I’m planning to deploy 6 controllers ... 3 different offices - 2 in each. Lots if resiliency basically; I plan to set the ‘load balance’ option in the profile to spread my users around.
Just wanted to clarify a few things please:
1. If I add all 6 controllers into the VIA profile and select load balance tick box; does this tell the user to connect to a random one when they connect or is it like round robin load balancing to pick the next one in the list etc.
2. I was looking at putting the controllers within a site in a VRRP pair for resilience, but I understand this doesn’t quite work for VIA pool etc? Am I better off just have them all independent (no VRRP pair) or in VRRP from a VIA perspective?
3. Do you just set the VIA profile on the one you know users will pull the profile from? I’m conscious we’re giving users an external DNS to go to for profile downloads, I wanted to keep it simple and only have one URL we give out. But then that would mean only one controller ever gives out the profile?
does that also mean you don’t need to set the VIA profile on any other controller?
Start off small. Give your users a single Via profile to a single centralized entry point. Even at large companies, there are mainly multiple VIA profiles only for International offices. The only requirement is that at the single entry point, the user must be able to reach all of their resources necessary.
To be clear, giving users more choices increases complexity and support costs. Make it as simple as possible and then you can silently add redundancy on the backend.
This sounds good, I agree.
So have one controller giving out the profile; within that profile just list the other 5 controllers as well as itself in the VIA server list?
Then on these other 5 controllers don’t worry about giving them a profile? Just rely on main one for profile to distribute to users?
What is the utility of 5 controllers in a profile? giving users 5 choices will just confuse them. If you are just starting out, only include a single controller. Don't make the idea of redundancy make your life more complicated.
Users only receive a profile the first time they attempt to connect or if they wipe out their profile. In the smallest networks, users just connect to https://publicfqdn-of-controller/via to obtain a EDIT: an installer cross-platform. After they install, they are asked for a URL so they can download a profile. The profile they obtain could point to the same controller for authentication, and that is it. Size that controller appropriately, and you are done. For scaling, you could optionally configure a second VIA controller and add that as a second ip address in DNS, so that users would leverage that controller without profile or client reconfiguration.
Ok thank you
My intention was to create a lot of resiliency across multiple office locations that have independent Internet connections.
The comment around 6 controllers; I agree I don’t want any complexity. I am still not 100% on how I have just one profile while allowing users to load balance between all 6 controllers.
Is this done by:
Option A: One external DNS that points to controller 1 which has the VIA profile. In this VIA profile are 6 independent controllers listed within the VIA server section. In the profile, the load balance option is also ticked.
Option B: One external DNS that round robins to all the controllers. All controllers contain VIA profiles with each other’s controller details listed in the VIA server option.
just trying to be clear on where the DNS round robin comes in?
You have posted many many questions about VIA and you should establish a simple workflow or consult your local SE if you have detailed questions. Here is how it should work:
1- User installs VIA or has VIA pre-installed on their computer
2- Users starts up VIA for the first time and is asked for a URL
3- User provides URL which points to the VIA controller which is distributing profiles: EDIT: There could be a single controller for profiles and VIA connectivity or the controller supplying profiles can be different than the controller actually terminating VIA clients.... Both are mutually exclusive.
4- The VIA controller asks for a domain username and password
5- User enters a username and password and authenticates information based on the VIA authentication profile
6- User passes authentication and VIA provides a profile to the user's client which will include the VIA servers they will authenticate to and the method a user should use to authenticate.
7- User chooses a server from the profile and connects using the method defined in the connection profile. If the VIA connection profile allows users to save credentials, the user will not be prompted for credentials subsequent times after the initial connection.
8- The server answers, and assigns the user an ip address from the pool configured on that server.
In general, that is the process. When the user launches VIA a second time, the user only goes through 7 and 8 moving forward. The user wouldn't have to go through 1-6. If you are distributing a single server using the connnection profile via DNS, that DNS a-record can be changed so that future users will connect to a different ip address using the same dns fqdn for that server.
In a simple sense, that is how it should work.
Your external DNS server could have a single ip address and point all users to the same server all of the time. You can add a second ip address and configure your external DNS server to do round robin, so that users who attempt to connect will resolve the same DNS record for that single server to a different VIA controller for every other user that attempts to connect.
Once you push multiple servers in profile, you cannot remove them from a client, so it limits your flexibility. It is advised to use DNS to scale your deployment whether it is with a single ip address that you can change centrally or with multiple ip addresses so that you can increase or shrink the number of VIA controllers on the fly.
VIA profile connects to a single controller using a single remote.company.com server
DNS for remote.company.com = ip address1, ipaddress2, ipaddress3
DNS is configured for round robin
users have already downloaded a profile with a single server pointing at remote.company.com
user1 will open VIA, click on the single server resolve dns for it and point to the via controller at ipaddress1
user2 will open VIA, click on the single server resolve dns for it and point to the via controller at ipaddress2
user3 will open VIA, click on the single server resolve dns for it and point to the via controller at ipaddress3
If you add or remove a VIA controller, you can add or remove that ip address from your DNS server entries on the fly.
I hope that makes sense.
Yes that is clear - makes perfect sense
Because they’ll get profiles from remote.company.com as well as connections; guessing I should apply the profile (with DNS only - no IP addresses) to the folder level (containing all my controllers for VIA)?
Then new users (profile download for first time) and existing users just go to any controller for connections or a profile. DNS round robin just points them at different controllers as it sees fit?
To be clear, the initial URL that users are pointed to to download their VIA profile is mutually exclusive from the servers they obtain after authenticating successfully. It could be the same (single VIA controller for everything) or different, but they are not related.
I have no comment on what folder level you put this configuration. That is a design question.
Happy days - thanks for your help
1. If I add all 6 controllers into the VIA profile and select load balance tick box; does this tell the user to connect to a random one when they connect or is it like round robin load balancing to pick the next one in the list etc. Do not give users choices. That just increases complexity. You can use an external DNS to round robin ip addresses so that users receive a single profile, but the DNS server can answer with a different ip address. You should just have an Aruba Controller dedicated to VIA with the maximum capacity that you would need. After that, you can deploy a second controller and "load balance" users to the other VIA controller with DNS.
2. I was looking at putting the controllers within a site in a VRRP pair for resilience, but I understand this doesn’t quite work for VIA pool etc? Am I better off just have them all independent (no VRRP pair) or in VRRP from a VIA perspective? No VRRP. Use individual ip addresses so that what users end up on what controller is very predictable and can be troubleshot individually. Each controller has its own individual pool. If users point to a VRRP, whatever controller is answering the VRRP will have the full user load, and the other controller will not be used.
3. Do you just set the VIA profile on the one you know users will pull the profile from? I’m conscious we’re giving users an external DNS to go to for profile downloads, I wanted to keep it simple and only have one URL we give out. But then that would mean only one controller ever gives out the profile? Only have a single controller answer via DNS. Users only download the profile the first time they connect or if they delete their profile. After that, they only attempt to connect to servers in that profile. If you push out profiles pointing to DNS, you can always change DNS as your network expands, or even distribute ip addresses via round robin with DNS to add capacity in the future.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.