Getting started with VPN Broker high availability
The VPN Broker high availability environment consists of a VPN Broker domain, two or more VPN Broker gateways, and several VPN Broker members.
- VPN Broker domain — The VPN Broker domain is a virtual network that contains the VPN Broker gateways and the VPN Broker members.
- VPN Broker gateways — Each VPN Broker gateway is configured on a single pre-installed Forcepoint NGFW appliance that is dedicated for use only with the VPN Broker. When configuring the gateways in different instances of the NGFW Manager, set one as the primary gateway, and consider that NGFW Manager as the primary NGFW Manager. Changes that you make to the list of VPN Broker members in the primary NGFW Manager are automatically synchronized to other gateways.
- VPN Broker member — Each VPN Broker member is an NGFW Engine in the Firewall/VPN role (Single Firewall or Firewall Cluster).
All VPN Broker members in the domain can connect to any VPN Broker gateway in the VPN Broker domain.
When you use Master NGFW Engines and Virtual NGFW Engines, the same Master NGFW Engine can host VPN Broker members that belong to more than one VPN Broker domain.
VPN tunnels can be created between VPN Broker members that are controlled by different Management Servers. The members do not need to be in the same administrative Domain in the Forcepoint NGFW Security Management Center (SMC).
The following is an example environment for a VPN Broker high availability configuration. In this scenario, two VPN Broker gateways are configured in the same VPN Broker domain.
The numbered callouts in the example diagram correspond to the following elements:
- Callout 1: All VPN Broker members in the domain can connect to any VPN Broker gateway in the VPN Broker domain.
- Callout 2: VPN Broker Gateway A
- Callout 3: VPN Broker member
- Callout 4: VPN Broker Gateway B
- Callout 5: VPN tunnels are created and removed as needed between the VPN Broker members. The tunnels are negotiated using RSA authentication.
Access rules that allow communication between the VPN Broker gateway and the members are automatically created. The communication between VPN Broker members and the VPN Broker gateway is authenticated using a shared secret.
The members communicate with the VPN Broker gateways using a VPN Broker Interface that you must configure on each NGFW Engine. The traffic that goes into the VPN also passes through this interface.