Enroll Cluster Members
- Update all appliances to the same appliance build (patch) prior to building your cluster.
- To enroll an appliance into a cluster, appliances must be able to communicate over TCP and UDP port 655 and TCP port 443. In addition, all members of a cluster must have IPv4 or IPv6 network addresses. That is, if one appliance has only IPv4, all appliances in the cluster must have IPv4; the same applies to IPv6. An appliance with only IPv4 cannot communicate with an appliance with only IPv6.
- Appliances can only belong to a single cluster.
- You can only enroll replica appliances to a cluster when logged into the primary appliance (using an account with Appliance Administrator permissions).
- You can only add one appliance at a time - the maintenance operation must be complete before adding additional replicas.
- Enrolling a replica can take as little as 5 minutes or as long as 24 hours depending on the amount of data to be replicated and your network.
- During an "enroll replica" operation, Safeguard puts the replica appliance in Maintenance mode and locks down the remaining appliances in the cluster. On the primary appliance, you will see an "enrolling" notice in the status bar of the cluster view, indicating that a cluster-wide operation is in progress. While a cluster-wide operation is occurring, all appliances in the cluster are locked down, meaning that no modifications, password change or check requests, or access requests can be performed on any of the appliances in the cluster. Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again use the features available in Safeguard.
TIP: The Activity Center contains events for the start and the completion of the enrollment process.
- The primary appliance's objects and security policy configuration are replicated to all replica appliances in the cluster. If a replica has objects (such as users, assets, and so on) or security policy configuration defined, they will be replaced with the objects and configuration defined on the primary.
- Some of the available maintenance tasks require that the cluster has consensus (that is, the majority of the remaining members are online and able to communicate). When half (or 50%) of the appliances in the cluster are online and able to communicate, this is NOT the majority. Therefore, it is highly recommended that you create clusters with an odd number of appliances.
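The enrollment prerequisites above (one build, an IP version common to every member, strict-majority consensus) can be checked against an inventory before you start. This is an added example, not Safeguard code: the appliance names, addresses and build labels are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed inventory: hypothetical names, documentation-range addresses,
# placeholder build labels. Replace with your own appliance data.
APPLIANCES = [
    {"name": "sg-primary",  "build": "BUILD-A", "addrs": ["192.0.2.10", "2001:db8::10"]},
    {"name": "sg-replica1", "build": "BUILD-A", "addrs": ["192.0.2.11"]},
    {"name": "sg-replica2", "build": "BUILD-A", "addrs": ["2001:db8::12"]},
]

def shared_families(appliances):
    """IP versions (4 and/or 6) in which every appliance has an address."""
    fams = [{ipaddress.ip_address(a).version for a in ap["addrs"]} for ap in appliances]
    return set.intersection(*fams) if fams else set()

def has_consensus(total, online):
    """Strict majority: exactly half of the members online is not consensus."""
    return 2 * online > total

def tolerated_failures(total):
    """How many members may go offline while the rest still hold a majority."""
    return (total - 1) // 2

def preflight(appliances):
    """Return problems to resolve before enrolling; an empty list means none found."""
    problems = []
    builds = sorted({ap["build"] for ap in appliances})
    if len(builds) > 1:
        problems.append(f"mixed builds {builds}: patch all appliances to one build")
    if not shared_families(appliances):
        problems.append("no IP version common to all members")
    n = len(appliances)
    if n > 0 and n % 2 == 0:
        problems.append(f"{n} members tolerate {tolerated_failures(n)} outage(s), "
                        f"no more than {n - 1} would; use an odd count")
    return problems

if __name__ == "__main__":
    for issue in preflight(APPLIANCES) or ["no problems found"]:
        print(issue)
    for size in range(2, 6):
        print(size, "members: survives", tolerated_failures(size), "offline")
```

The sample inventory fails the check because the IPv4-only and IPv6-only replicas share no IP version, even though the primary is dual-stack. Port reachability (TCP/UDP 655, TCP 443) is not probed here and still has to be confirmed on the network.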
Unjoin Cluster Members
- You can only unjoin replica appliances from a cluster. To remove a primary appliance, you can fail over to a replica, making the replica the new primary, and then unjoin the 'old' primary appliance.
NOTE: If the cluster has consensus (that is, the majority of the remaining members are online and able to communicate), you can use the Failover option to promote a replica to be the new primary and then unjoin the 'old' primary appliance. However, if the cluster does not have consensus (that is, the majority of the remaining members are offline/unable to communicate), you must use the Cluster Reset option to rebuild your cluster.
- To perform an unjoin operation, the replica appliance to be unjoined can be in any state; however, the remaining appliances in the cluster must achieve consensus.
- You can unjoin a replica appliance when logged into any appliance in the cluster that is online (using an account with Appliance Administrator permissions).
- When you unjoin a replica appliance from a cluster, the appliance is removed from the cluster as a stand-alone appliance that retains all of the data and security policy configuration information it contained prior to being unjoined. After the replica is unjoined, the appliance is placed in Read-Only mode. You can, however, activate the appliance so you can add, delete and modify data, apply access request workflow, and so on.
NOTE: When a replica is activated, it will start to manage the assets and accounts in its own configuration.