groups using the following commands:
   
   
   • clusterconfig > renamegroup
   • clusterconfig > addgroup
4. Add new machines to the cluster and group. These steps are to be performed on any remaining machines that have yet to be made cluster members and can be repeated as needed. The process can be slightly different depending on the communication protocol chosen earlier.
   
   
   • clusterconfig > Join an existing cluster over SSH
     1. You will be prompted to start the Cluster Communication Service, which we can ignore since we are not using that protocol.
     2. Enter the IP address of an existing cluster machine. This can be any cluster machine but must be referenced by IP, regardless of your communication preferences.
     3. Select the port for SSH communication as defined during cluster creation.
     4. Enter the password for the 'admin' account on the existing cluster machines.You are shown the public key for this host for confirmation. You can further verify this on any appliance in the cluster with the following commands:
           logconfig > hostkeyconfig > fingerprint

     Note: There will be another delay while the new member retrieves and applies the cluster configuration automatically.

   • clusterconfig > Join an existing cluster over CCS:
     
     
     1. In order to join a cluster over CCS, you must first log in to a cluster member and tell it that this system is being added.  On any machine in the cluster run:
             clusterconfig > prepjoin > new
     2. Copy the hostname, serial number, SSH key information in order to paste it into the 'prepjoin' prompt from above on the existing cluster member. Hit <RETURN> twice to get to the main prompt, then run 'commit' to apply the changes. The 'commit' at this time is very important, as otherwise the new appliance will receive an authentication failure.
     3. You will be prompted to start the Cluster Communication Service, which opens a new service over TCP port 2222 on the interface of your choice.
     4. Enter the IP address of an existing cluster machine. This can be any cluster machine but must be referenced by IP, regardless of your communication preferences.
     5. Select the port for CCS use as defined during cluster creation.
     6. You are shown the public key for this host for confirmation. You can further verify this on any appliance in the cluster with the following commands:
        
              logconfig > hostkeyconfig > fingerprint

        Note: There will be another delay while the new member retrieves and applies the cluster configuration automatically

5. Use outputs such as 'status' and your 'System Overview' report to verify all mail flow and system operation is intact before making another configuration backup. If at any point something does not seem right - simply use 'clusterconfig > removemachine' to remove the device from the cluster and revert back to its machine-level settings.
   
   

   Note: Removing the final machine from a cluster is no different from removing machines in general, and will effectively eliminate the cluster altogether.

Now that the cluster is created and functioning properly, you can begin to make different group and cluster changes and see them apply across each appliance.

Related Information

• Replace an ESA that is in a Cluster:
• How to upgrade an ESA that is in a cluster
  
• Technical Support & Documentation - Cisco Systems