You can create the Central Management via one NIC, as long as both MWGs can "reach" each other. If they are physically put into two networks that cannot route to each other you will have to use a second NIC and bring both MWGs "together".
The Central Management is rather simple. It synchronizes the policy - that's all. Settings such as IP addresses, routing information etc. are not synchronised. So yes, authentication will still work. Every MWG will continue using its "internet source", the routing will not be touched in any way. Also for the users nothing will change, users in building 1 will still talk to MWG1, users in building 2 will still talk to MWG2, which is perfectly fine.
Yes, both our physical MWGs have their gateway IPs set as:
GW 10.1.99.12 (IP of ADSL modem 1, first internet source)
GW 10.1.99.14 (IP of ADSL modem 2, second internet source)
Both MWGs are able to ping each other. I checked this using Troubleshooting > Network Tools > Ping (I entered the IP of the second MWG and there was a ping reply). So will this work in our case?
Are there any steps to be done to be on the safe side? How will the policy synchronization be done, I mean which MWG will overwrite the other one the first time? If by chance something goes wrong, how do we return to the state we have now?
Many thanks for the support.
That should work fine.
You will log in to one MWG and "add" the second one to the central management. The one you "add" will have the policy of the one you are logged on to after you joined the central management.
In case of problems make sure you took a backup. You can remove the node from central management and restore the backups. That should work fine, however I would do this change outside regular working hours to not interfere with the users browsing through MWG.
I understand, it is good to do the change outside regular working hours.
So, central management does not give any kind of high availability? For example, in case the internet source of MWG2 goes down or MWG2 fails itself, are the users working through this proxy required to change the proxy in their browsers?
What I understand is that it is just for making management easy and not to provide any load balancing or HA; correct me if I am wrong, please.
After implementing the central management as discussed above, then in order to have automatic redirection of users in the event of failure of the internet source OR the MWG itself, what can we do? I read about WCCP; presently our MWGs are operating in this mode, see the picture please:
Is it possible to proceed first with central management and then with the transparent setup, so users are not required to configure a proxy in their IE, Chrome or Firefox?
You are correct, central management is *only* central management :-) It does not add any failover capabilities or similar to MWG. Setting up load balancing/HA/failover (however you like to call it) is a completely different step.
There are a lot of options to achieve this:
- In WCCP the router performing WCCP should be able to do the job
- You could switch to Proxy HA, which will give you a virtual IP address which will be used by the clients. If one MWG goes down the virtual IP stays reachable for the clients
- You can use any kind of load balancer in front of MWG
- You can use Proxy.pac files
If you are already using WCCP and want to keep WCCP, I think the users coming in via WCCP should already have failover capabilities. Maybe this requires some additional configuration on the router... there should be some more guidance here on the community or support can help. Personally I don't know much about WCCP since this is a feature that people do not seem to use over here in Europe :-)
If you keep WCCP the users who directly access MWG1 or MWG2 (not coming via WCCP) won't have failover capabilities. For them a proxy.pac file may be the right choice. You can design the proxy.pac in a way that users from building 1 always use MWG1. If MWG1 is dead all users (building 1 and 2) will use MWG2. Vice versa all users from building 2 will always use MWG2. In case MWG2 dies, all users (building 1 and 2) will go through MWG1. So you keep the existing distribution of users, but have a fall-back mechanism.
If you want to switch to Proxy HA I think you will use WCCP. If that is suitable you can enable Proxy HA and assign a new IP address which virtually points to both MWGs. Clients will access this IP in the future to have failover capabilities. In this case you have no influence on which user goes through which proxy, so you will lose your "building 1 -> MWG1, building 2-> MWG2" association.
The additional load balancer should allow you to configure a virtual IP and usually should have options to keep the building <-> MWG association, because load balancers usually have more options. But those options usually have to be paid :-)
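As an added example (not from the original thread or the product's documentation), here is a proxy.pac that implements the "building 1 -> MWG1 with MWG2 as fall-back, building 2 -> MWG2 with MWG1 as fall-back" scheme described above. The client subnets and the MWG addresses/ports are assumed placeholders; `isInNet` is re-implemented locally only so the file also runs outside a browser, which normally supplies it.

```javascript
// Assumed placeholders: the listening address/port of each MWG and the client
// subnet of each building. Replace with the real values of your environment.
const MWG1 = "PROXY 10.1.1.10:9090";              // MWG1, serves building 1
const MWG2 = "PROXY 10.1.2.10:9090";              // MWG2, serves building 2
const BUILDING1_NET = ["10.1.1.0", "255.255.255.0"]; // building 1 clients
const BUILDING2_NET = ["10.1.2.0", "255.255.255.0"]; // building 2 clients

// Local re-implementation of the PAC built-in isInNet(), so the decision logic
// can be exercised outside a browser. Browsers provide their own.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Core decision, separated from FindProxyForURL so it can be tested with an
// explicit client IP. The browser tries the listed proxies left to right and
// moves to the next entry when the first does not answer: that is the fall-back.
function chooseProxy(clientIp, host) {
  // Intranet short names (no dot) go direct, not through either proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (isInNet(clientIp, BUILDING1_NET[0], BUILDING1_NET[1])) {
    return MWG1 + "; " + MWG2;   // building 1: MWG1 first, MWG2 if MWG1 is down
  }
  if (isInNet(clientIp, BUILDING2_NET[0], BUILDING2_NET[1])) {
    return MWG2 + "; " + MWG1;   // building 2: MWG2 first, MWG1 if MWG2 is down
  }
  return MWG1 + "; " + MWG2;     // unknown clients: default to MWG1, then MWG2
}

// Entry point the browser calls; myIpAddress() is a PAC built-in.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

Note that `myIpAddress()` on a multi-homed client (VPN adapter, second NIC) may return an address outside both subnets, in which case the client falls into the default branch; checking that branch behaves acceptably is part of testing the file.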