Distributed Engine Example Architectures
This page collects our best-practice reference architectures for Verify Privilege Vault (SS) Distributed Engines (DEs). The two most common use cases are:
- Distributing work across firewalled networks using the fewest ports possible, which gives a tighter network security model
- Moving processing work off the Web servers onto dedicated servers within the IBM Security infrastructure to improve overall performance
Each use case is shown in a minimal high-availability (HA) design and in a best-practice HA design. The final reference architecture in this collection combines both use cases in one HA design.
Minimal HA Single-Site Deployment with No Distributed Engines
Overview
Requirements
General
- SQL Server Standard Edition with basic availability group configuration.
- SQL Server 2012 R2+.
- Use Windows authentication for SQL Server.
- You can use local load balancers for Web server nodes.
- A file-share witness is required for SQL quorum voting so that SQL Server stays online through an unplanned failure of a single node.
- Distributed Engine Ports.
- Distributed Engine Proxy Configuration.
- SQL Quorum Ports.
Virtual IP or Computer
- ss.company.com: 443 (load balancer)
- ss.company.com: 5671 or 5672 (load balancer)
- ss-aoag.company.com: 1433 (created as part of the SQL Server AlwaysOn configuration); computer object or virtual IP.
- Windows failover cluster object (created as part of the Windows failover clustering configuration):
  - Computer object or virtual IP
  - One additional virtual IP address may be required by the Windows failover cluster for its network configuration in the single-site design.
Diagram
The reference number for this diagram is A1.
Figure: Minimal HA Single-Site Deployment with No Distributed Engines
Minimal HA Single-Site Deployment with Distributed Engines for Additional Datacenters
Overview
- Minimum-cost HA configuration.
- No shared storage requirement.
- Verify Privilege RabbitMQ Helper installed on separate dedicated servers.
- Two DEs for HA of the local site, which are included with all licensing models.
- Distributed Engine licenses required for this design:
  - Three DE site licenses added (for the DMZ, secondary, and cloud locations), one DE included per site.
  - One DE per site license added, which allows a second DE in each DE site for HA.
- All DEs require callback communication to the Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5671 for AMQP over TLS, or 5672 for plaintext AMQP). This is pictured for one set of distributed engines (the local site) and omitted for the other DEs to keep the diagram easier to interpret.
Requirements
General
- SQL Server Standard Edition with basic availability group configuration.
- SQL Server 2012 R2+.
- Use Windows authentication for SQL Server.
- You can use local load balancers for Web server nodes.
- A file-share witness is required for SQL quorum voting so that SQL Server stays online through an unplanned failure of a single node.
- Distributed Engine Ports.
- Distributed Engine Proxy Configuration.
- SQL Quorum Ports.
Virtual IP or Computer
- ss.company.com: 443 (load balancer)
- ss.company.com: 5671 or 5672 (load balancer)
- ss-aoag.company.com: 1433 (created as part of the SQL Server AlwaysOn configuration); computer object or virtual IP.
- Windows failover cluster object (created as part of the Windows failover clustering configuration):
  - Computer object or virtual IP
  - One additional virtual IP address may be required by the Windows failover cluster for its network configuration in the single-site design.
Diagram
Figure: Minimal HA Single-Site Deployment with Distributed Engines for Additional Datacenters
Minimal HA Single-Site Deployment with Distributed Engines for Separate Work Tasks
Overview
- Minimum-cost HA configuration.
- No shared storage requirement.
- Verify Privilege RabbitMQ Helper installed on separate dedicated servers.
- Two DEs for HA of the local site, which are included with all licensing models.
- Local site for AD or LDAP, SMTP, SIEM, or RADIUS integration.
- Distributed Engine licenses required for this design:
  - Two DE site licenses added (for secret and discovery tasks), one DE included per site.
  - One DE per site license added, which allows a second DE in each DE site for HA.
- Single-site design with no native DR capacity. DR can be provided by VM replication if the subnets span locations; otherwise re-IP and DNS changes may be necessary.
- All DEs require callback communication to the Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5671 for AMQP over TLS, or 5672 for plaintext AMQP). This is pictured for one set of distributed engines (the local site) and omitted for the other DEs to keep the diagram easier to interpret.
Please see Verify Privilege Vault Example Architectures for additional design variations.
Requirements
General
- SQL Server Standard Edition with basic availability group configuration.
- SQL Server 2012 R2+.
- Use Windows authentication for SQL Server.
- You can use local load balancers for Web server nodes.
- A file-share witness is required for SQL quorum voting so that SQL Server stays online through an unplanned failure of a single node.
- Distributed Engine Ports.
- Distributed Engine Proxy Configuration.
- SQL Quorum Ports.
Virtual IP or Computer
- ss.company.com: 443 (load balancer)
- ss.company.com: 5671 or 5672 (load balancer)
- ss-aoag.company.com: 1433 (created as part of the SQL Server AlwaysOn configuration); computer object or virtual IP.
- Windows failover cluster object (created as part of the Windows failover clustering configuration):
  - Computer object or virtual IP
  - One additional virtual IP address may be required by the Windows failover cluster for its network configuration in the single-site design.
Diagram
Figure: Minimal HA Single-Site Deployment with Distributed Engines for Separate Work Tasks
Best HA Multi-Site Deployment with No Distributed Engines
Overview
- All DEs require callback communication to the Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5671 for AMQP over TLS, or 5672 for plaintext AMQP). This is pictured for one set of distributed engines (the local site) and omitted for the other DEs to keep the diagram easier to interpret.
Please see Verify Privilege Vault Example Architectures for additional design variations.
Requirements
General
- SQL Server Standard Edition with basic availability group configuration.
- SQL Server 2012 R2+.
- Use Windows authentication for SQL Server.
- Global and local load balancers.
- A file-share witness is required for SQL quorum voting so that SQL Server stays online through an unplanned failure of a single node.
- Distributed Engine Ports.
- Distributed Engine Proxy Configuration.
- SQL Quorum Ports.
Virtual IP or Computer
- ss.company.com: 443 and rmq.company.com: 5671 or 5672 (two virtual IPs, global load balancer).
- ss-a.company.com: 443 and ss-b.company.com: 443 (two virtual IPs, local load balancers).
- rmq-a.company.com: 5671 or 5672 and rmq-b.company.com: 5671 or 5672 (two virtual IPs, local load balancers).
- Windows failover cluster object (created as part of the Windows failover clustering configuration):
  - Computer object or virtual IP
  - One additional virtual IP address may be required by the Windows failover cluster for its network configuration.
Diagram
Figure: Best HA Multi-Site Deployment with No Distributed Engines
Best HA Multi-Site Deployment with Distributed Engines for Additional Datacenters
Overview
- Distributed Engine licenses required for this design:
  - Two DE site licenses added (for the DMZ and cloud locations), one DE included per site.
  - One DE per site license added, which allows a second DE in each DE site for HA and a third one for the local site (added to the primary location).
- All DEs require callback communication to the Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5671 for AMQP over TLS, or 5672 for plaintext AMQP). This is pictured for one set of distributed engines (the local site) and omitted for the other DEs to keep the diagram easier to interpret.
Please see Verify Privilege Vault Example Architectures for additional design variations.
Requirements
General
- SQL Server Enterprise Edition with availability group configuration.
- SQL Server 2012 R2+.
- Use Windows authentication for SQL Server.
- Global and local load balancers.
- A file-share witness is required for SQL quorum voting so that SQL Server stays online through an unplanned failure of a single node.
- Distributed Engine Ports.
- Distributed Engine Proxy Configuration.
- SQL Quorum Ports.
Virtual IP or Computer
- ss.company.com: 443 and rmq.company.com: 5671 or 5672 (two virtual IPs, global load balancer).
- ss-a.company.com: 443 and ss-b.company.com: 443 (two virtual IPs, local load balancers).
- rmq-a.company.com: 5671 or 5672 and rmq-b.company.com: 5671 or 5672 (two virtual IPs, local load balancers).
- Windows failover cluster object (created as part of the Windows failover clustering configuration):
  - Computer object or virtual IP
  - Two additional virtual IP addresses may be required by the Windows failover cluster for its network configuration, one for the cluster network at each site.
Diagram
Figure: Best HA Multi-Site Deployment with Distributed Engines for Additional Datacenters
Best HA Multi-Site Deployment with Distributed Engines for Separate Work Tasks
Overview
- Distributed Engine licenses required for this design:
  - Two DE site licenses added (for secret and discovery tasks), one DE included per site.
  - One DE per site license added, which allows a second DE in each DE site for HA and a third one for the local site (added to the primary location).
- All DEs require callback communication to the Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5671 for AMQP over TLS, or 5672 for plaintext AMQP). This is pictured for one set of distributed engines (the local site) and omitted for the other DEs to keep the diagram easier to interpret.
Requirements
General
- SQL Server Enterprise Edition with availability group configuration.
- SQL Server 2012 R2+.
- Use Windows authentication for SQL Server.
- Global and local load balancers.
- We recommend a witness for SQL quorum voting, either a cloud witness or a file-share witness on a DFSR share, placed so that quorum survives the failure of both SQL Server nodes in the primary location.
- Distributed Engine Ports.
- Distributed Engine Proxy Configuration.
- SQL Quorum Ports.
Virtual IP or Computer
- ss.company.com: 443 and rmq.company.com: 5671 or 5672 (two virtual IPs, global load balancer).
- ss-a.company.com: 443 and ss-b.company.com: 443 (two virtual IPs, local load balancers).
- rmq-a.company.com: 5671 or 5672 and rmq-b.company.com: 5671 or 5672 (two virtual IPs, local load balancers).
- Windows failover cluster object (created as part of the Windows failover clustering configuration):
  - Computer object or virtual IP
  - Two additional virtual IP addresses may be required by the Windows failover cluster for its network configuration, one for the cluster network at each site.
Diagram
Figure: Best HA Multi-Site Deployment with Distributed Engines for Separate Work Tasks
Best HA Multi-Site Deployment with Distributed Engines for Additional Datacenters with Separate Work Tasks
Overview
- Distributed Engine licenses required for this design:
  - Five DE site licenses added (for primary secret and discovery tasks, the DMZ site, and cloud secret and discovery tasks), one DE included per site.
  - Two DE per site licenses added, which allow a second DE in each DE site for HA and a third one for the local site (added to the primary and DR locations).
- All DEs require callback communication to the Web servers (TCP 443) and to the Verify Privilege RabbitMQ Helper response bus (TCP 5671 for AMQP over TLS, or 5672 for plaintext AMQP). This is pictured for one set of distributed engines (the local site) and omitted for the other DEs to keep the diagram easier to interpret.
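Every design on this page has the same engine-side network requirement: each DE must reach the Web servers on TCP 443 and the RabbitMQ Helper response bus on TCP 5671 or 5672, through the documented proxy configuration where one is in use. The PowerShell preflight check below is an added example and is not part of the product or of this documentation. It is meant to be run on each prospective engine host, at each site, before the engine is registered. The hostnames and ports are taken from the Virtual IP or Computer lists; the parameter names, the timeout, and the proxy URL are this script's own assumptions.

```powershell
# Added preflight check for a Distributed Engine host; not part of Verify Privilege Vault or its
# documentation. Hostnames/ports follow the "Virtual IP or Computer" lists on this page; the
# parameter names, timeout and proxy URL are assumptions made for this example.
param(
    [string]$WebHost  = 'ss.company.com',  # Web server load balancer, engine callback on TCP 443
    [string]$BusHost  = 'ss.company.com',  # RabbitMQ Helper load balancer (rmq.company.com in the multi-site designs)
    [string]$ProxyUrl = '',                # e.g. 'http://proxy.company.com:8080' when the engine egresses via a proxy
    [int]$TimeoutMs   = 3000
)

function Test-TcpPort {
    # TCP connect with an explicit timeout: a firewall that silently drops the SYN would
    # otherwise make each probe hang for the OS default (roughly 20 s on Windows).
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Dispose() }
}

function Get-TlsInfo {
    # Full TLS handshake using the platform's normal certificate validation (nothing is bypassed).
    # Returns subject/issuer/expiry/protocol on success, or the validation error text on failure.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        return [pscustomobject]@{
            Ok = $true; Protocol = $ssl.SslProtocol
            Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter
        }
    } catch {
        return [pscustomobject]@{ Ok = $false; Error = $_.Exception.Message }
    } finally { $client.Dispose() }
}

# The three flows every DE needs, plus the proxy hop when one is configured.
$checks = @(
    [pscustomobject]@{ Path = 'DE -> Web servers (callback)';       Target = "${WebHost}:443";  Ok = Test-TcpPort $WebHost 443 }
    [pscustomobject]@{ Path = 'DE -> response bus, AMQP over TLS';  Target = "${BusHost}:5671"; Ok = Test-TcpPort $BusHost 5671 }
    [pscustomobject]@{ Path = 'DE -> response bus, AMQP plaintext'; Target = "${BusHost}:5672"; Ok = Test-TcpPort $BusHost 5672 }
)
if ($ProxyUrl) {
    $proxy = [uri]$ProxyUrl
    $checks += [pscustomobject]@{ Path = 'DE -> proxy'; Target = "$($proxy.Host):$($proxy.Port)"; Ok = Test-TcpPort $proxy.Host $proxy.Port }
}
$checks | Format-Table -AutoSize

# Where a TLS port answers, confirm the certificate actually validates from this host: a DE that
# cannot validate the load balancer's certificate will fail later even though the port is open.
foreach ($ep in @{ Host = $WebHost; Port = 443 }, @{ Host = $BusHost; Port = 5671 }) {
    if (Test-TcpPort $ep.Host $ep.Port) {
        $info = Get-TlsInfo $ep.Host $ep.Port
        if ($info.Ok) {
            "{0}:{1} presents '{2}' (issuer {3}, expires {4:yyyy-MM-dd}) over {5}" -f $ep.Host, $ep.Port, $info.Subject, $info.Issuer, $info.NotAfter, $info.Protocol
        } else {
            Write-Warning ("{0}:{1} TLS handshake failed: {2}" -f $ep.Host, $ep.Port, $info.Error)
        }
    }
}

$webOk    = ($checks | Where-Object Target -eq "${WebHost}:443").Ok
$busTls   = ($checks | Where-Object Target -eq "${BusHost}:5671").Ok
$busPlain = ($checks | Where-Object Target -eq "${BusHost}:5672").Ok
if (-not $webOk) { Write-Warning 'Web server callback (TCP 443) is unreachable: the engine cannot register or receive configuration.' }
if (-not $busTls -and $busPlain) {
    Write-Warning 'Only plaintext AMQP (5672) is reachable: traffic between this engine and the response bus would cross the network unencrypted. Open 5671 (or enable TLS on the RabbitMQ Helper) before registering this engine.'
}
if (-not $busTls -and -not $busPlain) { Write-Warning 'Neither 5671 nor 5672 is reachable: the engine will not be able to connect to the response bus.' }
```

Saved as, for example, Test-DePreflight.ps1 (the file name is an assumption), a multi-site DMZ engine would be checked with `.\Test-DePreflight.ps1 -BusHost rmq.company.com -ProxyUrl http://proxy.company.com:8080`. The useful outcome is the combination of results rather than any single line: an open 5672 with a closed 5671 means the firewall rule was written for the weaker port, and an open 5671 whose handshake fails points at the certificate on the load balancer rather than at the network.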
Requirements
General
- SQL Server Enterprise Edition with availability group configuration.
- SQL Server 2012 R2+.
- Use Windows authentication for SQL Server.
- Global and local load balancers.
- We recommend a witness for SQL quorum voting, either a cloud witness or a file-share witness on a DFSR share, placed so that quorum survives the failure of both SQL Server nodes in the primary location.
- Distributed Engine Ports.
- Distributed Engine Proxy Configuration.
- SQL Quorum Ports.
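The General requirements in every design above depend on a quorum witness: a file-share witness in the single-site designs, and a cloud witness or DFSR-backed file-share witness in the multi-site designs so that quorum survives the loss of both primary-site SQL Server nodes. The following PowerShell, using the Windows FailoverClusters module, is an added example that is not part of this documentation; it configures one witness or the other and then verifies the resulting vote layout. The cluster name, share path, storage account name and the -UseCloudWitness switch are placeholders and assumptions for this example.

```powershell
# Added example, not from the Verify Privilege Vault documentation or product. Run from an
# elevated PowerShell session on one SQL Server cluster node. Cluster name, share path and
# storage account are assumed placeholders; replace them with your own values.
param(
    [string]$ClusterName  = 'ss-sqlcluster',
    [switch]$UseCloudWitness,                                # multi-site designs
    [string]$WitnessShare = '\\witness.company.com\ss-fsw',  # single-site designs; host must not be a cluster node
    [string]$CloudAccount = 'sswitnessstorage'               # Azure storage account for the cloud witness
)
Import-Module FailoverClusters

# Starting point: the current quorum model and each node's vote.
Get-ClusterQuorum -Cluster $ClusterName | Format-List QuorumType, QuorumResource
Get-ClusterNode   -Cluster $ClusterName | Format-Table Name, State, NodeWeight, DynamicWeight -AutoSize

if ($UseCloudWitness) {
    # The witness lives outside both sites, so losing the whole primary site still leaves the
    # secondary site's node(s) plus the witness holding a majority of the votes.
    $key      = Read-Host -AsSecureString 'Storage account access key'   # prompt; never hard-code the key
    $plainKey = [System.Net.NetworkCredential]::new('', $key).Password
    Set-ClusterQuorum -Cluster $ClusterName -CloudWitness -AccountName $CloudAccount -AccessKey $plainKey
} else {
    # Node and file share majority: the SQL nodes plus one share vote. The share is reached over
    # SMB (TCP 445, one of the quorum ports), and the cluster name object needs Full Control on it.
    Set-ClusterQuorum -Cluster $ClusterName -NodeAndFileShareMajority $WitnessShare
}

# Verify: the witness resource should be Online and owned by a node, and every node should keep
# its vote (NodeWeight 1). A DynamicWeight of 0 means the cluster has removed that node's vote.
$q = Get-ClusterQuorum -Cluster $ClusterName
"Quorum type: $($q.QuorumType); witness resource: $($q.QuorumResource)"
Get-ClusterResource -Cluster $ClusterName |
    Where-Object { $_.ResourceType.Name -in 'File Share Witness', 'Cloud Witness' } |
    Format-Table Name, State, OwnerNode -AutoSize
Get-ClusterNode -Cluster $ClusterName | Format-Table Name, State, NodeWeight, DynamicWeight -AutoSize

# For the file-share witness, confirm the share ACL from the file server itself (not from a cluster node):
#   Get-SmbShareAccess -Name ss-fsw     # expect '<domain>\<ClusterName>$' with Full control
```

The choice between the two branches follows the requirement text rather than the node count: a file-share witness hosted in the primary site would be lost together with both primary SQL nodes, which is exactly the failure the multi-site designs are meant to survive, so for those designs the witness must be a cloud witness or a share that is replicated to, and reachable from, the secondary site.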
Virtual IP or Computer
- ss.company.com: 443 and rmq.company.com: 5671 or 5672 (two virtual IPs, global load balancer).
- ss-a.company.com: 443 and ss-b.company.com: 443 (two virtual IPs, local load balancers).
- rmq-a.company.com: 5671 or 5672 and rmq-b.company.com: 5671 or 5672 (two virtual IPs, local load balancers).
- ss-aoag.company.com: 1433 (created as part of the SQL Server AlwaysOn configuration); computer object or virtual IP. May require two virtual IP addresses.
- Windows failover cluster object (created as part of the Windows failover clustering configuration):
  - Computer object or virtual IP
  - Two additional virtual IP addresses may be required by the Windows failover cluster for its network configuration, one for the cluster network at each site.
Diagram
Figure: Best HA Multi-Site Deployment with Distributed Engines for Additional Datacenters with Separate Work Tasks