What special requirements are there when using HA with SphereShield credentials?

The main requirement is that there can't be a load balancer between the internal Bastion (Authentication extender) servers and corresponding SfB Front End servers.

Each internal Bastion channel needs to know which FE it is sending traffic to, for Kerberos Constrained Delegation (KCD) purposes.

Therefore, it's easiest to have one internal Bastion per FE, although this is not required. The diagrams below explain the different ways to deploy HA with internal Bastion. Each one refers to a different Bastion-to-Front-End ratio.

To have fewer Bastions than FEs, you'll need a load balancer that balances each of the available ports on the Bastion as if it were a separate server.

So, for the 1:3 example below you'll need your LB to distribute the traffic among the following targets:

1: IntBastion:4431.

2: IntBastion:4432.

3: IntBastion:4433.
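
A pre-deployment check for the rules above, as an added example (not SphereShield's own code): it confirms that every Bastion channel is tied to exactly one FE, that every FE is covered, and it lists the host:port targets to give the LB. The FE host names and the plan format are constructed for illustration; the IntBastion targets are the ones listed above.

```python
# Added example: sanity-check an internal Bastion HA plan before configuring the LB.
# FE host names are constructed; IntBastion:4431-4433 are the targets from the text.

def check_plan(channels, front_ends):
    """channels maps each Bastion channel ("host:port") to the list of FEs it
    forwards to. Returns (lb_targets, problems)."""
    problems = []
    covered = set()
    for target, upstream in channels.items():
        host, sep, port = target.rpartition(":")
        if not (host and sep and port.isdigit()):
            problems.append(f"{target}: expected host:port")
        # KCD requirement: a channel is tied to one FE, so nothing may
        # balance traffic between the Bastion and the Front Ends.
        if len(upstream) != 1:
            problems.append(f"{target}: forwards to {len(upstream)} FEs, must be exactly 1")
        for fe in upstream:
            if fe in front_ends:
                covered.add(fe)
            else:
                problems.append(f"{target}: unknown FE {fe}")
    for fe in front_ends:
        if fe not in covered:
            problems.append(f"{fe}: no Bastion channel forwards to it")
    # Each channel port is balanced as if it were a separate server.
    return sorted(channels), problems

FRONT_ENDS = ["fe1.example.internal", "fe2.example.internal", "fe3.example.internal"]

# The 1:3 layout: one Bastion, three channels, one FE per channel.
ONE_TO_THREE = {
    "IntBastion:4431": ["fe1.example.internal"],
    "IntBastion:4432": ["fe2.example.internal"],
    "IntBastion:4433": ["fe3.example.internal"],
}

# Constructed misconfiguration: one channel fans out to two FEs, fe3 is unserved.
BROKEN = {
    "IntBastion:4431": ["fe1.example.internal", "fe2.example.internal"],
    "IntBastion:4432": ["fe2.example.internal"],
}

if __name__ == "__main__":
    for name, plan in (("1:3", ONE_TO_THREE), ("broken", BROKEN)):
        targets, problems = check_plan(plan, FRONT_ENDS)
        print(name, "LB targets:", targets)
        for p in problems:
            print("  PROBLEM:", p)
```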