Resiliency - Overview

MOVEit DMZ Resiliency is a software package that provides sites with the ability to create a "web farm" of two or more MOVEit DMZ servers. These servers collectively appear as a single unified server to users, and provide these advantages in a typical "active-active" configuration:

• Failover: The system will remain up even if one of the servers fails completely.
• Load-Balancing: All servers can process requests, providing better performance than a single server.

Components

MOVEit DMZ Resiliency requires:

• Two or more MOVEit DMZ server Nodes. These machines must run Windows Server 2003 or Windows Server 2008.
• A reliable fileserver to hold the filesystem used by all web servers. In this document, this unit will be referred to as a NAS (Network Attached Storage) unit, but any almost fileserver with RAID drives and preferably redundant power supplies will do. Large organizations may find that exposing a piece of an existing SAN as a file share will work for this as well.
• A Network Load Balancer. This may be a hardware device such as a Cisco Content Switch or software such as the Windows 2003 Network Load Balancing services. The IP address to which users will actually connect is handled by the load balancer; the load balancer will then forward individual requests to MOVEit DMZ nodes.
• MOVEit DMZ installation package.
• MOVEit DMZ Resiliency installation package. The version of this software must match the version of the MOVEit DMZ software.
• The MySQL database engine. This is installed and used by default by MOVEit DMZ. Only MySQL is supported by Resiliency for the current release.

The first two MOVEit DMZ nodes are called the Primary and Secondary nodes. All database replication and failover occurs between these two nodes. Additional MOVEit DMZ nodes are simply called "application nodes" and are labeled by numbers starting with 3. (Nodes 1 and 2 are the Primary and Secondary nodes.)

Causes of "Fail Over" and Expected Resiliency Reactions

Several things can cause MOVEit DMZ to "fail over" in different ways. MOVEit DMZ will try to use email notifications to alert interested administrators if any of these situations occur.

Minimal Loss of Service Situations

If access to certain services or nodes is lost, connections to the afflicted node may be lost but other services, including connections established to other nodes, should proceed as if nothing happened.

• MOVEit application service (e.g., FTP, SSH or HTTPS/IIS) stopped on any node.
• MySQL or MOVEit DMZ Resiliency services stopped on the current Secondary node.
• Application Network connection to any one node lost.
• Cluster/Backbone Network connection to the current Secondary node lost.
• Complete failure of the Secondary node or any Application node (#3 or higher).

Recovery of Service Within Specified Time Situations

MOVEit DMZ will be able to recover from the following situations after taking between 30 seconds to 2 minutes to automatically decide what to do. (The length of time MOVEit DMZ waits is configurable in the "Configuration Utility: Resiliency Tab" tab.) Recovery in this situation will involve a "fail over" that involves promoting the surviving Secondary node to Primary status.

• MySQL or MOVEit DMZ Resiliency services stopped on the current Primary node.
• Cluster/Backbone Network connection to the current Primary node lost.
• Complete failure of the Primary node.

Unrecoverable Situations

MOVEit DMZ will not be able to offer any services if any of the following events occur.

• Complete Application Network failure or complete Cluster/Backbone Network failure.
• Interruption of NAS connection or any other significant NAS failure.

Licensing

Each MOVEit DMZ license permits the software to be installed and run on a single production server and also on a single non-production server. The latter is typically used for testing or standby backup.

Implementing Resiliency requires a minimum of 2 MOVEit DMZ licenses, each of which must be identical in terms of organizations, Ad Hoc Transfer and other options. Implementing MOVEit DMZ Resiliency also requires entering a new MOVEit DMZ license code that specifies the number of resilient nodes that can run simultaneously.

Specific licensing and pricing inquiries should be directed to your Ipswitch sales contact.

Note: Resiliency requires a license key and will not work with a license file.

Selecting a Load Balancer

Besides a comfortable measure of resiliency, an LB should have the ability to make sure all connections from a particular remote IP address go to a single MOVEit DMZ node. (Often, this feature is called "sticky".) This feature is essential when FTP/SSL is used because incoming data port connections must be paired up to control connections on the same machine.

Another thing to consider when selecting an LB is how traffic from the MOVEit DMZ nodes will "get out." Specifically, SMTP email notifications, LDAP queries, RADIUS queries, and the packets emitted by any third-party monitoring tools you may have installed on MOVEit DMZ will all need to be able to connect "out" to email servers, LDAP servers, RADIUS servers and/or management servers.

Finally, if you use remote management tools (Windows Terminal Services, etc.), then it will be useful if your LB can expose each MOVEit DMZ node as a separate IP address to your internal network even as it exposes the entire resilient array to the outside world as a single virtual MOVEit DMZ.

If you wish to avoid a separate, hardware-based load balancer, please consider using the (built-in) Windows 2003 Network Load Balancing services, also known as Window Load Balancing Service (WLBS). These services were qualified to work with MOVEit DMZ Resiliency in July 2004. MOVEit DMZ Resiliency is aware of WLBS and automatically controls the availability of the node through Network Load Balancing as the node's MOVEit DMZ becomes healthy or unhealthy.

See the "Resiliency - Architecture" page for recommended Load Balancer configurations.

Selecting a NAS

Almost any file server or Windows share, and many other devices, can act as the NAS. See the "Windows FileSystem" section of "Resiliency - Technical Discussion" for more information.

Hardware Recommendations

Three of the four components of a resilient system (Primary/Secondary nodes, other MOVEit DMZ nodes and the NAS) are often built from normal PC server hardware. This section briefly covers what to look for when purchasing hardware for a resilient system, but please consult the MOVEit support site for current/specific recommendations.

• Primary and Secondary (Database) MOVEit DMZ Nodes - These nodes are in charge of database replication. These nodes will benefit from fast and multiple processors and fast hard drives (e.g., fast SCSI and/or IDE w/ large disk caches). Only the standard amount of memory is generally required as both MOVEit DMZ and MySQL tend to run lean. Redundant hardware (e.g., power supplies, RAID) is not required on these nodes. SSL accelerators are also useful on these nodes if they are used to process application traffic. If possible, use identical hardware for both of these nodes.
• Other (Application) MOVEit DMZ Nodes - As these nodes have no role in file storage or database replication, these nodes need only meet standard specifications. Redundant hardware (e.g., power supplies, RAID) is not required on these nodes. SSL accelerators are also useful on these nodes because they process application traffic.
• NAS - If you opt to go with a single machine as your NAS, get large and fast hard drives (which can contain at least 30 full days of file transfer) and load up on redundant hardware features such as dual power supplies and RAID5. Memory and processor speed can normally be minimal on this component as long as they meet the underlying operating system specifications.