3 Replies Latest reply on Nov 15, 2011 3:06 PM by lchaylian

    PI HA servers behind a firewall




      We are configuring a new secondary PI server in a HA infrastructure which is behind a firewall, We understand each server need an IP address but, in case of a fail, how the client will reach the active server? Where the collective is configured, on the client or server side?


      In summary, we need to know if both PI servers need to be known out of the firewall by a coorporate IP address each one or if only the primary need a coorporate IP address in case the collective is configured on the server side.











        • Re: PI HA servers behind a firewall

          For PI HA, the collective is created on the server side. Once the collective is created, the servers will know that they belong to 1 single collective. On the client end, the failover between the collective members is handled by PI SDK, which knows that the servers are part of a collective (from the server setting) and will attempt to connect to other collective members when connection to an member fails.


          You can say that this failover is handled at the application level. At the network level, it is still required for the client to be able to establish the connection to each of the collective members, so your firewall should be configured such that all the collective members should be reachable on the port 5450.


          Hope to clarifies your doubt.

            • Re: PI HA servers behind a firewall



                           Here are a few things we learnedfrom our experience. First of all everything Han shared is "spot" on. Next we had a primary on SCADA side and a secondary on the Corporate side. The IP addresses of the servers were on different subnets and we had dns entries for both servers on both sides. The two "networks" were even different Domains, and were not trusted, things worked fine with a firewall port 5450 open between the servers and the clients subnets.   Some draw backs for us came during the initial synchrozation and any re-synchrozation, in order to use the synchorazation that is started by the collective manager (automated) we had to open a couple other ports between the two servers, port 135 and port 445 and netBios, these two ports were frowned upon by our "network" security folks, because according to them it allows mapping and copying of files, (of course thats what a re-synch is, basically), we were finally able to convince them to create the firewall rule and disable it and then when/if we re-synched we would ask for rule to be re-enabled.


              Now this was two years ago so the process may have changed we stopped using HA about a year ago for other reasons, and I think there was also a Manual way to do the re-synch if necessary.


              I am not sharing this to discourage using HA across a firewall, only to help, I personally think the benefits of HA far exceed the small re-synch item.


              Also any interface IP's will need to be allowed on port 5450 in addition to Hans and my comments.  Hope this post is helpful....