Wireless Access

MVP
Posts: 113
Registered: ‎01-27-2016

VIA + RAP - Controller Positioning

I am looking for recommendations for VIA/RAP/DMZ controller deployment. 

 

I have an existing infrastructure of Master/Standby/Locals. All roles and policies are built. 

 

Should I configure the DMZ controllers as Locals to the existing environment? I believe I read that best practices say to build them as Masters. Therefore I would need to rebuild all the policy configurations. That doesn't seem right. AirWave WMS offload seems scary if I need to go that route. 

 

Thanks much. 

 

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: VIA + RAP - Controller Positioning

I am not sure where Airwave and WMS offload have a role in this.

 

In the simplest deployment, you can have a single controller inside your network with a 1:1 static NAT on your firewall. You would be allowing UDP 4500 for IPsec and TCP 443 for SSL to allow VIA and RAP to work. This setup will work whether it is a master or local, because the IPsec pool is defined on the physical controller that the RAP or VIA terminates on.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
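An added example, not part of the thread and not Aruba tooling: a small audit that checks the firewall rules in front of a 1:1 NATed VIA/RAP controller permit UDP 4500 and TCP 443 and nothing else. The rule dictionary format, the rule names and the 203.0.113.x addresses are constructed for illustration, and the rules are assumed to be a permit list with an implicit deny, written against the public NAT address.

```python
from ipaddress import ip_address, ip_network

# Ports named in the reply above: UDP 4500 for IPsec (NAT-T) and TCP 443 for SSL.
REQUIRED = {("udp", 4500), ("tcp", 443)}

def parse_ports(spec):
    """Turn 'any', '443' or '4500-4510' into an inclusive (low, high) range."""
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def audit(rules, controller_ip):
    """Return (missing, excess): required ports no rule permits, and the names
    of permit rules that open more than the required ports to controller_ip."""
    target = ip_address(controller_ip)
    covered, excess = set(), []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        if target not in ip_network(rule["dst"], strict=False):
            continue  # rule does not reach the controller's public address
        protos = ("tcp", "udp") if rule["proto"] == "any" else (rule["proto"],)
        lo, hi = parse_ports(rule["ports"])
        needed = {(p, n) for p, n in REQUIRED if p in protos and lo <= n <= hi}
        covered |= needed
        # Anything the rule opens beyond the required ports is over-exposure.
        if len(protos) * (hi - lo + 1) > len(needed):
            excess.append(rule["name"])
    return sorted(REQUIRED - covered), excess

# Constructed sample rule sets (hypothetical names and addresses).
TIGHT = [
    {"name": "via-rap-ipsec", "action": "permit", "proto": "udp",
     "dst": "203.0.113.10/32", "ports": "4500"},
    {"name": "via-ssl", "action": "permit", "proto": "tcp",
     "dst": "203.0.113.10/32", "ports": "443"},
]
LOOSE = [
    {"name": "nat-any", "action": "permit", "proto": "any",
     "dst": "203.0.113.0/28", "ports": "any"},
    {"name": "mgmt-ssh", "action": "permit", "proto": "tcp",
     "dst": "203.0.113.10/32", "ports": "22"},
]

if __name__ == "__main__":
    for label, rules in (("tight", TIGHT), ("loose", LOOSE)):
        missing, excess = audit(rules, "203.0.113.10")
        print(f"{label}: missing={missing} excess={excess}")
```

A blanket permit that accompanies the static NAT shows up as excess even though VIA and RAP still connect, which is the case a connectivity test alone will not catch.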

MVP
Posts: 113
Registered: ‎01-27-2016

Re: VIA + RAP - Controller Positioning

Thanks Colin. I will deploy via your recommendation. 

 

I was thinking I could do Multi-Master with the VIA 'Master' in the DMZ and the Master sitting on the Prod network with WMS offload to AirWave so I could keep all my roles and policies in sync. 

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: VIA + RAP - Controller Positioning

Many people dedicate a controller in the DMZ to VIA that does not have any WLAN configuration (just VIA configuration), so there is not necessarily a reason to keep them in sync. It also reduces your licensing requirements for VIA VPN to a single controller. If you did VIA Master/local, you would need a VIA VPN license for the master to configure the VIA policies and one for the local to terminate VIA. It is probably good to have a single Master in the DMZ that does VIA/RAP, because the policies for remote users many times are only a smaller subset of what WLAN users require and don't need to be synchronized...



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 113
Registered: ‎01-27-2016

Re: VIA + RAP - Controller Positioning

I didn't consider the additional license on the Master. The VIA L3 Authentication and Connection profiles are created on the Master and not directly on the Local... which makes sense. 

 

In that case, since I only have a single PEFV license, I will require the VIA/RAP controller to be a Master and recreate policies. The customer will want a seamless experience no matter how they connect... CAP/RAP or VIA. 
